m0rkus

BuddyPress v3.2.0 Stored XSS

May 4th, 2019
           _
            | |          mark
            | |===( )   //////
            |_|   |||  | o o|
                   ||| ( c  )                  ____
                    ||| \= /                  ||   \_
                     ||||||                   ||     |
                     ||||||                ...||__/|-"
                     ||||||             __|________|__
                       |||             |______________|
                       |||             || ||      || ||
                       |||             || ||      || ||
------------------------|||-------------||-||------||-||-------


Stored/Persistent XSS through arbitrary upload of dotfile (resulting in wormable self-replicating malware):

An arbitrary file upload bug resulting in persistent/stored XSS in the form of a file uploaded to the server. This is possible due to the way BuddyPress handles dotfiles. In BuddyPress, users have the ability to post their own statuses, and they can include images within these statuses.

If you try uploading a valid image, it will be stored in a temporary folder prior to being included in your status message. Here is the path for the temporary folder:

http://site.com/wp-content/uploads/bpfb/tmp/lol.jpg

Now, if you use an HTTP proxy to view the request that is made while uploading a valid image, you will see that it is performed via the following API:

http://site.com/wp-admin/admin-ajax.php?action=bpfb_preview_photo&qqfile=lol.jpg

The contents of the uploaded image are sent through an HTTP POST request, whereas the image name itself is sent via the qqfile= GET param. The POST request body will look something like this (raw JPEG data, with non-printable bytes shown in caret notation):

^@^PJFIF^@^A^A^@^@^A^@^A^@^@
^BICC_PROFILE^@^A^A^@^@^B^pl
cms^D0^@^@mntrRG$Y^@^@^S ^@^
@[para^@^@^@^@^@^C^@^@^@^@^

There are whitelist filters in place, so if you try to upload an invalid file format you will see the following message:

evil.php has invalid extension. Only jpg, jpeg, png, gif are allowed.

This is where dotfiles come into play: it is possible to create a file named .jpg which will satisfy the filter (by appearing to have a valid image extension), but since there are no getimagesize() checks or anything of the sort in place, it doesn't check whether what is being uploaded is actually an image (the check is performed on the extension alone).

You can make the following request:

http://site.com/wp-admin/admin-ajax.php?action=bpfb_preview_photo&qqfile=.jpg

and for your POST data, try something like "pwned". If everything works as planned, you will see the following JSON response:

{"note":"Success. Image uploaded."}

Since what you are uploading is not an image (but rather just a dotfile ending in jpg), the content-type is set by default to text/html rather than image/jpg as would be expected with a regular image. Now, since the content type is set to text/html, you could send a request to the link above but with the following as your POST data:
<script>alert(document.domain)</script>

and voila! You now have stored XSS. For a direct link to your uploaded HTML/JS code, you can navigate to the following URL to see your JavaScript code being triggered:
http://site.com/wp-content/uploads/bpfb/tmp/.jpg
  59.  
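As an added illustration (not code from this paste or from BuddyPress), the following Python shows why a suffix-only whitelist accepts the dotfile ".jpg" described above, and the checks a hardened upload handler would apply instead: a non-empty basename stem, a whitelisted extension, leading bytes that match the declared image type, and a Content-Type taken from the validated content rather than left to a default. The function names, the MAGIC table and the sample request bodies are assumptions constructed for the example.

```python
"""Added example: suffix-only whitelist vs. a hardened upload validator (assumed names, not BuddyPress code)."""
import os

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # the whitelist named in the error message

# Leading bytes of each allowed format, used to confirm the body really is an image.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

CONTENT_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}


def weak_extension_check(filename):
    """Suffix-only whitelist of the kind the writeup describes: only the text after
    the last dot is inspected, so a bare '.jpg' passes because its suffix is 'jpg'."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def validate_upload(filename, data):
    """Hardened check. Returns (True, content_type) on success or (False, reason) on rejection."""
    base = os.path.basename(filename)
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXTENSIONS:
        return False, "invalid extension"
    # Reject dotfiles and names that consist of nothing but an extension ('.jpg', '..jpg').
    if not stem or stem.startswith("."):
        return False, "dotfile or empty basename"
    # The extension alone proves nothing about the body; require the format's signature.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "body does not match declared image type"
    return True, CONTENT_TYPES[ext]


def response_headers(content_type):
    """Headers for serving a validated upload: the type comes from validation, not from a
    default, and nosniff stops browsers from re-interpreting the body as HTML."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    # Constructed sample bodies: a minimal JPEG prefix and the non-image body from the writeup.
    jpeg_prefix = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    for name, body in [("lol.jpg", jpeg_prefix), (".jpg", b"pwned"), ("evil.php", b"<?php")]:
        print(name, "weak:", weak_extension_check(name), "hardened:", validate_upload(name, body))
```

The weak check and the hardened check disagree on exactly one of the three sample names: ".jpg" passes the suffix test but fails both the stem test and the signature test. Note that the signature test alone would already have rejected the "pwned" body, and the stem test alone would already have rejected the name; a handler should keep both, since either check can be bypassed on its own (a real JPEG header can be prepended to a dotfile, and a normally named file can carry any body).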
Since this is stored as part of your status update on the BuddyPress social network, and is viewable by other users, you can write a JavaScript payload that causes their browser to make a request to the URL listed above with accompanying POST data containing your payload, resulting in their profile also posting an XSS payload. This means that from your single status update, everyone who views it will automatically post the same payload, and everyone who then views those statuses will also automatically post the same payload. The end result is a worm that spreads exponentially until every single user of the social network is affected (of course, alongside this payload you could include some malware or a browser hook to infect people).
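From the defender's side, as an added example that is not part of this paste, the following Python scans web-server access log lines for the two artefacts the writeup names: uploads through action=bpfb_preview_photo whose qqfile is a dotfile, and fetches of dotfiles from /wp-content/uploads/bpfb/tmp/. Counting the distinct clients that perform dotfile uploads gives a rough signal for the self-replicating spread described above, since a worm turns every viewer into an uploader. The log lines, client addresses (documentation ranges) and function names are constructed for the example.

```python
"""Added example: flag dotfile uploads and fetches in access logs (constructed data, assumed names)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=bpfb_preview_photo&qqfile=lol.jpg HTTP/1.1" 200 41
203.0.113.5 - - [04/May/2019:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=bpfb_preview_photo&qqfile=.jpg HTTP/1.1" 200 41
198.51.100.7 - - [04/May/2019:10:02:45 +0000] "GET /wp-content/uploads/bpfb/tmp/.jpg HTTP/1.1" 200 38
198.51.100.7 - - [04/May/2019:10:02:46 +0000] "POST /wp-admin/admin-ajax.php?action=bpfb_preview_photo&qqfile=.jpg HTTP/1.1" 200 41
192.0.2.9 - - [04/May/2019:10:03:00 +0000] "GET /wp-content/uploads/bpfb/tmp/.jpg HTTP/1.1" 200 38
"""

# Client, timestamp, method, request target and status from a combined-format request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
TMP_DIR = "/wp-content/uploads/bpfb/tmp/"


def is_dotfile(name):
    """True when the basename starts with a dot, e.g. '.jpg' or '/.../tmp/.jpg'."""
    base = name.rsplit("/", 1)[-1]
    return base.startswith(".")


def find_suspicious(log_text):
    """Return (ip, timestamp, name, kind) for every dotfile upload and every dotfile fetch from tmp."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m["target"])
        if url.path == UPLOAD_ENDPOINT:
            query = parse_qs(url.query)
            if query.get("action") == ["bpfb_preview_photo"]:
                name = query.get("qqfile", [""])[0]
                if is_dotfile(name):
                    hits.append((m["ip"], m["ts"], name, "dotfile upload"))
        elif url.path.startswith(TMP_DIR) and is_dotfile(url.path):
            hits.append((m["ip"], m["ts"], url.path, "dotfile fetch"))
    return hits


def uploaders_by_ip(hits):
    """Distinct clients that uploaded a dotfile; a set that keeps growing across users is a spread signal."""
    return Counter(ip for ip, _ts, _name, kind in hits if kind == "dotfile upload")


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("uploading clients:", dict(uploaders_by_ip(found)))
```

On the sample lines the normal lol.jpg upload is ignored, the two ".jpg" uploads and the two fetches of tmp/.jpg are reported, and two distinct clients appear as uploaders. A second client uploading the same dotfile seconds after fetching it is the pattern a viewer-turned-poster would leave, so the upload count per client over a short window is the number to alert on; the check can run retroactively over stored logs as well as on a tail.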