ANTICHAT — forum on information security, OSINT and technology
03.04.2019, 22:08
Using wpscan I found CVE-2011-4673 (Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability)
and I have been struggling for hours trying to use it.
localhost/wp-content/plugins/jetpack/modules/sharedaddy.php?id=-1
I get nothing in response, so I conclude that this parameter most likely really is vulnerable and wpscan was not wrong.
But I don't quite understand what to do next...
Here is the description and an exploitation example that I don't quite understand.
WordPress Plugin jetpack - 'sharedaddy.php' ID SQL Injection
03.04.2019, 23:52
Getting nothing in response does not mean the parameter is vulnerable.
Did wpscan even identify the plugin version?
04.04.2019, 00:01
v3.2.3; this version is 100% vulnerable, the question is how to use this injection.
Wpscan:
Code:
root@debian:~# wpscan --url SITE.COM -e ap
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://SITE.COM/
[+] Started: Fri Apr 5 09:12:25 2019
[!] The WordPress 'http://SITE.COM/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.25 (Debian)
[+] XML-RPC Interface available under: http://SITE.COM/xmlrpc.php
[!] Upload directory has directory listing enabled: http://SITE.COM/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://SITE.COM/wp-includes/
[+] WordPress version 4.2 (Released on 2015-04-23) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 65 vulnerabilities identified from the version number
[!] Title: WordPress prepare() potential SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8905
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.2.16
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: https://wpvulndb.com/vulnerabilities/8906
Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8910
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
[i] Fixed in: 4.2.16
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Reference: https://wpvulndb.com/vulnerabilities/8911
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41457
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
[i] Fixed in: 4.2.16
[!] Title: WordPress prepare() Weakness
Reference: https://wpvulndb.com/vulnerabilities/8941
Reference: https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
Reference: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
Reference: https://twitter.com/ircmaxell/status/923662170092638208
Reference: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
[i] Fixed in: 4.2.17
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.2.18
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.2.18
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.2.18
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress (79848 / 79848) 100.00% Time: 00:03:17
[+] We found 3 plugins:
[+] Name: all-in-one-seo-pack - v1.3.1
| Last updated: 2019-02-20T19:20:00.000Z
| Location: http://SITE.COM/wp-content/plugins/all-in-one-seo-pack/
| Readme: http://SITE.COM/wp-content/plugins/all-in-one-seo-pack/readme.txt
[!] The version is out of date, the latest version is 2.12
[!] Directory listing is enabled: http://SITE.COM/wp-content/plugins/all-in-one-seo-pack/
[!] Title: All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS
Reference: https://wpvulndb.com/vulnerabilities/6888
Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6
[!] Title: All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation
Reference: https://wpvulndb.com/vulnerabilities/6889
Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6
[!] Title: All in One SEO Pack <= 2.0.3 - XSS
Reference: https://wpvulndb.com/vulnerabilities/6890
Reference: http://packetstormsecurity.com/files/123490/
Reference: http://www.securityfocus.com/bid/62784/
Reference: http://seclists.org/bugtraq/2013/Oct/8
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5988
Reference: https://secunia.com/advisories/55133/
[i] Fixed in: 2.0.3.1
[!] Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/7881
Reference: http://jvn.jp/en/jp/JVN75615300/index.html
Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
[i] Fixed in: 2.2.6
[!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7916
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 2.2.6.2
[!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8538
Reference: http://seclists.org/fulldisclosure/2016/Jul/23
Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
Reference: https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
Reference: https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/
[i] Fixed in: 2.3.7
[!] Title: All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8558
Reference: https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/
Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
[i] Fixed in: 2.3.8
[!] Title: All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9159
Reference: https://www.ripstech.com/php-security-calendar-2018/#day-4
Reference: https://wordpress.org/support/topic/a-critical-vulnerability-has-been-detected-in-this-plugin/
Reference: https://semperfiwebdesign.com/all-in-one-seo-pack-release-history/
[i] Fixed in: 2.10
[+] Name: jetpack - v3.2.3
| Last updated: 2019-04-02T18:56:00.000Z
| Location: http://SITE.COM/wp-content/plugins/jetpack/
| Readme: http://SITE.COM/wp-content/plugins/jetpack/readme.txt
[!] The version is out of date, the latest version is 7.2
[!] Directory listing is enabled: http://SITE.COM/wp-content/plugins/jetpack/
[!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7915
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
Reference: https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update/
[i] Fixed in: 3.4.3
[!] Title: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7964
Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
[i] Fixed in: 3.5.3
[!] Title: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8201
Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
[i] Fixed in: 3.7.1
[!] Title: Jetpack <= 3.7.0 - Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8202
Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
[i] Fixed in: 3.7.1
[!] Title: Jetpack <= 3.9.1 - LaTeX HTML Element XSS
Reference: https://wpvulndb.com/vulnerabilities/8472
Reference: https://jetpack.com/2016/02/25/jetpack-3-9-2-maintenance-and-security-release/
Reference: https://github.com/Automattic/jetpack/commit/dbc33b9105c4dbb0de81544e682a8b6d5ab7e446
[i] Fixed in: 3.9.2
[!] Title: Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8500
Reference: https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/
Reference: http://wptavern.com/jetpack-4-0-3-patches-a-critical-xss-vulnerability
Reference: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10706
[i] Fixed in: 4.0.3
[!] Title: Jetpack <= 4.0.3 - Multiple Vulnerabilities
Reference: https://wpvulndb.com/vulnerabilities/8517
Reference: https://jetpack.com/2016/06/20/jetpack-4-0-4-bug-fixes/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10705
[i] Fixed in: 4.0.4
[!] Title: Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9168
Reference: https://www.ripstech.com/php-security-calendar-2018/#day-11
[i] Fixed in: 6.5
[+] Name: wp-serverinfo - v1.30
| Last updated: 2018-12-19T06:22:00.000Z
| Location: http://SITE.COM/wp-content/plugins/wp-serverinfo/
| Readme: http://SITE.COM/wp-content/plugins/wp-serverinfo/readme.txt
[!] The version is out of date, the latest version is 1.65
[!] Directory listing is enabled: http://SITE.COM/wp-content/plugins/wp-serverinfo/
[+] Finished: Fri Apr 5 09:15:58 2019
[+] Requests Done: 79906
[+] Memory used: 181.289 MB
[+] Elapsed time: 00:03:33
05.04.2019, 21:00
Code:
http://nonaname.com/sharedaddy.php?id=1'
Have you tried it like this?
06.04.2019, 20:50
Version 3.2.3 was released in 2016 and the exploit is from 2011; this version is not vulnerable to the SQL injection.
Code:
== Changelog ==
= 3.2.3 =
Release Date: May 26, 2016
Judging by the changelog, the last vulnerable version is 1.2.1 or 1.2.2.
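The rule the thread arrives at, written out so a site owner can apply it to scan output like the one quoted above: a version-based finding covers the install only if the installed version lies inside the range the title advertises and below the "Fixed in" version. This Python example is added here and is not code from the thread or from wpscan; the scan excerpt is constructed, and its CVE-2011-4673 line is written in wpscan's format following the thread's own reading of the changelog.

```python
import re

# Constructed excerpt in the format of the wpscan output quoted above; the
# CVE-2011-4673 line is written as a "<= 1.2.2" finding, following the
# thread's reading of the changelog (wpscan did not print such a line).
SCAN_EXCERPT = """\
[+] Name: jetpack - v3.2.3
[!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7915
[i] Fixed in: 3.4.3
[!] Title: Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)
[i] Fixed in: 6.5
[!] Title: Jetpack <= 1.2.2 - 'sharedaddy.php' ID SQL Injection (CVE-2011-4673)
"""
VERSION = r"\d+(?:\.\d+)*"

def parse_version(text):  # '3.2.3' -> (3, 2, 3, 0); padding makes 3.0 == 3.0.0 and 1.30 > 1.3
    return (tuple(int(p) for p in text.split(".")) + (0, 0, 0, 0))[:4]

def affected_range(title):
    # Inclusive (low, high) from "3.0-3.4.2" or "<= 6.4.2"; None where absent.
    # The lookarounds stop "CVE-2011-4673" from being read as a version range.
    m = re.search(rf"(?<![\w-])({VERSION})-({VERSION})(?![\w-])", title)
    if m:
        return parse_version(m.group(1)), parse_version(m.group(2))
    m = re.search(rf"<=\s*({VERSION})", title)
    return (None, parse_version(m.group(1))) if m else (None, None)

def finding_applies(installed, title, fixed_in):
    # True only if installed lies inside the advertised range and below the fix;
    # None when neither an upper bound nor a fix version is known.
    low, high = affected_range(title)
    if fixed_in is not None and installed >= fixed_in:
        return False
    if (low is not None and installed < low) or (high is not None and installed > high):
        return False
    return None if fixed_in is None and high is None else True

def triage(scan_text):
    # Judge each "[!] Title" against the version from the latest "[+] Name" line;
    # its "[i] Fixed in" line, when present, follows the Reference lines.
    results, plugin, installed = [], None, None
    lines = scan_text.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(r"\[\+\] Name: (\S+) - v(\S+)", line):
            plugin, installed = m.group(1), parse_version(m.group(2))
        elif m := re.match(r"\[!\] Title: (.*)", line):
            fixed_in = None
            for nxt in lines[i + 1:]:
                if nxt.lstrip()[:3] in ("[!]", "[+]"):
                    break
                if f := re.match(r"\s*\[i\] Fixed in: (\S+)", nxt):
                    fixed_in = parse_version(f.group(1))
            results.append({"plugin": plugin, "title": m.group(1),
                            "applies": finding_applies(installed, m.group(1), fixed_in)})
    return results
```

On the excerpt, the two XSS findings come back as applicable to 3.2.3 and the 2011 SQL injection does not, which is the conclusion the thread reaches by hand.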
07.04.2019, 02:49
Yes, that's right, the plugin is useless (I was not paying attention).
Additional info (forgot it at first):
1. apache:http_server: 2.4.25 CVE-2017-9798
It seems to allow a 'memory leak' attack; if I understand correctly, it requires authorized users to be present on the server (the whole point is in the server's handling of the OPTIONS method in test_bleed()), which as a result would let me obtain the data they uploaded from RAM, or would simply lead to a denial of service (DoS).
I'm finding the exploit I need:
Apache prepare() potential SQL Injection
Reference: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: WordPress 4.8.2 Security and Maintenance Release
Reference: Database: Hardening for `wpdb::prepare()` · WordPress/WordPress@70b2127
Reference: Database: Hardening to bring `wpdb::prepare()` inline with documentat… · WordPress/WordPress@fc930d3
Fixed in: 4.2.16
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: Wordpress SQLi
Reference: WordPress 4.8.2 Security and Maintenance Release
Reference: Database: Hardening for `wpdb::prepare()` · WordPress/WordPress@70b2127
Reference: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Fixed in: 4.7.5
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: WordPress 4.7.2 Security Release
Reference: Query: Ensure that queries work correctly with post type names with s… · WordPress/WordPress@8538429
Reference: CVE - CVE-2017-5611
Fixed in: 4.2.12
07.04.2019, 12:27
InetTester said:
[!] Title: WordPress prepare() potential SQL Injection
Reference: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: WordPress 4.8.2 Security and Maintenance Release
Reference: Database: Hardening for `wpdb::prepare()` · WordPress/WordPress@70b2127
Reference: Database: Hardening to bring `wpdb::prepare()` inline with documentat… · WordPress/WordPress@fc930d3
Fixed in: 4.2.16
This is a potential injection; exploiting it requires vulnerable plugins to be present, and you would have to look for a 0day in the plugins yourself.
InetTester said:
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: Wordpress SQLi
Reference: WordPress 4.8.2 Security and Maintenance Release
Reference: Database: Hardening for `wpdb::prepare()` · WordPress/WordPress@70b2127
Reference: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Fixed in: 4.7.5
Again, it requires vulnerable plugins/themes.
InetTester said:
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: WordPress 4.7.2 Security Release
Reference: Query: Ensure that queries work correctly with post type names with s… · WordPress/WordPress@8538429
Reference: CVE - CVE-2017-5611
Fixed in: 4.2.12
Same situation with plugins/themes.
If I were you, I'd look at this instead:
[!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: Full Disclosure: Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
Reference: All in One SEO Pack Changelog | WordPress Developer
Reference: Summer of Pwnage! July 1-29, Amsterdam.
Reference: All in One SEO 2.3.7 Patches Persistent XSS Vulnerability
Reference: Serious Vulnerability in All in One SEO Pack Plugin 2.3.6.1 and earlier
Fixed in: 2.3.7
07.04.2019, 14:34
Raskolnikov said:
This one needs database access.
If I were you, I'd look at this instead:
XSS, not suitable...