Exploiting framework configuration files – Part 2

Example: Zend I inurl:/application/configs/ intitle:index of inurl:/application/controllers/ intitle:index of filetype:ini "Bootstrap.php" (pass|passwd|password|pwd) Zend II inurl:/data/cache/ intitle:index of inurl:/module/application/ intitle:index of Laravel filetype:env intext:mail_host / "MAIL_PASSWORD" filetype:env (the one above, looking for email) filetype:env intext:REDIS_PASSWORD (for Redis configuration) filetype:env intext:"APP_ENV" inurl:readme.md intext:"Laravel" -vendor -github -gitlab -bitbucket -git -node_modules Swap the readme.md …

13 / 17 WordPress Plugins with over 150,000 / 270,000 active downloads with the same security issues.

Introduction: At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem. It is common to worry …

Simple Events Calendar 1.3.5 WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/simple-events-calendar//
Description: Type user access: administrator user. $_POST['event_id'] is not escaped.
File / Code: Path Request: /wp-content/plugins/simple-events-calendar/simple-events-calendar.php Line: 467
$edit_event = $_POST['event_id'];
$update = $wpdb->get_results( " SELECT * FROM $table_name WHERE id = $edit_event ", "ARRAY_A" );
Proof of Concept: 1 – Log in with administrator user. 2 …

WP Events 2.3.4 WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/wp-events/
Description: Type user access: administrator user. $_GET['edit_event'] is not escaped.
File / Code: Path Request: /wp-content/plugins/wp-events/wp-events.php Line: 450 – 468
if ( isset( $_GET['edit_event'] ) ) { $event_edit_id = esc_attr( $_GET['edit_event'] ); }
…
$edit_event = $wpdb->get_row( "SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = {$event_edit_id}" );
Proof …

JTRT Responsive Tables 4.1 – WordPress Plugin – Sql Injection

Homepage: https://pt.wordpress.org/plugins/jtrt-responsive-tables/
Description: Type user access: registered single user. $_POST['tableId'] is not escaped.
File / Code: Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php Line: 183
$getTableId = $_POST['tableId'];
…
$retrieve_data = $wpdb->get_results( "SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = " . $getTableId );
Proof of Concept: 1 – Log in with single user. 2 …

Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/
Description: Type user access: administrator user. The target needs to have LDAP configured and active. $_GET['userid'] is not escaped.
File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line: 135
$result = $ADI->bulksyncback( $_GET['userid'] );
Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142
// They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty …