Explorando arquivos de configuração de frameworks – Parte 2

Exemplo: Zend I inurl:/application/configs/ intitle:index of inurl:/application/controllers/ intitle:index of filetype:ini “Bootstrap.php” (pass|passwd|password|pwd) Zend II inurl:/data/cache/ intitle:index of inurl:/module/application/ intitle:index of Laravel filetype:env intext:mail_host /  “MAIL_PASSWORD” filetype:env de cima procurando por email filetype:env intext:REDIS_PASSWORD por configuração de redis filetype:env intext:”APP_ENV” inurl:readme.md intext:”Laravel” -vendor -github -gitlab -bitbucket -git -node_modules Troca o readme.md …

Explorando arquivos de configuração de frameworks – Parte 1

Como funciona um framework? Segundo o Wikipedia framework é … “Um framework em desenvolvimento de software, é uma abstração que une códigos comuns entre vários projetos de software provendo uma funcionalidade genérica.“ Por analogia, posso sugerir o funcionamento similar ao de uma chave inglesa, pois é algo que facilita e …

Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access:  is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …

ZM Gallery 1 Plugin WordPress – Blind Injection

Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …

WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …

WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ Description: Type user access: any user. $_POST[‘cat_id’] is not escaped. Is accessible for any user. File / Code: Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php Line: 4 <?php if ( ! defined( ‘ABSPATH’ ) ) exit; // Exit if accessed directly global $wpdb; $category = $wpdb->get_row( “SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=”.$_POST[‘cat_id’] ); echo …

Simple Personal Message 1.0.3 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/simple-personal-message/ Description: Type user access: any user. $_GET[‘message’] is not escaped. sirv_get_row_by_id() is accessible for every registered user. File / Code: Path: /wp-content/plugins/simple-personal-message/admin/partials/simple-personal-message-admin-view.php Line: 25 <?php global $wpdb; $table = $wpdb->prefix . ‘spm_message’; $id = esc_attr($_GET[‘message’]); $message = $wpdb->get_results(“SELECT * FROM $table WHERE id = $id”); $user = get_user_by(‘login’, $message[0]->sender); …

755 e 644 ? Hacking em sistemas de servidores compartilhados. Explorando falhas de permissões

Observação: Este artigo irá demostrar os dois lado da moeda. Um lado ensinando a malícia (utilizando uma ferramenta que disponibilizarei), do outro, ensinarei como podemos mitigar os riscos. Introdução: Por ser um fanático por desenvolvimento e segurança, um amigo desesperado pediu ajuda para poder identificar e limpar o site que estava cheio arquivos …