Exploiting a vulnerability in logical operators: "isset(…) && !Anything"

Look at this code: if ( isset( $_POST['cartflows-action-nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['cartflows-action-nonce'] ) ), 'cartflows-action-nonce' ) ) { return; } This code was taken from a WordPress plugin with more than 100,000 active downloads, Cartflows (https://wordpress.org/plugins/cartflows/). This condition is a security validation to block CSRF; it works to …

Exploiting framework configuration files – Part 2

Example: Zend I inurl:/application/configs/ intitle:index of inurl:/application/controllers/ intitle:index of filetype:ini "Bootstrap.php" (pass|passwd|password|pwd) Zend II inurl:/data/cache/ intitle:index of inurl:/module/application/ intitle:index of Laravel filetype:env intext:mail_host / "MAIL_PASSWORD" (the filetype:env above, searching for email) filetype:env intext:REDIS_PASSWORD (for Redis configuration) filetype:env intext:"APP_ENV" inurl:readme.md intext:"Laravel" -vendor -github -gitlab -bitbucket -git -node_modules Replace the readme.md …

Exploiting framework configuration files – Part 1

How does a framework work? Wikipedia says a framework is … "A framework, in software development, is an abstraction that joins common code among various software projects, providing generic functionality." By analogy, I can say its operation is similar to that of a wrench, as it is something that facilitates and …

13 / 17 WordPress Plugins with over 150,000 / 270,000 active downloads with the same security issues.

Introduction: At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem. It is common to worry …

Simple Events Calendar 1.3.5 WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/simple-events-calendar// Description: Required user type: administrator. $_POST['event_id'] is not escaped. File / Code: Request path: /wp-content/plugins/simple-events-calendar/simple-events-calendar.php Line: 467 $edit_event = $_POST['event_id']; $update = $wpdb->get_results( " SELECT * FROM $table_name WHERE id = $edit_event ", "ARRAY_A" ); Proof of Concept: 1 – Log in as an administrator user. 2 …

WP Events 2.3.4 WordPress Plugin – SQL Injection

Homepage: https://wordpress.org/plugins/wp-events/ Description: Required user type: administrator. $_GET['edit_event'] is not escaped for SQL (esc_attr() only escapes for HTML attribute output and does nothing against SQL injection). File / Code: Request path: /wp-content/plugins/wp-events/wp-events.php Lines: 450 – 468 if ( isset( $_GET['edit_event'] ) ) { $event_edit_id = esc_attr( $_GET['edit_event'] ); } … $edit_event = $wpdb->get_row( "SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = {$event_edit_id}" ); Proof …

Site leaves more than a thousand documents such as CNH, RG and CPF exposed on the internet.

How would you react if you found your document or card exposed on the internet? It was not my case, but it could be the case for many people. An image intrigued me a lot on Tuesday (26/09): it was a list with several links to Russian passports and visas, and clicking them brought up the scanned images. …

JTRT Responsive Tables 4.1 – WordPress Plugin – Sql Injection

Homepage: https://pt.wordpress.org/plugins/jtrt-responsive-tables/ Description: Required user type: any registered user. $_POST['tableId'] is not escaped. File / Code: Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php Line: 183 $getTableId = $_POST['tableId']; … $retrieve_data = $wpdb->get_results( "SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = " . $getTableId ); Proof of Concept: 1 – Log in as a regular registered user. 2 …

Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Required user type: administrator. The target needs to have LDAP configured and active. $_GET['userid'] is not escaped. File / Code: Request path: /wp-content/plugins/active-directory-integration/syncback.php Line: 135 $result = $ADI->bulksyncback( $_GET['userid'] ); Method path: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty …

Did you know that WordPress accepts md5 but uses its own encryption for passwords?

WordPress has two ways of validating passwords when logging in: it supports MD5 and its own encryption. Yes, you can insert an MD5 password directly into the database and WordPress will understand it. But when you log in with an MD5 password, it will authenticate you and automatically update your password to the most recent encryption. …