WordPress ‘In the Wild’ and WPScan Update
As part of my on-going interest in WordPress security I wanted to find out for myself what the state of security was like on installations in the wild.
A list of servers running WordPress was acquired from Shodan by searching for a particular HTTP response header and its value. The list contained 10,000 entries; I don’t know for sure, but I assume it contained servers from around the world and was fairly random.
An Open Source project I have been working on, WPScan, a WordPress security scanner, was used to passively scan 100 of those WordPress installations. This was done partly to test the scanner for any defects and also to gather data about the security of WordPress installations in the wild.
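The post does not say which header the Shodan search keyed on or what the passive scan looked at, so the following is an added illustration of what a passive WordPress fingerprint can recover from a single ordinary page fetch. It is example code written for this page, not WPScan’s own code. The HTTP response it parses is constructed here, and `example.com`, the PHP version and the theme name are made up; the `X-Pingback` header is one WordPress-specific header used as an assumption, not necessarily the one the author searched for.

```ruby
# Constructed sample HTTP response (not captured from any real host) that
# mimics what a WordPress front page sends back.
SAMPLE_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Server: Apache
  X-Powered-By: PHP/5.3.6
  X-Pingback: http://example.com/xmlrpc.php
  Content-Type: text/html; charset=UTF-8

  <html><head>
  <meta name="generator" content="WordPress 3.2.1" />
  <link rel="stylesheet" href="http://example.com/wp-content/themes/twentyeleven/style.css?ver=3.2.1" />
  <script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.6.1"></script>
  </head><body>Hello</body></html>
HTTP

# Split a raw HTTP response into status line, a lower-cased header hash and body.
def parse_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.to_s.lines.map(&:chomp)
  status = lines.shift
  headers = {}
  lines.each do |l|
    k, v = l.split(':', 2)
    headers[k.strip.downcase] = v.strip if k && v
  end
  { status: status, headers: headers, body: body.to_s }
end

# Passive WordPress detection: every piece of evidence comes from the one
# page the server already sent, so no extra requests are needed.
def wordpress_fingerprint(raw)
  resp = parse_response(raw)
  body = resp[:body]
  evidence = []
  version = nil

  # X-Pingback advertises xmlrpc.php and is emitted by WordPress itself.
  evidence << 'X-Pingback header' if resp[:headers]['x-pingback'].to_s =~ /xmlrpc\.php/i
  evidence << 'wp-content path'   if body.include?('/wp-content/')
  evidence << 'wp-includes path'  if body.include?('/wp-includes/')

  # The generator meta tag carries the exact version unless the site removes it.
  if (m = body.match(/<meta\s+name=["']generator["']\s+content=["']WordPress\s*([\d.]*)["']/i))
    evidence << 'generator meta tag'
    version = m[1] unless m[1].empty?
  end

  # The active theme leaks through the stylesheet path.
  theme = body[%r{/wp-content/themes/([^/"'?]+)/}, 1]

  {
    wordpress: !evidence.empty?,
    version: version,
    theme: theme,
    php: resp[:headers]['x-powered-by'],
    evidence: evidence
  }
end

if __FILE__ == $PROGRAM_NAME
  p wordpress_fingerprint(SAMPLE_RESPONSE)
end
```

Everything reported comes from the response the server volunteered, which is what makes a scan of this kind passive: no probing of `readme.html`, plugin directories or login pages is involved, and a site that strips the generator tag simply yields `version: nil` rather than a guess.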
Full Path Disclosure (FPD)
Many people, including developers, vendors and security professionals, believe that Full Path Disclosure (FPD) is mainly a Security Misconfiguration problem rather than an Input Sanitisation or Error Handling problem. I’m not saying that they are wrong, but I hope to convince them that it is more of a coding bug than a configuration bug, and I want to set out my argument for why I think FPD is a bug in source code and not in configuration.
What is Full Path Disclosure (FPD)?
According to OWASP:
“Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.”
https://www.owasp.org/index.php/Full_Path_Disclosure
For me this is a very vague description of what FPD really is. FPD occurs when a web application encounters an error that is displayed to the user; the error includes the full path to the file the error occurred in, possibly along with other debugging information.
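To make the description concrete, here is an added example (written for this page, not code from WPScan or the OWASP article) of what the disclosed error looks like and how a scanner picks it out of a response. The error text is constructed: it is the message PHP prints when an array reaches a parameter that expects a string, which is an input-handling bug in the application code rather than a server setting, and the path is the one from the OWASP description above. The URL path passed to `webroot_from` is likewise an assumption for the sake of the example.

```ruby
# Constructed PHP-style error output (not taken from any real site); the
# path is the one used in the OWASP description quoted above, and the
# message is what PHP 5 prints when an array reaches a string parameter.
FPD_SAMPLE = <<~HTML
  <br />
  <b>Warning</b>:  strpos() expects parameter 1 to be string, array given in <b>/home/omg/htdocs/file/index.php</b> on line <b>42</b><br />
  <html><body>page content</body></html>
HTML

# A response with no error text, for the negative case.
CLEAN_SAMPLE = "<html><body>page content</body></html>\n"

# Shapes that PHP runtime messages (html_errors on or off) wrap around a path,
# plus a bare absolute *.php path under the usual webroot parents.
FPD_PATTERNS = [
  %r{\b(?:Warning|Notice|Fatal error|Parse error|Deprecated)\b.*?\bin\s+(?:<b>)?(/[^\s<]+\.php)(?:</b>)?\s+on\s+line\s+(?:<b>)?(\d+)}im,
  %r{(/(?:home|var|usr|srv|opt)/[^\s<>"']+\.php)\b}
]

# Returns each distinct absolute .php path disclosed in a response body,
# with the line number when the message states one.
def find_fpd(body)
  hits = []
  FPD_PATTERNS.each do |re|
    body.scan(re) do |groups|
      path, line = groups
      hits << { path: path, line: (line ? line.to_i : nil) }
    end
  end
  hits.uniq { |h| h[:path] }
end

# Knowing the URL path the erroring script was served from, the webroot is
# what remains once that suffix is stripped from the disclosed path.
def webroot_from(disclosed_path, url_path)
  return nil unless disclosed_path.end_with?(url_path)
  disclosed_path[0, disclosed_path.length - url_path.length]
end

if __FILE__ == $PROGRAM_NAME
  find_fpd(FPD_SAMPLE).each do |h|
    puts "#{h[:path]} (line #{h[:line]}) -> webroot #{webroot_from(h[:path], '/file/index.php')}"
  end
end
```

The second step is the part that matters to an attacker: once the disclosed script path is lined up against the URL it was requested from, the webroot (`/home/omg/htdocs` here) falls out, and that is exactly the value a `load_file()` call inside a SQL injection needs.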
Why is it a problem?
It’s just the path of the file from the root directory; what’s all the fuss about?
Concrete5 <= 5.4.2.1 SQL Injection and XSS Vulnerabilities
# Exploit Title: Concrete5 <= 5.4.2.1 SQL Injection and XSS Vulnerabilities
# Date: 2011-10-04
# Author: Ryan Dewhurst (ryandewhurst at gmail) (@ethicalhack3r)(www.ethicalhack3r.co.uk)
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.4.2.1/
# Version: 5.4.2.1 (tested)
1. Vulnerability Description
Multiple SQL Injection, Cross-Site Scripting (XSS) and Information Disclosure vulnerabilities were identified within Concrete5 version 5.4.2.1.
Please note: only a select few vulnerabilities are outlined in this disclosure; many other vulnerabilities were discovered. Due to time constraints only a small sample of the vulnerabilities are outlined below. The vendor was contacted and replied promptly. Further assistance was asked for but not delivered due to my time constraints.
2. Software Description
CMS made for Marketing but built for Geeks, concrete5 [0] is a content management system that is free and open source.
[Video] WPScan and Metasploit’s Meterpreter
Video demonstrating the PoC of WPScan using Metasploit’s meterpreter to exploit a vulnerable WordPress plugin.
WPScan and Metasploit’s Meterpreter from ryan dewhurst on Vimeo.
[ES] Metasploit db_autopwn against Windows 8
My first blog post in Spanish! (Sorry if my written Spanish is not perfect.)
Yesterday (or the day before) Microsoft made “Windows 8 Developer Preview” available for anyone to download. I did the installation in VirtualBox following this guide (in English).
I wanted to see whether Microsoft might have used some libraries/programs from older versions of Windows that might have remote vulnerabilities, and for which Metasploit has an exploit.
For this I wanted to use db_autopwn so that Metasploit uses every exploit it has for the ports Windows 8 Developer has open. At the same time it would be a quick and simple test.
(Configuration for BT5 R1, using Metasploit revision 13728)