Home

Posts

WordPress Brute Force Multithreading

THE PROJECT WAS MOVED TO GITHUB: https://github.com/claudioviviani/wordbrutepress

November 3, 2014 · 1 min · claudio

WordPress e Python: Come autenticarsi al famoso CMS con python

Intro Dopo aver pubblicato vari exploit e vulnerabilità, sono tornato a scrivere un articolo dove poter condividere piccole nozioni tecniche che ho acquisito recentemente. Negli ultimi mesi mi sono dedicato soprattutto ad analizzare codici php di vari plugins wordpress e alla programmazione in python. Dato che molte vulnerabilità dei plugins wordpress richiedevano un utente (privilegiato e non) con accesso all’area riservata ho pensato: perché non scrivere gli exploit in python per automatizzare il tutto?...

November 2, 2014 · 6 min · claudio

Joomla RD Download Sql Injection

claudio@backbox3:~$ python j00m_com_rd_download_sql_injection.py -t http://127.0.0.1 _______ __ | _ .-----.-----.--------| .---.-. |___| | _ | _ | | | _ | |. | |_____|_____|__|__|__|__|___._| |: 1 | |::.. . | `-------' _______ ______ ______ __ __ | _ | _ \ | _ \ .-----.--.--.--.-----| .-----.---.-.--| | |. l |. | \ |. | \| _ | | | | | | _ | _ | _ | |. _ |....

October 29, 2014 · 1 min · claudio

WordPress and Joomla Creative Contact Form Unauthenticated Shell Upload Vulnerability

claudio@backbox3:~$ python wp_j00m_creative_contact_form_shell_upload.py -t http://127.0.0.1/wordpress -f shell.php -c wordpress ___ ___ __ __,-,__ | Y .-----.----.--| .-----.----.-----.-----. | ' '__| |. | | _ | _| _ | _ | _| -__|__ --| | __| |. / \ |_____|__| |_____| __|__| |_____|_____| |_______| |: | _______ |__| __ |_| |::.|:. | | _ .-----.-----.--------| .---.-. `--- ---' |___| | _ | _ | | | _ | |. | |_____|_____|__|__|__|__|___._| |: 1 | |::....

October 23, 2014 · 2 min · claudio

WordPress CP Multi View Event Calendar 1.01 Sql Injection

###################### # Exploit Title : WordPress CP Multi View Event Calendar 1.01 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Software Link : https://downloads.wordpress.org/plugin/cp-multi-view-calendar.zip # Date : 2014-10-23 # Tested on : Windows 7 / Mozilla Firefox Windows 7 / sqlmap (0.8-1) Linux / Mozilla Firefox Linux / sqlmap 1.0-dev-5b2ded0 ###################### # Description CP Multi View Event Calendar 1.01 suffers from SQL injection vulnerability calid variable is not sanitized....

October 22, 2014 · 1 min · claudio