Windylh's blog

Wordpress插件渗透测试

Posted on 2017-09-18 Edited on 2018-11-01

0x00 信息收集

网址是一个wordpress博客。

1	Apache/2.4.10 (Debian)

既然是wp，直接用wpscan扫一扫。

[+] We found 2 plugins:

[+] Name: akismet
 |  Latest version: 3.3.4
 |  Location: http://218.2.197.234:2040/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
 |  Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
 |  Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1

XNUCA-Writeup

Posted on 2017-09-18 Edited on 2018-11-01

#No.8 看视频真嗨皮（读：50分，写：100分）

提交
关键字词：一档靶标题
===============================================================
周末看个电影放松一下吧！

海洋cms v6.45前台getshell漏洞

实验吧(密码学、杂项、隐写部分)Writeup

Posted on 2017-09-18 Edited on 2018-11-01

这里没有key

题目：http://www.shiyanbar.com/ctf/7

打开题目，js弹窗，这里没有key，查看源代码，在注释发现

实验吧(Web部分)Writeup

Posted on 2017-09-15 Edited on 2018-11-01

PHP大法

题目：http://www.shiyanbar.com/ctf/54

提示访问index.php.txt

<?php
if(eregi("hackerDJ",$_GET[id])) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
  echo "<p>Access granted!</p>";
  echo "<p>flag: *****************} </p>";
}
?>


<br><br>
Can you authenticate to this website?