
Louis Dion-Marcil ldionmarcil

@ldionmarcil
ldionmarcil / hs256.bcheck
Created March 4, 2024 21:56
Burp BCheck to find HS256 JWTs (later revision: the match is anchored to a base64url segment followed by ".", so a hit corresponds to one token's header rather than to a fragment anywhere in the response)
metadata:
    language: v1-beta
    name: "HS256 JWT Detection"
    description: "JWT Using HS256"
    tags: "passive"
    author: "@ldionmarcil"

# Each alternative is the base64 of the alg value at one of the three possible byte alignments
# of the header JSON; the first option of each pair (oc/aH/hz) covers lowercase "hs256",
# the second (IU/SF/hT) covers "HS256".
given response then
    if {latest.response} matches "ey[\w]+((oc|IU)zI1N|(aH|SF)MyNT|(hz|hT)MjU)[\w\-=]*\." then
        # the gist preview ends at "report issue:"; the fields below are an assumed completion
        report issue:
            severity: info
            confidence: firm
            detail: "A JWT in the response declares a symmetric HMAC algorithm (HS256). Decode the header to confirm, then assess whether the secret could be weak or shared."
            remediation: "Use a high-entropy HMAC secret that is not shared with untrusted parties, or an asymmetric algorithm when tokens are verified by more than one service."
    end if
@ldionmarcil
ldionmarcil / hs256.bcheck
Created March 4, 2024 20:35
Burp BCheck to find HS256 JWTs (earlier revision: the unanchored "ey.*" lets one match run from any "ey" to a base64 fragment arbitrarily far away in the response, so a hit is not tied to a single token)
metadata:
    language: v1-beta
    name: "HS256 JWT Detection"
    description: "JWT Using HS256"
    tags: "passive"
    author: "@ldionmarcil"

given response then
    if {latest.response} matches "ey.*((oc|IU)zI1N|(aH|SF)MyNT|(hz|hT)MjU)" then
        # the gist preview ends at "report issue:"; the fields below are an assumed completion
        report issue:
            severity: info
            confidence: tentative
            detail: "Possible HS256 JWT in the response; decode the header to confirm the alg value."
            remediation: "Use a high-entropy HMAC secret, or an asymmetric algorithm when tokens are verified by more than one service."
    end if
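Added example, not part of either gist: a Python script that shows why both versions of the regex need three alternatives. Base64 encodes three bytes at a time, so the encoded form of "HS256" depends on the byte offset of the value inside the header JSON; the constructed headers below use a kid value to push "HS256" to each alignment, plus a lowercase variant and two algorithms that must not fire. It also decodes the header of every hit, which is the confirmation step a practitioner should add, because the regex is only a heuristic. HEADERS, demo and the placeholder signature segment are assumptions of this example.

```python
import base64
import json
import re

# The tightened regex from the later gist; Python's re accepts it unchanged.
HS256_RE = re.compile(r"ey[\w]+((oc|IU)zI1N|(aH|SF)MyNT|(hz|hT)MjU)[\w\-=]*\.")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(header: dict, payload: dict) -> str:
    """Serialise header and payload as a JWT. The third segment is a constructed
    placeholder, not a real HMAC: the passive check only looks at the header."""
    head = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head}.{body}.c2lnbmF0dXJl"


def alg_offset_mod3(header: dict) -> int:
    """Byte offset, modulo 3, of the alg value inside the compact header JSON.
    Base64 works on 3-byte groups, so this offset decides which of the regex's
    three alternatives (IUzI1N / SFMyNT / hTMjU) the encoded header contains."""
    raw = json.dumps(header, separators=(",", ":"))
    return raw.index(header["alg"]) % 3


def find_hs256_candidates(response_body: str) -> list[str]:
    """Passive scan: header segment of every token the regex flags."""
    return [m.group(0).rstrip(".") for m in HS256_RE.finditer(response_body)]


def header_alg(token_or_header: str) -> str:
    """Confirm a regex hit by decoding the header; the regex is only a heuristic."""
    head = token_or_header.split(".")[0]
    return json.loads(b64url_decode(head))["alg"]


# Constructed headers: the kid values shift "HS256" so it lands at each alignment.
HEADERS = {
    "align2": {"alg": "HS256", "typ": "JWT"},   # offset 8  -> IUzI1N
    "align0": {"kid": "1", "alg": "HS256"},     # offset 18 -> SFMyNT
    "align1": {"kid": "12", "alg": "HS256"},    # offset 19 -> hTMjU
    "lower": {"alg": "hs256", "typ": "JWT"},    # oczI1N: first option of each pair
    "rs256": {"alg": "RS256", "typ": "JWT"},    # must not fire
    "none": {"alg": "none", "typ": "JWT"},      # must not fire
}


def demo() -> dict:
    """Return {name: (alignment, regex_hit, decoded alg)} for each constructed header."""
    results = {}
    for name, header in HEADERS.items():
        token = make_jwt(header, {"sub": "user"})
        body = f'{{"access_token":"{token}","token_type":"Bearer"}}'  # constructed response
        hits = find_hs256_candidates(body)
        results[name] = (alg_offset_mod3(header), bool(hits), header_alg(token))
    return results


if __name__ == "__main__":
    for name, (align, hit, alg) in demo().items():
        print(f"{name:7s} alignment={align} regex_hit={hit} decoded_alg={alg}")
```

Running it shows the three HS256 headers matching through three different alternatives, the lowercase header matching through the oc/aH/hz options, and RS256 and none producing no hit.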
@ldionmarcil
ldionmarcil / cert.sh
Created March 4, 2024 18:03
find a URL's certificate Common Name and Subject Alternative Names
function cert {
    # reads URLs/hostnames from stdin
    # prints the Common Name + Subject Alternative Names of the certificate served by each responding HTTPS server
    # (httpx -tls-grab collects the certificate; jq merges .tls.subject_cn with .tls.subject_an and deduplicates)
    # usage: echo https://example.com | cert        (human readable)
    #        cat hosts.txt | cert batch > names.txt  (any argument switches to batching)
    if [ $# -eq 0 ]; then
        # human readable: one line per URL, URL highlighted in blue
        httpx -silent -json -tls-grab | jq -r '"\u001b[34m\(.url)\u001b[0m \(.tls | [.subject_cn] + .subject_an | unique | join(" "))"'
    else
        # batching: one bare name per line, suitable as input for another tool
        httpx -silent -json -tls-grab | jq -r '(.tls | [.subject_cn] + .subject_an | unique | join("\n"))'
    fi
}
@ldionmarcil
ldionmarcil / gist:af7b779c482fbb92a9d612fefc42df82
Created January 18, 2024 23:49
Some Burp Logger++ filters I use
#clean : removes annoying requests that a specific app makes and that I don't want to filter out permanently. For example, if an app uses Google Identity Toolkit, I don't want to drop every Google API host.
!(Request.URL CONTAINS "/_track") AND Request.Hostname != "identitytoolkit.googleapis.com"
#nostatic : a fairly dumb heuristic that removes most of the "uninteresting" (i.e. static) content in a project. You can do much more with Response.InferredType, but I only use the Content-Type header because it's much faster when you don't touch response bodies in large projects.
!(#js OR #image OR #css OR #plain OR #audiovideo)
#json : filters for JSON content. Uses the inferred type because JSON is often returned with odd content types; not a member of #nostatic because parsing the body hurts performance too much.
Response.InferredType == "json"
#js
@ldionmarcil
ldionmarcil / confurl.sh
Created March 2, 2021 23:58
Bash wrapper around Confused to support URLs
function confurl() {
    # fetch a dependency manifest by URL and hand it to confused (github.com/visma-prodsec/confused)
    # usage: confurl https://example.com/requirements.txt
    url="$1"
    content=$(curl -s "$url")
    type="npm" #default to npm
    # substring heuristics for the manifest type; note "==" is tested first, so a package.json
    # that happens to contain "==" (e.g. in a script) is classified as pip
    if [[ "$content" == *"=="* ]]; then
        type="pip"
    elif [[ "$content" == *"dependencies\""* ]]; then
        type="npm"
    elif [[ "$content" == *"maven.apache.org"* ]]; then
        type="mvn"
    fi
    # the gist preview ends at the maven branch; the lines below are an assumed completion
    # based on the gist's stated purpose and confused's "-l <type> <file>" invocation
    tmp=$(mktemp)
    printf '%s' "$content" > "$tmp"
    confused -l "$type" "$tmp"
    rm -f "$tmp"
}
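Added example, not part of the gist or of confused: a Python version of the manifest classification the wrapper does with substring tests, followed by the check confused itself performs, run offline. Manifests are classified structurally (parse the JSON, look for the Maven namespace, match requirement lines) so a package.json whose scripts contain "==" is no longer mistaken for a requirements file, and the registry lookup is replaced by a constructed stand-in (PUBLIC_NAMES) so the script runs without network access. SAMPLES, PUBLIC_NAMES and the function names are assumptions of this example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the registry lookups confused performs against npm,
# PyPI and Maven Central. Offline, anything not listed here counts as unclaimed.
PUBLIC_NAMES = {
    "npm": {"express", "lodash"},
    "pip": {"requests", "flask"},
    "mvn": {"org.apache.commons:commons-lang3"},
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def detect_type(content: str) -> str:
    """Classify a fetched manifest structurally rather than by substring."""
    text = content.lstrip()
    if text.startswith("<") and "maven.apache.org" in text:
        return "mvn"
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            doc = None
        if isinstance(doc, dict) and any(k in doc for k in ("dependencies", "devDependencies")):
            return "npm"
    if re.search(r"^[A-Za-z0-9][\w.-]*\s*(==|>=|<=|~=|!=)", content, re.M):
        return "pip"
    return "unknown"


def normalize_pip(name: str) -> str:
    """PEP 503 normalisation, so acme_auth_client and Acme-Auth.Client compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_dependencies(content: str, kind: str) -> set[str]:
    """Extract the declared package names from a manifest of the given kind."""
    names: set[str] = set()
    if kind == "npm":
        doc = json.loads(content)
        for key in ("dependencies", "devDependencies", "optionalDependencies"):
            names.update(doc.get(key, {}))
    elif kind == "pip":
        for line in content.splitlines():
            line = line.split("#", 1)[0].strip()                    # drop comments
            m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)   # skips -r / -e / --index-url lines
            if m:
                names.add(normalize_pip(m.group(1)))
    elif kind == "mvn":
        root = ET.fromstring(content)
        for dep in root.findall(".//m:dependency", MAVEN_NS):
            group = dep.findtext("m:groupId", namespaces=MAVEN_NS)
            artifact = dep.findtext("m:artifactId", namespaces=MAVEN_NS)
            names.add(f"{group}:{artifact}")
    else:
        raise ValueError(f"unsupported manifest type: {kind}")
    return names


def confused_check(content: str) -> tuple[str, set[str]]:
    """Return (manifest type, names absent from the public registry). Unclaimed names are
    the dependency-confusion candidates: an attacker can publish them publicly, and a
    resolver that consults the public index first will install the attacker's package."""
    kind = detect_type(content)
    return kind, parse_dependencies(content, kind) - PUBLIC_NAMES[kind]


# Constructed manifests standing in for what confurl would curl from a URL.
SAMPLES = {
    "package.json": '{"name":"web","scripts":{"test":"node -e \'1==1\'"},'
                    '"dependencies":{"express":"^4.18.0","acme-ui-kit":"1.2.0"},'
                    '"devDependencies":{"lodash":"4.17.21"}}',
    "requirements.txt": "requests==2.31.0\n# internal package\nacme_auth_client==0.4.1\n-r base.txt\n",
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0</modelVersion>'
               '<dependencies><dependency><groupId>org.apache.commons</groupId>'
               '<artifactId>commons-lang3</artifactId><version>3.12.0</version></dependency>'
               '<dependency><groupId>com.acme.internal</groupId><artifactId>billing-core</artifactId>'
               '<version>2.0.0</version></dependency></dependencies></project>',
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        kind, candidates = confused_check(content)
        print(f"{filename}: type={kind} unclaimed={sorted(candidates)}")
```

Against a real target, replace PUBLIC_NAMES with registry queries (or simply pass the downloaded file to confused with the detected type); the classification and name extraction stay the same.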

# Matrix login and room join with matrix-python-sdk (MatrixClient); separate gist from confurl.sh above
from matrix_client.client import MatrixClient
client = MatrixClient("https://matrix.org")
# password login returns an access token for the session
token = client.login_with_password(username="user", password="pass")
print("connected...")
# join by room ID (or alias); returns a Room object
room = client.join_room("!room:matrix.org")
print("Room joined")
@ldionmarcil
ldionmarcil / DESCRIPTION.md
Last active December 31, 2016 18:19
Authenticated directory listing in XCloner WP plugin <3.5.1, leads to full backups disclosure

Description

Authenticated users are able to perform directory listings at any location available to the WordPress user, leaking the filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.5, but may have been introduced in earlier versions. Because the backup download itself is not authenticated, an attacker who learns the otherwise secret backup file paths from such a listing can retrieve the full backup contents.

POC

Logged in as a regular, unprivileged user (subscriber)

@ldionmarcil
ldionmarcil / DESCRIPTION.md
Last active August 28, 2016 18:54
Stored XSS in Newsletter WP plugin <4.6.0, could lead to privilege escalation

Description

There is a stored XSS vulnerability in the Newsletter WordPress plugin version 4.6.0 when editors are given access to the Newsletter plugin. Editors are able to modify any subscriber's secret token, which is then displayed unescaped in various places in the administration panel. An attacker can set a token containing a JavaScript snippet that will be served to and executed by administrators using the Newsletter panel, which may be used to escalate privileges.

POC

@ldionmarcil
ldionmarcil / DESCRIPTION.md
Created August 27, 2016 19:57
Unauthenticated stored XSS affecting admins in 404-to-301 <2.3.1

Description

There is a stored XSS in the 404-to-301 WP plugin <2.3.1. Unauthenticated users can visit a specially crafted URL and the redirect path is logged to the database. The redirection source is stored unescaped, so it is served as-is and evaluated in the browsers of logged-in admins when they view the redirection logs at http://wordpress/wp-admin/admin.php?page=i4t3-logs. Affected versions are <2.3.1.

POC

@ldionmarcil
ldionmarcil / gist:4f4ad5e39107e5702c84
Created April 1, 2015 13:00
ETS spring 2015 strike vote tally
# Tally of the spring 2015 ETS strike vote; each dict counts one ballot question.
# Keys are the French ballot options (Abstention, Pour = for, Contre = against);
# "" counts blank answers. The gist preview ends after the initialisation.
counter = 0
gel = {"Abstention": 0,      # question 1: "gel" (freeze)
       "Pour": 0,
       "Contre": 0,
       "": 0}
greve = {"Abstention": 0,    # question 2: "grève" (strike)
         "Pour": 0,
         "Contre": 0,
         "": 0}