This vulnerability is rather marginal: you need publishing privileges. Yesterday I saw a Chinese version, whose author would only release it in exchange for you-know-what... today I saw an English version! The same exploitation method! Which one is the original?

Original source: http://img.vul.kr/uploads/20101205/1291540019wordpress-another-0day-exploit.txt
English original:

The format of the preceding article did not allow me to tell you about some more interesting unpublished vulnerabilities and banal omissions in WordPress. So now you'll be able to read the continuation of the penetration testing of the famous blogging platform. Here we go!

Statistics: 1.5.x - 207 blogs (0.6%)

At the same time, only a very small number of vulnerabilities has been found and published for these branches (recall that the last public SQL injection was in version 2.2.2).

Joke humor

Let's begin with a detailed analysis of the comment-posting mechanism in the latest version at the time of writing, 2.7.1.

1. I've looked at wp-comments-post.php (as well as wp-trackback.php), through which all comments pass; it contains the following code:
4. The edit_post action is defined in /wp-includes/default-filters.php:
5. Find the function we need in /wp-includes/post.php:
6. And, actually, what we needed all this code for, /wp-includes/query.php:
From the analysis of the code above, the conclusion is this: if the database holds a «_wp_old_slug» value for a particular post, a redirect is performed to the real address of the post. To add this value, your comment must be approved. How to leave comments without moderation you already know from the first part of the article :) Now, finally, the exploit for our jokes is ready:

In the «Slug» field insert a new name for a suitable post and send the link to the admin, watching his reaction.

Unsafe Snoopy

So, recall the code-exec vulnerability in the Snoopy class discovered by foreign code-diggers, which is also present in WordPress. The vulnerability in WordPress's copy of Snoopy was patched with escapeshellcmd as far back as the 1.5.x branch, but nevertheless the developers went and spoiled perfectly working code with an incomprehensible patch in version 2.6.3. I can guess what they were thinking from this post on the dev blog: «A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately.» Also, compare the two pieces of code:

- Snoopy code in WordPress

The second piece of code is the official patch from the Snoopy developers, which closes the previous code exec (but not the new one). Funny, isn't it? Why patch something that was already patched so badly? We'll hardly learn the answers to these questions. Such negligence by the developers opened the way to a remarkable vulnerability. But first things first.

1. Using the method from the first part of the article, set any RSS feed on the admin's main page and point its address at your clever script, for example http://lamer.com/code-exec.php;
2. The script code-exec.php should contain the following code:
After these simple actions, a shell lands in /wp-content/test.php on the target blog. Now let's consider where and why this is possible:

1. Only on WordPress 2.6.3 and 2.6.5 (there simply was no 2.6.4, and in 2.7 Snoopy is almost not used), with open registration, which is needed to edit the RSS feeds;
2. Only on systems where curl is installed at /usr/local/bin/curl (the most common system with such a configuration is FreeBSD), since that is the notorious hard-coded path in /wp-includes/class-snoopy.php; in addition, the curl binary is checked for existence and executability:
3. This works because Snoopy follows redirects (up to 5 by default). During a redirect the server-side script can set cookies and other headers that Snoopy will send on. As you can see from the pseudo-patch above, nobody, of course, thought about filtering the headers before passing them to exec().
4. This works not only with cookies but with many other headers. For example, we can pass arbitrary code in the HOST header as follows:
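The flaw in points 3 and 4 is a shell command assembled by string concatenation from header values that a redirect target controls. The following is an added example, not the article's script and not Snoopy's or WordPress's code: a constructed Host header in the shape the article describes, a Snoopy-style concatenated command line, the same command built with per-argument quoting (shlex.quote, the Python analogue of PHP's escapeshellarg), and an argv form that needs no shell at all. The host name, the curl path and the payload are assumptions for illustration; nothing here is executed, the commands are only tokenised as a POSIX shell would see them.

```python
import shlex

# Constructed example values. URL is the attacker host from the article's
# scenario; CURL is the hard-coded path the article mentions; EVIL_HOST is a
# header value that closes the double quote a naive client wraps it in and
# smuggles two further shell commands.
URL = "http://lamer.com/code-exec.php"
CURL = "/usr/local/bin/curl"
EVIL_HOST = 'lamer.com"; touch /tmp/pwned; echo "'
EVIL_HEADERS = {"Host": EVIL_HOST, "Cookie": "session=1"}


def build_curl_cmd_unsafe(url, headers):
    """Vulnerable shape: one shell string assembled by concatenation.
    Header values are wrapped in double quotes but never escaped, so a value
    containing '"; ...' ends the argument and starts a new command."""
    cmd = f"{CURL} -s"
    for name, value in headers.items():
        cmd += f' -H "{name}: {value}"'
    return f"{cmd} {url}"


def build_curl_cmd_quoted(url, headers):
    """Hardened shell string: every header value goes through shlex.quote, so
    the shell sees exactly one argument per header whatever it contains."""
    parts = [CURL, "-s"]
    for name, value in headers.items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    parts.append(shlex.quote(url))
    return " ".join(parts)


def build_curl_argv(url, headers):
    """Better still: an argv list for an exec-style call with no shell involved.
    The header value is a single element and can never be parsed as syntax."""
    argv = [CURL, "-s"]
    for name, value in headers.items():
        argv += ["-H", f"{name}: {value}"]
    return argv + [url]


def count_shell_commands(cmd):
    """Tokenise like a POSIX shell and count how many separate commands the
    string would run: 1 plus every ';', '&&', '||', '|' or '&' outside quotes."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


if __name__ == "__main__":
    for builder in (build_curl_cmd_unsafe, build_curl_cmd_quoted):
        cmd = builder(URL, EVIL_HEADERS)
        print(f"{builder.__name__}: {count_shell_commands(cmd)} command(s)\n  {cmd}")
    print("argv form:", build_curl_argv(URL, EVIL_HEADERS))
```

The unsafe builder yields three commands from one header; the quoted builder and the argv form yield one. The same tokeniser can be run over any command line a fetcher constructs to check that untrusted input never introduces a separator.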
Sly upload

Consider the source of the WordPress remote-publishing interface, xmlrpc.php (yes, the largest number of SQL injections in the engine has been found in this file). The interface exposes the method metaWeblog.newMediaObject, which is a direct reference to the function mw_newMediaObject. Let's do a little reversing:

1. /xmlrpc.php
2. /wp-includes/post.php

Tracing the whole path of the variable $type, you'll find that nobody bothered to filter it before inserting it into the SQL query :) Therefore we can easily inject into the UPDATE query, for example by sending the following POST packet to xmlrpc.php:
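Independently of that packet, the bug class is a caller-supplied value spliced into the text of an UPDATE, and it can be shown offline. The following is an added example, not the article's exploit and not WordPress's code: a constructed SQLite schema loosely modelled on wp_posts and wp_users with a placeholder hash, a vulnerable update that interpolates the type value the way the article describes $type reaching the query, a constructed payload that makes the upload's URL column carry the admin hash (the effect the article describes seeing under Manage => Uploads), and the parameterised form that stores the same payload as inert text.

```python
import sqlite3

# Constructed schema and rows; the hash is a placeholder, not a real credential.
ORIGINAL_GUID = "http://blog.example/wp-content/uploads/a.gif"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_mime_type TEXT, guid TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BplaceholderHash0000000000000');
        INSERT INTO wp_posts VALUES (10, 'image/gif', '{ORIGINAL_GUID}');
    """)
    return conn


def set_mime_type_unsafe(conn, post_id, mime_type):
    """Vulnerable shape: the type string becomes part of the statement text."""
    sql = f"UPDATE wp_posts SET post_mime_type = '{mime_type}' WHERE ID = {int(post_id)}"
    conn.execute(sql)
    conn.commit()


def set_mime_type_safe(conn, post_id, mime_type):
    """Hardened shape: bound parameters, so the value can never become SQL."""
    conn.execute("UPDATE wp_posts SET post_mime_type = ? WHERE ID = ?", (mime_type, post_id))
    conn.commit()


def read_upload(conn, post_id):
    """What the admin panel would show for this upload: (mime type, URL)."""
    return conn.execute(
        "SELECT post_mime_type, guid FROM wp_posts WHERE ID = ?", (post_id,)
    ).fetchone()


# Constructed payload: closes the string literal, appends a second assignment
# that copies the admin hash into guid, and comments out the rest.
PAYLOAD = "image/gif', guid = (SELECT user_pass FROM wp_users WHERE user_login = 'admin') -- "


def demo():
    """Run the same payload through both versions; returns (leaked_row, intact_row)."""
    vuln = make_db()
    set_mime_type_unsafe(vuln, 10, PAYLOAD)
    leaked = read_upload(vuln, 10)

    fixed = make_db()
    set_mime_type_safe(fixed, 10, PAYLOAD)
    intact = read_upload(fixed, 10)
    return leaked, intact


if __name__ == "__main__":
    leaked, intact = demo()
    print("unsafe update ->", leaked)   # guid now holds the admin hash
    print("safe update   ->", intact)   # guid unchanged, payload stored as text
```

Note that the injected `--` also removes the WHERE clause, so on a real table every row would be rewritten; the quiet damage of an UPDATE injection is often larger than the one value the attacker wanted to read.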
After sending the packet to the victim's blog, hurry to the admin panel: Manage => Uploads. In the «URL» field, if the exploit worked, you'll see the admin's password hash.

Tricks with curl

First it must be said that this is not a WordPress vulnerability but rather a feature of curl, the PHP library that WordPress now uses instead of Snoopy, which has sunk into oblivion. The curl quirk is that it will gladly read for you not only remote files over http, but also local ones with the prefix «file://»! As a rule, though, the prefix is checked at the entry of the script, and it would seem «file://» cannot be used. However, nobody thought about curl supporting redirects via the flag «CURLOPT_FOLLOWLOCATION». That is, by feeding curl a perfectly normal http URL, at the output we can get a read of arbitrary local files (for the discoverer's detailed advisory, see the footnotes)! In WordPress a lot of files use the class in /wp-includes/http.php, but for now we'll consider only one of the most accessible pre-auth bugs (finding other ways in the admin area is your homework :)).

1. /wp-includes/http.php

Yes! You see that same flag, responsible for following redirects! I'll omit the further arcane code, but I'll just say that by default (out of four possible variants) WordPress chooses curl as the transport for http data:

function wp_remote_get($url, $args = array()) {
return $objFetchSite->get($url, $args);

2. The function outlined above is used in /wp-includes/functions.php:

function wp_remote_fopen($uri) {

3. And finally, that same function is used in your already beloved xmlrpc interface:

function pingback_ping($args) {

Now we have everything we need to write an exploit, to which we now proceed.

Was there a video?

1. ./ping1/index.php
2. ./ping2/index.php

In this example the first file will be able to ping the second, thanks to yet another WordPress flaw. Look at the ping mechanism in xmlrpc.php:

//Check if the page linked to is in our site

This check does not force the second, pinged site to always be this blog, because we can bypass it by inserting the address of this very blog, for example at the end of the URL after the hash sign. Everything is ready to check for the file c:\boot.ini on the system under test. To exploit this vulnerability you only need to send the following POST packet to xmlrpc:

After sending the packet you can get one of two responses from the server:

1. If the file c:\boot.ini exists, the blog sends this response: Pingback from http://lamer.com/ping1/?p=2 to http://lamer.com/ping2/?p=1#lamer.com/blog registered. Keep the web talking!
2. If no such file exists, expect the response: The source URL does not exist.

By the way, this way it would be quite possible to read the contents of any file on the system, if the pingback weren't truncated to a very small number of characters. So in the pingback comment you'll see only something like:

[...] Server: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d PHP/5.2.4 X-Powered-By: PHP/5.2.4 popa: 111 Location: file:///c:\boot.ini Content-Length: 0 Connection: close Content-Type: text/html; [...]

The contents of c:\boot.ini are somewhere under the cut :) The described exploitation method is not the only one. In the admin area you can find other calls to wp_get_http() which will also let you read files on the system. Finding them is your homework. To be continued ...
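Two checks are missing in the pingback path described in the "Tricks with curl" section and above: the scheme of each Location in a redirect chain is never re-validated, and the "is the page linked to in our site" test can be satisfied by text after the «#». The following is an added example, not the article's ping1/ping2 scripts and not WordPress's code: a constructed, offline table of responses standing in for the network (the redirect to a local file mirrors the article's trick; the file path uses forward slashes for convenience), a redirect follower that rejects any non-http(s) hop, a naive substring "our site" check of the kind the fragment bypass defeats, and a strict check that parses the URL first. The home URL and the host name are taken from the article's pingback response text; the exact shape of the original checks is an assumption.

```python
from urllib.parse import urljoin, urlsplit

HOME = "http://lamer.com/blog"   # the blog's own address, from the article's pingback text

# Constructed responses in place of real HTTP: url -> (status, headers).
FAKE_RESPONSES = {
    "http://lamer.com/ping1/?p=2": (302, {"Location": "file:///c:/boot.ini"}),
    "http://lamer.com/ping2/?p=1": (200, {}),
    "http://lamer.com/loop":       (302, {"Location": "http://lamer.com/loop"}),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


class RedirectRejected(Exception):
    pass


def fake_head(url):
    """Stand-in for the transport; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, {}))


def follow_redirects(url, max_redirects=5, allowed=("http", "https")):
    """Resolve a redirect chain, re-validating the scheme at every hop.
    A client that checks 'file://' only on the initial URL and then lets the
    transport follow Location (CURLOPT_FOLLOWLOCATION) skips exactly this
    per-hop check. Returns (final_url, status)."""
    for _ in range(max_redirects + 1):
        if urlsplit(url).scheme not in allowed:
            raise RedirectRejected(f"refusing non-http(s) URL: {url}")
        status, headers = fake_head(url)
        if status not in REDIRECT_CODES or "Location" not in headers:
            return url, status
        url = urljoin(url, headers["Location"])
    raise RedirectRejected("too many redirects")


def is_our_site_naive(url):
    """Substring check of the kind the '#lamer.com/blog' trick defeats
    (constructed; not the actual line from xmlrpc.php)."""
    return HOME.split("://", 1)[1] in url


def is_our_site_strict(url):
    """Parse first, then compare scheme, host and path prefix. The fragment is
    not part of the comparison, so text after '#' cannot satisfy it."""
    target, home = urlsplit(url), urlsplit(HOME)
    prefix = home.path.rstrip("/") + "/"
    return (target.scheme == home.scheme
            and target.netloc.lower() == home.netloc.lower()
            and (target.path == home.path or target.path.startswith(prefix)))


if __name__ == "__main__":
    bypass = "http://lamer.com/ping2/?p=1#lamer.com/blog"
    print("naive :", is_our_site_naive(bypass), " strict:", is_our_site_strict(bypass))
    try:
        follow_redirects("http://lamer.com/ping1/?p=2")
    except RedirectRejected as err:
        print("blocked:", err)
```

The per-hop scheme check is the part that matters for the curl case: validating the URL the caller handed in is not enough once the transport is allowed to follow Location on its own. For a real client, the same check belongs in a redirect callback or in a loop that performs each hop explicitly with redirects disabled.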
Source: lcx.cc, [Exp] WordPress blog personal information publishing platform