XML Sitemap Generator for Wordpress (Google XML Sitemaps) Code Injection

2013.01.08
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm AkaStep member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 =============== Vendor: http://www.arnebrachhold.de/redir/sitemap-home/ Software: XML Sitemap Generator for Wordpress aka (Google XML Sitemaps) plugin. Vuln: PHP CODE injection. ===============Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH =============== About Software: This plugin will generate a special XML sitemap which will help search engines like Google, Bing, Yahoo and Ask.com to better index your blog. With such a sitemap, it's much easier for the crawlers to see the complete structure of your site and retrieve it more efficiently. The plugin supports all kinds of WordPress generated pages as well as custom URLs. Additionally it notifies all major search engines every time you create a post about the new content. =============== About vulns: XML Sitemap Generator for Wordpress v<=3.2.8 (Google XML Sitemaps) plugin PHP CODE injection. 1'st issuse: The "xml" file name and extension can be changed to any name+extension. A) Due this issuse it is possible to create any file with any extension on filesystem. B) Using this condition this is possible to overwrite arbitrary files on system(even if the target file(s) chmod'ed to 400!) 2'nd issuse: By manipulating $_POST: sm_cf_home=PHP CODE PAYLOAD GOES HERE sm_cf_posts=PHP CODE PAYLOAD GOES HERE parameters and by injecting PHP CODE into this parameters it is possible to gain shell access there(shell upload). Proof of concept video can be found here about how to exploit this vulnerabilities: http://youtu.be/30OZanIoICE To exploit this vulnerabilities you need admin privileges on target site. To get successfull and easy shell access short_open_tag php.ini directive (php.ini) on server side must be set =off (otherwise you'll get syntax error when creating shell). But this is not panacea.Theris also another ways to solve this.Found it yourself. In itself this vulnerabilities can be used to escalate privileges on target site and fully compromise site and server. ==GUNUN RANDOM SITATI:======GOTDU OGUL ISTEREM! LOOOOOOOL======================= =============== KUDOSSSSSSS: =============== packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep

References:

http://youtu.be/30OZanIoICE
http://www.arnebrachhold.de/redir/sitemap-home/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top