1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
===============
Vendor: http://www.arnebrachhold.de/redir/sitemap-home/
Software: XML Sitemap Generator for Wordpress aka (Google XML Sitemaps) plugin.
Vuln: PHP CODE injection.
===============Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===============
About Software:
This plugin will generate a special XML sitemap which will help search engines like Google, Bing,
Yahoo and Ask.com to better index your blog.
With such a sitemap, it's much easier for the crawlers to see the complete structure of your site
and retrieve it more efficiently.
The plugin supports all kinds of WordPress generated pages as well as custom URLs.
Additionally it notifies all major search engines every time you create a post about the new content.
===============
About vulns:
XML Sitemap Generator for Wordpress v<=3.2.8 (Google XML Sitemaps) plugin PHP CODE injection.
1'st issuse: The "xml" file name and extension can be changed to any name+extension.
A) Due this issuse it is possible to create any file with any extension on filesystem.
B) Using this condition this is possible to overwrite arbitrary files on system(even if the target file(s) chmod'ed to 400!)
2'nd issuse:
By manipulating $_POST:
sm_cf_home=PHP CODE PAYLOAD GOES HERE
sm_cf_posts=PHP CODE PAYLOAD GOES HERE
parameters and by injecting PHP CODE into this parameters it is possible to gain shell access there(shell upload).
Proof of concept video can be found here about how to exploit this vulnerabilities:
http://youtu.be/30OZanIoICE
To exploit this vulnerabilities you need admin privileges on target site.
To get successfull and easy shell access short_open_tag php.ini directive (php.ini) on
server side must be set =off (otherwise you'll get syntax error when creating shell).
But this is not panacea.Theris also another ways to solve this.Found it yourself.
In itself this vulnerabilities can be used to escalate privileges on target site and fully compromise site and server.
==GUNUN RANDOM SITATI:======GOTDU OGUL ISTEREM! LOOOOOOOL=======================
===============
KUDOSSSSSSS:
===============
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep