Nmap Development mailing list archives
[NSE] script for exploiting CVE-2014-8877 vulnerability
From: Mariusz Ziulek <mzet () owasp org>
Date: Fri, 19 Dec 2014 01:12:28 +0100
Hi List,

I've just completed a script that exploits the CVE-2014-8877 vulnerability. This flaw was found recently in the WordPress CM Download Manager plugin (https://wordpress.org/plugins/cm-download-manager/). Versions <= 2.0.0 are affected. The vulnerability allows injecting arbitrary PHP code via the CMDsearch param. The script simply injects the system() function with an OS shell command of choice (provided as the script's parameter) as an argument.

Testing and comments are appreciated.

Running the script:

    nmap -P0 -p80 -n --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress"

Where the 'cmd' parameter is the shell command for execution and 'uri' is the path to your WordPress installation.

Revisions 1007950 (and below) of the plugin are affected, so if anyone would like to test the script locally, here's a command to quickly fetch the right (vulnerable) version of the plugin:

    svn co -r 1007950 http://plugins.svn.wordpress.org/cm-download-manager/trunk/ cm-dw-manager

Regards,
Mariusz
Attachment: http-vuln-cve2014-8877.nse
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
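Added example, not part of the original message or of the attached NSE script: a log triage check for the condition described above, PHP call syntax arriving in the CMDsearch query parameter. It assumes combined-format access logs; the regex heuristic, the function names, and the sample lines (including the request paths) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic (assumption): a search term should not contain an identifier
# directly followed by "(", a PHP open tag, or a backtick.
PHP_SYNTAX = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\(|<\?|`")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_cmdsearch(line):
    """Return (client_ip, decoded_value) when CMDsearch looks like code, else None."""
    m = REQUEST.match(line)
    if not m:
        return None  # malformed or non-HTTP line: nothing to inspect
    ip, _method, target, _status = m.groups()
    # parse_qs percent-decodes values; PHP parameter names are case-sensitive,
    # so only the exact name "CMDsearch" is inspected.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("CMDsearch", []):
        if PHP_SYNTAX.search(value):
            return ip, value
    return None

def scan(lines):
    """Collect every suspicious hit from an iterable of log lines."""
    return [hit for hit in map(suspicious_cmdsearch, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Dec/2014:01:20:00 +0100] '
    '"GET /wordpress/?CMDsearch=user+manual HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Dec/2014:01:21:10 +0100] '
    '"GET /wordpress/?CMDsearch=system%28%27whoami%27%29 HTTP/1.1" 200 5311',
    '198.51.100.7 - - [19/Dec/2014:01:22:00 +0100] '
    '"GET /wordpress/?s=system(1) HTTP/1.1" 200 800',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent code-like CMDsearch value: {value!r}")
```

Access logs record only the request line, so values sent in a POST body are not visible to this check.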