Re: [NSE] script for exploiting CVE-2014-8877 vulnerability

[Patricio Castagnaro <pcastagnaro () gmail com>]

Thank you very much Mariusz for sharing!


*Lic. Patricio Castagnaro*
*MSN/Gtalk/Mail* *pcastagnaro () gmail com <pcastagnaro () gmail com>*
*Twitter* @*pcastagnaro* <https://twitter.com/pcastagnaro>
*Skype:*
* pcastagnaro**LinkedIn* *http://ar.linkedin.com/in/pcastagnaro
<http://ar.linkedin.com/in/pcastagnaro>*
*Google+* *https://plus.google.com/+PatricioCastagnaro
<https://plus.google.com/+PatricioCastagnaro>*

Think before you print

2014-12-18 21:12 GMT-03:00 Mariusz Ziulek <mzet () owasp org>:
> Hi List,
>
> I've just completed script that exploits CVE-2014-8877 vulnerability. This
> flaw was found recently in Wordpress CM Download Manager plugin
> (https://wordpress.org/plugins/cm-download-manager/). Versions <= 2.0.0
> are affected.
>
> Vulnerability allows to inject arbitrary PHP code via CMDsearch param.
> The script simply injects system() function with OS shell command of choice
> (provided as script's parameter) as an argument.
>
> Testing and comments are appreciated.
>
> Running the script:
> nmap -P0 -p80 -n --script http-vuln-cve2014-8877 --script-args
> http-vuln-cve2014-8877.cmd="whoami", http-vuln-cve2014-8877.uri="/wordpress"
>
> Where 'cmd' parameter is shell command for execution and 'uri' is path
> to your Wordpress installation.
>
> Revisions 1007950 (and below) of the plugin are affected so if any one
> would like to test the script locally, here's a command to quickly fetch
> the
> right (vulnerable) version of the plugin:
>
> svn co -r 1007950
> http://plugins.svn.wordpress.org/cm-download-manager/trunk/ cm-dw-manager
>
> Regards,
> Mariusz
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/