Saturday, 20 July 2013

[EN] Wordpress 3.5.2 Hacked

Hi.

Because Wordpress don't give a shit about the bug I mentioned 3 weeks ago, here you have
a few steps to own the latest version.

It should be mentioned that to exploit this vulnerability we need a few things (but
as a 'btw': version 3.5.2 also has a few other vulnerabilities, persistent XSS
for example, and this 'drop-shell' exploitation can be done through those XSS bugs).

Anyway:

To make this vulnerability exploitable, you will need:
- a writable theme file (404.php)
- a valid '_wpnonce' value, which you must get (steal).
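The writable-theme-file precondition above is something a site owner can check for directly. The script below is an added example written for this post (it is not the author's PoC code); it assumes a standard wp-content/themes layout and should be run as the web server account so the writability test reflects what the theme editor could actually modify:

```shell
#!/bin/sh
# Added hardening check (not from the original post): list theme PHP files
# that the current account can write to. Run it as the web server user
# (e.g. `sudo -u www-data sh check.sh /var/www/wp-content/themes`) so the
# result reflects what a forged theme-editor request could modify.
# Note: as root, [ -w ] is true for every file, so run it unprivileged.

# Print every *.php file under the themes directory that is writable
# by the account running the script, one path per line, sorted.
find_writable_theme_files() {
    themes_dir="$1"
    find "$themes_dir" -type f -name '*.php' -print 2>/dev/null |
    while IFS= read -r f; do
        [ -w "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Succeed (exit 0) only when no theme PHP file is writable; otherwise
# print the offending files to stderr and fail, so it can gate a deploy.
check_theme_files_readonly() {
    writable=$(find_writable_theme_files "$1")
    if [ -n "$writable" ]; then
        printf 'writable theme files found:\n%s\n' "$writable" >&2
        return 1
    fi
    return 0
}

# Usage: sh check.sh /path/to/wp-content/themes
# Pairs well with DISALLOW_FILE_EDIT in wp-config.php, which removes the
# built-in theme/plugin editor that writes to these files.
if [ $# -ge 1 ]; then
    check_theme_files_readonly "$1"
fi
```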

Here we go. Below is the PoC code:


Next you need to send your 'poc-page' to a logged-in admin user
(who is still logged in when visiting your page).



Now 'you' (as this logged-in admin ;) ) will see a page like this:



The next thing to do is go to an unavailable postID, like the
one below for example, and add your command to the 'c' parameter.


That's all. :)

If you have any questions, feel free to ask.

Cheers o/

13 comments:

  1. "- you must get (steal) valid '_wpnonce' value."

    And how do you presume one does this?
  2. Hi,

    in case the admin is logged in when he's
    at your exploitpage.html:
    your 'exploitpage' should grab this value.
    What do you think about some XHR code in this case? ;)

    Check if it is possible to do it if you want.
    But remember to test it against 'your' host.
    And let me ask you one thing:
    what would happen if I pasted this
    kind of 'stealer' here? ;)
    Would that still be 'poc-code'?
    Or maybe 't00l-f0r-skidz'?

    And by the way:
    Thanks for watching my blog. :)

    Cheers
    o/
  3. Hi, I only have a question: how can I upload the file to WordPress?
  4. Why do you want to do that? ;)
    In the case of this vulnerability you must have a writable file
    on the remote host to write PHP code to.
  5. Replies
    1. No problem ;) If you have any questions, feel free to ask here or via mail.

      cheers o/
  6. Hi,
    Can you explain a bit more how to inject code on the remote host?

    Replies
    1. What do you need to know? Mail me if you want. Sometimes I can't publish all details here ;)
  7. Hi,
    Where is your email address? I want to email you.

    Replies
    1. Try at 'view full profile' (right side of the blog).

      cheers o/
  8. Thank you for this content and I really respect Malk / all greetings to you my friend :)