Saturday 20 July 2013

[EN] Wordpress 3.5.2 Hacked

Hi.

Because Wordpress don't give a shit about bug mentioned 3 weeks ago, here you have
a few-steps to own latest version.

It should be mentioned that to exploit this vulnerability we need few things (but
as a 'btw': in 3.5.2 version we have also few other vulnerabilities like persistent XSS
for example and this 'drop-shell'-exploiting, can be done by those (xss) bugs).

Anyway:

To make this vulnerability possible to exploit, you will need:
- file from theme (404.php) writable
- you must get (steal) valid '_wpnonce' value.

Here we go. Below is the poc-code:


Next you need to send your 'poc-page' to logged-in admin user
(who is still logged-in when visiting your page).



Now, 'you' (as this logged-in admin;) ) will see page like this:



And next thing to do is go to not-available postID, like this
one below for example, and add (to 'c' parameter) your command.


That's all. :)

If you have any questions, feel free to ask.

Cheers o/

13 comments:

  1. "- you must get (steal) valid '_wpnonce' value."

    And how to you presume one does this?

    ReplyDelete
  2. Hi,

    in case that 'admin is logged in when he's
    at your exploitpage.html':
    your 'exploitpage' should grab this value.
    What do you think about some XHR code in this case? ;)

    Check if it is possible to do it if you want.
    But remember to test it against 'your' host.
    And let me ask you one thing:
    what will happened if I will paste here this
    kind of 'stealer'? ;)
    That would be still a 'poc-code'?
    Or maybe 't00l-f0r-skidz'?

    And by the way:
    Thanks for watching my blog. :)

    Cheers
    o/

    ReplyDelete
  3. hi, i only have a question, How can i upload the file to the wordpress ?

    ReplyDelete
  4. Why do you want to do that? ;)
    In case of this vulnerability you must have a writable file
    at remote host to write PHP code to it.

    ReplyDelete
  5. Replies
    1. No problem;) If you have any questions, feel free to ask here or via mail.

      cheers o/

      Delete
  6. Hi,
    Can you explain a bit more how to inject code on remote host?

    ReplyDelete
    Replies
    1. What do you need to know? Mail me if you want. Sometimes I can't publish all details here ;)

      Delete
  7. Hi,
    Where is your email address I want to email you

    ReplyDelete
    Replies
    1. Try at 'view full profile' (right side of the blog).

      cheers o/

      Delete
  8. Thank you for this content and I really respect Malk / all greetings to you my friend :)

    ReplyDelete

What do You think...?