您的位置 » 首页 » 实用工具 » WordPress 3.X.X 及以前版本文件包含漏洞

WordPress 3.X.X 及以前版本文件包含漏洞

发表于5年前 | 作者: seay | 分类: 实用工具 | 孵化于:2012年09月14日 | 文章热度:8,167 次 全屏阅读

显示不全请点击全屏阅读

标题: WordPress 3.X.X and prior – Path Disclosure/File Inclusion Vulnerabilities.
作者: Dark-Puzzle (Souhail Hammou)
 
影响版本: 所有版本均可用
开发者: www.wordpress.com
测试平台: Windows XP SP3 – Fr & Backtrack 5 R3 .
# Greetings : Inj3ct0rs – Offensive Security – Security Focus – Packetstorm Security .
 
#####################################################################################
All Versions of WordPress are prone to a Full path disclosure vulnerability , because of a get_header() function or the include function in PHP .
The Vulnerable line is in the theme”s index.php that calls an undefined function while executing from the main directory of themes .
#####################################################################################
Why is that happening ??
 
The reason why the fatal error including the full path pops up is that the script was enabled to call header.php in the theme”s directory , so wordpress made a technique to call wp-includes/theme-compat/header.php when no compatible
header is found . but in our case we will not be redirected because actually the header.php is figuring in the same theme File . So, What is really happening is that we are calling header.php directly from the its source
directory so this will make a confusion because the theme is not called from the home page (http://www.example.com) But called from its location (http://www.example.com/wp-content/themes/theme/index.php)
This exploit is working on all themes that I tested it with , So I decided to globe it for WordPress, So that would be a challenge to fix this error .
Keep in mind that this vulnerability exists in all WordPress Themes installed directly without a manual script editing , if it”s not working on a website We”re coming for that in the end of this file .
 
#####################################################################################
The Danger :
 
**get_header() error shows the full path giving this error :
 
Fatal error: Call to undefined function get_header() in C:\AppServ\www\wordpress\wp-content\themes\twentyten\index.php on line 16
 
Ok , we”ve got the full path now.
 
The Problem is , if the function include was used instead of get_header() and we will call the index from its source it will give us a function.include error .
Which can lead the attacker to a Remote File Inclusion Vulnerability or a Local File Inclusion Vulnerability.
It is real that the probabilities to find an inclusion vulnerability are very tiny but this can really happen if you find a valid parameter which varies from a theme to another .
 
##################
 
示例: (Phiworx Theme)
 
File : /wp-content/themes/phiworx/index.php
 
—–Cut——
<?php include (TEMPLATEPATH . “/header.php”); ?>
—–Cut——
 
So when this line is executed the script fails to recognize The PATH so it is showing up a function.include error .
In fact this script should be edited by the user and put the complete directory of the header file . but when the theme is installed using the wp-admin method …
and attached to the default index page this would not cause any problem when requesting it from www.example.com/index.php that”s why the error is still showing up
when going to the /themes dir .
 
and this is what we will show up when requesting the page www.website.com/wp-content/themes/phiworx/ :
 
Warning:include(TEMPLATEPATH/header.php) [function.include]: failed to open stream: No such file or directory in /home/dark/public_html/website.com/wp-content/themes/phiworx/index.php on line 7
 
and if we could find a valid parameter like ”id”,”pid”,”cat” in the index.php or any other file showing this error we will be able to include for sure , taking in consideration PHP Version and Server/Website Restrictions .
 
###################
 
 
So Every Theme That you will install or try will be vulnerable .
 
BUT trying this vulnerability in some websites will fail with you , Why ?
Simply because some websites forbid the access on wp-content file because an attacker can list a theme directory for example .
So it will affect our exploitation too .
For example in my team website I installed Doover Theme but when you will try to disclosure the path or try an inclusion
the page will be redirected to an error page :
 
http://datasec.x90x.net/wp-content/themes/doover/
 
#####################
Solution : How did you do that and How Can I Protect My Self ??
 
It”s Simple I wrote a .htaccess script for you , go to your Cpanel –> File Manager –> Go to wp-content Directory —> create an .htaccess file and write the following lines .
 
################.htaccess#########################
# This Line is used to redirect into an inexisting directory which shows the error instead of showing “403 Forbidden”
ErrorDocument 403 /
Order Allow,Deny
Deny from all
# The following extensions are allowed , add many as you like . P.S :(Avoid PHP)
<Files ~ “.(css|jpeg|png|gif|js)$”>
Allow from all
</Files>
################.htaccess#########################
Who doesn”t believe that .htaccess is powerful =) ?
#####################
 
Thanks for you attention , Hope that all wordpress websites will fix there problem .
 
White Hats 4ever .
#Datasec Team .

Tags:

Wordpress文件包含漏洞,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/888/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)