Monday, 12 June 2017

WordPress mTheme-Unus Local File Inclusion

LFI is carried out by injecting into the URL of a vulnerable target site so that malicious code can be placed in /proc/self/environ. That can ultimately be used to upload a shell to the target site.

  • Google Dork: ilnurl:/wp-content/themes/mTheme-Unus/ 
  • Exploit Code:

    <?php
    // If no file requested
    if (!isset($_GET['files']) or strlen($_GET['files']) == 0) {
        header('Status: 404 Not Found');
        exit();
    }

    // Cache folder
    $cachePath = '../_cache/';
    if (!file_exists($cachePath)) {
        mkdir($cachePath);
    }

    // Tell the browser what kind of data to expect
    header('Content-type: text/css');

    // Enable compression
    if (extension_loaded('zlib')) {
        ini_set('zlib.output_compression', 'On');
    }

    function addExtension($file)
    {
        return $file;
    }

    // Calculate an unique ID of requested files & their change time
    $files = array_map('addExtension', explode(',', $_GET['files']));
    $md5 = '';
    foreach ($files as $file) {
        $filemtime = @filemtime($file);
        $md5 .= date('YmdHis', $filemtime ? $filemtime : NULL).$file;
    }
    $md5 = md5($md5);

    // If cache exists of this files/time ID
    if (file_exists($cachePath.$md5)) {
        readfile($cachePath.$md5);
    } else {
        // Load files
        error_reporting(0);
        $content = '';
        foreach ($files as $file) {
            // User-supplied names are read as-is: this is the file inclusion flaw
            $content .= file_get_contents($file);
        }

        // Remove comments
        $content = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '', $content);

        // Remove tabs, spaces, newlines, etc...
        $content = str_replace(array("\r", "\n", "\t", '', ' '), '', $content);

        // Delete cache files older than an hour
        $oldDate = time()-3600;
        $cachedFiles = scandir($cachePath);
        foreach ($cachedFiles as $file) {
            $filemtime = @filemtime($cachePath.$file);
            if (strlen($file) == 32 and ($filemtime === false or $filemtime < $oldDate)) {
                unlink($cachePath.$file);
            }
        }

        // Write cache file
        file_put_contents($cachePath.$md5, $content);

        // Output
        echo $content;
    }
  • Demo target:
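
The code above passes each comma-separated name from `$_GET['files']` straight to `file_get_contents()`, so any file the web server process can read is returned to the client. A hardened way to resolve those names, as an added example that is not the theme's own code; the function names and the single stylesheet directory are assumptions:

```php
<?php
// Added example, not the theme's own code. Assumption: the stylesheets
// live in one directory ($baseDir); all names here are hypothetical.

// Map one requested name to a real file inside $baseDir, or null.
function resolveStylesheet(string $name, string $baseDir): ?string
{
    // No URL/stream-wrapper names, no NUL bytes, and only *.css.
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'css') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved ../ and symlinks; the result must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Concatenate the requested stylesheets; one bad name rejects the request.
function loadStylesheets(string $filesParam, string $baseDir): ?string
{
    $content = '';
    foreach (explode(',', $filesParam) as $name) {
        $path = resolveStylesheet(trim($name), $baseDir);
        if ($path === null) {
            return null;
        }
        $content .= file_get_contents($path);
    }
    return $content;
}

// Demo on constructed input: a temporary directory holding one stylesheet.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'css_demo_' . getmypid();
if (!is_dir($base)) { mkdir($base); }
file_put_contents($base . DIRECTORY_SEPARATOR . 'style.css', 'body{margin:0}');
file_put_contents($base . '.css', 'outside'); // sibling file outside $base
foreach (['style.css', '/proc/self/environ', '../' . basename($base) . '.css'] as $req) {
    $out = loadStylesheets($req, $base);
    printf("%-28s %s\n", $req, $out === null ? 'rejected' : 'served');
}
```

The third request is a real `.css` file one level above the base directory; it is rejected because the containment check compares against the base path with its trailing separator.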
