exploit the possibilities

XML Sitemap Generator 3.2.8 Code Injection

XML Sitemap Generator 3.2.8 Code Injection
Posted Jan 8, 2013
Authored by Akastep

XML Sitemap Generator for WordPress versions 3.2.8 and below suffers from a remote PHP code injection vulnerability.

tags | exploit, remote, php
MD5 | 6b74f4bebc868e1a20e18edb94f4e79d

XML Sitemap Generator 3.2.8 Code Injection

Change Mirror Download
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
================================================================================
Vendor: http://www.arnebrachhold.de/redir/sitemap-home/
Software: XML Sitemap Generator for Wordpress aka (Google XML Sitemaps) plugin.
Vuln: PHP CODE injection.
================================================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
================================================================================
About Software:
This plugin will generate a special XML sitemap which will help search engines like Google, Bing,
Yahoo and Ask.com to better index your blog.
With such a sitemap, it's much easier for the crawlers to see the complete structure of your site
and retrieve it more efficiently.
The plugin supports all kinds of WordPress generated pages as well as custom URLs.
Additionally it notifies all major search engines every time you create a post about the new content.
================================================================================
About vulns:

XML Sitemap Generator for Wordpress v<=3.2.8 (Google XML Sitemaps) plugin PHP CODE injection.

1'st issuse: The "xml" file name and extension can be changed to any name+extension.

A) Due this issuse it is possible to create any file with any extension on filesystem.
B) Using this condition this is possible to overwrite arbitrary files on system(even if the target file(s) chmod'ed to 400!)

2'nd issuse:

By manipulating $_POST:

sm_cf_home=PHP CODE PAYLOAD GOES HERE
sm_cf_posts=PHP CODE PAYLOAD GOES HERE

parameters and by injecting PHP CODE into this parameters it is possible to gain shell access there(shell upload).

Proof of concept video can be found here about how to exploit this vulnerabilities:

http://youtu.be/30OZanIoICE


To exploit this vulnerabilities you need admin privileges on target site.

To get successfull and easy shell access short_open_tag php.ini directive (php.ini) on
server side must be set =off (otherwise you'll get syntax error when creating shell).
But this is not panacea.Theris also another ways to solve this.Found it yourself.

In itself this vulnerabilities can be used to escalate privileges on target site and fully compromise site and server.

==GUNUN RANDOM SITATI:======GOTDU OGUL ISTEREM! LOOOOOOOL=======================





================================================
KUDOSSSSSSS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep






Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close