exploit the possibilities

XML Sitemap Generator 3.2.8 Code Injection

XML Sitemap Generator 3.2.8 Code Injection
Posted Jan 8, 2013
Authored by Akastep

XML Sitemap Generator for WordPress versions 3.2.8 and below suffers from a remote PHP code injection vulnerability.

tags | exploit, remote, php
MD5 | 6b74f4bebc868e1a20e18edb94f4e79d

XML Sitemap Generator 3.2.8 Code Injection

Change Mirror Download
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm AkaStep member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
================================================================================
Vendor: http://www.arnebrachhold.de/redir/sitemap-home/
Software: XML Sitemap Generator for Wordpress aka (Google XML Sitemaps) plugin.
Vuln: PHP CODE injection.
================================================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
================================================================================
About Software:
This plugin will generate a special XML sitemap which will help search engines like Google, Bing,
Yahoo and Ask.com to better index your blog.
With such a sitemap, it's much easier for the crawlers to see the complete structure of your site
and retrieve it more efficiently.
The plugin supports all kinds of WordPress generated pages as well as custom URLs.
Additionally it notifies all major search engines every time you create a post about the new content.
================================================================================
About vulns:

XML Sitemap Generator for Wordpress v<=3.2.8 (Google XML Sitemaps) plugin PHP CODE injection.

1'st issuse: The "xml" file name and extension can be changed to any name+extension.

A) Due this issuse it is possible to create any file with any extension on filesystem.
B) Using this condition this is possible to overwrite arbitrary files on system(even if the target file(s) chmod'ed to 400!)

2'nd issuse:

By manipulating $_POST:

sm_cf_home=PHP CODE PAYLOAD GOES HERE
sm_cf_posts=PHP CODE PAYLOAD GOES HERE

parameters and by injecting PHP CODE into this parameters it is possible to gain shell access there(shell upload).

Proof of concept video can be found here about how to exploit this vulnerabilities:

http://youtu.be/30OZanIoICE


To exploit this vulnerabilities you need admin privileges on target site.

To get successfull and easy shell access short_open_tag php.ini directive (php.ini) on
server side must be set =off (otherwise you'll get syntax error when creating shell).
But this is not panacea.Theris also another ways to solve this.Found it yourself.

In itself this vulnerabilities can be used to escalate privileges on target site and fully compromise site and server.

==GUNUN RANDOM SITATI:======GOTDU OGUL ISTEREM! LOOOOOOOL=======================





================================================
KUDOSSSSSSS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep






Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close