Showing posts with label File Path Traversal. Show all posts

Thursday, August 18, 2016

Example of Wordpress File Disclosure

I saw this attack in the logs and thought it was interesting enough to mention. It's a known exploit for the WordPress Elegance Theme.

POST /wp-content/themes/elegance/lib/scripts/dl-skin.php HTTP/1.1
Host: mywebsite.mx
Content-Length: 60
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
_mysite_download_skin=../../../../../wp-config.php


The bug itself is simple. The theme ships a script, dl-skin.php, that reads a POST parameter named _mysite_download_skin and did not validate the file path it received. It is supposed to let a user fetch a skin file from the theme's own skins folder, but because it never checks for path traversal, the attacker can insert ../ segments (a relative path component, not a shell command) to walk up the directory tree and read any file the web server account can read. Here the request walks up five levels, from wp-content/themes/elegance/lib/scripts/ to where the attacker expects the WordPress root to be, which is where wp-config.php lives. That file holds the database credentials, the authentication keys and salts, and whatever else the site put there. The same trick can be used to read /etc/passwd or anything else interesting on the server.

To prevent this, keep WordPress, its themes and its plugins updated, and remove themes and plugins you aren't using rather than leaving them installed but inactive (an inactive theme's PHP files are still reachable by URL). The account Apache runs as also matters. With proper least-privilege permissions it limits which files an attacker can reach through a bug like this; if the web server runs as root or some other high-privilege account, the attacker can read pretty much anything on the file system. Note that least privilege does not save wp-config.php itself, since the PHP process has to be able to read it; only fixing or removing the vulnerable script does that.
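To make the bug concrete, here is an added example (not code from the original post or from the Elegance theme) in Python: a download-path resolver written first the way dl-skin.php is described above, concatenating the parameter with no check, and then with the containment check that stops traversal. The directory layout, file names and the build_demo_site() helper are assumptions made for the demonstration; the same realpath-then-compare logic is what a PHP handler should do before calling readfile().

```python
# Added example, not code from the original post or from the Elegance theme:
# how a download handler such as the described dl-skin.php goes wrong, and the
# containment check that fixes it. Directory layout, file names and
# build_demo_site() are assumptions made for the demonstration.
import os
import tempfile
from typing import Optional

TRAVERSAL_PAYLOAD = "../../../../../wp-config.php"  # the value seen in the POST body


def vulnerable_resolve(skins_dir: str, requested: str) -> str:
    """The described bug: the parameter is glued onto the skins folder with no
    check, so every '..' segment walks one directory up. Returns the path the
    handler would open."""
    return os.path.normpath(os.path.join(skins_dir, requested))


def safe_resolve(skins_dir: str, requested: str) -> Optional[str]:
    """Resolve the request, then require the result to still sit inside
    skins_dir. Returns None for traversal, absolute paths, NUL bytes and
    symlinks that point outside the folder."""
    if "\x00" in requested:               # C-string file APIs truncate at NUL
        return None
    base = os.path.realpath(skins_dir)
    # join() discards base if 'requested' is absolute; realpath also follows
    # symlinks, so the comparison is made on the real target.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: '/site/skins' must not accept '/site/skins-evil/x'
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                    # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def build_demo_site() -> tuple:
    """Constructed layout (assumption): a WordPress root holding wp-config.php
    and a skins folder five directories below it, matching the five '../'
    in the payload. Returns (root, skins_dir)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    skins = os.path.join(root, "wp-content", "themes", "elegance", "lib", "skins")
    os.makedirs(skins)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(skins, "default.css"), "w") as f:
        f.write("body { color: #000; }\n")
    return root, skins


if __name__ == "__main__":
    root, skins = build_demo_site()
    print("vulnerable :", vulnerable_resolve(skins, TRAVERSAL_PAYLOAD))
    print("safe       :", safe_resolve(skins, TRAVERSAL_PAYLOAD))
    print("safe, ok   :", safe_resolve(skins, "default.css"))
```

The check compares resolved paths rather than searching the input for "../": an encoded or Windows-style variant the filter did not anticipate still resolves to the same real location, so the comparison catches it without a blacklist.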

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, August 12, 2016

Wordpress File Path Traversal Examples

I pasted several similar Wordpress exploit attempts from some web logs. They generally match WAF or IDS rules of file traversal. They look like this...

GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
GET /wp-content/plugins/db-backup/download.php?file=../../../wp-config.php
GET /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
GET /wp-content/themes/mtheme-unus/css/css.php?files=../../../../wp-config.php


These attempts target insecure WordPress plugins and themes. Each has a query string parameter (file, file_path, files) that names a file to download. The plugin was only supposed to serve files from its own directory, such as the music or audio it manages. But the parameter was never properly validated, so path traversal (../../) lets the request walk up the file system hierarchy from the script's folder. In each case the attacker is climbing to the WordPress root to reach wp-config.php, which contains the database user and password, the authentication keys and salts, and other valuable data. Note that the number of ../ segments varies with the script's depth: three for a script directly inside a plugin directory, four for one nested a level deeper, so the attacker is counting from the script's location.

To prevent this, patch plugins promptly when vulnerabilities like these are published, and remove plugins you don't use; merely disabling one leaves its PHP files on disk and reachable by URL.


Wednesday, June 1, 2016

DVR File Path Traversal to Credentials

GET /../../../../../../../mnt/mtd/ijhe HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept-Encoding: gzip
Connection: close


I saw this request come in and thought it was interesting. With some help from Google searching, I wonder if it's an attempt to exploit a DVR or security camera of some sort, perhaps via a known file path traversal web vulnerability such as this DVR File Path Traversal vulnerability, which would in theory allow the attacker to access the administrative credentials file in plain text and output it to their web browser.
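As an added example, not part of the original posts and not taken from any WAF or IDS product, here is a small Python detector that applies the file-traversal logic those rules encode to Apache-style access log lines. It covers both the WordPress plugin requests quoted in the post above and the DVR request just above. SAMPLE_LOG is constructed for the example, modelled on those requests (client addresses, status codes and sizes are made up); the /mnt/mtd/ entry in the sensitive-path list is taken from the DVR request. The detector decodes the target repeatedly so single and double URL-encoding of ../ are both caught, and looks for a literal '..' path segment rather than the bare substring '../', which would also fire on harmless names.

```python
# Added example, not code from the original posts or from any WAF or IDS product:
# a detector that applies file-traversal rule logic to Apache combined-format
# log lines. SAMPLE_LOG is constructed for the example, modelled on the requests
# quoted in the posts; addresses, status codes and sizes are made up.
import re
import urllib.parse

SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2016:10:01:02 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php HTTP/1.1" 200 3100
203.0.113.5 - - [12/Aug/2016:10:01:03 +0000] "GET /wp-content/plugins/db-backup/download.php?file=../../../wp-config.php HTTP/1.1" 404 512
203.0.113.6 - - [12/Aug/2016:10:02:10 +0000] "GET /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=..%2F..%2F..%2F..%2Fwp-config.php&file_size=10 HTTP/1.1" 404 512
203.0.113.7 - - [12/Aug/2016:10:03:00 +0000] "GET /wp-content/themes/mtheme-unus/css/css.php?files=..%252F..%252F..%252F..%252Fwp-config.php HTTP/1.1" 404 512
198.51.100.9 - - [01/Jun/2016:08:15:00 +0000] "GET /../../../../../../../mnt/mtd/ijhe HTTP/1.1" 400 226
192.0.2.44 - - [12/Aug/2016:10:05:00 +0000] "GET /wp-content/themes/elegance/style.css HTTP/1.1" 200 8800
192.0.2.45 - - [12/Aug/2016:10:06:00 +0000] "GET /blog/2016/08/a-post-about-dots.../index.html HTTP/1.1" 200 4100
"""

# Values worth calling out when they appear in a traversal request. The first
# three are the usual targets; /mnt/mtd/ is taken from the DVR request above.
SENSITIVE_TARGETS = ("wp-config.php", "/etc/passwd", "/etc/shadow", "/mnt/mtd/")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL-encoding until it stops changing, so ..%2F and ..%252F both
    end up as '../'. The round limit bounds the work on hostile input."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True when the decoded value contains a '..' path segment (either slash
    style). Matching whole segments avoids false positives on names like 'dots.../'."""
    segments = re.split(r"[\\/]+", fully_decode(value))
    return ".." in segments


def classify_request(line: str):
    """Return a finding dict for a traversal attempt, or None for a clean line
    (or one the regex cannot parse)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urllib.parse.urlsplit(target)
    # Check the path and every query-string value separately: the plugin
    # parameter (file=, file_path=, files=) is where the payload lives.
    candidates = [parts.path] + [
        v for _, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    ]
    hits = [c for c in candidates if has_traversal(c)]
    if not hits:
        return None
    decoded = fully_decode(target)
    return {
        "ip": m.group("ip"),
        "target": target,
        "traversal_in": hits,
        "sensitive": [s for s in SENSITIVE_TARGETS if s in decoded],
        "status": int(m.group("status")),
    }


def scan(log_text: str) -> list:
    """Run classify_request over every line and keep only the findings."""
    return [f for f in map(classify_request, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["sensitive"], finding["target"])
```

The status code is carried along because it is the first triage signal: a 200 with a plausible body size on a wp-config.php request deserves immediate attention, while a 404 means the script was not there this time but the host is being probed.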
