Vulnerability or not
karzak59600
Hello, I have just installed a theme on my WordPress site,
but when I scan it with a WP antivirus, it tells me that this file is likely to contain a vulnerability.
<?php
global $General;
global $upload_folder_path;
$load = '../../../../wp-config.php';
if (file_exists($load)){ //if it's >WP-2.6
    require_once($load);
}
else {
    wp_die('Error: Config file not found');
}
global $upload_folder_path;
$today = getdate();
if ($today['month'] == "January"){
    $today['month'] = "01";
}
elseif ($today['month'] == "February"){
    $today['month'] = "02";
}
elseif ($today['month'] == "March"){
    $today['month'] = "03";
}
elseif ($today['month'] == "April"){
    $today['month'] = "04";
}
elseif ($today['month'] == "May"){
    $today['month'] = "05";
}
elseif ($today['month'] == "June"){
    $today['month'] = "06";
}
elseif ($today['month'] == "July"){
    $today['month'] = "07";
}
elseif ($today['month'] == "August"){
    $today['month'] = "08";
}
elseif ($today['month'] == "September"){
    $today['month'] = "09";
}
elseif ($today['month'] == "October"){
    $today['month'] = "10";
}
elseif ($today['month'] == "November"){
    $today['month'] = "11";
}
elseif ($today['month'] == "December"){
    $today['month'] = "12";
}
// Edit upload location here
$imagepath = $General->get_product_imagepath();
if($imagepath == '')
{
    $imagepath = 'products_img';
}
//$destination_path = ABSPATH . "wp-content/uploads/".$today['year']."/".$today['month']."/";
$destination_path = ABSPATH . $upload_folder_path.$imagepath."/";
if (!file_exists($destination_path)){
    $imagepatharr = explode('/',$upload_folder_path.$imagepath);
    $upload_path = ABSPATH . "$imagepath";
    if (!file_exists($upload_path)){
        mkdir($upload_path, 0777);
    }
    $year_path = ABSPATH;
    for($i=0;$i<count($imagepatharr);$i++)
    {
        if($imagepatharr[$i])
        {
            $year_path .= $imagepatharr[$i]."/";
            if (!file_exists($year_path)){
                mkdir($year_path, 0777);
            }
            mkdir($destination_path, 0777);
        }
    }
    /* $year_path = ABSPATH . "wp-content/uploads/".$today['year']."/";
    if (!file_exists($year_path)){
        mkdir($year_path, 0777);
    }
    mkdir($destination_path, 0777);*/
}
$result = 0;
$digital_product_path = $General->get_digital_productpath();
if($digital_product_path == '')
{
    $digital_product_path = 'digital_products';
}
$digital_destination_path = ABSPATH . "$upload_folder_path".$digital_product_path."/";
$imagepatharr = array();
if (!file_exists($digital_destination_path)){
    $imagepatharr = explode('/',$digital_product_path);
    $upload_path = ABSPATH . "$upload_folder_path";
    if (!file_exists($upload_path)){
        mkdir($upload_path, 0777);
    }
    for($i=0;$i<count($imagepatharr);$i++)
    {
        if($imagepatharr[$i])
        {
            $year_path = ABSPATH . "$upload_folder_path".$imagepatharr[$i]."/";
            if (!file_exists($year_path)){
                mkdir($year_path, 0777);
            }
            mkdir($digital_product_path, 0777);
        }
    }
}
$result = 0;
$name = $_FILES['myfile']['name'];
$name = strtolower($name);
/* $name = str_replace(" ", "_", $name);
preg_match("/(.*)\.(.*)/", $name, $matches);
$stem = $matches[1];
$extension = $matches[2];
$filetypes = array("jpg", "jpeg", "bmp", "gif", "png");
if (!in_array($extension, $filetypes)){
    $user_path = "Not an allowed File type!"; ?>
<script language="javascript" type="text/javascript">window.parent.window.noUpload(<?php echo $result.", '".$user_path."'"; ?>);</script>
<?php die;
}*/
if(strstr($_GET['img'],'digital_product')) // digital products
{
    $target_path = $digital_destination_path . $name;
    $user_path = site_url() ."/$upload_folder_path".$digital_product_path."/".$name;
}else
{
    $target_path = $destination_path . $name;
    $user_path = site_url() ."/$upload_folder_path".$imagepath."/".$name;
}
// $target_path = $destination_path . $name;
//This tells the user where they've just uploaded the image to
// $user_path = site_url() ."/wp-content/uploads/".$today['year']."/".$today['month']."/".$name;
if(@move_uploaded_file($_FILES['myfile']['tmp_name'], $target_path)) {
    $result = 1;
    //if true, good; if false, zip creation failed
}
sleep(1);
/* creates a compressed zip file */
$imgNumb = "image".$_GET['img'];
?>
<script language="javascript" type="text/javascript">window.parent.window.noUpload(<?php echo $result.", '".$user_path."', '".$_GET['img']."'"; ?>);</script>
Can you tell me whether you see anything that looks wrong??
Thank you very much for your help
David
2 replies
It's not really a vulnerability, it's more the use of functions that are commonly used by viruses.
Maybe the window.parent.window.noUpload or mkdir.
Which antivirus are you using?
I think wp-scan tells you which line is the problem.
Well, at a glance the scanner detected an upload function and therefore raised a warning about its implementation. But with just this code we can't do anything, because we don't know when it runs, where it sits, whether it is included... anyway, it's thin.
Otherwise, if we go by this script alone, of course there are vulnerabilities, the first being the creation of a directory with 777 (all permissions) via mkdir, which is rather dirty... the second is that the script only checks the file extension, OK that's fine, but what about MIME types, file headers, file size... etc...?
There you go,
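As an added example (it is not the theme's code and not part of either reply), here is how the upload handler posted above could be hardened along the lines the second reply lists. It assumes the script is still bootstrapped inside WordPress, so ABSPATH and current_user_can() exist, that the form field is still named myfile, and that the upload root is wp-content/uploads/products_img; those names and the 2 MiB size cap are assumptions. It restores the extension allow-list that is commented out in the posted file, adds a MIME sniff and an image-header check, caps the size, replaces the client-chosen filename with a random one, creates directories with 0755 instead of 0777, requires the upload_files capability, and returns JSON instead of echoing the unescaped $_GET['img'] into a script tag.

```php
<?php
// Added example, not the theme's code. Assumed: runs inside WordPress
// (ABSPATH, current_user_can() defined), form field 'myfile', upload root
// wp-content/uploads/products_img, 2 MiB cap.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // assumption: 2 MiB
const ALLOWED_TYPES = [                       // extension => expected sniffed MIME
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return a safe target filename,
 * or throw with a reason. Pure validation: nothing is moved here.
 */
function validate_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Drop any directory component the client sent ("../shell.php").
    $name = strtolower(basename($file['name']));
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Sniff the real content type from the bytes, not from the client header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // For images, also require a parseable image header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Replace the client-chosen stem with a random one so double-extension
    // and overwrite tricks have nothing to work with.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Create the destination directory (0755, not 0777), move the file,
 * and return the absolute path of the stored file.
 */
function store_upload(array $file, string $uploadRoot): string
{
    $safeName = validate_upload($file);

    if (!is_dir($uploadRoot) && !mkdir($uploadRoot, 0755, true) && !is_dir($uploadRoot)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $target = rtrim($uploadRoot, '/') . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    chmod($target, 0644);   // readable, never executable
    return $target;
}

// Entry point: only for a web request carrying a file, and only for a
// logged-in user allowed to upload (assumes WordPress is loaded).
if (PHP_SAPI !== 'cli' && isset($_FILES['myfile'])) {
    header('Content-Type: application/json');
    if (!function_exists('current_user_can') || !current_user_can('upload_files')) {
        http_response_code(403);
        echo json_encode(['ok' => 0, 'error' => 'not allowed']);
        exit;
    }
    try {
        $root = ABSPATH . 'wp-content/uploads/products_img';   // assumption
        $path = store_upload($_FILES['myfile'], $root);
        echo json_encode(['ok' => 1, 'file' => basename($path)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['ok' => 0, 'error' => $e->getMessage()]);
    }
}
```

Two caveats a practitioner would add: the response is JSON rather than a `<script>` callback, so the client-side noUpload() glue in the theme would need adapting; and regardless of what the handler checks, the upload directory should be configured at the web server so that nothing in it is executed as PHP, which is the backstop if a check is ever bypassed.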