<p>/wp-content/plugins/wysija-newsletters/helpers/back.php<br></p><pre class="">function verify_capability(){
    // Only requests whose 'page' parameter starts with 'wysija_' are checked at all.
    // $_REQUEST merges GET and POST; under PHP's default request order the POST value wins.
    if( isset( $_REQUEST['page'] ) && substr( $_REQUEST['page'] ,0 ,7 ) == 'wysija_' ){
        switch( $_REQUEST['page'] ){
            case 'wysija_campaigns':
                $role_needed = 'wysija_newsletters';
                break;
            case 'wysija_subscribers':
                $role_needed = 'wysija_subscribers';
                break;
            case 'wysija_config':
                $role_needed = 'wysija_config';
                break;
            case 'wysija_statistics':
                $role_needed = 'wysija_stats_dashboard';
                break;
            default:
                $role_needed = 'switch_themes';
        }
        if( current_user_can( $role_needed ) ){
            return true;
        } else{
            die( 'You are not allowed here.' );
        }
    }else{
        // this is not a wysija interface/action we can let it pass
        return true;
    }
}
</pre><p>Under PHP's default configuration, the $_POST['page'] variable overrides the $_GET['page'] variable in the $_REQUEST array.</p><p>The plugin uses $_REQUEST to check access rights. Setting the POST parameter page to a value that does not start with 'wysija_' is enough to bypass the capability check performed in admin_init.</p><p>/wp-content/plugins/wysija-newsletters/controllers/back/campaigns.php</p><pre class="">function themeupload() {
    $helperNumbers = WYSIJA::get('numbers', 'helper');
    $bytes = $helperNumbers->get_max_file_upload();
    if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $bytes['maxbytes']) {
        if (isset($_FILES['my-theme']['name']) && $_FILES['my-theme']['name']) {
            $filename = $_FILES['my-theme']['name'];
        } else {
            $filename = "";
        }
        $this->error(sprintf(__('Upload error, file %1$s is too large! (MAX:%2$s)', WYSIJA), $filename, $bytes['maxmegas']), true);
        $this->redirect('admin.php?page=wysija_campaigns&action=themes');
        return false;
    }
    // Only the request size is checked above; the archive contents are never inspected before installTheme() extracts them.
    $ZipfileResult = trim(file_get_contents($_FILES['my-theme']['tmp_name']));
    $themesHelp = WYSIJA::get('themes', 'helper');
    $result = $themesHelp->installTheme($_FILES['my-theme']['tmp_name'], true);
    $this->redirect('admin.php?page=wysija_campaigns&action=themes&reload=1');
    return true;
}
</pre><p>After the capability check is bypassed, a zip file can be uploaded; on upload it is extracted to /wp-content/uploads/wysija/[archive file name]/<br></p><p>Exploitation process</p><p>Using Burp Suite</p><p>1. Repeater -- new tab</p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696362160-1.png" data-image-size="672,479"><br></p><p>2. Paste from file<br></p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696393209-1.png" data-image-size="671,451"><br></p><p>3. Import the POST file and the port (the POST file is in the document directory)</p><p>4. Fill in the host and port, then click Go</p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696424407-1.png" data-image-size="677,645"><br></p><p>Shell address:</p><p>/wp-content/uploads/wysija/themes/SWgVmGZaXn/abyufgq7uyg1.php</p><p>Password: cmd</p>
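<p>As an added example (not MailPoet/wysija code and not the plugin's actual fix), the following shows a default-deny rewrite of the verify_capability() check discussed above: the page name is read from $_GET only, unknown plugin pages are refused instead of mapped to a permissive fallback, and each state-changing controller action carries its own guard so that the decision no longer depends on how the request was classified. It assumes WordPress is loaded; the function names and the nonce action/field names are assumptions.</p>

```php
<?php
// Added example, not MailPoet/wysija code: a default-deny version of the
// capability check shown on this page. The original keys its decision on
// $_REQUEST['page']; with PHP's default request_order ("GP", falling back to
// variables_order "EGPCS") a POST body value for "page" replaces the one in
// the query string, and the original's default branch then lets the request
// through. Assumes WordPress is loaded (current_user_can, wp_die,
// check_admin_referer); the capability names are the ones listed on this page.

// Plugin page -> capability required to view it. Anything not listed here
// resolves to null and is refused below; there is no permissive fallback.
function example_wysija_required_capability( $page ) {
    $map = array(
        'wysija_campaigns'   => 'wysija_newsletters',
        'wysija_subscribers' => 'wysija_subscribers',
        'wysija_config'      => 'wysija_config',
        'wysija_statistics'  => 'wysija_stats_dashboard',
    );
    return isset( $map[ $page ] ) ? $map[ $page ] : null;
}

// Page-level check for the admin_init hook. The admin page is selected by the
// query string alone (wp-admin/admin.php reads $_GET['page']), so the request
// body is ignored here: a POST parameter cannot relabel the request as a
// non-plugin page.
function example_wysija_verify_capability() {
    $page = isset( $_GET['page'] ) ? (string) $_GET['page'] : '';
    if ( strpos( $page, 'wysija_' ) !== 0 ) {
        return true; // not a plugin page; nothing to guard at this level
    }
    $capability = example_wysija_required_capability( $page );
    if ( $capability === null || ! current_user_can( $capability ) ) {
        wp_die( 'You are not allowed here.', '', array( 'response' => 403 ) );
    }
    return true;
}

// Action-level guard, called at the top of every controller action that
// changes state (the page's themeupload() would call it first). It does not
// depend on the page classification above, so a request that slipped past
// the page check still cannot reach the action without the capability and a
// valid nonce. The nonce action and field names are assumptions and must
// match the form that submits to the action.
function example_wysija_guard_action( $capability, $nonce_action, $nonce_field = '_wysija_nonce' ) {
    if ( ! current_user_can( $capability ) ) {
        wp_die( 'You are not allowed here.', '', array( 'response' => 403 ) );
    }
    // Terminates the request when the nonce is missing or invalid.
    check_admin_referer( $nonce_action, $nonce_field );
    return true;
}
```

<p>The two layers are deliberate: the admin_init check is only a convenience filter, and the guard inside each action is what actually enforces authorization, so a mistake in classifying the request cannot turn into a bypass.</p>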
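<p>As a second added example (again not MailPoet/wysija code), this validator inspects a theme archive before it is extracted, which is the step themeupload() above skips when it hands the upload straight to installTheme(). It refuses entries with unsafe paths, any file type a web server might execute, and archives that expand beyond a size limit. It assumes PHP's ZipArchive extension; the allowed extensions, limits and function name are constructed for the example.</p>

```php
<?php
// Added example, not MailPoet/wysija code: inspect a theme archive before
// extracting it. themeupload() on this page passes the upload to
// installTheme(), which unpacks it under wp-content/uploads/wysija/, so any
// .php file inside the archive lands in a web-served directory. Assumes the
// ZipArchive extension; the allowlist and limits are constructed for the
// example and should be tuned to what a newsletter theme really needs.

function example_validate_theme_zip( $zip_path, $max_entries = 200, $max_total_bytes = 10485760 ) {
    $allowed_ext = array( 'html', 'htm', 'css', 'txt', 'png', 'jpg', 'jpeg', 'gif' );
    // Extensions a web server may hand to the PHP interpreter, refused in any
    // dotted segment of the name ("shell.php.png" included, since some Apache
    // handler configurations evaluate every segment), plus .htaccess.
    $executable = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess' );

    $zip = new ZipArchive();
    if ( $zip->open( $zip_path ) !== true ) {
        return 'not a valid zip archive';
    }
    if ( $zip->numFiles > $max_entries ) {
        $zip->close();
        return 'too many entries';
    }
    $total = 0;
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $stat = $zip->statIndex( $i );
        $name = str_replace( '\\', '/', $stat['name'] );
        // Entries must stay inside the target directory: no absolute paths,
        // no ".." segments, no NUL bytes.
        $segments = explode( '/', $name );
        if ( $name === '' || $name[0] === '/' || strpos( $name, "\0" ) !== false
             || in_array( '..', $segments, true ) ) {
            $zip->close();
            return 'unsafe path: ' . $stat['name'];
        }
        if ( substr( $name, -1 ) === '/' ) {
            continue; // directory entry, nothing further to check
        }
        $parts = explode( '.', strtolower( basename( $name ) ) );
        $ext   = count( $parts ) > 1 ? end( $parts ) : '';
        foreach ( array_slice( $parts, 1 ) as $segment ) {
            if ( in_array( $segment, $executable, true ) ) {
                $zip->close();
                return 'executable content refused: ' . $stat['name'];
            }
        }
        if ( ! in_array( $ext, $allowed_ext, true ) ) {
            $zip->close();
            return 'file type not allowed: ' . $stat['name'];
        }
        // Cap the uncompressed size: a tiny archive can expand to gigabytes.
        $total += $stat['size'];
        if ( $total > $max_total_bytes ) {
            $zip->close();
            return 'archive expands beyond the size limit';
        }
    }
    $zip->close();
    return true;
}

// How themeupload() would use it: refuse before installTheme() ever runs.
// $this->error() and $this->redirect() are the page's own controller helpers.
//
//   $verdict = example_validate_theme_zip( $_FILES['my-theme']['tmp_name'] );
//   if ( $verdict !== true ) {
//       $this->error( 'Theme rejected: ' . $verdict, true );
//       $this->redirect( 'admin.php?page=wysija_campaigns&action=themes' );
//       return false;
//   }
```

<p>Content validation is one layer; the other is to configure the web server so that nothing under wp-content/uploads is ever executed as PHP, which limits the damage even if a future upload path forgets to validate.</p>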