### 0x00 Overview
Plugin version `version 2.3`; the PoC is attached alongside the plugin's netdisk (cloud drive) download link.
### 0x01 Vulnerability analysis
The vulnerability is in `wp-content\plugins\wp-bliss-gallery\html\manage.php`:
```php
<?php
...
$cpage = 'admin.php?page='.$_REQUEST['page'];
?>
<div class="wrap">
<h2><?php _e('Category Management'); ?><a href="javascript:;" id="add_new_album" class="add-new-h2"><?php _e('Add New'); ?></a></h2>
<form id="add_new_album_form" action="" method="post" enctype="multipart/form-data">
<input type="hidden" name="task" value="uni_add_new_album" />
<table>
<tr>
<td><label><?php _e('Category Name'); ?></label></td>
<td><input type="text" id="album_name" name="album_name" value="" /></td>
</tr>
<tr>
<td><label><?php _e('Category Description'); ?></label></td>
<td><textarea id="album_desc" name="album_desc"></textarea></td>
</tr>
<tr>
<td><label><?php _e('Category Image'); ?></label></td>
<td><input type="file" name="album_img" value="" /></td>
</tr>
</table>
<p>
<button type="submit" class="button-primary"><?php _e('Save'); ?></button>
</p>
</form>
```
Following it into `wp-content\plugins\wp-bliss-gallery\bliss.php`:
```php
public function uni_add_new_album()
{
    global $wpdb;
    $album_id = isset($_POST['album_id']) ? (int)$_POST['album_id'] : null;
    $album_name = trim($_POST['album_name']);
    $album_desc = trim($_POST['album_desc']);
    if (!function_exists('get_magic_quotes_gpc') || get_magic_quotes_gpc() != 1) {
        //$album_name = addslashes($album_name);
        //$album_desc = addslashes($album_desc);
    }
    $album = null;
    $album_dir = null;
    //edit album
    if( $album_id != null )
    {
        //get album
        $query = "SELECT album_id, name, description, image, thumb, status, `order`, creation_date
                  FROM {$wpdb->prefix}uni_albums
                  WHERE album_id = $album_id";
        $album = $wpdb->get_row($query);
        if( empty($album) )
        {
            //album does not exists
            die('album not found'. $query);
        }
        $album_dir = uni_get_album_dir($album->album_id);
        //delete album images if new one will be uploaded
        if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 )
        {
            if( file_exists($album_dir . '/big/' . $album->image) )
                unlink($album_dir . '/big/' . $album->image);
            if( $album_dir . '/thumb/' . $album->thumb )
                unlink($album_dir . '/thumb/' . $album->thumb);
        }
        $album = array('name' => $album_name, 'description' => $album_desc);
    }
    //create a new album
    else
    {
        $album = array('name' => $album_name, 'description' => $album_desc, 'order' => 0, 'image' => '', 'thumb' => '', 'status' => 1);
        $wpdb->insert($wpdb->prefix.'uni_albums', $album);
        //get album id
        $album_id = $wpdb->insert_id;
        $album_dir = uni_get_album_dir($album_id);
        if( !is_dir( $album_dir ) )
            mkdir($album_dir);
        if( !is_dir($album_dir . '/big') )
            mkdir($album_dir . '/big');
        if( !is_dir($album_dir . '/thumb') )
            mkdir($album_dir . '/thumb');
    }
    //upload images
    if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 )
    {
        //die(UNI_PLUGIN_UPLOADS_DIR . '/' . $album_dir);
        if( !is_dir( $album_dir ) )
            mkdir($album_dir);
        if( !is_dir($album_dir . '/big') )
            mkdir($album_dir . '/big');
        if( !is_dir($album_dir . '/thumb') )
            mkdir($album_dir . '/thumb');
        $unique_name = wp_unique_filename($album_dir . '/big', $_FILES['album_img']['name']);
        //move uploaded file (big file)
        move_uploaded_file($_FILES['album_img']['tmp_name'], $album_dir . '/big/' . $unique_name);
        //set album image
        $album['image'] = $unique_name;
        //resize for thumbnail
        $thumb = image_resize($album_dir . '/big/' .$unique_name,
            //(int)get_option('large_size_w'),
            //(int)get_option('large_size_h'),
            80,
            80,
            0, 'resized');
        copy($thumb, $album_dir . '/thumb/' . basename($thumb));
        //delete temp thumb
        unlink($thumb);
        if( is_wp_error($thumb) )
        {
            print_r($thumb);die('Error');
        }
        $album['thumb'] = basename($thumb);
    }
    $wpdb->update($wpdb->prefix.'uni_albums', $album, array('album_id' => $album_id));
    if( isset($_REQUEST['TB_iframe']))
    {
        $js = '<script type="text/javascript">self.parent.tb_remove();self.parent.uni_refresh_albums_table();</script>';
        die($js);
    }
}
```
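In the upload branch shown above, `$_FILES['album_img']` is written into `$album_dir . '/big/'` by `move_uploaded_file()` after `wp_unique_filename()` has only de-duplicated the client-supplied name; nothing in the quoted code checks that the bytes are an image or that the extension is one the gallery should store. The following standalone PHP is an added example and is not part of the original post or of the plugin; it shows the checks a hardened handler would run before moving the file. The function name `validate_album_image`, the allowlist, the 2 MB cap and the constructed sample files are all assumptions for the demonstration, and the `fileinfo` extension is assumed to be available.

```php
<?php
// Added example (not plugin code): validate an album image before storing it.
// $file is one $_FILES entry. Returns ['ok' => bool, ...] so the caller can
// refuse the request instead of writing an unchecked file to disk.
function validate_album_image(array $file, int $max_bytes = 2 * 1024 * 1024, bool $require_http_upload = true): array
{
    // Allowlist of extension => MIME type the gallery is willing to store (assumed).
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if ($file['size'] <= 0 || $file['size'] > $max_bytes) {
        return ['ok' => false, 'reason' => 'size out of range'];
    }
    // Only files that PHP itself received via HTTP POST may be moved (disabled in the CLI demo below).
    if ($require_http_upload && !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an HTTP upload'];
    }
    // The client-supplied name is consulted for its extension only, and only against the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // Content check: the bytes must be the image type the extension claims (magic bytes via fileinfo).
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => "content is $mime, expected {$allowed[$ext]}"];
    }
    // Second, independent check: the image must actually decode with sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    // The stored name is generated server-side; the client never chooses what the file is called.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'name' => $stored, 'mime' => $mime, 'width' => $info[0], 'height' => $info[1]];
}

// Constructed demo inputs: a 1x1 PNG and a small text file, both written to temp files.
$png  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$text = "<?php echo 1; ?>";
$good = tempnam(sys_get_temp_dir(), 'img'); file_put_contents($good, $png);
$bad  = tempnam(sys_get_temp_dir(), 'img'); file_put_contents($bad, $text);

$samples = [
    ['name' => 'cover.png', 'tmp_name' => $good, 'size' => strlen($png),  'error' => UPLOAD_ERR_OK], // accepted
    ['name' => 'cover.php', 'tmp_name' => $bad,  'size' => strlen($text), 'error' => UPLOAD_ERR_OK], // extension rejected
    ['name' => 'cover.png', 'tmp_name' => $bad,  'size' => strlen($text), 'error' => UPLOAD_ERR_OK], // content mismatch rejected
];
foreach ($samples as $f) {
    // $require_http_upload is false here only because these files were not POSTed.
    print_r(validate_album_image($f, 2 * 1024 * 1024, false));
}
unlink($good);
unlink($bad);
```

Inside WordPress the same checks are available without hand-rolling them: `wp_handle_upload()` runs `wp_check_filetype_and_ext()` against the site's allowed MIME list and rejects mismatches, so a plugin handler can pass `$_FILES['album_img']` through it and use the returned path instead of calling `move_uploaded_file()` directly. The example is kept free of WordPress dependencies so that it runs from the CLI.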
### 0x02 Exploitation
See the PoC for details (it is offensive in nature and for testing use only).