Home > CMS Tutorial > WordPress > Does wordpress have vulnerabilities?

Does wordpress have vulnerabilities?

爱喝马黛茶的安东尼
Release: 2019-07-20 10:37:38
Original
2229 people have browsed it

Does wordpress have vulnerabilities?

According to the official CVE vulnerability report, we learned that WordPress has a new combined rce vulnerability. The vulnerability numbers are CVE-2019-8943 and CVE-2019-8942. Download the source code of the vulnerability version and analyze it. Vulnerability triggering process, note: When the vulnerability recurs, the network must be disconnected to build. WordPress will automatically update the code package when it is connected to the Internet. Find the file post.php where the vulnerability occurs. WordPress has multiple post.php files. Here is a brief explanation of their respective functions. wp-includes/post.php is the source file of post, and wp-admin/includes/post.php has the backend. Permissioned post interface, wp-admin/post.php is for background post request processing. The specific calling code is as follows:

wp-admin/post.php:require_once( dirname( __FILE__ ) . '/admin.php' );
wp-admin/admin.php:require_once(ABSPATH . 'wp-admin/includes/admin.php');
wp-admin/includes/admin.php:require_once(ABSPATH . 'wp-admin/includes/post.php');
wp-admin/admin.php::require_once(dirname(dirname(__FILE__)) . '/wp-load.php');
wp-load.php:require_once( dirname( ABSPATH ) . '/wp-config.php' );
wp-config.php:require_once(ABSPATH . 'wp-settings.php');
wp-settings.php:require( ABSPATH . WPINC . '/post.php' );
define( 'WPINC', 'wp-includes' );
Copy after login

According to the above calling process, the vulnerability exploitation process is to upload an image to the media library and then update it. Operation, call the wp-admin/post.php function, and switch to case:editpost, as shown in the following figure:

Does wordpress have vulnerabilities?

where edit_post is the vulnerability function, enter the function declaration, As shown in the figure below:

Does wordpress have vulnerabilities?

$post_data is a post array without any filtering protection, which caused subsequent vulnerabilities. Compare the repaired code, as shown in the figure below Instructions:

Does wordpress have vulnerabilities?

I will say a few more words here, because I did not find that wordpress will automatically update when connected to the Internet at the beginning, so I located another similar vulnerability point. , as shown in the figure below:

Does wordpress have vulnerabilities?

The above code will update_meta based on the incoming meta array. According to the $key (meta_id in the database) in the code, $value[' key'] (meta_key in the database), $value['value'] (meta_value in the database), construct meta[1][key]=_wp_attached_file&meta[1][value]=123, and finally execute a database statement similar to the following UPDATE `wp_postmeta` SET `meta_key` = '_wp_attached_file', `meta_value` = '123' WHERE `meta_id` = 2, the implementation process is as shown in the figure below:

Does wordpress have vulnerabilities?

#Related Recommended: "WordPress Tutorial"

Update the content in the wp_postmeta table according to meta_id, and finally execute the do_action function, as shown in the following figure:

Does wordpress have vulnerabilities?

# #However, due to the limitations of the third and fourth if, the execution cannot be successful. This is also an interesting point in the recurrence of the vulnerability. Continue to track, as shown in the following figure:

Does wordpress have vulnerabilities?

Find the available points and enter the wp_updae_post function as shown in the code, as shown in the figure below:

Does wordpress have vulnerabilities?

This function will go through some acquisition parameters Operation, extract the variables in the array and assign values, and track the vulnerability occurrence point, as shown in the following figure:

Does wordpress have vulnerabilities?

It is found that the wp_insert_attachment function is returned, and this function is tracked as follows As shown in the figure:

Does wordpress have vulnerabilities?

Return to the wp_insert_post function, track this function, and locate the vulnerability occurrence point in this function, as shown in the following figure:

Does wordpress have vulnerabilities?

So based on the above vulnerability points, you can pass in meta_input[_wp_attached_file] =../evil.jpg?shell.php, and execute the SQL statement UPDATE `wp_postmeta` SET `meta_value` = '../evil .jpg?shell.php ' WHERE `post_id` = 8 AND `meta_key` = '_wp_attached_file'. The post_id must be known as a prerequisite for testing conditions. However, under normal circumstances, this parameter will be included when updating the image. If it is a test, you can observe it. Fill in the relevant content in the database. The specific SQL statement nesting execution method is as shown in the following figure:

Does wordpress have vulnerabilities?

#By passing in parameters, assigning values ​​to the corresponding table names and column names, and finally executing the do_action function, as shown below Shown:

Does wordpress have vulnerabilities?

Complete the WordPress directory traversal vulnerability here, and then use the local file inclusion vulnerability to execute rce. WordPress officially uses image libraries for GD and Imagick, as shown in the following figure:

Does wordpress have vulnerabilities?

Imagick does not come with WordPress and requires downloading a plug-in, so by default you can execute arbitrary code by bypassing the GD library.

The above is the detailed content of Does wordpress have vulnerabilities?. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template