WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

date 2009年11月16日 | category 学习笔记| 坏人咖啡

漏洞分析就不说了,下面我们来看下漏洞利用吧!

Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload feature to upload a file:

test-image.php.jpg

containing the following code:

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

thus executing the PHP code it contains.

In the above code example, a php info page will be shown.

下面我来解析下这段文字的意思,首先你要拿到一个用户权限账号,然后来到发布文章的地方,通过上传媒体功能上传一个名为test-image.php.jpg的文件,其中test-image.php.jpg中的内容为

当上传完成后我们会得到一个类似这样的地址
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-image.php.jpg现在执行PHP包含你就会看到PHP的信息面了。

所属分类: 学习笔记
Tags:


没有评论

暂无评论

RSS feed for comments on this post.

对不起,该文章的评论被关闭了!