WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

2009年11月16日 | 学习笔记| 坏人咖啡

漏洞分析就不说了，下面我们来看下漏洞利用吧！

Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload feature to upload a file:

test-image.php.jpg

containing the following code:

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

thus executing the PHP code it contains.

In the above code example, a php info page will be shown.

下面我来解析下这段文字的意思，首先你要拿到一个用户权限账号，然后来到发布文章的地方，通过上传媒体功能上传一个名为test-image.php.jpg的文件，其中test-image.php.jpg中的内容为

当上传完成后我们会得到一个类似这样的地址
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-image.php.jpg现在执行PHP包含你就会看到PHP的信息面了。