### 0x00 概述

插件版本`version 2.3`,PoC附插件网盘下载地址

### 0x01 漏洞分析

漏洞出现在`wp-content\plugins\wp-bliss-gallery\html\manage.php`,

```php
<?php
...
// NOTE(review): $_REQUEST['page'] is concatenated unescaped; where $cpage is
// output is not shown here — confirm it is passed through esc_url()/esc_attr().
$cpage = 'admin.php?page='.$_REQUEST['page'];
?>
<div class="wrap">
<h2><?php _e('Category Management'); ?><a href="javascript:;" id="add_new_album" class="add-new-h2"><?php _e('Add New'); ?></a></h2>
<!-- NOTE(review): no nonce field (wp_nonce_field()) is rendered in this form, and the
     handler below performs no check_admin_referer()/current_user_can() call either. -->
<form id="add_new_album_form" action="" method="post" enctype="multipart/form-data">
<input type="hidden" name="task" value="uni_add_new_album" />
<table>
<tr>
<td><label><?php _e('Category Name'); ?></label></td>
<td><input type="text" id="album_name" name="album_name" value="" /></td>
</tr>
<tr>
<td><label><?php _e('Category Description'); ?></label></td>
<td><textarea id="album_desc" name="album_desc"></textarea></td>
</tr>
<tr>
<td><label><?php _e('Category Image'); ?></label></td>
<td><input type="file" name="album_img" value="" /></td>
</tr>
</table>
<p>
<button type="submit" class="button-primary"><?php _e('Save'); ?></button>
</p>
</form>
```

跟到`wp-content\plugins\wp-bliss-gallery\bliss.php`

```php
/**
 * Creates a new album or edits an existing one from the POSTed form
 * (album_id, album_name, album_desc, album_img) and persists it via $wpdb.
 *
 * Review notes (defensive reading of the code as shown):
 *  - No capability or nonce check appears in this method; whether the caller
 *    enforces one is outside the shown code — verify.
 *  - The uploaded file is stored under its client-supplied name with no
 *    type/extension validation (see the upload section below).
 *  - Failure paths die() with internal detail (the SQL text, print_r of errors).
 */
public function uni_add_new_album()
{
    global $wpdb;
    // album_id is cast to int, so its later use in the SELECT is bounded to an integer.
    $album_id = isset($_POST['album_id']) ? (int)$_POST['album_id'] : null;
    // Raw request values, only trimmed; stored through $wpdb->insert()/update()
    // (which escape values) — output escaping of name/description is not shown here.
    $album_name = trim($_POST['album_name']);
    $album_desc = trim($_POST['album_desc']);
    if (!function_exists('get_magic_quotes_gpc') || get_magic_quotes_gpc() != 1) {
        // Both lines are commented out, so this branch is effectively a no-op.
        //$album_name = addslashes($album_name);
        //$album_desc = addslashes($album_desc);
    }
    $album = null;
    $album_dir = null;
    //edit album
    if( $album_id != null ) {
        //get album
        $query = "SELECT album_id, name, description, image, thumb, status, `order`, creation_date FROM {$wpdb->prefix}uni_albums WHERE album_id = $album_id";
        $album = $wpdb->get_row($query);
        if( empty($album) ) {
            //album does not exists
            // NOTE(review): echoes the full SQL statement to the client (information disclosure).
            die('album not found'. $query);
        }
        $album_dir = uni_get_album_dir($album->album_id);
        //delete album images if new one will be uploaded
        if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 ) {
            if( file_exists($album_dir . '/big/' . $album->image) )
                unlink($album_dir . '/big/' . $album->image);
            // NOTE(review): this condition tests a non-empty string, so it is always true;
            // presumably file_exists() was intended, as on the 'big' branch above.
            if( $album_dir . '/thumb/' . $album->thumb )
                unlink($album_dir . '/thumb/' . $album->thumb);
        }
        $album = array('name' => $album_name, 'description' => $album_desc);
    }
    //create a new album
    else {
        $album = array('name' => $album_name, 'description' => $album_desc, 'order' => 0, 'image' => '', 'thumb' => '', 'status' => 1);
        $wpdb->insert($wpdb->prefix.'uni_albums', $album);
        //get album id
        $album_id = $wpdb->insert_id;
        $album_dir = uni_get_album_dir($album_id);
        if( !is_dir( $album_dir ) ) mkdir($album_dir);
        if( !is_dir($album_dir . '/big') ) mkdir($album_dir . '/big');
        if( !is_dir($album_dir . '/thumb') ) mkdir($album_dir . '/thumb');
    }
    //upload images
    if( isset($_FILES) && isset($_FILES['album_img']) && $_FILES['album_img']['size'] > 0 ) {
        //die(UNI_PLUGIN_UPLOADS_DIR . '/' . $album_dir);
        if( !is_dir( $album_dir ) ) mkdir($album_dir);
        if( !is_dir($album_dir . '/big') ) mkdir($album_dir . '/big');
        if( !is_dir($album_dir . '/thumb') ) mkdir($album_dir . '/thumb');
        // NOTE(review): wp_unique_filename() only de-duplicates the name; the extension
        // and content type of the upload are never checked (no wp_check_filetype_and_ext()
        // / wp_handle_upload() call), so the file lands in a web-served directory as-is.
        // Mitigation: route the upload through wp_handle_upload()/media_handle_upload(),
        // which applies the site's allowed MIME list, or reject unexpected types here.
        $unique_name = wp_unique_filename($album_dir . '/big', $_FILES['album_img']['name']);
        //move uploaded file (big file)
        move_uploaded_file($_FILES['album_img']['tmp_name'], $album_dir . '/big/' . $unique_name);
        //set album image
        $album['image'] = $unique_name;
        //resize for thumbnail
        $thumb = image_resize($album_dir . '/big/' .$unique_name,
            //(int)get_option('large_size_w'),
            //(int)get_option('large_size_h'),
            80, 80, 0, 'resized');
        // NOTE(review): $thumb is passed to copy()/unlink() before is_wp_error() is
        // consulted below; on a resize failure a WP_Error object reaches these calls.
        copy($thumb, $album_dir . '/thumb/' . basename($thumb));
        //delete temp thumb
        unlink($thumb);
        if( is_wp_error($thumb) ) {
            // NOTE(review): dumps the error object to the response.
            print_r($thumb);die('Error');
        }
        $album['thumb'] = basename($thumb);
    }
    $wpdb->update($wpdb->prefix.'uni_albums', $album, array('album_id' => $album_id));
    if( isset($_REQUEST['TB_iframe'])) {
        $js = '<script type="text/javascript">self.parent.tb_remove();self.parent.uni_refresh_albums_table();</script>';
        die($js);
    }
}
```

### 0x02 漏洞利用

详情参考PoC(具有攻击性,仅供测试使用)。