<p>/wp-content/plugins/wysija-newsletters/helpers/back.php</p>
<pre class="">function verify_capability(){
    if( isset( $_REQUEST['page'] ) && substr( $_REQUEST['page'] ,0 ,7 ) == 'wysija_' ){
        switch( $_REQUEST['page'] ){
            case 'wysija_campaigns':
                $role_needed = 'wysija_newsletters';
                break;
            case 'wysija_subscribers':
                $role_needed = 'wysija_subscribers';
                break;
            case 'wysija_config':
                $role_needed = 'wysija_config';
                break;
            case 'wysija_statistics':
                $role_needed = 'wysija_stats_dashboard';
                break;
            default:
                $role_needed = 'switch_themes';
        }
        if( current_user_can( $role_needed ) ){
            return true;
        } else{
            die( 'You are not allowed here.' );
        }
    } else{
        // this is not a wysija interface/action we can let it pass
        return true;
    }
}
</pre>
<p>In PHP's default configuration, the $_POST['page'] variable overrides the $_GET['page'] variable in the $_REQUEST['page'] array.</p>
<p>The plugin uses $_REQUEST to check access permissions. By setting the POST parameter to a value that does not start with 'wysija_', the permission check in admin_init can be bypassed.</p>
<p>/wp-content/plugins/wysija-newsletters/controllers/back/campaigns.php</p>
<pre class="">function themeupload() {
    $helperNumbers = WYSIJA::get('numbers', 'helper');
    $bytes = $helperNumbers->get_max_file_upload();
    if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $bytes['maxbytes']) {
        if (isset($_FILES['my-theme']['name']) && $_FILES['my-theme']['name']) {
            $filename = $_FILES['my-theme']['name'];
        } else {
            $filename = "";
        }
        $this->error(sprintf(__('Upload error, file %1$s is too large!
(MAX:%2$s)', WYSIJA), $filename, $bytes['maxmegas']), true);
        $this->redirect('admin.php?page=wysija_campaigns&action=themes');
        return false;
    }
    $ZipfileResult = trim(file_get_contents($_FILES['my-theme']['tmp_name']));
    $themesHelp = WYSIJA::get('themes', 'helper');
    $result = $themesHelp->installTheme($_FILES['my-theme']['tmp_name'], true);
    $this->redirect('admin.php?page=wysija_campaigns&action=themes&reload=1');
    return true;
}
</pre>
<p>After bypassing the permission check, a zip file can be uploaded; it is extracted to /wp-content/uploads/wysija/&lt;archive file name&gt;/</p>
<p>Exploitation process</p>
<p>Using Burp Suite</p>
<p>1. Repeater -- new tab</p>
<p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696362160-1.png" data-image-size="672,479"></p>
<p>2. Paste from file</p>
<p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696393209-1.png" data-image-size="671,451"></p>
<p>3. Import the POST file and port (the POST file is in the document directory)</p>
<p>4. Fill in host and port, then Go</p>
<p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434696424407-1.png" data-image-size="677,645"></p>
<p>Shell address:</p>
<p>/wp-content/uploads/wysija/themes/SWgVmGZaXn/abyufgq7uyg1.php</p>
<p>Password: cmd</p>
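<p>As an added example (not code from the plugin), the verify_capability check above rewritten so the menu slug is read from $_GET only, which removes the $_REQUEST precedence issue the page describes; the function name, the rejection of a conflicting POST "page" field, and the 400/403 responses are my choices:</p>

```php
<?php
// Added illustration, not MailPoet's own code. WordPress passes the admin menu
// slug in the query string, so the slug is read from $_GET only. $_REQUEST merges
// $_GET and $_POST, and under PHP's default request_order ("GP") a POST field of
// the same name wins, which is what let a POST body "page" value steer the
// original check into its permissive "not a wysija interface" branch.
function verify_capability_hardened() {
    $page = isset( $_GET['page'] ) ? (string) $_GET['page'] : '';

    // A POST body carrying a different "page" is a routing/authorization mismatch: refuse it.
    if ( isset( $_POST['page'] ) && (string) $_POST['page'] !== $page ) {
        wp_die( 'Conflicting page parameter.', '', array( 'response' => 400 ) );
    }

    // Not a wysija interface/action: leave it to WordPress' own capability checks.
    if ( substr( $page, 0, 7 ) !== 'wysija_' ) {
        return true;
    }

    // Same slug-to-capability mapping as the original switch statement.
    $caps = array(
        'wysija_campaigns'   => 'wysija_newsletters',
        'wysija_subscribers' => 'wysija_subscribers',
        'wysija_config'      => 'wysija_config',
        'wysija_statistics'  => 'wysija_stats_dashboard',
    );
    $role_needed = isset( $caps[ $page ] ) ? $caps[ $page ] : 'switch_themes';

    if ( ! current_user_can( $role_needed ) ) {
        wp_die( 'You are not allowed here.', '', array( 'response' => 403 ) );
    }
    return true;
}
```

The essential property is that the authorization decision and the action dispatch read the slug from the same source, so no second parameter source can make them disagree.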