Shulou(Shulou.com)06/01 Report--

At the beginning of January 2019, the latest version of WordPress has a vulnerability of remote code injection to obtain SHELL. The version affected by the vulnerability of the website is wordpress5.0.0. The vulnerability is caused by the image module, because the code can obtain directory permissions and file inclusion functions, resulting in successful remote code injection.

Through the published details of the vulnerability, we found through security analysis that the vulnerability is mainly uploaded in wordpress here, looked at the code post meta parameter value is not filtered, resulting in you can modify the WP blog database field, in the file contains embedded local file address can be modified parameters across directories, resulting in saved pictures can be arbitrarily saved to any directory of the site.

Exploitation of vulnerabilities in wordpress website

Let's first set up the environment needed by the system, linux centos server, php5.3,mysql database is 5.6, installed wordpress 5.0.0 system, the data is the default, then we open the website, click on the wordpress media library to cut our pictures here, we upload the pictures to the website, the default image is saved in the wp-content file in the root directory of the site under the upload folder The uploaded image will be saved directly to the wp_postmeta table, and the information in the table is the path and details of the image. As shown below:

We can modify the attributes of the uploaded image for post tampering. There is no strict security filtering for post transmission in the code. Let's construct a packet to modify the path value. Let's take a security test. / convenience directory vulnerability, first obtain the parameter of wp_admin/post.php, then modify it, change the parameter wp_attached_file to jpg../../safe.jpg, and then submit post, which will be written directly to the database.

When we open the properties of the picture that we have just modified, we will find that the picture has been executed, from which we can judge that this function is simply the path to read the picture locally and the image can be read at any directory address, and the remote read image will be filtered to the question mark and the parameters after jpg, resulting in the cropped picture being directly stored in the wordpress theme folder. We can get shell permission by remote code injection.

Summary of wordpress vulnerabilities

The occurrence of the vulnerability of the website only exists in the wordpress5.0.0 version, and other versions are not affected by the vulnerability. The main reason is that the function of cropping pictures is injected, which leads to remote reading of pictures, the malicious code image files can be written to the root directory of the website, and finally, the vulnerabilities contained in the files are used to generate SHELL to obtain the highest permissions of the website.

On the wordpress site loopholes repair recommendations, website operators as soon as possible to upgrade the wordpress version to the latest version, do not use 5.0.0 version, the site patch timely login background update, if the site has been attacked, it is recommended to immediately detect and remove Trojan files on the site, do a good job in website security reinforcement, you can also find a professional website security company to solve the problem.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.