myhack58 MYHACK58:62201993172
History: Mar 17, 2019 - 12:00 a.m.

WordPress 5.0.0 Remote Code Execution: analysis and reflections - vulnerability warning - the black bar safety net

2019-03-17 00:00:00
www.myhack58.com

CVSS3: 8.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 6.8 Medium
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.847 High (percentile 98.2%)

On February 20 the RIPS team disclosed a WordPress 5.0.0 Remote Code Execution on its website, assigned CVE-2019-6977. The write-up mainly describes how an account with the Author role can chain three vulnerabilities into RCE: a Post Meta variable override, a directory-traversal file write, and a template (theme file) inclusion.

However, the original post only sketches the principle of the vulnerability and the attack chain; a large number of details are omitted.

The three analyses written by the masters are really good and have basically laid everything out very clearly. But their exploitation chains are almost identical, and the many domestic analysis articles I went through all use the same attack chain, because it is the chain that the vulnerability publisher, RIPS, gave in its disclosure. During my own reproduction, however, I found that in the step which combines the variable override with the directory-traversal file write there is another way to write a file through directory traversal.

RIPS' approach
The following figure is taken from LoRexxar's article:
![](/Article/UploadPic/2019-3/201931734847694.png)
The following figure is taken from Hu3sky's article:
![](/Article/UploadPic/2019-3/201931734848964.png)
This is the attack method used by most of the analysis articles online.
Analysis
When action=crop-image, the program calls wp_ajax_crop_image to crop the image.
#/wp-admin/admin-ajax.php line 145
if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_post ) ) {
    add_action( 'wp_ajax_' . $_POST['action'], 'wp_ajax_' . str_replace( '-', '_', $_POST['action'] ), 1 );
}
The POSTed action is spliced into the hook name (dashes become underscores) and the matching function is executed. Follow it into wp_ajax_crop_image.
#/wp-admin/includes/ajax-actions.php line 3950
function wp_ajax_crop_image() {
    $attachment_id = absint( $_POST['id'] );

    check_ajax_referer( 'image_editor-' . $attachment_id, 'nonce' );
    if ( empty( $attachment_id ) || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error();
    }

    $context = str_replace( '_', '-', $_POST['context'] );
    $data    = array_map( 'absint', $_POST['cropDetails'] );
    $cropped = wp_crop_image( $attachment_id, $data['x1'], $data['y1'], $data['width'], $data['height'], $data['dst_width'], $data['dst_height'] );

    if ( ! $cropped || is_wp_error( $cropped ) ) {
        wp_send_json_error( array( 'message' => __( 'Image could not be processed.' ) ) );
    }
    ...
You can see that check_ajax_referer( 'image_editor-' . $attachment_id, 'nonce' ) validates the nonce, and the nonce is bound to the attachment id, so the nonce and id parameters must be kept unchanged. The caller must also be able to edit that attachment (current_user_can( 'edit_post', $attachment_id )), which an Author can for their own upload.
The line $cropped = wp_crop_image( $attachment_id, $data['x1'], $data['y1'], $data['width'], $data['height'], $data['dst_width'], $data['dst_height'] ); performs the actual crop.
Follow the wp_crop_image function.

#/wp-admin/includes/image.php line 25
function wp_crop_image( $src, $src_x, $src_y, $src_w, $src_h, $dst_w, $dst_h, $src_abs = false, $dst_file = false ) {
    $src_file = $src;
    if ( is_numeric( $src ) ) {
        $src_file = get_attached_file( $src );

        if ( ! file_exists( $src_file ) ) {
            $src = _load_image_to_edit_path( $src, 'full' );
        } else {
            $src = $src_file;
        }
    }

    $editor = wp_get_image_editor( $src );
    if ( is_wp_error( $editor ) ) {
        return $editor;
    }

    $src = $editor->crop( $src_x, $src_y, $src_w, $src_h, $dst_w, $dst_h, $src_abs );
    if ( is_wp_error( $src ) ) {
        return $src;
    }

    if ( ! $dst_file ) {
        $dst_file = str_replace( basename( $src_file ), 'cropped-' . basename( $src_file ), $src_file );
    }

    wp_mkdir_p( dirname( $dst_file ) );

    $dst_file = dirname( $dst_file ) . '/' . wp_unique_filename( dirname( $dst_file ), basename( $dst_file ) );

    $result = $editor->save( $dst_file );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    return $dst_file;
}
As for get_attached_file, it reads the _wp_attached_file meta value from the database without any validation. In the earlier Post Meta override step, the value 2019/03/poc.jpg#/../../../../themes/twentyseventeen/poc.jpg was written into _wp_attached_file, so $src_file becomes the uploads base directory joined with that string, and $dst_file is derived from it by the basename/str_replace logic above. Note that str_replace replaces every occurrence of the basename, and that wp_mkdir_p( dirname( $dst_file ) ) runs before the save.
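To make the destination-path derivation concrete, the following is an added Python model of the $dst_file computation in wp_crop_image() and of where the write resolves on disk. It is illustration added here, not WordPress code and not code from the original article. It assumes an uploads directory of /var/www/html/wp-content/uploads, that get_attached_file() is simply the uploads base joined with the meta value, that wp_unique_filename() returns the name unchanged (no collision in the target directory), and that the "#" in the meta value makes file_exists() fail so the original image is loaded through the _load_image_to_edit_path() fallback. The is_inside() function at the end is an illustrative containment check a practitioner might add, not WordPress's own fix.

```python
import posixpath

# Assumed deployment layout (not from the article): the uploads base directory.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"


def attached_file_path(meta_value: str) -> str:
    """Model of get_attached_file(): the uploads base dir joined with the raw
    _wp_attached_file meta value. Nothing is normalised or validated here, which
    is why a crafted meta value reaches wp_crop_image() intact."""
    return UPLOADS_DIR + "/" + meta_value


def crop_destination(src_file: str) -> str:
    """Model of the $dst_file derivation in wp_crop_image():

        $dst_file = str_replace( basename( $src_file ), 'cropped-' . basename( $src_file ), $src_file );
        $dst_file = dirname( $dst_file ) . '/' . wp_unique_filename( dirname( $dst_file ), basename( $dst_file ) );

    PHP's str_replace replaces every occurrence, so when the basename appears
    twice (once before the '#', once at the end of the traversal) both copies are
    renamed. wp_unique_filename() is assumed to return the name unchanged."""
    name = posixpath.basename(src_file)
    dst_file = src_file.replace(name, "cropped-" + name)
    return posixpath.dirname(dst_file) + "/" + posixpath.basename(dst_file)


def resolved_write_path(dst_file: str) -> str:
    """Where $editor->save( $dst_file ) actually lands. wp_mkdir_p( dirname( $dst_file ) )
    creates the intermediate 'cropped-poc.jpg#' directory first, so each '..'
    segment resolves on disk and the path collapses exactly as normpath does."""
    return posixpath.normpath(dst_file)


def is_inside(path: str, base: str) -> bool:
    """Illustrative containment check (not WordPress's own fix): reject a
    destination whose normalised form escapes the base directory."""
    base = posixpath.normpath(base)
    return posixpath.commonpath([posixpath.normpath(path), base]) == base


def trace(meta_value: str) -> dict:
    """Run one _wp_attached_file value through the chain and report each stage."""
    src = attached_file_path(meta_value)
    dst = crop_destination(src)
    return {
        "src_file": src,
        "dst_file": dst,
        "writes_to": resolved_write_path(dst),
        "inside_uploads": is_inside(dst, UPLOADS_DIR),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal attachment, then the traversal value from the article.
    for meta in (
        "2019/03/poc.jpg",
        "2019/03/poc.jpg#/../../../../themes/twentyseventeen/poc.jpg",
    ):
        for stage, value in trace(meta).items():
            print(f"{stage:>15}: {value}")
        print()
```

Running it shows the benign value staying under uploads/2019/03/, while the crafted value yields a $dst_file whose four ".." segments climb out of uploads/2019/03/cropped-poc.jpg#/ and land the cropped image in wp-content/themes/twentyseventeen/. A containment check on the normalised destination, as in is_inside(), is the kind of guard that would have stopped the write regardless of how the meta value was tampered with.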

