/wp-content/plugins/wysija-newsletters/helpers/back.php

function verify_capability(){
        if( isset( $_REQUEST['page'] ) && substr( $_REQUEST['page'] ,0 ,7 ) == 'wysija_' ){

            switch( $_REQUEST['page'] ){
                case 'wysija_campaigns':
                    $role_needed = 'wysija_newsletters';
                    break;
                case 'wysija_subscribers':
                    $role_needed = 'wysija_subscribers';
                    break;
                case 'wysija_config':
                    $role_needed = 'wysija_config';
                    break;
                case 'wysija_statistics':
                    $role_needed = 'wysija_stats_dashboard';
                    break;
                default:
                    $role_needed = 'switch_themes';
            }

            if( current_user_can( $role_needed ) ){
                return true;
            } else{
                die( 'You are not allowed here.' );
            }

        }else{
            // this is not a wysija interface/action we can let it pass
            return true;
        }
    }

在PHPS默认配置$_POST[‘page’]变量覆盖了$ _REQUEST‘page’]数组中的$_GET‘page’]变量。

该插件使用$_REQUEST来检查访问权限。由POST参数设置为一些不以'wysija_“开头就可以绕过admin_Init的权限判断。

/wp-content/plugins/wysija-newsletters/controllers/back/campaigns.php

function themeupload() {
        $helperNumbers = WYSIJA::get('numbers', 'helper');
        $bytes = $helperNumbers->get_max_file_upload();

        if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $bytes['maxbytes']) {
            if (isset($_FILES['my-theme']['name']) && $_FILES['my-theme']['name']) {
                $filename = $_FILES['my-theme']['name'];
            } else {
                $filename = "";
            }

            $this->error(sprintf(__('Upload error, file %1$s is too large! (MAX:%2$s)', WYSIJA), $filename, $bytes['maxmegas']), true);
            $this->redirect('admin.php?page=wysija_campaigns&action=themes');

            return false;
        }


        $ZipfileResult = trim(file_get_contents($_FILES['my-theme']['tmp_name']));

        $themesHelp = WYSIJA::get('themes', 'helper');
        $result = $themesHelp->installTheme($_FILES['my-theme']['tmp_name'], true);
        $this->redirect('admin.php?page=wysija_campaigns&action=themes&reload=1');

        return true;
}

绕过权限判断后可上传一个zip，上传后会解压到/wp-content/uploads/wysija/压缩包文件名/

漏洞利用过程

使用burpsuite

1.repeater--newtab

2.Paste formfile

3.导入post文件和端口(post文件在文档目录)

4.填入host---port-go

shell地址:

/wp-content/uploads/wysija/themes/SWgVmGZaXn/abyufgq7uyg1.php

密码cmd