根据CVE官方漏洞通报得知wordpress新出一个组合式rce漏洞,漏洞编号分别为CVE-2019-8943和CVE-2019-8942,下载漏洞版本源码,分析漏洞触发过程,注:漏洞复现时一定要断网搭建,wordpress在联网状态时会自动更新代码包。找到漏洞发生文件post.php,wordpress有多个post.php文件,这里简要说明一下各自的作用,wp-includes/post.php为post的源文件,wp-admin/includes/post.php为有后台权限的post接口,wp-admin/post.php为后台post的请求处理,具体调用代码如下:
wp-admin/post.php:require_once(dirname(__FILE__).'/admin.php');wp-admin/admin.php:require_once(ABSPATH.'wp-admin/includes/admin.php');wp-admin/includes/admin.php:require_once(ABSPATH.'wp-admin/includes/post.php');wp-admin/admin.php::require_once(dirname(dirname(__FILE__)).'/wp-load.php');wp-load.php:require_once(dirname(ABSPATH).'/wp-config.php');wp-config.php:require_once(ABSPATH.'wp-settings.php');wp-settings.php:require(ABSPATH.WPINC.'/post.php');define('WPINC','wp-includes');