搜索此博客

2017年12月19日星期二

WordPress Updraftplus 插件漏洞2则以及一些有趣的故事

本邮件内容由第三方提供,如果您不想继续收到该邮件,可 点此退订
WordPress Updraftplus 插件漏洞2则以及一些有趣的故事  阅读原文»

几个月前代码审计的时候,翻了翻wordpress的几个插件,因为wordpress的主要功能基本都是后台的,很少有前台能触发的漏洞,也就没看了,后来顺手就把挖到的2个后台漏洞申请了cve,没想到引来两个人讨论…

你觉得,什么样的漏洞才算是漏洞呢?

authentiicated upload file and php code execution

file /wp-content/plugins/updraftplus/admin.php line 1843 function plupload_action

via the name parameter to set filename, and move file content into this file.

The server will do a basic verification of the file name, you can get a valid backup file name,just like backup_2017-11-29-1844_test_d6c634e49869-plugins.zip.

image.png-72.3kB

after the 39 lines, this file be delete
image.png-296.3kB

there are Race condition, when we view this pages before delete after write in. we can make php code execution.

PoC

file name just like:

1
backup_2017-11-29-1844_test_d6c634e49869-plugins

file content:

1
2
3
4
<?php
$f = fopen('../a.php','wb');
fwrite($f, '<?php phpinfo();?>');
fclose($f);

via upload this file, and view this pages before delete, we can write a a.php into /wp-content/a.php

(2017.11.29 Supplement Vulnerability Details)
image.png-197.1kB

image.png-105.2kB

image.png-89.2kB

image.png-172.5kB

authentiicated ssrf

file /wp-content/plugins/updraftplus/admin.php line 1233 function updraft_ajax_handler

when subaction='httpget'the curl parameter follow into function http_get,

image.png-26.1kB

image.png-163.4kB

they will use curl to request url, it can be exploited to conduct server-side request forgery (SSRF) attacks.

PoC

login and view website

1
http://127.0.0.1/wordpress4.8/wp-admin/options-general.php?page=updraftplus&tab=expert

image.png-8.9kB

use fetch(curl)

image.png-20.9kB

聊聊漏洞

由于申请cve的关系,漏洞详情用英文写了,大都是通俗易懂的句子,就不花时间翻译了。

有趣的是,当我在github上公开漏洞详情的时候,引来了两个人的关注(聊天时候的感觉更像是插件的开发者)。

源地址

第一个人直接向我推了一份mr,让我删除漏洞详情,Σ(っ °Д °;)っ,然后就开始撕逼了…

https://github.com/LoRexxar/CVE_Request/pull/1

整个过程,这个人始终认为漏洞不存在,对话非常有意思,那么,漏洞到底是什么?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
DavidAnderson684 commented 22 days ago   edited 
@LoRexxar If somebody can log in as a WP administrator, then they do not need to carry out complicated "attacks" against upload race conditions that only they have access to. Instead, they can just do any of 10,000 other things to manipulate your filesystem, e.g.
Install a WP file manager plugin and manipulate the filesystem at will
Install their own malicious plugin or theme directly using the WP plugin uploader
Upload a malicious backup of their own creation and restore it
Download an existing backup, edit it, upload it and restore it
Use the in-built WordPress code or theme editor to edit existing parts of WordPress
For something to be an attack, it has to give a user powers that they did not already have. A procedure that allows them, through a very complicated work-around method, to do something that they could already do through many other mechanisms is not an attack. Admins can already do the same thing in zillions of other ways. UpdraftPlus is a backup/restore plugin! An evil admin can just create a malicious backup, and then restore it.... he doesn't need to do something really convoluted as an alternative.

这段的意思差不多是说,当你可以登录WordPress之后,你有一万种方式可以操作网站的文件系统,而且UpdarPlus本身就是一个用来备份恢复的插件,你完全没必要使用条件竞争来修改文件系统,所以这并不算一个漏洞。

1
2
3
4
5
你说的当然没错,但是你认为漏洞是什么?
1、在我看来,网站管理员不应当拥有服务器权限。
2、并不是因为有更易于应用的漏洞,别的漏洞就不算是漏洞。
3、wordpress官方对于s
如何设计有效且隐蔽的红军团队攻击基础设施 Part.2  阅读原文»
C2 长连接与短连接 - 长连接和短连接C2服务器在上面的"常规" 部分已经作过简要的介绍; 但是,重申一次:长连接的服务器只能用于恢复进入环境的通道。服务器应该从持久性接收回调,并且非常缓慢地接收检查,例如每十二小时进行一次检查。短连接 ...
  黑客技术官网地址:http://www.hackdig.com/
阅读更多内容
    
  








发帖者



时间:










































没有评论:











发表评论






        
      








订阅:
博文评论 (Atom)