Related vulnerability
Title: Elementor security vulnerability (CVE-2022-1329) Description: Elementor is a website builder from the Israeli company Elementor that lets WordPress users create and edit websites. Elementor versions 3.6.0 through 3.6.2 contain a security vulnerability; no further details of this vulnerability are available at present. Please follow CNNVD or the vendor's advisory for updates.
Introduction
# CVE-2022-1329-WordPress-Elementor-RCE
This poc is based on the one of [AkuCyberSec](https://github.com/AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit).
[中文版本](./README-zh.md)
# Usage
Use `docker-compose` to start the vuln environment:
```shell
docker-compose up -d
```
Then you can access the WordPress admin page at `http://localhost:8000`.
Register the admin user, and add a **non-admin** user in the **Users** tab. For example, there are two users:
| Username | Password | Role |
|----------|----------|--------|
| wc | 123456 | Admin |
| a2 | aaaaaa | Editor |
Log in with the admin account, and install **Elementor 3.6.1** with the zip provided.
If you run into the upload size limit, add a **php.ini** to `/var/www/html/` with the following contents and restart the docker container:
```text
upload_max_filesize = 64M
max_execution_time = 0
post_max_size = 150M
file_uploads = on
```
Edit the poc script with your **non-admin** user information, then run it to exploit:
```shell
python3 poc.py
```
**NOTE:** the script may fail with an **upload problem**, but that's **OK**: refresh the admin page in the browser to check whether it worked.
The poc currently runs `phpinfo();` as its payload. You can change this, but you need to manually remove the `elementor-pro` plugin from the docker container at `/var/www/html/wp-content/plugin/elementor-pro`:
```shell
# Unzip the zip file
unzip elementor-pro.zip
# Edit the main file to put your payload, it's in the begin of the file
nano elementor-pro/elementor-pro.php
# And zip
rm elementor-pro.zip; zip -ry elementor-pro.zip elementor-pro
# exploit again
python3 poc.py
```

File snapshot
[4.0K] /data/pocs/03649cc669403cf4808effa8e1bab2fe103d2b3a
├── [198K] 1.png
├── [ 501] docker-compose.yml
├── [7.6M] elementor.3.6.1.zip
├── [2.8M] elementor-pro.zip
├── [5.5K] poc.py
├── [1.7K] README.md
└── [1.8K] README-zh.md
0 directories, 7 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.