Related vulnerabilities
Description
Proof of concept for CVE-2020-36708
Introduction
# CVE-2020-36708 – WordPress Epsilon Framework Function Injection PoC
## Overview
**CVE-2020-36708** is a vulnerability in the **Epsilon Framework** for WordPress that allows unauthenticated attackers to invoke arbitrary PHP class methods via the AJAX action `epsilon_framework_ajax_action`.
This issue is categorized as a **function injection vulnerability** because an attacker controls all of the following:
- The **class** to call (e.g., `Requests`)
- The **method** to invoke (e.g., `request_multiple`)
- The **arguments** to supply
In effect, the attacker can direct the framework to execute PHP functions or library calls not intended to be exposed.
The most straightforward and non-destructive way to demonstrate this is by abusing the bundled `Requests` library to trigger an **SSRF** (Server-Side Request Forgery). By forcing the server to make a web request to a controlled domain, we confirm arbitrary function execution without impacting the target system.
If Burp Pro isn't available, use webhook.site in its place.
This PoC is for educational and authorized penetration testing only.
Do not use it against systems without explicit permission.
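For defenders, requests that reach this AJAX action can be flagged from request logs that record form bodies. The following is an added example, not code from this repository: the record schema (`src`, `method`, `url`, `body`) and the parameter names `p1`/`p2` are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

VULN_ACTION = "epsilon_framework_ajax_action"   # action name given in the README
AJAX_PATH = "/wp-admin/admin-ajax.php"          # standard WordPress AJAX endpoint
URL_RE = re.compile(r"https?://[^\s\"'\\]+", re.I)

def inspect_request(method, url, body=""):
    """Return a finding dict if the request targets the vulnerable action, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(AJAX_PATH):      # also matches subdirectory installs
        return None
    # WordPress reads 'action' from $_REQUEST, so check the query string and the form body.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    if not any(k == "action" and v == VULN_ACTION for k, v in params):
        return None
    # Any URL carried in a parameter is a candidate SSRF destination for triage.
    urls = sorted({u for _, v in params for u in URL_RE.findall(v)})
    return {"method": method.upper(), "params": len(params), "outbound_urls": urls}

def scan(records):
    """records: iterable of dicts with src, method, url, body (hypothetical schema)."""
    hits = []
    for rec in records:
        finding = inspect_request(rec["method"], rec["url"], rec.get("body", ""))
        if finding:
            hits.append({"src": rec["src"], **finding})
    return hits

# Constructed sample records; parameter names other than 'action' are placeholders.
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=epsilon_framework_ajax_action&p1=Requests&p2=http%3A%2F%2Fcallback.example%2Fx"},
    {"src": "198.51.100.4", "method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&interval=60"},
    {"src": "192.0.2.9", "method": "GET",
     "url": "/wp-admin/admin-ajax.php?action=epsilon%5Fframework%5Fajax%5Faction"},
    {"src": "192.0.2.10", "method": "GET", "url": "/index.php?action=epsilon_framework_ajax_action"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Standard access logs do not record POST bodies, so this check needs WAF or reverse-proxy audit logs to see the action when it is sent in the body.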
File snapshot
[4.0K] /data/pocs/0610bf5ddb56187badfa44eb14e7b4b3160bf65d
├── [ 601] CVE-2020-36708.sh
└── [1.1K] README.md
0 directories, 2 files