关联漏洞
标题:Elementor安全漏洞 (CVE-2022-1329)Description:Elementor是以色列Elementor公司的一个网站构建器,允许WordPress用户创建和编辑网站。 Elementor 版本 3.6.0 到 3.6.2存在安全漏洞,目前暂无该漏洞信息,请随时关注CNNVD或厂商公告。
Description
WordPress Elementor 3.6.0 3.6.1 3.6.2 RCE POC
介绍
# WP Elementor 3.6.0/1/2 Remote Code Execution
```
Google Dork: none
Date: April 16 2022
Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
Vendor Homepage: https://elementor.com/
Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
Version: 3.6.0, 3.6.1, 3.62
Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
CVE : CVE-2022-1329
```
## VULNERABILITY DESCRIPTION
The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
At the end of this file you can find this code:
```
add_action( 'admin_init', function() {
if ( wp_doing_ajax() &&
isset( $_POST['action'] ) &&
isset( $_POST['_nonce'] ) &&
wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
) {
$this->maybe_handle_ajax();
}
} );
```
This code is triggered whenever ANY user account visits /wp-admin
In order to work we need the following 4 things:
1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
The file we upload must have the following structure:
1. It must be a ZIP file. You can name it as you want.
2. It must contain a folder called "elementor-pro"
3. This folder must contain a file named "elementor-pro.php"
This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
In order to prevent this, I suggest you to use some variable to activate the payload.
Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
```
if (!isset($_GET['activate']))
return;
```
文件快照
[4.0K] /data/pocs/778ec9b57495075acc3655c4dd54bf29a38753a0
├── [5.6K] exploit.py
└── [2.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。