关联漏洞
标题:
WordPress plugin Fusion Builder 代码问题漏洞
(CVE-2022-1386)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Fusion Builder 3.6.2之前版本存在代码问题漏洞,该漏洞源于不验证任意 HTTP 请求的参数。攻击者利用该漏洞绕过防火墙和访问控制措施与服务器本地网络上的主机交互。
描述
Automatic Mass Tool for checking vulnerability in CVE-2022-1386 - Fusion Builder < 3.6.2 - Unauthenticated SSRF
介绍
# Fubucker | CVE-2022-1386 - Fusion Builder
Automatic Mass Tool for checking vulnerability in CVE-2022-1386 - Fusion Builder < 3.6.2 - Unauthenticated SSRF<br>Using GNU Parallel. You must have parallel for running this tool<br><b>If you found error like "$'\r': command not found" just do "dos2unix fubucker.sh"</b>
# Install Parallel
Linux : <br>
<b>command</b> <br># <i>apt-get install parallel -y</i><br>
Windows : <br>
You can install WSL (windows subsystem linux) then do install like linux<br>if you want use windows, install <a href="https://git-scm.com/download/win">GitBash</a><br>
<b>command</b> <br># <i>curl pi.dk/3/ > install.sh <br># sha1sum install.sh | grep 12345678 <br># md5sum install.sh <br># sha512sum install.sh <br># bash install.sh</i><br>
# Install JQ
Linux : <br>
<b>command</b> <br># <i>apt-get install jq -y</i><br>
Windows : <br>
For WSL just do install like linux, For gitbash you can do this command<br>
<b>command</b> <br># <i>curl -L -o C:/Program\ Files/Git/usr/bin/jq.exe https://github.com/stedolan/jq/releases/latest/download/jq-win64.exe</i>
# How To Use
<i>bash fubucker.sh yourlist.txt thread</i>
# Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1386<br>
https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b<br>
https://github.com/projectdiscovery/nuclei-templates/issues/4892<br>
https://github.com/ardzz/CVE-2022-1386<br>
文件快照
[4.0K] /data/pocs/ce6b9aef9b12eaf9edf65ebe7bd4cbb85d712ccd
├── [1.9K] fubucker.sh
├── [ 9] notvuln.txt
├── [1.4K] README.md
├── [1.5K] single-exploiter.sh
└── [ 11] vuln.txt
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。