Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-12077 PoC — WordPress mappress-google-maps-for-wordpress 代码问题漏洞

Source
https://github.com/RandomRobbieBF/CVE-2020-12077
Associated Vulnerability
Title:WordPress mappress-google-maps-for-wordpress 代码问题漏洞 (CVE-2020-12077)
Description:WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。mappress-google-maps-for-wordpress是使用在其中的一个交互式地图插件。 WordPress mappress-google-maps-for-wordpress 2.53.9之前版本中存在代码问题漏洞。远程攻击者可利用该漏洞执行代码。
Description
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions
Readme
# CVE-2020-12077
MapPress Maps Pro &lt; 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions

### Description

The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajax_get’, ‘ajax_save’, and ‘ajax_delete’ functions in mappress_template.php. As such, it is possible for a logged-in attacker with minimal permissions, such as a subscriber, to perform the following actions:
Upload an executable PHP file (including potential backdoors) and achieve Remote Code Execution by sending a $_POST request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_save’, the ‘name’ parameter set to the base name of the file they want to create, and the ‘content’ parameter set to executable PHP code. This file would then be created in and could be executed from the directory of the currently active theme.

Delete any existing PHP file on the site (such as wp-config.php) by sending a $_POST request to wp-admin/admin-ajax.php with the ‘action’ parameter’ set to ‘mapp_tpl_delete’, and the ‘name’ parameter set to the basename of the file to delete. For example, to delete wp-config.php a directory traversal attack could be used, and the ‘name’ parameter could be set to ‘../../../wp-config’). This would cause the site to be reset, at which point an attacker could gain full control of the site.

View the contents of any existing PHP file on the site (such as wp-config.php) by sending a $_GET request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_get’, and the ‘name’ parameter of the file to disclose. For example, to view the contents of wp-config.php, a directory traversal attack could be used, and the ‘name’ parameter could be set to’../../../../wp-config’.


POC
---
```
python3 exploit.py --url http://wordpress.lan --username user --password useruser1 --code "<?php phpinfo(); ?>"
```
File Snapshot

 [4.0K]  /data/pocs/d21b22f130c125f98d29b955fcab9ce8766a22bd
├── [1.5K]  exploit.py
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.