关联漏洞
标题:WordPress 代码问题漏洞 (CVE-2021-24499)Description:WordPress是WordPress(Wordpress)基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress theme Workreap 存在代码问题漏洞,该漏洞源于 workreap_award_temp_file_uploader 和 workreap_temp_file_uploader 未执行随机数检查,或以任何其他方式验证请求是否来自有效用户。
介绍
# CVE-2021-24499
Mass exploitation of CVE-2021-24499 unauthenticated upload leading to remote code execution in `Workreap` theme.
The AJAX actions `workreap_award_temp_file_uploader` and `workreap_temp_file_uploader` did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the `uploads/workreap-temp` directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
文件快照
[4.0K] /data/pocs/6bad05bd73d028c432ae551909134e4bf0b14b1d
├── [ 153] abe.php
├── [ 551] exploit.sh
└── [ 546] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →