Related vulnerability
Description
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions
Introduction
# CVE-2020-12077
### Description
The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajax_get’, ‘ajax_save’, and ‘ajax_delete’ functions in mappress_template.php. As such, it is possible for a logged-in attacker with minimal permissions, such as a subscriber, to perform the following actions:

- Upload an executable PHP file (including potential backdoors) and achieve Remote Code Execution by sending a POST request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_save’, the ‘name’ parameter set to the base name of the file they want to create, and the ‘content’ parameter set to executable PHP code. This file would then be created in, and could be executed from, the directory of the currently active theme.
- Delete any existing PHP file on the site (such as wp-config.php) by sending a POST request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_delete’ and the ‘name’ parameter set to the basename of the file to delete. For example, to delete wp-config.php a directory traversal attack could be used, with the ‘name’ parameter set to ‘../../../wp-config’. This would cause the site to be reset, at which point an attacker could gain full control of the site.
- View the contents of any existing PHP file on the site (such as wp-config.php) by sending a GET request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_get’ and the ‘name’ parameter set to the basename of the file to disclose. For example, to view the contents of wp-config.php, a directory traversal attack could be used, with the ‘name’ parameter set to ‘../../../../wp-config’.
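The description above names three missing controls: no nonce check, no capability check, and a ‘name’ parameter that reaches the filesystem unfiltered. The following is an added example, not MapPress code, of how a WordPress AJAX template handler closes all three gaps. The action names, the nonce action string, the helper names and the storage directory are assumptions chosen for illustration.

```php
<?php
// Added example (not MapPress code): a WordPress AJAX template handler with the
// controls the advisory says were missing. All names below are hypothetical.

// Register handlers for logged-in users only (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_example_tpl_save',   'example_tpl_save' );
add_action( 'wp_ajax_example_tpl_get',    'example_tpl_get' );
add_action( 'wp_ajax_example_tpl_delete', 'example_tpl_delete' );

// Templates live under uploads as .txt, never as .php inside the theme directory.
function example_tpl_dir() {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-templates/';
    wp_mkdir_p( $dir );
    return $dir;
}

// Allow only a plain basename (letters, digits, dash, underscore), so '../' or '/'
// can never reach the filesystem. Returns the resolved path or null.
function example_tpl_path( $name ) {
    if ( ! is_string( $name ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $name ) ) {
        return null;
    }
    $dir  = example_tpl_dir();
    $path = $dir . $name . '.txt';
    // Defense in depth: the resolved parent directory must be the template dir.
    if ( realpath( dirname( $path ) ) !== realpath( $dir ) ) {
        return null;
    }
    return $path;
}

// Shared gate: nonce check (the request came from a page rendered for this user)
// and capability check (only users allowed to edit theme options). Both WordPress
// calls terminate the request on failure, so code after them runs only when both pass.
function example_tpl_authorize() {
    check_ajax_referer( 'example_tpl_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_REQUEST['name'] ) ? wp_unslash( $_REQUEST['name'] ) : '';
    $path = example_tpl_path( $name );
    if ( null === $path ) {
        wp_send_json_error( 'invalid template name', 400 );
    }
    return $path;
}

function example_tpl_save() {
    $path    = example_tpl_authorize();
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // Stored as data only; nothing here is ever included or executed by PHP.
    if ( false === file_put_contents( $path, $content ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success( array( 'saved' => basename( $path ) ) );
}

function example_tpl_get() {
    $path = example_tpl_authorize();
    if ( ! is_file( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'content' => file_get_contents( $path ) ) );
}

function example_tpl_delete() {
    $path = example_tpl_authorize();
    if ( is_file( $path ) && ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
```

The page that issues these requests must embed a token from `wp_create_nonce( 'example_tpl_nonce' )` as the `nonce` field; `check_ajax_referer` rejects requests without a valid one. The capability `edit_theme_options` is used because the original feature wrote into the theme directory; a plugin with a narrower purpose should pick the narrowest capability that fits. The regex on `name` is the control that actually removes traversal; the `realpath` comparison is a second check in case the allowed character set is ever widened.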
POC
---
```bash
python3 exploit.py --url http://wordpress.lan --username user --password useruser1 --code "<?php phpinfo(); ?>"
```
File snapshot
[4.0K] /data/pocs/d21b22f130c125f98d29b955fcab9ce8766a22bd
├── [1.5K] exploit.py
└── [2.0K] README.md
0 directories, 2 files
Notes
1. Accessing the POC through its original source is recommended.
2. The local POC snapshot is available to subscribers; when the original source goes offline or becomes unreachable, the local mirror is provided as part of the subscription.
3. Continuously collecting, verifying and maintaining this POC archive takes considerable effort, so the local snapshot has been made part of the paid subscription. Your subscription is what keeps this resource going; thank you sincerely.