WP_Hunter - Bug hunting in Wordpress - BoomerNiX

Monday, 30 November 2020

WP_Hunter - Bug hunting in Wordpress

 This is the first time I've decided to write a post in English (or "Spanglish")... it's a miracle XD.

Some time ago I wrote a short Python script to search WordPress plugins for possible vulnerabilities, but for lack of time to extend and improve it (as you've surely noticed, since I haven't been updating the blog), I'm sharing it here in case anyone is interested.

The idea is simple, the steps are the following:

    1. Download the list of plugins.

    2. For each plugin:

        ◦ Download the plugin.

        ◦ Process it (extract the contents).

        ◦ Analyse the PHP and the JS/HTML with regular expressions.

        ◦ If something is found, write it to the report.

        ◦ Remove the extracted plugin.

This was the first version; the next one would bring the corresponding improvements, among which I had in mind:

  • Adding the ability to analyse several plugins at once, with access control on the report file so concurrent writers don't collide.
  • Working on good regular expressions.
  • Adding a database.
  • Although it's a small project... redoing the code in a microservices model, with each part taking care of its own task (for example, one service in charge of downloading the plugin) and notifying the rest as it finishes.

How to use the project:

  1. git clone the repository
  2. cd wp_hunter
  3. pip3 install -r requirements
  4. python3 wp_hunter.py

With that the tool is running; the first thing you'll see is shown in the following figure:


To add regular expressions, you create .py files in the modules folder, one file per vulnerability type you want to look for, as shown here:

modules wp_hunter

An example module is shown below. It is very simple; the only part that needs real work is the regular expressions (they are not uploaded to the project):

wp_hunter new module

Everything that matches our regular expressions is appended to the file results/vulnerabilities.txt, false positives included, so afterwards we have to check manually whatever catches our attention... The better the expressions, the fewer the false positives. An example of the report format is shown below:
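The pipeline described above and the module idea, as an added example of my own that is not the wp_hunter code: it builds a plugin zip in memory (a constructed sample standing in for the download step), extracts it into a temporary directory while refusing archive entries that would escape it, runs two regex modules over the PHP files, returns the matches in report form, and deletes the extracted tree whether or not the analysis raises. The module dict layout, the module names, the regexes and the sample plugin contents are all assumptions; the real project's module file format is not reproduced here.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Hypothetical module layout (not the wp_hunter module format): a name, the file
# extensions it applies to, regexes that flag a line, and an "exclude" regex that
# drops lines already wrapped in an escaper, to cut down on false positives.
XSS_MODULE = {
    "name": "reflected_xss_candidate",
    "extensions": (".php",),
    "patterns": [
        # echo/print statement that uses a request superglobal directly
        re.compile(r"\b(?:echo|print)\b[^;]*\$_(?:GET|POST|REQUEST)\s*\[", re.I),
        # short echo tag: <?= $_GET['x'] ?>
        re.compile(r"<\?=[^?]*\$_(?:GET|POST|REQUEST)\s*\[", re.I),
    ],
    "exclude": re.compile(
        r"\b(?:esc_(?:html|attr|js|url)|htmlspecialchars|wp_kses|sanitize_\w+)\s*\(", re.I),
}
SQLI_MODULE = {
    "name": "sql_concat_candidate",
    "extensions": (".php",),
    # SQL keyword and a request superglobal inside the same statement
    "patterns": [re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*\$_(?:GET|POST|REQUEST)\s*\[", re.I)],
    "exclude": re.compile(r"\$wpdb->prepare\s*\(", re.I),
}

def build_zip(files: dict) -> bytes:
    """Build a zip archive in memory from {path: contents}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, contents in files.items():
            zf.writestr(path, contents)
    return buf.getvalue()

def extract_plugin(zip_bytes: bytes) -> str:
    """Step 2b: unpack the plugin zip into a fresh temp dir. A plugin archive is
    untrusted input, so entries that would land outside the dir are refused."""
    workdir = os.path.realpath(tempfile.mkdtemp(prefix="wp_hunter_"))
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for member in zf.infolist():
                target = os.path.realpath(os.path.join(workdir, member.filename))
                if os.path.commonpath([workdir, target]) != workdir:
                    raise ValueError(f"unsafe path in archive: {member.filename}")
            zf.extractall(workdir)
    except Exception:
        shutil.rmtree(workdir, ignore_errors=True)
        raise
    return workdir

def analyse_dir(plugin: str, workdir: str, modules) -> list:
    """Step 2c: run each module over the files it applies to.
    Returns (plugin, module name, relative path, line number, line) tuples."""
    findings = []
    for root, _dirs, files in os.walk(workdir):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, workdir).replace(os.sep, "/")
            for mod in modules:
                if not fname.lower().endswith(mod["extensions"]):
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if mod["exclude"].search(line):
                            continue
                        if any(p.search(line) for p in mod["patterns"]):
                            findings.append((plugin, mod["name"], rel, lineno, line.strip()))
    return findings

def scan_plugin_zip(plugin: str, zip_bytes: bytes, modules) -> list:
    """Steps 2b to 2e for one plugin: extract, analyse, and always remove."""
    workdir = extract_plugin(zip_bytes)
    try:
        return analyse_dir(plugin, workdir, modules)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # step 2e: removal

# Constructed sample plugin (not any real plugin) standing in for the download.
SAMPLE_PLUGIN = build_zip({
    "demo-plugin/admin.php": (
        "<?php\n"
        "$q = $_GET['search_order'];\n"
        "echo '<script>var q = \"' . $_GET['search_order'] . '\";</script>';\n"
        "echo esc_html($_GET['tab']);\n"
        "$wpdb->get_results(\"SELECT * FROM orders WHERE id=\" . $_REQUEST['id']);\n"
    ),
    "demo-plugin/assets/app.js": "console.log('ok');\n",
})

if __name__ == "__main__":
    for plugin, mod, rel, lineno, line in scan_plugin_zip("demo-plugin", SAMPLE_PLUGIN, [XSS_MODULE, SQLI_MODULE]):
        print(f"[{mod}] {plugin} {rel}:{lineno}: {line}")  # one report line per match
```

Run on the sample it reports the unescaped echo on line 3 and the concatenated query on line 5, and skips line 4 because esc_html() wraps the value; the path check in extract_plugin matters because the loop will unpack thousands of archives written by strangers, and a single crafted entry such as ../../something.php would otherwise land outside the working directory.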

wp_hunter output example

I tried the project for a little while and within minutes had some interesting reports, so I set up a WordPress locally (quick to do with Docker) and started installing the "suspicious" plugins: several false positives, until I got to one with a reflected XSS in several parameters. This was the account-manager-woocommerce plugin in version 2.0.15, which needs the woocommerce plugin installed first in order to work correctly. The vulnerable URLs (localhost:8000 is where I have WordPress mounted):

  • http://localhost:8000/wp-admin/admin.php?page=zacctmgr_commission&tab=orders&search_order=</script><script>alert(1)</script>
  • http://localhost:8000/wp-admin/admin.php?page=zacctmgr_commission&range=custom&start_date=gnk90</script><script>alert(10)</script>aicii&end_date=&wc_reports_nonce=0d5cd62880&range=custom&start_date=&end_date=&wc_reports_nonce=0d5cd62880
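Triage of a candidate like the first URL above, as an added example that is not part of the original post or of the tool: given the URL and the HTML the server returned, it classifies each query parameter as reflected raw, reflected HTML-escaped or absent, and lists the parameters that came back verbatim carrying markup characters. The two response bodies are constructed to illustrate the vulnerable and the fixed behaviour, not captured from the real plugin.

```python
import html
from urllib.parse import parse_qsl, urlsplit

def reflection_status(url: str, body: str) -> dict:
    """Map every query parameter of url to 'raw', 'html-escaped' or 'absent'
    according to how its value shows up in body."""
    status = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value and value in body:
            status[name] = "raw"
        elif value and html.escape(value, quote=True) in body:
            status[name] = "html-escaped"
        else:
            status[name] = "absent"
    return status

def xss_candidates(url: str, body: str) -> list:
    """Parameters reflected verbatim whose value contains markup characters.
    A raw 'orders' or 'custom' is harmless; a raw '</script><script>' is not."""
    status = reflection_status(url, body)
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return sorted(name for name, value in params.items()
                  if status[name] == "raw" and any(c in value for c in "<>\"'"))

# The first URL from the post, used as the candidate under test.
CANDIDATE_URL = ("http://localhost:8000/wp-admin/admin.php?page=zacctmgr_commission"
                 "&tab=orders&search_order=</script><script>alert(1)</script>")

# Constructed responses (not captured from the real plugin): the first echoes the
# parameter straight into inline JavaScript, the second escapes it for an attribute.
VULNERABLE_BODY = ('<script>var search_order = "</script><script>alert(1)</script>";</script>'
                   '<a href="admin.php?page=zacctmgr_commission&tab=orders">Orders</a>')
FIXED_BODY = ('<input name="search_order" value="&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;">'
              '<a href="admin.php?page=zacctmgr_commission&tab=orders">Orders</a>')

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(label, reflection_status(CANDIDATE_URL, body), xss_candidates(CANDIDATE_URL, body))
```

Against a live instance you would fetch the URL with a session that is logged in to wp-admin and pass the response text as body; a 'raw' result for a parameter carrying < or " is what separates the real finding from the regex false positives, and 'html-escaped' is what the fixed version should show.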

And here are some captures of the vulnerability:

xss plugin wordpress 1

xss plugin wordpress 2

On October 8th I wrote to the company that develops the plugin (BizSwoop), and within half an hour I had an answer:

Developer Response 1

And a week later they told me it was already fixed:

Developer Response 2

Great reaction speed, and I'm grateful. That is the behaviour one appreciates, unlike those companies that get angry. The plugin version discussed can be downloaded from here.

Wp_Hunter Github

See you soon.
