matinciel / Wordpress_CVE-2019-9787

Try to reproduce this issue with Docker


Wordpress_CVE-2019-9787

Try to reproduce this issue with Docker with an auto install for wordpress

PoC of CVE-2019-9787, a CSRF vulnerability affecting WordPress versions up to 5.1

To demonstrate the full potential of CVE-2019-9787 you probably want a nastier piece of code than the comment present in nginx/iframe-post.html. In my code I don't use the flaw in the WordPress wp_filter_post_kses() function.

Do not use this except for test purpose.

Installation using bash:

Clone the repo:

git clone https://github.com/matinciel/Wordpress_CVE-2019-9787.git

Go to the directory:

cd Wordpress_CVE-2019-9787

Launch the install; you need Docker 18.02.0 or later (run docker -v to check):

make autoinstall

Now you have installed:

WordPress (with a default admin account, login: wordpress / password: wordpress). You can access it at http://localhost

If you want to reproduce the security issue:

Hacker part

  1. Go to WordPress (do not log in as wordpress): http://localhost
  2. Leave a comment on the "Hello world!" post (by clicking the "1 Comment" link). The comment should contain something like the following (only the URL is needed):

Please visit my blog : http://localhost:6060

WordPress owner (admin or editor role needed)

  1. Log in to the WordPress "backend" by going to http://localhost/wp-admin (login: wordpress, password: wordpress).
  2. You should see a comment waiting for validation in the comment section; just click on the link it contains.
  3. Go back to http://localhost/wp-admin and click on the Comments tab: you should have a new comment already validated without any action from your side...

Limitations:

  1. The malicious code in the iframe only works with the post ID=1 (Hello World!).
  2. If a "hacked" comment has already been validated, it does not work again.
  3. Nonce protection does not seem to be needed to validate a comment (in other tutorials it is needed, maybe because they want to use a plugin / theme action?).
  4. As already said: to demonstrate the full potential of CVE-2019-9787 you probably want a nastier piece of code than the comment present in nginx/iframe-post.html. In my code I don't use the flaw in the WordPress wp_filter_post_kses() function.
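Two checks worth scripting around this lab, written here as an added example (this is not code from the PoC repo, from the forked projects, or from WordPress): the Docker version prerequisite from the install notes (18.02.0 or later), and a test of whether a WordPress tree is still in the range affected by CVE-2019-9787. Both sit on one dotted-version comparison. The script assumes the fix shipped in WordPress 5.1.1 (so anything below 5.1.1 is treated as affected) and that wp-includes/version.php declares the version as $wp_version = '5.1'; the sample version.php excerpt and the docker -v output strings are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the matinciel PoC repo or of WordPress itself.
# Two defender-side checks built on one dotted-version comparison:
#   1. the Docker version prerequisite from the install notes (>= 18.02.0)
#   2. whether a WordPress tree is still in the range affected by CVE-2019-9787
#      (README: "up to 5.1"; assumption: the fix shipped in 5.1.1)

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Components are compared numerically; missing trailing components count as 0,
# so 5.1 == 5.1.0 and 5.1 < 5.1.1. Non-numeric suffixes ("-ce") are stripped.
# A trailing "." is appended so cut always sees a delimiter (plain "5" would
# otherwise be passed through unchanged for every field number).
version_ge() {
  a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."
  b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0     # both exhausted: equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# docker_version_ok "<output of docker -v>": succeed when the reported version
# meets the README's 18.02.0 minimum. Expects the usual
# "Docker version X.Y.Z, build ..." line.
docker_version_ok() {
  v=$(printf '%s' "$1" | sed -n 's/^Docker version \([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] && version_ge "$v" 18.02.0
}

# wp_version_from_php "<contents of wp-includes/version.php>": print the value
# of $wp_version (assumed format: $wp_version = '5.1';).
wp_version_from_php() {
  printf '%s\n' "$1" | sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p"
}

# wp_csrf_fixed "<contents of version.php>": succeed when the tree is 5.1.1 or
# later, i.e. outside the range the PoC targets.
wp_csrf_fixed() {
  v=$(wp_version_from_php "$1")
  [ -n "$v" ] && version_ge "$v" 5.1.1
}

# Constructed sample: the lab installs WordPress 5.1, whose version.php would
# carry this line (comments trimmed to the part that matters).
SAMPLE_VERSION_PHP=$(cat <<'EOF'
<?php
/* The WordPress version string. */
$wp_version = '5.1';
EOF
)

# Stand-alone demo: only consult docker if it is installed on this host.
if command -v docker >/dev/null 2>&1; then
  if docker_version_ok "$(docker -v)"; then
    echo "Docker: version meets the 18.02.0 minimum"
  else
    echo "Docker: too old for 'make autoinstall'"
  fi
fi
if wp_csrf_fixed "$SAMPLE_VERSION_PHP"; then
  echo "WordPress: 5.1.1 or later, not in the CVE-2019-9787 range"
else
  echo "WordPress: $(wp_version_from_php "$SAMPLE_VERSION_PHP") is in the affected range (< 5.1.1)"
fi
```

To check a real install from the host, feed the container's file in: wp_csrf_fixed "$(docker-compose exec -T wordpress cat wp-includes/version.php)" (service name assumed to match the compose file of the auto-install project).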

Uninstall / retry / refresh:

To stop service

docker-compose down

To delete all containers including their volumes, use

docker rm -vf $(docker ps -a -q)

To delete all the images

docker rmi -f $(docker images -a -q)

Don't forget to delete the repository (the directory name is the one created by git clone above):

cd .. && sudo rm -Rf Wordpress_CVE-2019-9787

Initial projects copied/forked to make this happen:

For the WordPress auto install: https://github.com/kassambara/wordpress-docker-compose

For the CVE proof of concept (without an auto-installed WordPress): https://github.com/rkatogit/cve-2019-9787_csrf_poc

If there is any (official) way to link those pages to this one, please let me know; I used the fork on the second one but without really knowing what I was doing :-)
