来源

关联漏洞

介绍

# CVE-2024-10924 Exploit - WordPress Really Simple SSL Plugin 2FA Bypass

## Overview
This repository contains an exploit for **CVE-2024-10924**, a vulnerability in the **Really Simple SSL** plugin for WordPress. It allows an attacker to bypass Two-Factor Authentication (2FA) onboarding and gain unauthorized administrative access to a WordPress site.

## Vulnerability Details
- **CVE**: CVE-2024-10924
- **Affected Component**: `/reallysimplessl/v1/two_fa/skip_onboarding` endpoint
- **Impact**: Authentication Bypass (Admin Access)
- **Requirements**: User ID (e.g., `1` for the default admin) and the vulnerable domain.

## Exploit Requirements
- Python 3.x
- `requests` library

## Installation
```bash
pip install requests
```

## Usage
```bash
python3 exploit.py <domain> <user_id>
```
Example:
```bash
python3 exploit.py example.com 1
```

## Expected Output
The exploit will print the `wordpress_logged_in_*` and `wordpress_*` cookies, which can be manually set in your browser to authenticate as the targeted user.

## Manual Cookie Injection (Firefox Example)
1. Open Developer Tools (`F12` or Right-click > Inspect).
2. Go to the **Storage** tab > **Cookies** > `http://<domain>`
3. Add the cookies retrieved from the exploit:
    - `wordpress_logged_in_*`
    - `wordpress_*`
4. Navigate to `http://<domain>/wp-admin` to access the admin panel.

## License
This exploit is intended for educational and authorized testing purposes only.

## Disclaimer
Use this code responsibly. Unauthorized access to systems is illegal.

文件快照

 [4.0K]  /data/pocs/5bc2d6981577e0cf35fea145f8cdaa0e72063ca7
├── [1.2K]  exploit.py
└── [1.5K]  README.md

0 directories, 2 files

备注