漏洞平台

POC详情： c3d2b848dd531d159847752d03a1b8fd36af2f3c

来源

https://github.com/Nxploited/CVE-2024-9698

关联漏洞

标题： WordPress plugin Crafthemes Demo Import 代码问题漏洞 (CVE-2024-9698)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Crafthemes Demo Import 3.3版本及之前版本存在代码问题漏洞，该漏洞源于process_uploaded_files函数中缺少文件类型验证，导致任意文件上传。

描述

Crafthemes Demo Import <= 3.3 - Authenticated ( Admin+) Arbitrary File Upload in process_uploaded_files

介绍

# CVE-2024-9698

# Crafthemes Demo Import <= 3.3 - Arbitrary File Upload Exploit

## 📌 Overview
This exploit targets a critical vulnerability (**CVE-2024-9698**) in the **Crafthemes Demo Import** plugin for WordPress. The vulnerability allows authenticated administrators to **upload arbitrary files** to the affected WordPress site, leading to potential **remote code execution (RCE)**.

## 🔍 Vulnerability Details
- **Plugin:** Crafthemes Demo Import
- **Affected Versions:** ≤ 3.3
- **CVE ID:** CVE-2024-9698
- **Severity:** High (CVSS Score: 7.2)
- **Vulnerable Function:** `process_uploaded_files`
- **Issue:** The plugin **lacks proper file type validation**, allowing administrators to upload **malicious PHP files** to the server.
- **Potential Impact:** Attackers can gain full control over the website by executing arbitrary commands.

## 🎯 Exploitation
### ✅ Prerequisites
- **WordPress Administrator** credentials are required to exploit this vulnerability.


### 🚀 How It Works
1. **Check Vulnerability:** The script first **checks the plugin version** by extracting information from `readme.txt`.
2. **Login to WordPress:** Authenticates as an admin and retrieves session cookies.
3. **Extract Nonce Token:** Parses the nonce token required for AJAX requests.
4. **Upload Malicious File:** Uses `admin-ajax.php` to upload a **custom PHP shell**.
5. **Verify Upload:** Confirms successful upload and prints the shell's URL.

### 🛠️ Usage
```bash
python CVE-2024-9698.py --url "http://target.com/wordpress" --username "admin" --password "password"
```

#### 📝 Custom Payload
If you want to upload a **custom PHP payload**, use:
```bash
python CVE-2024-9698.py --url "http://target.com/wordpress" --username "admin" --password "password" --payload "<?php phpinfo(); ?>"
```

### 🔥 Example Output
```bash
[+] Target is vulnerable, proceeding with exploit...
[+] Logged in successfully.
[+] Extracted nonce: abc123xyz
[+] Shell uploaded successfully: http://target.com/wp-content/uploads/2025/02/Nxploit.php
```

## 🛡️ Mitigation
- **Update the plugin** to a patched version if available.
- Restrict admin access to trusted users.
- Monitor and audit uploaded files.

---
**Disclaimer:** This script is intended for educational and security research purposes **only**. Unauthorized use against systems without explicit permission is **illegal**.

文件快照


 [4.0K]  /data/pocs/c3d2b848dd531d159847752d03a1b8fd36af2f3c
├── [6.5K]  CVE-2024-9698.py
└── [2.3K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。