漏洞平台

POC详情： 3332f78e5ac2fedbf2d6bb7d347d8ebef2e1e71e

来源

https://github.com/EQSTSeminar/CVE-2024-5932

关联漏洞

标题： WordPress plugin GiveWP 安全漏洞 (CVE-2024-5932)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin GiveWP 3.14.1版本及之前版本存在安全漏洞。攻击者利用该漏洞可以远程执行代码并删除任意文件。

描述

PoC for CVE-2024-5932

介绍

# CVE-2024-5932
★ CVE-2024-5932 Arbitrary File deletion PoC ★

## Description
CVE-2024-5932 : GiveWP PHP Object Injection vulnerability
description: The GiveWP  Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

## Recon
### Fofa
```
body="/wp-content/plugins/give/"
```

## How to use

### Git clone
```
git clone https://github.com/EQSTSeminar/CVE-2024-5932.git
cd CVE-2024-5932
```
### Install packages 
```sh
pip install -r requirements.txt
```
### Command
```sh
python cve-2024-5932.py -u <URL_TO_EXPLOIT(Donation Form URL)> -f <FILE_TO_DELETE>
```

### Example
```sh
python cve-2024-5932.py -u http://example.com/2024/08/24/donation2/ -f /tmp/test
```

### Output
![image](https://github.com/user-attachments/assets/98dd5af2-3a11-4174-b64e-72a1a63bd946)

### Result
![image](https://github.com/user-attachments/assets/613f6f4f-8de3-4200-8f29-b46719083bff)


## Vulnerable Environment
### 1. Using docker-compose file, It isn't hard to make the vulnerable development environment. 
```sh
services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060
  wordpress:
    image: wordpress:6.3.2
    ports:
      - 80:80
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      - ./give:/var/www/html/wp-content/plugins/give
volumes:
  db_data:
```

### 2. Then download vulnerable GiveWP plugin:
https://downloads.wordpress.org/plugin/give.3.14.1.zip

### 3. Unzip the GiveWP plugin zip file and copy the whole files in the "/var/www/html/wp-content/plugins" directory
```sh
docker cp give docker-wordpress-1:/var/www/html/wp-content/plugins
```

### 4. Activate the GiveWP plugin
![image](https://github.com/user-attachments/assets/11c37afa-17dc-48bf-8819-d0bf24daaab8)

### 5. Add new post with GiveWP plugin and copy the post link
![image](https://github.com/user-attachments/assets/6b806d89-dfa6-44be-809c-03ba3f666605)

### 6. Check the vulnerable link
![image](https://github.com/user-attachments/assets/23247a02-d8a0-4bcc-8c3b-0d424dba260d)


### (Option) Setup the target file in the docker environment 
First, access the wordpress shell with the following command:
```sh
docker exec -it -u root docker-wordpress-1 /bin/bash
```

If the file is owned by root, it may not be deleted due to permissions. Therefore, you need to change the ownership of the test file with the following command:
```sh
touch test && chown www-data test
```
![image](https://github.com/user-attachments/assets/eb46528d-975a-46d3-b917-0a144252798f)


## Debugging thru PHPSTORM
You can debug your GiveWP using PHPSTORM.

### 1. Download the xdebug in your wordpress(Docker):
```sh
pecl install xdebug
```

### 2. And then setup wordpress's php.ini file like(Docker):
```sh
[DEBUG]
zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20200930/xdebug.so
xdebug.mode=debug
xdebug.start_with_request=trigger
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.client_host={your_PHPSTORM_address}
xdebug.client_port={your_PHPSTORM_debugging_port}
xdebug.idekey=PHPSTORM
xdebug.profiler_enable_trigger=1
xdebug.trace_enable_trigger=1
```
..And then you can debug your wordpress.

### 3. Setup PHPSTORM like(Local):
![image](https://github.com/user-attachments/assets/d236eeba-b482-43e3-9028-3651cdbd10fd)
![image](https://github.com/user-attachments/assets/021c0cea-fbec-46e5-8824-bf6fd1feaed4)

### 4. Enjoy bebugging (e.g. TCPDF arbitrary file deletion)
![image](https://github.com/user-attachments/assets/433c4824-314e-4982-bf85-34640a259053)


# Attack Scenario
## RCE thru POP Chain
POP Chain allows remote command execution.

## Arbitrary File deletion 
Using TCPDF, you can exploit the arbitrary file deletion.

# Further Research
Through our research, we have confirmed that arbitrary file deletion is possible via TCPDF, but we have not yet confirmed that arbitrary command execution is possible. We are also planning to follow up on POP Chaining.

# Disclaimer
This repository is not intended to be Object injection exploit to CVE-2024-5932. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.

# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
https://www.skshieldus.com/eng/business/insight.do

# Refernce
https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/

文件快照


 [4.0K]  /data/pocs/3332f78e5ac2fedbf2d6bb7d347d8ebef2e1e71e
├── [5.1K]  cve-2024-5932.py
├── [5.1K]  README.md
└── [  88]  requirements.txt

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。