来源

关联漏洞

描述

POC CVE-2024-7627

介绍

# CVE-2024-7627 — Bit File Manager (WordPress) Unauthenticated RCE Exploit

## 📌 Description
This repository contains a proof-of-concept (PoC) exploit for **CVE-2024-7627**, a critical **Unauthenticated Remote Code Execution (RCE)** vulnerability in the **Bit File Manager** WordPress plugin (versions **6.0 – 6.5.5**).  

When the **Guest User Read** feature is enabled, the plugin exposes a race condition inside the `checkSyntax` function.  
This function writes a temporary PHP file into `/wp-content/uploads/` before validation, allowing attackers to request the file and execute arbitrary system commands.

- **Vulnerability Type:** Unauthenticated RCE  
- **Affected Versions:** Bit File Manager 6.0 – 6.5.5  
- **Patched Version:** 6.5.6  
- **CVSS Score:** 9.8 (Critical)  

---

## ⚡ Features
- Automatically extracts a valid **AJAX nonce** from the target.  
- Retrieves a random writable file hash for exploitation.  
- Performs race condition using **async parallel requests**.  
- Provides an **interactive reverse shell-like interface** for executing commands.  

---

## 🔧 Requirements
- Python **3.8+**  
- Dependencies: `requests`, `aiohttp`, `asyncio`, `beautifulsoup4`  

Install dependencies:
```bash
pip install requests aiohttp beautifulsoup4
```

## example output
```bash
[*] Getting a valid AJAX nonce...
[+] Found the valid AJAX nonce: 65a1d91c63
[*] Getting a random file hash...
[+] Starting interactive shell. Type 'exit' to quit.

lab-shell> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

lab-shell> uname -a
Linux victim-wp 5.15.0-78-generic #85-Ubuntu SMP x86_64 GNU/Linux

lab-shell> whoami
www-data

文件快照

 [4.0K]  /data/pocs/fd322662c961b39a976726ce28f30206effc77c1
├── [4.1K]  exploit.py
└── [1.6K]  README.md

0 directories, 2 files

备注