
CVE-2024-5932 PoC — GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution

Source

Associated Vulnerability

Title: GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution (CVE-2024-5932)

Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

Description

PoC for CVE-2024-5932

Readme
# CVE-2024-5932
★ CVE-2024-5932 Arbitrary File Deletion PoC ★

## Description
CVE-2024-5932: GiveWP PHP Object Injection vulnerability

Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

## Recon
### Fofa
```
body="/wp-content/plugins/give/"
```

## How to use

### Git clone
```
git clone https://github.com/EQSTSeminar/CVE-2024-5932.git
cd CVE-2024-5932
```
### Install packages 
```sh
pip install -r requirements.txt
```
### Command
```sh
python cve-2024-5932.py -u <URL_TO_EXPLOIT(Donation Form URL)> -f <FILE_TO_DELETE>
```

### Example
```sh
python cve-2024-5932.py -u http://example.com/2024/08/24/donation2/ -f /tmp/test
```

### Output
![image](https://github.com/user-attachments/assets/98dd5af2-3a11-4174-b64e-72a1a63bd946)

### Result
![image](https://github.com/user-attachments/assets/613f6f4f-8de3-4200-8f29-b46719083bff)


## Vulnerable Environment
### 1. With the following docker-compose file it is easy to build the vulnerable development environment.
```yaml
services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060
    volumes:
      # Persist the database; the db_data volume declared below was otherwise never mounted.
      - db_data:/var/lib/mysql
  wordpress:
    image: wordpress:6.3.2
    depends_on:
      - db
    ports:
      - 80:80
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      # Bind-mount the unpacked vulnerable plugin directory from the host.
      - ./give:/var/www/html/wp-content/plugins/give
volumes:
  db_data:
```

### 2. Then download vulnerable GiveWP plugin:
https://downloads.wordpress.org/plugin/give.3.14.1.zip

### 3. Unzip the GiveWP plugin zip file and copy the whole `give` directory into "/var/www/html/wp-content/plugins" inside the container
```sh
docker cp give docker-wordpress-1:/var/www/html/wp-content/plugins
```
The container name `docker-wordpress-1` assumes the compose project is named `docker` (by default the name of the directory holding the compose file); check the actual name with `docker compose ps`. Because the compose file bind-mounts `./give`, unzipping the plugin into `./give` next to the compose file works as well.

### 4. Activate the GiveWP plugin
![image](https://github.com/user-attachments/assets/11c37afa-17dc-48bf-8819-d0bf24daaab8)

### 5. Add a new post containing a GiveWP donation form and copy the post link
![image](https://github.com/user-attachments/assets/6b806d89-dfa6-44be-809c-03ba3f666605)

### 6. Check the vulnerable link
![image](https://github.com/user-attachments/assets/23247a02-d8a0-4bcc-8c3b-0d424dba260d)


### (Optional) Set up the target file in the docker environment
First, open a shell in the wordpress container with the following command:
```sh
docker exec -it -u root docker-wordpress-1 /bin/bash
```

PHP runs as `www-data` in the wordpress image, so a file owned by root cannot be deleted because of permissions. Therefore, change the ownership of the test file with the following command:
```sh
touch test && chown www-data test
```
![image](https://github.com/user-attachments/assets/eb46528d-975a-46d3-b917-0a144252798f)


## Debugging through PHPSTORM
You can debug GiveWP using PHPSTORM.

### 1. Install Xdebug inside the wordpress container (Docker); pecl prints the path of the built `xdebug.so`, which you need in the next step:
```sh
pecl install xdebug
```

### 2. Then configure the wordpress container's php.ini like this (Docker):
```ini
[DEBUG]
zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20200930/xdebug.so
xdebug.mode=debug
xdebug.start_with_request=trigger
xdebug.client_host={your_PHPSTORM_address}
xdebug.client_port={your_PHPSTORM_debugging_port}
xdebug.idekey=PHPSTORM
; The settings below are Xdebug 2 names. The Xdebug 3 that `pecl install xdebug` builds on
; PHP 8 ignores them (with a startup warning); xdebug.mode and xdebug.start_with_request
; above replace them, so they are kept here only for reference.
; xdebug.remote_enable=on
; xdebug.remote_handler=dbgp
; xdebug.profiler_enable_trigger=1
; xdebug.trace_enable_trigger=1
```
The `zend_extension` path depends on the PHP build in the image (the `20200930` API directory belongs to PHP 8.0); use the path pecl printed. After restarting the container you can debug your wordpress.

### 3. Setup PHPSTORM like(Local):
![image](https://github.com/user-attachments/assets/d236eeba-b482-43e3-9028-3651cdbd10fd)
![image](https://github.com/user-attachments/assets/021c0cea-fbec-46e5-8824-bf6fd1feaed4)

### 4. Enjoy debugging (e.g. TCPDF arbitrary file deletion)
![image](https://github.com/user-attachments/assets/433c4824-314e-4982-bf85-34640a259053)


# Attack Scenario
## RCE through POP Chain
The POP chain described in the advisory allows remote command execution.

## Arbitrary File Deletion
The TCPDF class reachable from the deserialized object is what performs the arbitrary file deletion.
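As an added example (not code from the EQST repository), the following Python inspects captured donation-form POST bodies and flags a PHP-serialized object header in the `give_title` field named in the advisory. It assumes request bodies are available from a WAF or reverse-proxy log; the sample bodies are constructed and use a harmless `stdClass` object rather than any gadget.

```python
import re
from urllib.parse import parse_qs

# Header of a PHP-serialized object: O:<class name length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Form fields that should only ever carry plain text; give_title is the one from the advisory.
WATCHED_PARAMS = ("give_title",)


def find_serialized_objects(value):
    """Return the class name of every PHP-serialized object header found in a string."""
    # Tolerate backslash-escaped quotes so a payload captured after WordPress's
    # slash handling is still recognised (assumption about the captured format).
    unescaped = value.replace('\\"', '"')
    return PHP_OBJECT_RE.findall(unescaped)


def inspect_form_body(body):
    """Parse an x-www-form-urlencoded body and report watched fields that carry objects.

    Returns a list of (field, [class names]) tuples; an empty list means nothing suspicious.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for field in WATCHED_PARAMS:
        for raw in params.get(field, []):
            classes = find_serialized_objects(raw)
            if classes:
                findings.append((field, classes))
    return findings


# Constructed sample bodies (not real traffic): a normal donation and two probes that
# smuggle a harmless stdClass object, plain and backslash-escaped, into give_title.
SAMPLE_BODIES = {
    "benign": "give_title=Mr.&give_first=Ann&give_last=Lee&give-amount=10",
    "object": "give_title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D&give_first=x",
    "escaped": "give_title=O%3A8%3A%5C%22stdClass%5C%22%3A0%3A%7B%7D&give_first=x",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, inspect_form_body(body))
```

Nested objects are reported too, so a hit lists every class in the payload, which is what you want when reviewing which gadget classes an attempt tried to reach.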

# Further Research
Through our research, we have confirmed that arbitrary file deletion is possible via TCPDF, but we have not yet confirmed that arbitrary command execution is possible. We are also planning to follow up on POP Chaining.

# Disclaimer
This repository is not intended to be an object injection exploit for CVE-2024-5932. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.

# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
https://www.skshieldus.com/eng/business/insight.do

# Reference
https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/

File Snapshot

```
[4.0K] /data/pocs/3332f78e5ac2fedbf2d6bb7d347d8ebef2e1e71e
├── [5.1K] cve-2024-5932.py
├── [5.1K] README.md
└── [  88] requirements.txt

0 directories, 3 files
```