vladko312/extras

SSTImap Extra Plugins

This repository contains SSTImap plugins that may be useful in specific cases but are too situational to include in the main repository.

Installation:

  • Install the latest version of SSTImap.
  • Clone this repository inside the plugins/ directory of SSTImap.

Alternatively, the required plugins can be saved manually in the plugins/custom/ directory of SSTImap.

List of supported plugins

Plugin Ver. RCE Blind Code evaluation File read File write
CVE_2024_6386 1.2.3 PHP

Plugin details

  • CVE_2024_6386 - WPML Multilingual CMS Contributor+ RCE via Twig SSTI.

The plugin automates detection and exploitation of CVE-2024-6386 and provides post-exploitation capabilities. Correctly set X-WP-Nonce and Content-Type headers, as well as cookies, are required for exploitation. Example:

./sstimap.py -i -e CVE_2024_6386 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."
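
A defender-side counterpart to the request above, as an added example that is not part of this repository: a Python triage helper that flags logged write requests to the pages REST route whose content field carries Twig delimiters. The (method, url, body) record layout, the function names and the sample records are assumptions, and a match is a lead for review, since template-like text can be legitimate.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Twig output ({{ ... }}) and tag ({% ... %}) delimiters.
TWIG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Route used in the page's example: /wp/v2/pages/<id>
PAGES_ROUTE = re.compile(r"^/wp/v2/pages(/\d+)?/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def rest_route(url):
    """Return the WordPress REST route for either URL style, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs percent-decodes %2F to /
    if "rest_route" in query:
        return query["rest_route"][0]
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    return None


def twig_in_content(body):
    """Return the first Twig construct in the 'content' field, or None."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):
        content = body  # unparseable or non-object body: scan the raw text
    if isinstance(content, dict):  # REST also accepts {"content": {"raw": ...}}
        content = content.get("raw", "")
    match = TWIG.search(str(content))
    return match.group(0) if match else None


def flag(method, url, body):
    """Return the matched Twig snippet if the request fits the pattern."""
    route = rest_route(url) or ""
    if method.upper() not in WRITE_METHODS or not PAGES_ROUTE.match(route):
        return None
    return twig_in_content(body)


# Constructed sample records (method, url, body), not taken from a real log.
SAMPLES = [
    ("POST", "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F12",
     '{"id":12,"content":"Hi {{ name }}"}'),
    ("POST", "http://localhost/wp-json/wp/v2/pages/12",
     '{"content":{"raw":"{% if a %}x{% endif %}"}}'),
    ("POST", "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F12",
     '{"id":12,"content":"Plain text"}'),
    ("POST", "http://localhost/wp-json/wp/v2/comments", '{"content":"{{ x }}"}'),
]
```
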

Developing plugins

New plugins are always welcome as PRs.

Debugging tips

  • Use the -e/--engine option with the name of the plugin's class to select a specific plugin, e.g. -e CVE_2024_6386
  • Use the -p/--proxy option with BurpSuite or a similar tool to see the requests, e.g. -p http://127.0.0.1:8080
  • Use interactive mode (-i/--interactive) to preserve settings between runs. Use run to run tests and reload to reload plugins from disk (e.g. after some changes)
  • Use --data-type fromhex to provide the request body as a hex-encoded string with * as the injection marker when the body format is not otherwise supported, e.g. --data-type fromhex --data E29885C2AB*C2BBE29885

Example

  • Install the latest version of SSTImap
  • Copy the CVE_2024_6386.py plugin to plugins/custom inside the SSTImap directory
  • Run the following command:
./sstimap.py -i -e CVE_2024_6386 -p http://127.0.0.1:8080 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."
  • Use the run command to test the payload
  • Edit the payload, then use the reload and run commands
