Awesome

SSTImap Extra Plugins

This repository contains SSTImap plugins, which might be useful in some specific cases, but are too situational to include in the main repository.

Installation:

Install the latest version of SSTImap.
Clone this repository inside plugins/ directory of SSTImap.

Alternatively, required plugins can be manually saved in plugins/custom/ directory of SSTImap.

List of supported plugins

Plugin	Ver.	RCE	Blind	Code evaluation	File read	File write
CVE_2024_6386	1.2.3	✓	✓	PHP	✓	✓

Plugin details

CVE_2024_6386 - WPML Multilingual CMS Contributor+ RCE via Twig SSTI.

Plugin automates detection and exploitation of CVE-2024-6386 providing post-exploitation capabilities. Correctly set headers X-WP-Nonce and Content-Type as well as cookies are required for exploitation. Example:

./sstimap.py -i -e CVE_2024_6386 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."

Developing plugins

New plugins are always welcome in PRs

Debugging tips

Use -e/--engine option with the name of the plugin's class, e.g. -e CVE_2024_6386 to use a specific plugin
Use -p/--proxy option with BurpSuite or a similar tool to see the requests, e.g. -p http://127.0.0.1:8080
Use interactive mode (-i/--interactive) to preserve settings between runs. Use run to run tests and reload to reload plugins from disk (e.g. after some changes)
Use --data-type fromhex to provide request body as hex-encoded string with * as injection marker, if body format is not supported otherwise, e.g. --data-type fromhex --data E29885C2AB*C2BBE29885

Example

Install the latest version of SSTImap
Copy CVE_2024_6386.py plugin to plugins/custom inside SSTImap directory
Run the following command:

./sstimap.py -i -e CVE_2024_6386 -p http://127.0.0.1:8080 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."

Use run command to test the payload
Edit the payload, use commands reload and run