WordPress File Manager Advanced Shortcode Unauthenticated RCE [CVE-2023-2068] #18142
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Please also add the plugin to https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/wp-exploitable-plugins.txt
does the normal May also want a:
Will do!
Cool! Did not know that these already existed. I will add it to the
@h00die,
you shouldn't need to log in at all to use I only looked at the first 10 or so, but many modules just call that as the singular thing for the
Hi @h00die, figured out why it did not work. This particular plugin does not have a
modules/exploits/multi/http/wp_plugin_fma_shortcode_unauth_rce.rb
execute_command(payload.encoded)
when :linux_dropper, :windows_dropper
execute_cmdstager({ linemax: target.opts['Space'] })
when :windows_powershell
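Review bot: `target.opts['Space']` on the `execute_cmdstager({ linemax: target.opts['Space'] })` line is nil for any dropper target whose `opts` does not set `'Space'`, which hands `linemax: nil` to the stager; either confirm that both dropper targets define it or fall back to a default. The `when :windows_powershell` arm that follows is the branch the review comment on this region says can go together with the PowerShell target, so remove the two in the same change rather than leaving an arm for a target that no longer exists.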
You should be able to remove this because of the ability to remove the powershell target.
See 3425173.
documentation/modules/exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce.md
@h00die-gr3y Looks like the merge conflicts are stopping us from landing this. If you're able to rebase it we'll be able to land it, or if you want I believe we can rebase it on our side 👍
@adfoster-r7 I would appreciate it if you could rebase it from your side.
Rebased on our side, thanks! 👍 I used
It turns out that adding an extra commit to the end won't resolve the merge conflict that was actually in your second commit. Thanks for the PR! Will get this landed now 🎉
Release Notes: This PR adds a WordPress exploit that makes use of the WordPress File Manager Advanced Shortcode 2.3.2 plugin to gain unauthenticated Remote Code Execution through shortcode.
WordPress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode.
The WordPress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.
This leads to RCE even in cases where the allowed MIME type list does not include PHP files.
In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration.
File Manager Advanced Shortcode plugin version 2.3.2 and lower are vulnerable. To install the Shortcode plugin, File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user can exploit this vulnerability, which results in access to the underlying operating system with the same privileges under which the WordPress web services run.
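The upload-validation weakness described above, modelled as an added Ruby example that is neither the plugin's code nor part of this PR: the page does not state the plugin's exact check, so `weak_check`, `hardened_check`, `Upload` and the sample files are assumptions; the point is how an allowlist consulted only through the client-declared MIME type lets a PHP file through, while binding extension and magic bytes to that type does not.

```ruby
# Added example, not code from the PR or the plugin. The page does not give the
# plugin's exact check, so `weak_check` is an ASSUMED model of an upload filter
# that trusts only the client-declared MIME type; `hardened_check` is what a
# defender would require instead: declared type, extension and magic bytes agree.
Upload = Struct.new(:filename, :declared_mime, :bytes)

# Allowlist keyed by MIME type: the single extension it may carry and the
# file signature its contents must start with.
ALLOWED = {
  'image/png'  => { ext: 'png', magic: "\x89PNG\r\n\x1A\n".b },
  'image/jpeg' => { ext: 'jpg', magic: "\xFF\xD8\xFF".b }
}.freeze

# Assumed weak model: the allowlist is consulted only through the MIME type
# the client sends, so the name and contents of the stored file are never checked.
def weak_check(up)
  ALLOWED.key?(up.declared_mime)
end

# Hardened check: the declared MIME must be allowed, the name must carry exactly
# one extension and it must be the one registered for that type (so a second
# extension such as .php.png is rejected), and the bytes must match the magic.
def hardened_check(up)
  rule = ALLOWED[up.declared_mime]
  return false unless rule
  parts = File.basename(up.filename).split('.')
  return false unless parts.size == 2 && parts[1].downcase == rule[:ext]
  up.bytes.b.start_with?(rule[:magic])
end

# Constructed sample uploads (not captured from any site).
LEGIT_PNG    = Upload.new('avatar.png', 'image/png', "\x89PNG\r\n\x1A\n".b + 'pixels'.b)
SPOOFED_MIME = Upload.new('avatar.php', 'image/png', '<?php /* placeholder */'.b)
DOUBLE_EXT   = Upload.new('avatar.php.png', 'image/png', "\x89PNG\r\n\x1A\n".b)

# Returns which samples the given check lets through, so the gap is visible.
def accepted_by(check)
  samples = { legit: LEGIT_PNG, spoofed_mime: SPOOFED_MIME, double_ext: DOUBLE_EXT }
  samples.select { |_, up| check.call(up) }.keys
end

puts "weak:     #{accepted_by(method(:weak_check)).inspect}"      # [:legit, :spoofed_mime, :double_ext]
puts "hardened: #{accepted_by(method(:hardened_check)).inspect}"  # [:legit]
```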
This module has been tested on:
Instructions for a vulnerable WordPress installation:
For Windows and Linux, follow these instructions to install and configure WordPress: Install WordPress locally
After you have successfully installed and configured WordPress, follow the steps below to install the vulnerable plugins and configure a web page with the file-manager-advanced shortcode embedded.
Plugins
Add New
on the submenu
Add New
Upload Plugin
browse button appears. Browse for the file-manager-advanced.zip file that you downloaded in step 1.
install button
file-manager-advanced-shortcode-2.3.2-mdnhux.zip
TARGETURI option with the uripath pointing to this webpage
reverse shell or meterpreter
Verification
msfconsole
use exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
set rhosts <ip-target>
set rport <port>
set target <0=PHP, 1=Unix Command, 2=Linux Dropper, 3=Windows Command, 4=Windows Dropper>
exploit
You should get a reverse shell or Meterpreter session depending on the payload and target settings.
Scenarios
Windows Server 2019 PHP - php/meterpreter/reverse_tcp
Kali Linux Server Unix Command - cmd/unix/reverse_bash
Kali Linux Server Linux Dropper - linux/aarch64/meterpreter_reverse_tcp
Windows Server 2019 Windows Command - cmd/windows/powershell/x64/meterpreter/reverse_tcp
Windows Server 2019 Windows Dropper - windows/x64/meterpreter/reverse_tcp