Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add script for detecting and exploiting vulnerability in Wordpress CM Do... #38

wants to merge 2 commits into from


Copy link

@mzet- mzet- commented Jan 2, 2015


Following script detects & exploits CVE-2014-8877 vulnerability in Wordpress CM Download Manager plugin
( Versions <= 2.0.0 are affected.

Vulnerability allows to inject arbitrary PHP code via CMDsearch param. The script simply injects system() function with OS shell command of choice (provided as script's parameter) as an argument.

Preparing testing environment

To prepare local testing environment following steps should be performed:

  • Install latest version of Wordpress on Linux machine
  • Get vulnerable version of Wordpress CM Download Manager plugin: svn co -r 1007950 cm-dw-manager
  • Prepare plugin for installation: find cm-dw-manager/ -type d -name .svn -print0 | xargs -0 rm -rf; zip -r cm-dw-manager/
  • Upload it to wp-content/plugins directory of your Wordpress installation. Unzip. Activate in admin panel.

Running the script

Running the script:
nmap -P0 -p80 -n --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",

Where 'cmd' parameter is shell command for execution and 'uri' is path to your Wordpress installation.

-- exploit the vulnerability
if cmd ~= nil then
-- wrap cmd with pattern which is used to filter out only relevant output from the response
req = genHttpReq(host, port, uri, 'echo ZZZ;'..cmd..';echo ZZZ;')
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could pick a pseudo-random string, maybe with a hash of the command sent instead of ZZZ (just to avoid to miss part of the result if it includes ZZZ).

Copy link

@mzet- Sorry for the delay in reviewing this. Unfortunately, it has false positive problems. If the page requested echoes the request URI at all, then the check will be true, since the check is a simple echo function. Here are the changes I would like to see before we could include this:

  1. Come up with a check that is not subject to this echo problem. This could be done by base64-encoding the string and having the server use base64_decode to echo it back.
  2. Use pure PHP calls for the check function, not system. This will help keep the script cross-platform and less likely to run afoul of a WAF or other server hardening.

Copy link

mzet- commented Sep 22, 2015


I've finally found some time to incorporate your feedback:

  • base64 encoded string is used now,
  • PHP system() isn't used anymore for checking if site is vulnerable (is used only for invoking payload)
  • I've also got rid of 'ZZZ' strings and changed it to random strings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging this pull request may close these issues.

None yet

4 participants