Wordpress automatic plugin aux module #15776
If accepted, please add the 'hacktoberfest-accepted' label :)
This looks good, thank you!
Some minor comments on metadata and logging messages.
]

register_advanced_options [
OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])

Suggested change:
OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
OptString.new('WpEmail', [false, 'Wordpress Administration Email (default: no email modification)', nil])
This is registered as advanced. Or, since this is presented as an option that needed to be called out in descriptions, it feels like this may be better presented as a standard option defaulted to nil.
I modeled this after
OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
Understood, the comment was made based on review of this module and what I think a user would like to see when reviewing options for this module.
I can live with it as is. To be honest, I still fall on the side of this being an optional standard option for both modules.
@jmartin-r7 was there anything still pending on this?
@h00die all my requests are handled, testing is still in queue.
Thanks for this module @h00die! I just left a few minor comments for you to review. Otherwise, it looks good to me. I'll start testing now.
return Exploit::CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?

# this is for pickup into the vulnerable plugins list
# check_plugin_version_from_readme('wp-automatic', '3.53.3')
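Review bot: in this hunk the only active test is wordpress_and_online?, and the call to check_plugin_version_from_readme('wp-automatic', '3.53.3') is commented out, so nothing shown here confirms that the wp-automatic plugin is actually installed or at a vulnerable version before the module reports anything beyond Safe. If the commented line exists only as a marker for the vulnerable plugins list, consider saying so explicitly in the comment (e.g. "kept commented out for the vulnerable plugins list tool; plugin presence is not verified here") so a reader does not assume the version check runs.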
This is out of scope, but I'm just wondering if there would be a way to avoid adding a comment to be picked up by the update_wordpress_vulnerabilities.rb tool. Maybe using a specific info hash key/value pair, such as 'WordpressVulnType' => 'plugin'.
in general, like 90+% of plugins use that function, so it seemed like the right answer (especially when not trying to change all of wordpress modules). In theory, anything could be changed, but since wordpress plugin modules tend to be such a small portion of the framework, I didn't want to make anything global.
documentation/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.md
Thanks for making these changes @h00die! Everything looks good now. I tested against Wordpress 5.8.1 with Automatic 3.50.7 and verified a new user was created with the correct email, with the admin role. I'll go ahead and land it.
Release Notes: This adds an auxiliary module that leverages an unauthenticated arbitrary Wordpress options change vulnerability.
This module exploits an unauthenticated arbitrary Wordpress options change vulnerability in the Automatic (wp-automatic) plugin. We use that, very similarly to the GDPR module, to optionally:
Verification
use auxiliary/admin/http/wp_automatic_plugin_privesc
set rhosts [IPs]
set email [email address]
run