
Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module #18985

Conversation

cgranleese-r7

@cgranleese-r7 cgranleese-r7 commented Mar 21, 2024

Note

This PR fixes #18916

This PR updates the conditional logic for the unix/webapp/wp_admin_shell_upload module. Previously store_valid_credential was added to the wrong conditional branch in d69bfd5.

The new fix will now return CheckCode::Safe when an invalid login (cookie returns nil) is used by the module. CheckCode::Safe is returned when a target is safe and is therefore not exploitable.

# The target is safe and is therefore not exploitable. This is recommended after the check

When a valid login is used by the module, the module will now store the creds to the database and return CheckCode::Appears. CheckCode::Appears is returned when the target appears to be vulnerable.

# The target appears to be vulnerable. This is recommended if the vulnerability is determined

Example

[screenshot]

Target

Guide I followed: https://github.com/docker/awesome-compose/tree/master/wordpress-mysql
Example file when targeting WordPress version 4.8.2:

File name: compose.yaml

services:
  db:
    # We use a mariadb image which supports both amd64 & arm64 architecture
    image: mariadb:10.6.4-focal
    # If you really want to use MySQL, uncomment the following line
    #image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060
  wordpress:
    image: wordpress:4.8.2
    ports:
      - 80:80
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data:

Command to run that Docker compose image:

docker compose up

Verification

  • Start msfconsole
  • use unix/webapp/wp_admin_shell_upload
  • Get a WordPress target - see Target section above for setup steps
  • Verify when a valid login is used that the module returns The target appears to be vulnerable. and the creds are added to the DB via the creds command
  • Verify when an invalid login is used that it returns The target is not exploitable.
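As an added example (not the module's code and not written by the PR author), the conditional the PR describes and the two verification outcomes above, reduced to a stand-alone Ruby simulation: a login callback returns a session cookie or nil, the nil branch returns Safe without touching the credential store, and the cookie branch stores the credential and then returns Appears. The CheckCode constants, the CredStore class, the wp_check function, the FAKE_LOGIN callback and the single fake WordPress account are all assumptions made for this demo; the real module uses the framework's Msf::Exploit::CheckCode values and its store_valid_credential helper against the Metasploit database.

```ruby
# Added example: a simplified stand-in for the check logic described in the PR.
# This is NOT the Metasploit module's code. CheckCode, CredStore, wp_check and
# the fake login below are assumptions made for this demonstration only.

module CheckCode
  # Two of the outcomes the PR describes, as the strings msfconsole prints.
  Safe    = 'The target is not exploitable.'
  Appears = 'The target appears to be vulnerable.'
end

# Minimal in-memory credential store standing in for the framework database.
class CredStore
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Same name as the framework helper so the branch structure reads the same.
  def store_valid_credential(user:, private:)
    @entries << { user: user, private: private }
  end
end

# Simulated check. +login+ is a callable taking (username, password) and
# returning a cookie string on success or nil on failure, which is exactly the
# signal the PR keys on ("cookie returns nil").
def wp_check(username, password, login:, creds:)
  cookie = login.call(username, password)

  # Branch 1: no cookie -> invalid login. Nothing is stored; the target is Safe.
  return CheckCode::Safe if cookie.nil?

  # Branch 2: cookie present -> valid login. Store the credential here, and
  # only here, then report Appears. Putting the store call on this branch is
  # the correction the PR makes.
  creds.store_valid_credential(user: username, private: password)
  CheckCode::Appears
end

# Constructed fake WordPress login: exactly one account is valid.
FAKE_ACCOUNTS = { 'admin' => 'admin' }.freeze
FAKE_LOGIN = lambda do |user, pass|
  FAKE_ACCOUNTS[user] == pass ? "wordpress_logged_in=#{user}:deadbeef" : nil
end

if __FILE__ == $PROGRAM_NAME
  store = CredStore.new
  # Mirrors the two verification steps: invalid login, then valid login.
  puts wp_check('admin', 'wrong', login: FAKE_LOGIN, creds: store)
  puts wp_check('admin', 'admin', login: FAKE_LOGIN, creds: store)
  p store.entries
end
```

Running the file prints the Safe string, then the Appears string, then a single stored entry for admin; an invalid attempt never adds an entry, which is the observable difference between the old and the fixed branch placement.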

@dwelch-r7 dwelch-r7 self-assigned this Mar 21, 2024
@cgranleese-r7 cgranleese-r7 added the rn-fix release notes fix label Mar 21, 2024
@dwelch-r7 dwelch-r7 merged commit 3de8b02 into rapid7:master Mar 21, 2024
35 checks passed
@cgranleese-r7 cgranleese-r7 deleted the fix-store-valid-credential-conditional-logic-within-wp-admin-shell-upload-module branch March 21, 2024 12:56
@dwelch-r7

dwelch-r7 commented Mar 21, 2024

Release Notes

Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module

Successfully merging this pull request may close these issues.

exploits/unix/webapp/wp_admin_shell_upload.rb check is broken