Wordpress Popular Posts Authenticated RCE
| Disclosed | Created |
|---|---|
| Jun 11, 2021 | Dec 20, 2021 |
Description
This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080.
The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request
for the payload before receiving the GET request.
This exploit leverages an authenticated improper input validation vulnerability in the WordPress plugin Popular Posts.
The exploit chain is rather complicated. Authentication is required, and the 'gd' extension for PHP must be present on the server.
The Popular Posts plugin is then reconfigured to allow an arbitrary URL for the post image in the widget.
A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once
the post hits the top 5, and after a 60-second server cache refresh (the module waits 90 seconds), the homepage widget is loaded,
which triggers the plugin to download the payload from our server. The payload has a 'GIF' header and a
double extension ('.gif.php'), allowing arbitrary PHP code to be executed.
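As a defensive counterpart to the chain described above, the following added Python script (not part of the Metasploit module or the plugin) scans a WordPress uploads tree for the artefacts such a chain leaves behind: PHP files where only media belongs, image-then-.php double extensions, and files that carry a GIF signature followed by PHP open tags. The sample directory it builds is constructed data, and the 'wordpress-popular-posts' subfolder name is an assumption, not a path taken from this page.

```python
import os
import re
import tempfile

# Image extension followed directly by .php, the double-extension trick described above.
DOUBLE_EXT = re.compile(r"\.(gif|jpe?g|png|webp)\.php$", re.IGNORECASE)
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAGS = (b"<?php", b"<?=")


def classify_file(path: str) -> list:
    """Return the reasons a file under the uploads tree looks suspicious."""
    reasons = []
    name = os.path.basename(path).lower()
    if name.endswith(".php"):
        reasons.append("php-in-uploads")  # uploads should hold media, not code
    if DOUBLE_EXT.search(name):
        reasons.append("double-extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    # A GIF signature followed by PHP open tags is a polyglot, not a picture.
    if head.startswith(GIF_MAGIC) and any(tag in head for tag in PHP_TAGS):
        reasons.append("gif-header-with-php")
    return reasons


def scan_uploads(root: str) -> dict:
    """Walk an uploads directory and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            reasons = classify_file(p)
            if reasons:
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree() -> str:
    """Create a throwaway uploads tree of constructed sample files (assumed layout)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2021/06/photo.gif": b"GIF89a" + b"\x00" * 32,  # ordinary image
        "wordpress-popular-posts/thumb.gif.php": b"GIF89a<?php echo 'x'; ?>",
        "2021/06/leftover.php": b"<?php echo 'y';",  # code where media belongs
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_uploads(build_sample_tree())` flags the polyglot and the stray PHP file while leaving the genuine image alone; point `scan_uploads` at a real `wp-content/uploads` directory to use it in practice.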
Authors
h00die
Simone Cristofaro
Jerome Bruandet
Platform
PHP
Architectures
php
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':