automatic module_metadata_base.json update

rapid7 · Jan 17, 2024 · 39b0943 · 39b0943
1 parent b8aa55c
commit 39b0943
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -109401,6 +109401,70 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/wp_backup_migration_php_filter": {
+    "name": "WordPress Backup Migration Plugin PHP Filter Chain RCE",
+    "fullname": "exploit/multi/http/wp_backup_migration_php_filter",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-12-11",
+    "type": "exploit",
+    "author": [
+      "Nex Team",
+      "Valentin Lobstein",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7).  The vulnerability is\n          exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint.\n\n          The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend\n          bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend\n          a PHP payload to a string which gets evaluated by a require statement, which results in command execution.",
+    "references": [
+      "CVE-2023-6553",
+      "URL-https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py",
+      "URL-https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it",
+      "WPVDB-6a4d0af9-e1cd-4a69-a56c-3c009e207eca"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-01-16 14:49:22 +0000",
+    "path": "/modules/exploits/multi/http/wp_backup_migration_php_filter.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_backup_migration_php_filter",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/wp_catch_themes_demo_import": {
     "name": "Wordpress Plugin Catch Themes Demo Import RCE",
     "fullname": "exploit/multi/http/wp_catch_themes_demo_import",