Valentin Lobstein

Results 16 comments of Valentin Lobstein

Hello, waaah this exploit has a lot of errors. Exploitation is kinda hard, have you activated the plugin (just in case)? To be really sure I did several tests on...

Ouch... By chance did you try to print the response of the request when sending the char to see what it displays? There is a big chance that it is...

There is also a Metasploit module that does this, have you tried if it worked?

Well, so that's not the header size limit. You would have an error 500 otherwise. For the moment I don't know what's blocking. I try again and let you know...

> Is the Metasploit module for the CVE? I searched for it by name in msfconsole but couldn't find anything.

Yes. The module is here: https://www.rapid7.com/db/modules/exploit/multi/http/wp_backup_migration_php_filter/

Hello again @KremSH, I think it's about the encoding of the char, I think it's ok this time, check it: this commit has just been done: [ad0e8f4e47fa8e0fe14da4e79670415062892930](https://github.com/Chocapikk/CVE-2023-6553/commit/ad0e8f4e47fa8e0fe14da4e79670415062892930)

Okay sorry. I'll take a closer look at this. If it works with Metasploit it’s perfect :)

Ok, you succeeded with Metasploit, I think I fixed the code for good, I was too specific on the verification of the payload sent, if you ever have the opportunity...

Hello, I have no idea how the team who found this did it, but you can find the technical analysis here: https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/ Don't hesitate to read the backup-heart.php file to...

Yeah I have to add more checks in the code. Not yet reliable enough. It's a v1. I will take care of it soon. Thanks for the feedback