CVE-2023-6553
Failed to send payload for character: < , Failed to write shell
Hello,
I am trying to get this exploit to work for a project. I created a basic WordPress site using Local, uploaded version 1.3.7 of the Backup Migration plugin and activated it, but I get this error when running exploit.py:
I apologize if this was mentioned before or is a simple fix I just can't understand what's going wrong.
Hello, waaah, this exploit has a lot of errors. Exploitation is kinda hard. Have you activated the plugin (just in case)? To be really sure, I did several tests on a Docker container and I had no problems. It's weird. However, from the image I see that it detects that it is vulnerable. Did you leave the code as is, or did you make changes?
Hey, I definitely activated the plugin; the checking mechanism actually detected the vulnerability even when the plugin was deactivated. The only thing I added was a debug "print" to check that the code was entering an if statement, but other than that, no.
Ouch... By chance, did you try to print the response of the request when sending the char to see what it displays? There is a big chance that it is the configuration of the web server (the header size limit).
There is also a Metasploit module that does this. Have you tried whether it works?
Hmm, no, I didn't know about it; I'll check it out. I printed the response in the send_payload function and this is what I got:
Well, so that's not the header size limit. You would get a 500 error otherwise. For the moment I don't know what's blocking it. I'll try again and let you know soon.
Is the Metasploit module for the CVE? I searched for it by name in msfconsole but couldn't find anything.
Yes. The module is here: https://www.rapid7.com/db/modules/exploit/multi/http/wp_backup_migration_php_filter/
Hello again @KremSH, I think it's about the encoding of the char. I think it's OK this time; check it. This commit has just been done: ad0e8f4e47fa8e0fe14da4e79670415062892930
Hey, thanks for the update. I'll check if it works :)
Unfortunately it still shows the same error. I did try the Metasploit module and it works.
Okay, sorry. I'll take a closer look at this. If it works with Metasploit, it's perfect :)
OK, you succeeded with Metasploit. I think I fixed the code for good; I was too specific in the verification of the payload sent. If you ever have the opportunity to check later, it would be cool. It's up to you.
https://github.com/Chocapikk/CVE-2023-6553/commit/30f0eff73edc04f93fbcbd143705b8dcde1687f7
Hey, it's been a while. I didn't want to open up another thread, but do you have any idea how the vulnerability was discovered naturally the first time?
Hello, I have no idea how the team who found this did it, but you can find the technical analysis here:
https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/
Don't hesitate to read the backup-heart.php file to understand. Well, if that was your question.
In any case, what an attacker is looking for is a file where a dangerous function is misused and where the user has access to an input.
Thank you so much, and sorry if I inconvenienced you. That last thing you said is something I'll probably think about before asking, lol.