Attacking WordPress Plugins

Someone once described PHP as a "web API for remote code execution," and it's true that PHP is definitely web programming without guardrails. This week's security news was dominated by a RCE vulnerability in a pair of wildly popular WordPress plugins, W3 Total Cache and WP Super Cache, which are written in (wait for it) PHP. Regular Metasploit contributors HD Moore, Juan Vazquez, and FireFart leaped into action to write up a Metasploit module to achieve code execution on WordPress-powered sites that use these plugins.


What does this mean for network defenders and auditors? Well, for many small businesses, and some larger ones, a WordPress-powered site may be the one touch point that these business have with their customers. Suffering a website defacement can damage these business's brands and reputations. However, there's no law that says a PHP-based attack must result in a website defacement. A persistent attacker can leverage this vulnerability to perform all sorts of mischief, such as compromising back-end database credentials, dumping stored user password hashes, or combining this attack with a local privilege escalation exploit to gain control over the entire server. This can all be done without leaving obvious signs of compromise on the website proper.


So, if you are responsible for a WordPress site, it would behoove you to use Metasploit to determine if you are, in fact, vulnerable to these kinds of exploits, and to see for yourself how far an exploit can go.



This update also comes with a shiny new way to steal credentials. The pentesters in the audience are no doubt aware of a tool called mimikatz that has been around for a while, but which invariably causes AV to lose its mind and ruin your day. Mimikatz, written by @gentilkiwi, is a tool that rummages through lsass.exe's memory looking for credential structures of various kinds. In most cases, it can grab cleartext passwords.


Now, thanks to @gentilkiwi's change to a compatible license (Creative-Commons-Attribution) and the integration efforts of Meatballs, Meterpreter can use this valuable technique completely in memory, saving you the headache of having to figure out how to run a packer.


Still Seeking Interns

I mentioned last week that the Metasploit Framework team is seeking an intern to help out over the summer in our secret underground exploit lair here in Austin. We've already gotten a number of good leads, so this week is about the last chance to get on board with our internship program. If you are passionate about open source security and want to spend your summer helping advance the state of the art with a team of world-class security professionals, check out the job requirements at and we'll see if we can't set up an interview in the next few days.


New Modules

This week, we have eight new modules, including the WordPress Total Cache exploit, Joe Vennix's Safari-based universal XSS module, Ben Campbell's implementation of waraxe's phpMyAdmin RCE exploit, a pair of SAP modules from Andras Kabai based on the research by Dmitry Chastuhin.



If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.