Post Syndicated from Sonny Gonzalez original https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/

LearnPress authenticated SQL injection

Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v3.2.6.7 and prior.

Continuous improvement

In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.

New module content (1)

• WordPress LearnPress current_items Authenticated SQLi by Omri Herscovici, Sagi Tzadik, h00die, and nhattruong, which exploits CVE-2020-6010 – This collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below v3.2.6.8.

Enhancements and features

• #15384 from gwillcox-r7 – This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
• #15477 from pingport80 – This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.
• #15580 from sjanusz-r7 – Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
• #15584 from h00die – Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner

Bugs fixed

• #15496 from zeroSteiner – Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.1…6.1.2
• Full diff 6.1.1…6.1.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).