Not vulnerable

[v4rm3t]

First of all, thanks for the PoC @Chocapikk!

I am trying to prepare a PoC for my research project and I was unable to use this exploit.

I installed WP on my ubuntu 20.04 VM + BackupMigration plugin 1.3.7/1.3.6.

I tried exploiting it locally, but I was unable to. It said target not vulnerable, I'm not sure if I'm missing out something :(

[NozoMizore7]

Same issue. Added some output:

python3 Chocapikk_modified.py -c -u http://172.16.101.169/
uncoded_payload:  <?php fwrite(fopen('t','w'),'B');?>
payload[:100]:  php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.ic
send_payload_response_code:200 text: ''
send_payload_success:  True
file_path: http://172.16.101.169//wp-content/plugins/backup-backup/includes/t response code: 404
http://172.16.101.169/ is not vulnerable to CVE-2023-6553

seems like the file is not created on the server, which talked about in the earlier issue.

BTW, send_payload_response_code would always return 200 in any case: send anything on both vulnerable and NON-vulnerable versions. Only differs in the response.text.

WP 6.4.3, BackupMigration plugin 1.3.7

[v4rm3t]

@NozoMizore7 Do you think it might be something with WordPress patching something on their side?